From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. Signed-off-by: Daniel Baumann --- .../smbdotconf/security/accessbasedshareenum.xml | 19 ++ .../smbdotconf/security/aclclaimsevaluation.xml | 42 ++++ .../security/aclflaginheritedcanonicalization.xml | 30 +++ docs-xml/smbdotconf/security/aclgroupcontrol.xml | 45 ++++ docs-xml/smbdotconf/security/adminusers.xml | 18 ++ .../smbdotconf/security/algorithmicridbase.xml | 26 +++ .../security/allowdcerpcauthlevelconnect.xml | 27 +++ .../smbdotconf/security/allowtrusteddomains.xml | 25 +++ docs-xml/smbdotconf/security/binddnsdir.xml | 17 ++ .../smbdotconf/security/checkpasswordscript.xml | 43 ++++ docs-xml/smbdotconf/security/clientipcsigning.xml | 26 +++ docs-xml/smbdotconf/security/clientlanmanauth.xml | 36 +++ docs-xml/smbdotconf/security/clientntlmv2auth.xml | 46 ++++ .../smbdotconf/security/clientplaintextauth.xml | 20 ++ docs-xml/smbdotconf/security/clientprotection.xml | 51 +++++ docs-xml/smbdotconf/security/clientschannel.xml | 30 +++ docs-xml/smbdotconf/security/clientsigning.xml | 24 ++ docs-xml/smbdotconf/security/clientsmbencrypt.xml | 126 +++++++++++ .../security/clientsmbencryptionalgos.xml | 21 ++ .../smbdotconf/security/clientsmbsigningalgos.xml | 22 ++ docs-xml/smbdotconf/security/clientusekerberos.xml | 49 +++++ .../security/clientusepsnegoprincipal.xml | 35 +++ docs-xml/smbdotconf/security/createmask.xml | 37 ++++ docs-xml/smbdotconf/security/debugencryption.xml | 22 ++ .../smbdotconf/security/dedicatedkeytabfile.xml | 16 ++ docs-xml/smbdotconf/security/directorymask.xml | 33 +++ .../smbdotconf/security/directorysecuritymask.xml | 12 + docs-xml/smbdotconf/security/encryptpasswords.xml | 47 ++++ docs-xml/smbdotconf/security/forcecreatemode.xml | 25 +++ .../smbdotconf/security/forcedirectorymode.xml | 25 +++ .../security/forcedirectorysecuritymode.xml | 11 + docs-xml/smbdotconf/security/forcegroup.xml | 40 ++++ docs-xml/smbdotconf/security/forcesecuritymode.xml | 11 + .../smbdotconf/security/forceunknownacluser.xml | 27 +++ docs-xml/smbdotconf/security/forceuser.xml | 28 +++ docs-xml/smbdotconf/security/guestaccount.xml | 27 +++ docs-xml/smbdotconf/security/guestok.xml | 19 ++ docs-xml/smbdotconf/security/guestonly.xml | 15 ++ docs-xml/smbdotconf/security/hostsallow.xml | 62 ++++++ docs-xml/smbdotconf/security/hostsdeny.xml | 24 ++ docs-xml/smbdotconf/security/inheritacls.xml | 24 ++ docs-xml/smbdotconf/security/inheritowner.xml | 58 +++++ .../smbdotconf/security/inheritpermissions.xml | 35 +++ docs-xml/smbdotconf/security/invalidusers.xml | 34 +++ .../security/kdcdefaultdomainsupportedenctypes.xml | 42 ++++ docs-xml/smbdotconf/security/kdcenablefast.xml | 15 ++ .../security/kdcforceenablerc4weaksessionkeys.xml | 24 ++ .../smbdotconf/security/kdcsupportedenctypes.xml | 40 ++++ .../security/kerberosencryptiontypes.xml | 47 ++++ docs-xml/smbdotconf/security/kerberosmethod.xml | 41 ++++ docs-xml/smbdotconf/security/kpasswdport.xml | 11 + docs-xml/smbdotconf/security/krb5port.xml | 10 + docs-xml/smbdotconf/security/lanmanauth.xml | 55 +++++ docs-xml/smbdotconf/security/lognttokencommand.xml | 14 ++ docs-xml/smbdotconf/security/maptoguest.xml | 62 ++++++ docs-xml/smbdotconf/security/mindomainuid.xml | 17 ++ docs-xml/smbdotconf/security/mitkdccommand.xml | 15 ++ docs-xml/smbdotconf/security/nt_hash_store.xml | 70 ++++++ docs-xml/smbdotconf/security/ntlmauth.xml | 87 ++++++++ .../security/ntpsigndsocketdirectory.xml | 16 ++ docs-xml/smbdotconf/security/nullpasswords.xml | 14 ++ .../smbdotconf/security/obeypamrestrictions.xml | 19 ++ .../security/oldpasswordallowedperiod.xml | 12 + docs-xml/smbdotconf/security/pampasswordchange.xml | 16 ++ docs-xml/smbdotconf/security/passdbbackend.xml | 65 ++++++ .../smbdotconf/security/passdbexpandexplicit.xml | 14 ++ docs-xml/smbdotconf/security/passwdchat.xml | 57 +++++ docs-xml/smbdotconf/security/passwdchatdebug.xml | 26 +++ docs-xml/smbdotconf/security/passwdchattimeout.xml | 13 ++ docs-xml/smbdotconf/security/passwdprogram.xml | 37 ++++ .../smbdotconf/security/passwordhashgpgkeyids.xml | 45 ++++ .../security/passwordhashuserpasswordschemes.xml | 67 ++++++ docs-xml/smbdotconf/security/passwordserver.xml | 46 ++++ docs-xml/smbdotconf/security/preloadmodules.xml | 13 ++ docs-xml/smbdotconf/security/privatedir.xml | 14 ++ docs-xml/smbdotconf/security/rawntlmv2auth.xml | 27 +++ docs-xml/smbdotconf/security/readlist.xml | 18 ++ docs-xml/smbdotconf/security/readonly.xml | 18 ++ docs-xml/smbdotconf/security/renameuserscript.xml | 33 +++ docs-xml/smbdotconf/security/restrictanonymous.xml | 38 ++++ docs-xml/smbdotconf/security/rootdirectory.xml | 35 +++ docs-xml/smbdotconf/security/sambakcccommand.xml | 18 ++ docs-xml/smbdotconf/security/security.xml | 105 +++++++++ docs-xml/smbdotconf/security/securitymask.xml | 11 + docs-xml/smbdotconf/security/serverrole.xml | 96 ++++++++ docs-xml/smbdotconf/security/serverschannel.xml | 102 +++++++++ .../security/serverschannelrequireseal.xml | 117 ++++++++++ docs-xml/smbdotconf/security/serversigning.xml | 29 +++ docs-xml/smbdotconf/security/serversmbencrypt.xml | 241 +++++++++++++++++++++ .../security/serversmbencryptionalgos.xml | 21 ++ .../smbdotconf/security/serversmbsigningalgos.xml | 22 ++ docs-xml/smbdotconf/security/smbencrypt.xml | 15 ++ docs-xml/smbdotconf/security/smbpasswdfile.xml | 18 ++ docs-xml/smbdotconf/security/tlscafile.xml | 20 ++ docs-xml/smbdotconf/security/tlscertfile.xml | 19 ++ docs-xml/smbdotconf/security/tlscrlfile.xml | 19 ++ docs-xml/smbdotconf/security/tlsdhparamsfile.xml | 20 ++ docs-xml/smbdotconf/security/tlsenabled.xml | 10 + docs-xml/smbdotconf/security/tlskeyfile.xml | 20 ++ docs-xml/smbdotconf/security/tlspriority.xml | 19 ++ docs-xml/smbdotconf/security/tlsverifypeer.xml | 47 ++++ docs-xml/smbdotconf/security/unixpasswordsync.xml | 26 +++ docs-xml/smbdotconf/security/usernamelevel.xml | 26 +++ docs-xml/smbdotconf/security/usernamemap.xml | 130 +++++++++++ .../smbdotconf/security/usernamemapcachetime.xml | 26 +++ docs-xml/smbdotconf/security/usernamemapscript.xml | 19 ++ docs-xml/smbdotconf/security/validusers.xml | 38 ++++ docs-xml/smbdotconf/security/writeable.xml | 14 ++ docs-xml/smbdotconf/security/writelist.xml | 24 ++ 109 files changed, 3875 insertions(+) create mode 100644 docs-xml/smbdotconf/security/accessbasedshareenum.xml create mode 100644 docs-xml/smbdotconf/security/aclclaimsevaluation.xml create mode 100644 docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml create mode 100644 docs-xml/smbdotconf/security/aclgroupcontrol.xml create mode 100644 docs-xml/smbdotconf/security/adminusers.xml create mode 100644 docs-xml/smbdotconf/security/algorithmicridbase.xml create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml create mode 100644 docs-xml/smbdotconf/security/allowtrusteddomains.xml create mode 100644 docs-xml/smbdotconf/security/binddnsdir.xml create mode 100644 docs-xml/smbdotconf/security/checkpasswordscript.xml create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml create mode 100644 docs-xml/smbdotconf/security/clientlanmanauth.xml create mode 100644 docs-xml/smbdotconf/security/clientntlmv2auth.xml create mode 100644 docs-xml/smbdotconf/security/clientplaintextauth.xml create mode 100644 docs-xml/smbdotconf/security/clientprotection.xml create mode 100644 docs-xml/smbdotconf/security/clientschannel.xml create mode 100644 docs-xml/smbdotconf/security/clientsigning.xml create mode 100644 docs-xml/smbdotconf/security/clientsmbencrypt.xml create mode 100644 docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml create mode 100644 docs-xml/smbdotconf/security/clientsmbsigningalgos.xml create mode 100644 docs-xml/smbdotconf/security/clientusekerberos.xml create mode 100644 docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml create mode 100644 docs-xml/smbdotconf/security/createmask.xml create mode 100644 docs-xml/smbdotconf/security/debugencryption.xml create mode 100644 docs-xml/smbdotconf/security/dedicatedkeytabfile.xml create mode 100644 docs-xml/smbdotconf/security/directorymask.xml create mode 100644 docs-xml/smbdotconf/security/directorysecuritymask.xml create mode 100644 docs-xml/smbdotconf/security/encryptpasswords.xml create mode 100644 docs-xml/smbdotconf/security/forcecreatemode.xml create mode 100644 docs-xml/smbdotconf/security/forcedirectorymode.xml create mode 100644 docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml create mode 100644 docs-xml/smbdotconf/security/forcegroup.xml create mode 100644 docs-xml/smbdotconf/security/forcesecuritymode.xml create mode 100644 docs-xml/smbdotconf/security/forceunknownacluser.xml create mode 100644 docs-xml/smbdotconf/security/forceuser.xml create mode 100644 docs-xml/smbdotconf/security/guestaccount.xml create mode 100644 docs-xml/smbdotconf/security/guestok.xml create mode 100644 docs-xml/smbdotconf/security/guestonly.xml create mode 100644 docs-xml/smbdotconf/security/hostsallow.xml create mode 100644 docs-xml/smbdotconf/security/hostsdeny.xml create mode 100644 docs-xml/smbdotconf/security/inheritacls.xml create mode 100644 docs-xml/smbdotconf/security/inheritowner.xml create mode 100644 docs-xml/smbdotconf/security/inheritpermissions.xml create mode 100644 docs-xml/smbdotconf/security/invalidusers.xml create mode 100644 docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml create mode 100644 docs-xml/smbdotconf/security/kdcenablefast.xml create mode 100644 docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml create mode 100644 docs-xml/smbdotconf/security/kdcsupportedenctypes.xml create mode 100644 docs-xml/smbdotconf/security/kerberosencryptiontypes.xml create mode 100644 docs-xml/smbdotconf/security/kerberosmethod.xml create mode 100644 docs-xml/smbdotconf/security/kpasswdport.xml create mode 100644 docs-xml/smbdotconf/security/krb5port.xml create mode 100644 docs-xml/smbdotconf/security/lanmanauth.xml create mode 100644 docs-xml/smbdotconf/security/lognttokencommand.xml create mode 100644 docs-xml/smbdotconf/security/maptoguest.xml create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml create mode 100644 docs-xml/smbdotconf/security/mitkdccommand.xml create mode 100644 docs-xml/smbdotconf/security/nt_hash_store.xml create mode 100644 docs-xml/smbdotconf/security/ntlmauth.xml create mode 100644 docs-xml/smbdotconf/security/ntpsigndsocketdirectory.xml create mode 100644 docs-xml/smbdotconf/security/nullpasswords.xml create mode 100644 docs-xml/smbdotconf/security/obeypamrestrictions.xml create mode 100644 docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml create mode 100644 docs-xml/smbdotconf/security/pampasswordchange.xml create mode 100644 docs-xml/smbdotconf/security/passdbbackend.xml create mode 100644 docs-xml/smbdotconf/security/passdbexpandexplicit.xml create mode 100644 docs-xml/smbdotconf/security/passwdchat.xml create mode 100644 docs-xml/smbdotconf/security/passwdchatdebug.xml create mode 100644 docs-xml/smbdotconf/security/passwdchattimeout.xml create mode 100644 docs-xml/smbdotconf/security/passwdprogram.xml create mode 100644 docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml create mode 100644 docs-xml/smbdotconf/security/passwordhashuserpasswordschemes.xml create mode 100644 docs-xml/smbdotconf/security/passwordserver.xml create mode 100644 docs-xml/smbdotconf/security/preloadmodules.xml create mode 100644 docs-xml/smbdotconf/security/privatedir.xml create mode 100644 docs-xml/smbdotconf/security/rawntlmv2auth.xml create mode 100644 docs-xml/smbdotconf/security/readlist.xml create mode 100644 docs-xml/smbdotconf/security/readonly.xml create mode 100644 docs-xml/smbdotconf/security/renameuserscript.xml create mode 100644 docs-xml/smbdotconf/security/restrictanonymous.xml create mode 100644 docs-xml/smbdotconf/security/rootdirectory.xml create mode 100644 docs-xml/smbdotconf/security/sambakcccommand.xml create mode 100644 docs-xml/smbdotconf/security/security.xml create mode 100644 docs-xml/smbdotconf/security/securitymask.xml create mode 100644 docs-xml/smbdotconf/security/serverrole.xml create mode 100644 docs-xml/smbdotconf/security/serverschannel.xml create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml create mode 100644 docs-xml/smbdotconf/security/serversigning.xml create mode 100644 docs-xml/smbdotconf/security/serversmbencrypt.xml create mode 100644 docs-xml/smbdotconf/security/serversmbencryptionalgos.xml create mode 100644 docs-xml/smbdotconf/security/serversmbsigningalgos.xml create mode 100644 docs-xml/smbdotconf/security/smbencrypt.xml create mode 100644 docs-xml/smbdotconf/security/smbpasswdfile.xml create mode 100644 docs-xml/smbdotconf/security/tlscafile.xml create mode 100644 docs-xml/smbdotconf/security/tlscertfile.xml create mode 100644 docs-xml/smbdotconf/security/tlscrlfile.xml create mode 100644 docs-xml/smbdotconf/security/tlsdhparamsfile.xml create mode 100644 docs-xml/smbdotconf/security/tlsenabled.xml create mode 100644 docs-xml/smbdotconf/security/tlskeyfile.xml create mode 100644 docs-xml/smbdotconf/security/tlspriority.xml create mode 100644 docs-xml/smbdotconf/security/tlsverifypeer.xml create mode 100644 docs-xml/smbdotconf/security/unixpasswordsync.xml create mode 100644 docs-xml/smbdotconf/security/usernamelevel.xml create mode 100644 docs-xml/smbdotconf/security/usernamemap.xml create mode 100644 docs-xml/smbdotconf/security/usernamemapcachetime.xml create mode 100644 docs-xml/smbdotconf/security/usernamemapscript.xml create mode 100644 docs-xml/smbdotconf/security/validusers.xml create mode 100644 docs-xml/smbdotconf/security/writeable.xml create mode 100644 docs-xml/smbdotconf/security/writelist.xml (limited to 'docs-xml/smbdotconf/security') diff --git a/docs-xml/smbdotconf/security/accessbasedshareenum.xml b/docs-xml/smbdotconf/security/accessbasedshareenum.xml new file mode 100644 index 0000000..4557465 --- /dev/null +++ b/docs-xml/smbdotconf/security/accessbasedshareenum.xml @@ -0,0 +1,19 @@ + + + If this parameter is yes for a + service, then the share hosted by the service will only be visible + to users who have read or write access to the share during share + enumeration (for example net view \\sambaserver). The share ACLs + which allow or deny the access to the share can be modified using + for example the sharesec command + or using the appropriate Windows tools. This has + parallels to access based enumeration, the main difference being + that only share permissions are evaluated, and security + descriptors on files contained on the share are not used in + computing enumeration access rights. + + no + diff --git a/docs-xml/smbdotconf/security/aclclaimsevaluation.xml b/docs-xml/smbdotconf/security/aclclaimsevaluation.xml new file mode 100644 index 0000000..ab72617 --- /dev/null +++ b/docs-xml/smbdotconf/security/aclclaimsevaluation.xml @@ -0,0 +1,42 @@ + + + This option controls the way Samba handles evaluation of + security descriptors in Samba, with regards to Active + Directory Claims. AD Claims, introduced with Windows 2012, + are essentially administrator-defined key-value pairs that can + be set both in Active Directory (communicated via the Kerberos + PAC) and in the security descriptor themselves. + + + Active Directory claims are new with Samba 4.20. + Because the claims are evaluated against a very flexible + expression language within the security descriptor, this option provides a mechanism + to disable this logic if required by the administrator. + + This default behaviour is that claims evaluation is + enabled in the AD DC only. Additionally, claims evaluation on + the AD DC is only enabled if the DC functional level + is 2012 or later. See . + + Possible values are : + + + AD DC only: Enabled for the Samba AD + DC (for DC functional level 2012 or higher). + + + never: Disabled in all cases. + This option disables some but not all of the + Authentication Policies and Authentication Policy Silos features of + the Windows 2012R2 functional level in the AD DC. + + + + +AD DC only + diff --git a/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml b/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml new file mode 100644 index 0000000..b306b2b --- /dev/null +++ b/docs-xml/smbdotconf/security/aclflaginheritedcanonicalization.xml @@ -0,0 +1,30 @@ + + + This option controls the way Samba handles client requests setting + the Security Descriptor of files and directories and the effect the + operation has on the Security Descriptor flag "DACL + auto-inherited" (DI). Generally, this flag is set on a file (or + directory) upon creation if the parent directory has DI set and also has + inheritable ACEs. + + + On the other hand when a Security Descriptor is explicitly set on + a file, the DI flag is cleared, unless the flag "DACL Inheritance + Required" (DR) is also set in the new Security Descriptor (fwiw, DR is + never stored on disk). + + This is the default behaviour when this option is enabled (the + default). When setting this option to no, the + resulting value of the DI flag on-disk is directly taken from the DI + value of the to-be-set Security Descriptor. This can be used so dump + tools like rsync that copy data blobs from xattrs that represent ACLs + created by the acl_xattr VFS module will result in copies of the ACL + that are identical to the source. Without this option, the copied ACLs + would all lose the DI flag if set on the source. + + +yes + diff --git a/docs-xml/smbdotconf/security/aclgroupcontrol.xml b/docs-xml/smbdotconf/security/aclgroupcontrol.xml new file mode 100644 index 0000000..eeec434 --- /dev/null +++ b/docs-xml/smbdotconf/security/aclgroupcontrol.xml @@ -0,0 +1,45 @@ + + + + In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions + and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the + primary group owner of a file or directory to modify the permissions and ACLs + on that file. + + + On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in + that group to modify the permissions on it. This allows the delegation of security controls + on a point in the filesystem to the group owner of a directory and anything below it also owned + by that group. This means there are multiple people with permissions to modify ACLs on a file + or directory, easing manageability. + + + This parameter allows Samba to also permit delegation of the control over a point in the exported + directory hierarchy in much the same way as Windows. This allows all members of a UNIX group to + control the permissions on a file or directory they have group ownership on. + + + + This parameter is best used with the option and also + on a share containing directories with the UNIX setgid bit set + on them, which causes new files and directories created within it to inherit the group + ownership from the containing directory. + + + + This parameter was deprecated in Samba 3.0.23, but re-activated in + Samba 3.0.31 and above, as it now only controls permission changes if the user + is in the owning primary group. It is now no longer equivalent to the + dos filemode option. + + + + +inherit owner +inherit permissions + +no + diff --git a/docs-xml/smbdotconf/security/adminusers.xml b/docs-xml/smbdotconf/security/adminusers.xml new file mode 100644 index 0000000..5e0f60c --- /dev/null +++ b/docs-xml/smbdotconf/security/adminusers.xml @@ -0,0 +1,18 @@ + + + This is a list of users who will be granted + administrative privileges on the share. This means that they + will do all file operations as the super-user (root). + + You should use this option very carefully, as any user in + this list will be able to do anything they like on the share, + irrespective of file permissions. + + + + +jason + diff --git a/docs-xml/smbdotconf/security/algorithmicridbase.xml b/docs-xml/smbdotconf/security/algorithmicridbase.xml new file mode 100644 index 0000000..a5eba3c --- /dev/null +++ b/docs-xml/smbdotconf/security/algorithmicridbase.xml @@ -0,0 +1,26 @@ + + + This determines how Samba will use its + algorithmic mapping from uids/gid to the RIDs needed to construct + NT Security Identifiers. + + + Setting this option to a larger value could be useful to sites + transitioning from WinNT and Win2k, as existing user and + group rids would otherwise clash with system users etc. + + + All UIDs and GIDs must be able to be resolved into SIDs for + the correct operation of ACLs on the server. As such the algorithmic + mapping can't be 'turned off', but pushing it 'out of the way' should + resolve the issues. Users and groups can then be assigned 'low' RIDs + in arbitrary-rid supporting backends. + + + +1000 +100000 + diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml new file mode 100644 index 0000000..8bccab3 --- /dev/null +++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml @@ -0,0 +1,27 @@ + + + This option controls whether DCERPC services are allowed to + be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, + but no per message integrity nor privacy protection. + + Some interfaces like samr, lsarpc and netlogon have a hard-coded default of + no and epmapper, mgmt and rpcecho have a hard-coded default of + yes. + + + The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc, + winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option. + + This option is over-ridden by the implementation specific restrictions. + E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. + The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY. + + + +no +yes + + diff --git a/docs-xml/smbdotconf/security/allowtrusteddomains.xml b/docs-xml/smbdotconf/security/allowtrusteddomains.xml new file mode 100644 index 0000000..3617210 --- /dev/null +++ b/docs-xml/smbdotconf/security/allowtrusteddomains.xml @@ -0,0 +1,25 @@ + + + + This option only takes effect when the option is set to + server, domain or ads. + If it is set to no, then attempts to connect to a resource from + a domain or workgroup other than the one which smbd is running + in will fail, even if that domain is trusted by the remote server + doing the authentication. + + This is useful if you only want your Samba server to + serve resources to users in the domain it is a member of. As + an example, suppose that there are two domains DOMA and DOMB. DOMB + is trusted by DOMA, which contains the Samba server. Under normal + circumstances, a user with an account in DOMB can then access the + resources of a UNIX account with the same account name on the + Samba server even if they do not have an account in DOMA. This + can make implementing a security boundary difficult. + + +yes + diff --git a/docs-xml/smbdotconf/security/binddnsdir.xml b/docs-xml/smbdotconf/security/binddnsdir.xml new file mode 100644 index 0000000..a948cb5 --- /dev/null +++ b/docs-xml/smbdotconf/security/binddnsdir.xml @@ -0,0 +1,17 @@ + +bind dns directory + + + This parameters defines the directory samba will use to store the configuration + files for bind, such as named.conf. + + NOTE: The bind dns directory needs to be on the same mount point as the private + directory! + + + +&pathconfig.BINDDNS_DIR; + diff --git a/docs-xml/smbdotconf/security/checkpasswordscript.xml b/docs-xml/smbdotconf/security/checkpasswordscript.xml new file mode 100644 index 0000000..18aa2c6 --- /dev/null +++ b/docs-xml/smbdotconf/security/checkpasswordscript.xml @@ -0,0 +1,43 @@ + + + The name of a program that can be used to check password + complexity. The password is sent to the program's standard input. + + The program must return 0 on a good password, or any other value + if the password is bad. + In case the password is considered weak (the program does not return 0) the + user will be notified and the password change will fail. + + In Samba AD, this script will be run AS ROOT by + samba 8 + without any substitutions. + + Note that starting with Samba 4.11 the following environment variables are exported to the script: + + + + SAMBA_CPS_ACCOUNT_NAME is always present and contains the sAMAccountName of user, + the is the same as the %u substitutions in the none AD DC case. + + + + SAMBA_CPS_USER_PRINCIPAL_NAME is optional in the AD DC case if the userPrincipalName is present. + + + + SAMBA_CPS_FULL_NAME is optional if the displayName is present. + + + + Note: In the example directory is a sample program called crackcheck + that uses cracklib to check the password quality. + + + +Disabled +/usr/local/sbin/crackcheck + diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml new file mode 100644 index 0000000..efbf17a --- /dev/null +++ b/docs-xml/smbdotconf/security/clientipcsigning.xml @@ -0,0 +1,26 @@ + + + This controls whether the client is allowed or required to use SMB signing for IPC$ + connections as DCERPC transport. Possible values + are desired, required + and disabled. + + + When set to required or default, SMB signing is mandatory. + + When set to desired, SMB signing is offered, but not enforced and if set + to disabled, SMB signing is not offered either. + + Connections from winbindd to Active Directory Domain Controllers + always enforce signing. + + +client signing + +default + diff --git a/docs-xml/smbdotconf/security/clientlanmanauth.xml b/docs-xml/smbdotconf/security/clientlanmanauth.xml new file mode 100644 index 0000000..60e1c86 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientlanmanauth.xml @@ -0,0 +1,36 @@ + + + This parameter has been deprecated since Samba 4.13 and + support for LanMan (as distinct from NTLM, NTLMv2 or + Kerberos) authentication as a client + will be removed in a future Samba release. + That is, in the future, the current default of + client NTLMv2 auth = yes + will be the enforced behaviour. + + This parameter determines whether or not smbclient + 8 and other samba client + tools will attempt to authenticate itself to servers using the + weaker LANMAN password hash. If disabled, only server which support NT + password hashes (e.g. Windows NT/2000, Samba, etc... but not + Windows 95/98) will be able to be connected from the Samba client. + + The LANMAN encrypted response is easily broken, due to its + case-insensitive nature, and the choice of algorithm. Clients + without Windows 95/98 servers are advised to disable + this option. + + Disabling this option will also disable the client plaintext auth option. + + Likewise, if the client ntlmv2 + auth parameter is enabled, then only NTLMv2 logins will be + attempted. + + +no + diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml new file mode 100644 index 0000000..9b47944 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml @@ -0,0 +1,46 @@ + + + This parameter has been deprecated since Samba 4.13 and + support for NTLM and LanMan (as distinct from NTLMv2 or + Kerberos authentication) + will be removed in a future Samba release. + That is, in the future, the current default of + client NTLMv2 auth = yes + will be the enforced behaviour. + + This parameter determines whether or not smbclient + 8 will attempt to + authenticate itself to servers using the NTLMv2 encrypted password + response. + + If enabled, only an NTLMv2 and LMv2 response (both much more + secure than earlier versions) will be sent. Older servers + (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with + NTLMv2 when not in an NTLMv2 supporting domain + + Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth + authentication will be disabled. This also disables share-level + authentication. + + If disabled, an NTLM response (and possibly a LANMAN response) + will be sent by the client, depending on the value of client lanman auth. + + Note that Windows Vista and later versions already use + NTLMv2 by default, and some sites (particularly those following + 'best practice' security polices) only allow NTLMv2 responses, and + not the weaker LM or NTLM. + + When is also set to + yes extended security (SPNEGO) is required + in order to use NTLMv2 only within NTLMSSP. This behavior was + introduced with the patches for CVE-2016-2111. + +yes + diff --git a/docs-xml/smbdotconf/security/clientplaintextauth.xml b/docs-xml/smbdotconf/security/clientplaintextauth.xml new file mode 100644 index 0000000..5a51c33 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientplaintextauth.xml @@ -0,0 +1,20 @@ + + + This parameter has been deprecated since Samba 4.13 and + support for plaintext (as distinct from NTLM, NTLMv2 or + Kerberos authentication) + will be removed in a future Samba release. + That is, in the future, the current default of + client plaintext auth = no + will be the enforced behaviour. + + Specifies whether a client should send a plaintext + password if the server does not support encrypted passwords. + +no + + diff --git a/docs-xml/smbdotconf/security/clientprotection.xml b/docs-xml/smbdotconf/security/clientprotection.xml new file mode 100644 index 0000000..347b004 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientprotection.xml @@ -0,0 +1,51 @@ + + + + This parameter defines which protection Samba client + tools should use by default. + + + Possible client settings are: + + + + default - Use the individual + default values of the options: + + client signing + client smb encrypt + + + + + + + plain - This will send + everything just as plaintext, signing or + encryption are turned off. + + + + + + sign - This will enable + integrity checking. + + + + + + encrypt - This will enable + integrity checks and force encryption for + privacy. + + + + + +default + diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml new file mode 100644 index 0000000..d124ad4 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientschannel.xml @@ -0,0 +1,30 @@ + + + + + This option is deprecated with Samba 4.8 and will be removed in future. + At the same time the default changed to yes, which will be the + hardcoded behavior in future. + + + + This controls whether the client offers or even demands the use of the netlogon schannel. + no does not offer the schannel, + auto offers the schannel but does not + enforce it, and yes denies access + if the server is not able to speak netlogon schannel. + + + Note that for active directory domains this is hardcoded to + yes. + + This option is over-ridden by the option. + +yes +auto + diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml new file mode 100644 index 0000000..bd92818 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientsigning.xml @@ -0,0 +1,24 @@ + + + This controls whether the client is allowed or required to use SMB signing. Possible values + are desired, required + and disabled. + + + When set to desired or default, SMB signing is offered, but not enforced. + + When set to required, SMB signing is mandatory and if set + to disabled, SMB signing is not offered either. + + IPC$ connections for DCERPC e.g. in winbindd, are handled by the + option. + + +client ipc signing + +default + diff --git a/docs-xml/smbdotconf/security/clientsmbencrypt.xml b/docs-xml/smbdotconf/security/clientsmbencrypt.xml new file mode 100644 index 0000000..05df152 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientsmbencrypt.xml @@ -0,0 +1,126 @@ + + + + This parameter controls whether a client should try or is required + to use SMB encryption. It has different effects depending on whether + the connection uses SMB1 or SMB3: + + + + + + If the connection uses SMB1, then this option controls the use + of a Samba-specific extension to the SMB protocol introduced in + Samba 3.2 that makes use of the Unix extensions. + + + + + + If the connection uses SMB2 or newer, then this option controls + the use of the SMB-level encryption that is supported in SMB + version 3.0 and above and available in Windows 8 and newer. + + + + + + This parameter can be set globally. Possible values are + + off, + if_required, + desired, + and + required. + A special value is default which is + the implicit default setting of if_required. + + + + + Effects for SMB1 + + + The Samba-specific encryption of SMB1 connections is an + extension to the SMB protocol negotiated as part of the UNIX + extensions. SMB encryption uses the GSSAPI (SSPI on Windows) + ability to encrypt and sign every request/response in a SMB + protocol stream. When enabled it provides a secure method of + SMB/CIFS communication, similar to an ssh protected session, but + using SMB/CIFS authentication to negotiate encryption and + signing keys. Currently this is only supported smbclient of by + Samba 3.2 and newer. Windows does not support this feature. + + + + When set to default, SMB encryption is probed, but not + enforced. When set to required, SMB encryption is required and + if set to disabled, SMB encryption can not be negotiated. + + + + + + Effects for SMB3 and newer + + + Native SMB transport encryption is available in SMB version 3.0 + or newer. It is only used by Samba if + client max protocol is set to + SMB3 or newer. + + + + These features can be controlled with settings of + client smb encrypt as follows: + + + + + + Leaving it as default, explicitly setting + default, or setting it to + if_required globally will enable + negotiation of encryption but will not turn on + data encryption globally. + + + + + + Setting it to desired globally + will enable negotiation and will turn on data encryption + on sessions and share connections for those servers + that support it. + + + + + + Setting it to required globally + will enable negotiation and turn on data encryption + on sessions and share connections. Clients that do + not support encryption will be denied access to the + server. + + + + + + Setting it to off globally will + completely disable the encryption feature for all + connections. + + + + + + + + +default + diff --git a/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml new file mode 100644 index 0000000..78df3f9 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml @@ -0,0 +1,21 @@ + + + This parameter specifies the availability and order of + encryption algorithms which are available for negotiation in the SMB3_11 dialect. + + It is also possible to remove individual algorithms from the default list, + by prefixing them with '-'. This can avoid having to specify a hardcoded list. + + Note: that the removal of AES-128-CCM from the list will result + in SMB3_00 and SMB3_02 being unavailable, as it is the default and only + available algorithm for these dialects. + + + +AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM +AES-256-GCM +-AES-128-GCM -AES-128-CCM + diff --git a/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml new file mode 100644 index 0000000..f7c61f3 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml @@ -0,0 +1,22 @@ + + + This parameter specifies the availability and order of + signing algorithms which are available for negotiation in the SMB3_11 dialect. + + It is also possible to remove individual algorithms from the default list, + by prefixing them with '-'. This can avoid having to specify a hardcoded list. + + Note: that the removal of AES-128-CMAC from the list will result + in SMB3_00 and SMB3_02 being unavailable, and the removal of HMAC-SHA256 + will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only + available algorithms for these dialects. + + + +AES-128-GMAC, AES-128-CMAC, HMAC-SHA256 +AES-128-CMAC, HMAC-SHA256 +-AES-128-CMAC + diff --git a/docs-xml/smbdotconf/security/clientusekerberos.xml b/docs-xml/smbdotconf/security/clientusekerberos.xml new file mode 100644 index 0000000..1ccf88e --- /dev/null +++ b/docs-xml/smbdotconf/security/clientusekerberos.xml @@ -0,0 +1,49 @@ + + + + This parameter determines whether Samba client tools will try + to authenticate using Kerberos. For Kerberos authentication you + need to use dns names instead of IP addresses when connecting + to a service. + + + Possible option settings are: + + + + desired - Kerberos + authentication will be tried first and if it fails it + automatically fallback to NTLM. + + + + + + required - Kerberos + authentication will be required. There will be no + fallback to NTLM or a different alternative. + + + + + + off - Don't use + Kerberos, use NTLM instead or another + alternative. + + + + + + In case that weak cryptography is not allowed (e.g. FIPS mode) + the default will be forced to required. + + + +desired + diff --git a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml new file mode 100644 index 0000000..8e9edd2 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml @@ -0,0 +1,35 @@ + + + This parameter determines whether or not + smbclient + 8 and other samba components + acting as a client will attempt to use the server-supplied + principal sometimes given in the SPNEGO exchange. + + If enabled, Samba can attempt to use Kerberos to contact + servers known only by IP address. Kerberos relies on names, so + ordinarily cannot function in this situation. + + This is a VERY BAD IDEA for security reasons, and so this + parameter SHOULD NOT BE USED. It will be removed in a future + version of Samba. + + If disabled, Samba will use the name used to look up the + server when asking the KDC for a ticket. This avoids situations + where a server may impersonate another, soliciting authentication + as one principal while being known on the network as another. + + + Note that Windows XP SP2 and later versions already follow + this behaviour, and Windows Vista and later servers no longer + supply this 'rfc4178 hint' principal on the server side. + + This parameter is deprecated in Samba 4.2.1 and will be removed + (along with the functionality) in a later release of Samba. + +no + diff --git a/docs-xml/smbdotconf/security/createmask.xml b/docs-xml/smbdotconf/security/createmask.xml new file mode 100644 index 0000000..06ee896 --- /dev/null +++ b/docs-xml/smbdotconf/security/createmask.xml @@ -0,0 +1,37 @@ + + +create mode + + + When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to + UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may + be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will + be removed from the modes set on a file when it is created. + + + + The default value of this parameter removes the group and other + write and execute bits from the UNIX modes. + + + + Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the + parameter which is set to 000 by default. + + + + This parameter does not affect directory masks. See the parameter + for details. + + + +force create mode +directory mode +inherit permissions + +0744 +0775 + diff --git a/docs-xml/smbdotconf/security/debugencryption.xml b/docs-xml/smbdotconf/security/debugencryption.xml new file mode 100644 index 0000000..5b51b4a --- /dev/null +++ b/docs-xml/smbdotconf/security/debugencryption.xml @@ -0,0 +1,22 @@ + + + + This option will make the smbd server and client code using + libsmb (smbclient, smbget, smbspool, ...) dump the Session Id, + the decrypted Session Key, the Signing Key, the Application Key, + the Encryption Key and the Decryption Key every time an SMB3+ + session is established. This information will be printed in logs + at level 0. + + + Warning: access to these values enables the decryption of any + encrypted traffic on the dumped sessions. This option should + only be enabled for debugging purposes. + + + + no + diff --git a/docs-xml/smbdotconf/security/dedicatedkeytabfile.xml b/docs-xml/smbdotconf/security/dedicatedkeytabfile.xml new file mode 100644 index 0000000..b7c2680 --- /dev/null +++ b/docs-xml/smbdotconf/security/dedicatedkeytabfile.xml @@ -0,0 +1,16 @@ + + + + Specifies the absolute path to the kerberos keytab file when + is set to "dedicated + keytab". + + +kerberos method + +/usr/local/etc/krb5.keytab + + diff --git a/docs-xml/smbdotconf/security/directorymask.xml b/docs-xml/smbdotconf/security/directorymask.xml new file mode 100644 index 0000000..890092a --- /dev/null +++ b/docs-xml/smbdotconf/security/directorymask.xml @@ -0,0 +1,33 @@ + +directory mode + + This parameter is the octal modes which are + used when converting DOS modes to UNIX modes when creating UNIX + directories. + + When a directory is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX permissions, + and the resulting UNIX mode is then bit-wise 'AND'ed with this + parameter. This parameter may be thought of as a bit-wise MASK for + the UNIX modes of a directory. Any bit not set + here will be removed from the modes set on a directory when it is + created. + + The default value of this parameter removes the 'group' + and 'other' write bits from the UNIX mode, allowing only the + user who owns the directory to modify it. + + Following this Samba will bit-wise 'OR' the UNIX mode + created from this parameter with the value of the parameter. + This parameter is set to 000 by default (i.e. no extra mode bits are added). + + +force directory mode +create mask +inherit permissions +0755 +0775 + diff --git a/docs-xml/smbdotconf/security/directorysecuritymask.xml b/docs-xml/smbdotconf/security/directorysecuritymask.xml new file mode 100644 index 0000000..f02e4ff --- /dev/null +++ b/docs-xml/smbdotconf/security/directorysecuritymask.xml @@ -0,0 +1,12 @@ + + + + This parameter has been removed for Samba 4.0.0. + + + + diff --git a/docs-xml/smbdotconf/security/encryptpasswords.xml b/docs-xml/smbdotconf/security/encryptpasswords.xml new file mode 100644 index 0000000..4fdfa89 --- /dev/null +++ b/docs-xml/smbdotconf/security/encryptpasswords.xml @@ -0,0 +1,47 @@ + + + This parameter has been deprecated since Samba 4.11 and + support for plaintext (as distinct from NTLM, NTLMv2 + or Kerberos authentication) + will be removed in a future Samba release. + That is, in the future, the current default of + encrypt passwords = yes + will be the enforced behaviour. + This boolean controls whether encrypted passwords + will be negotiated with the client. Note that Windows NT 4.0 SP3 and + above and also Windows 98 will by default expect encrypted passwords + unless a registry entry is changed. To use encrypted passwords in + Samba see the chapter "User Database" in the Samba HOWTO Collection. + + + + MS Windows clients that expect Microsoft encrypted passwords and that + do not have plain text password support enabled will be able to + connect only to a Samba server that has encrypted password support + enabled and for which the user accounts have a valid encrypted password. + Refer to the smbpasswd command man page for information regarding the + creation of encrypted passwords for user accounts. + + + + The use of plain text passwords is NOT advised as support for this feature + is no longer maintained in Microsoft Windows products. If you want to use + plain text passwords you must set this parameter to no. + + + In order for encrypted passwords to work correctly + smbd + 8 must either + have access to a local smbpasswd + 5 file (see the smbpasswd + 8 program for information on how to set up + and maintain this file), or set the [domain|ads] parameter which + causes smbd to authenticate against another + server. + +yes + diff --git a/docs-xml/smbdotconf/security/forcecreatemode.xml b/docs-xml/smbdotconf/security/forcecreatemode.xml new file mode 100644 index 0000000..79e6e63 --- /dev/null +++ b/docs-xml/smbdotconf/security/forcecreatemode.xml @@ -0,0 +1,25 @@ + + + This parameter specifies a set of UNIX mode bit + permissions that will always be set on a + file created by Samba. This is done by bitwise 'OR'ing these bits onto + the mode bits of a file that is being created. The default for this parameter is (in octal) + 000. The modes in this parameter are bitwise 'OR'ed onto the file + mode after the mask set in the create mask + parameter is applied. + + The example below would force all newly created files to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'. + + + +create mask +inherit permissions + +0000 +0755 + diff --git a/docs-xml/smbdotconf/security/forcedirectorymode.xml b/docs-xml/smbdotconf/security/forcedirectorymode.xml new file mode 100644 index 0000000..aa8375a --- /dev/null +++ b/docs-xml/smbdotconf/security/forcedirectorymode.xml @@ -0,0 +1,25 @@ + + + This parameter specifies a set of UNIX mode bit + permissions that will always be set on a directory + created by Samba. This is done by bitwise 'OR'ing these bits onto the + mode bits of a directory that is being created. The default for this + parameter is (in octal) 0000 which will not add any extra permission + bits to a created directory. This operation is done after the mode + mask in the parameter directory mask is + applied. + + The example below would force all created directories to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'. + + +0000 +0755 + +directory mask +inherit permissions + diff --git a/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml new file mode 100644 index 0000000..fbd8e16 --- /dev/null +++ b/docs-xml/smbdotconf/security/forcedirectorysecuritymode.xml @@ -0,0 +1,11 @@ + + + + This parameter has been removed for Samba 4.0.0. + + + diff --git a/docs-xml/smbdotconf/security/forcegroup.xml b/docs-xml/smbdotconf/security/forcegroup.xml new file mode 100644 index 0000000..646f550 --- /dev/null +++ b/docs-xml/smbdotconf/security/forcegroup.xml @@ -0,0 +1,40 @@ + +group + + This specifies a UNIX group name that will be + assigned as the default primary group for all users connecting + to this service. This is useful for sharing files by ensuring + that all access to files on service will use the named group for + their permissions checking. Thus, by assigning permissions for this + group to the files and directories within this service the Samba + administrator can restrict or allow sharing of these files. + + In Samba 2.0.5 and above this parameter has extended + functionality in the following way. If the group name listed here + has a '+' character prepended to it then the current user accessing + the share only has the primary group default assigned to this group + if they are already assigned as a member of that group. This allows + an administrator to decide that only users who are already in a + particular group will create files with group ownership set to that + group. This gives a finer granularity of ownership assignment. For + example, the setting force group = +sys means + that only users who are already in group sys will have their default + primary group assigned to sys when accessing this Samba share. All + other users will retain their ordinary primary group. + + + If the parameter is also set the group specified in + force group will override the primary group + set in force user. + + + +force user + + +agroup + diff --git a/docs-xml/smbdotconf/security/forcesecuritymode.xml b/docs-xml/smbdotconf/security/forcesecuritymode.xml new file mode 100644 index 0000000..5a9479e --- /dev/null +++ b/docs-xml/smbdotconf/security/forcesecuritymode.xml @@ -0,0 +1,11 @@ + + + + This parameter has been removed for Samba 4.0.0. + + + diff --git a/docs-xml/smbdotconf/security/forceunknownacluser.xml b/docs-xml/smbdotconf/security/forceunknownacluser.xml new file mode 100644 index 0000000..c5aec53 --- /dev/null +++ b/docs-xml/smbdotconf/security/forceunknownacluser.xml @@ -0,0 +1,27 @@ + + + + + If this parameter is set, a Windows NT ACL that contains an unknown SID (security descriptor, or + representation of a user or group id) as the owner or group owner of the file will be silently + mapped into the current UNIX uid or gid of the currently connected user. + + + + This is designed to allow Windows NT clients to copy files and folders containing ACLs that were + created locally on the client machine and contain users local to that machine only (no domain + users) to be copied to a Samba server (usually with XCOPY /O) and have the unknown userid and + groupid of the file owner map to the current connected user. This can only be fixed correctly + when winbindd allows arbitrary mapping from any Windows NT SID to a UNIX uid or gid. + + + + Try using this parameter when XCOPY /O gives an ACCESS_DENIED error. + + + +no + diff --git a/docs-xml/smbdotconf/security/forceuser.xml b/docs-xml/smbdotconf/security/forceuser.xml new file mode 100644 index 0000000..f3010a9 --- /dev/null +++ b/docs-xml/smbdotconf/security/forceuser.xml @@ -0,0 +1,28 @@ + + + This specifies a UNIX user name that will be + assigned as the default user for all users connecting to this service. + This is useful for sharing files. You should also use it carefully + as using it incorrectly can cause security problems. + + This user name only gets used once a connection is established. + Thus clients still need to connect as a valid user and supply a + valid password. Once connected, all file operations will be performed + as the "forced user", no matter what username the client connected + as. This can be very useful. + + In Samba 2.0.5 and above this parameter also causes the + primary group of the forced user to be used as the primary group + for all file activity. Prior to 2.0.5 the primary group was left + as the primary group of the connecting user (this was a bug). + + + +force group + +auser + diff --git a/docs-xml/smbdotconf/security/guestaccount.xml b/docs-xml/smbdotconf/security/guestaccount.xml new file mode 100644 index 0000000..2914630 --- /dev/null +++ b/docs-xml/smbdotconf/security/guestaccount.xml @@ -0,0 +1,27 @@ + + + This is a username which will be used for access + to services which are specified as (see below). Whatever privileges this + user has will be available to any client connecting to the guest service. + This user must exist in the password file, but does not require + a valid login. The user account "ftp" is often a good choice + for this parameter. + + + On some systems the default guest account "nobody" may not + be able to print. Use another account in this case. You should test + this by trying to log in as your guest user (perhaps by using the + su - command) and trying to print using the + system print command such as lpr(1) or + lp(1). + + This parameter does not accept % macros, because + many parts of the system require this value to be + constant for correct operation. + +nobodydefault can be changed at compile-time +ftp + diff --git a/docs-xml/smbdotconf/security/guestok.xml b/docs-xml/smbdotconf/security/guestok.xml new file mode 100644 index 0000000..390f1c3 --- /dev/null +++ b/docs-xml/smbdotconf/security/guestok.xml @@ -0,0 +1,19 @@ + +public + + If this parameter is yes for + a service, then no password is required to connect to the service. + Privileges will be those of the . + + This parameter nullifies the benefits of setting + 2 + + + See the section below on for more information about this option. + + +no + diff --git a/docs-xml/smbdotconf/security/guestonly.xml b/docs-xml/smbdotconf/security/guestonly.xml new file mode 100644 index 0000000..5660162 --- /dev/null +++ b/docs-xml/smbdotconf/security/guestonly.xml @@ -0,0 +1,15 @@ + +only guest + + If this parameter is yes for + a service, then only guest connections to the service are permitted. + This parameter will have no effect if is not set for the service. + + See the section below on for more information about this option. + + +no + diff --git a/docs-xml/smbdotconf/security/hostsallow.xml b/docs-xml/smbdotconf/security/hostsallow.xml new file mode 100644 index 0000000..8b4b622 --- /dev/null +++ b/docs-xml/smbdotconf/security/hostsallow.xml @@ -0,0 +1,62 @@ + +allow hosts + + A synonym for this parameter is . + + This parameter is a comma, space, or tab delimited + set of hosts which are permitted to access a service. + + If specified in the [global] section then it will + apply to all services, regardless of whether the individual + service has a different setting. + + You can specify the hosts by name or IP number. For + example, you could restrict access to only the hosts on a + Class C subnet with something like allow hosts = 150.203.5.. + The full syntax of the list is described in the man + page hosts_access(5). Note that this man + page may not be present on your system, so a brief description will + be given here also. + + Note that the localhost address 127.0.0.1 will always + be allowed access unless specifically denied by a option. + + You can also specify hosts by network/netmask pairs and + by netgroup names if your system supports netgroups. The + EXCEPT keyword can also be used to limit a + wildcard list. The following examples may provide some help: + +Example 1: allow all IPs in 150.203.*.*; except one + + hosts allow = 150.203. EXCEPT 150.203.6.66 + + Example 2: allow hosts that match the given network/netmask + + hosts allow = 150.203.15.0/255.255.255.0 + + Example 3: allow a couple of hosts + + hosts allow = lapland, arvidsjaur + + Example 4: allow only hosts in NIS netgroup "foonet", but + deny access from one particular host + + hosts allow = @foonet + + hosts deny = pirate + + Note that access still requires suitable user-level passwords. + + See testparm + 1 for a way of testing your host access + to see if it does what you expect. + + + + +150.203.5. myhost.mynet.edu.au +none (i.e., all hosts permitted access) + diff --git a/docs-xml/smbdotconf/security/hostsdeny.xml b/docs-xml/smbdotconf/security/hostsdeny.xml new file mode 100644 index 0000000..cd2f8de --- /dev/null +++ b/docs-xml/smbdotconf/security/hostsdeny.xml @@ -0,0 +1,24 @@ + +deny hosts + + The opposite of hosts allow + - hosts listed here are NOT permitted access to + services unless the specific services have their own lists to override + this one. Where the lists conflict, the allow + list takes precedence. + + + In the event that it is necessary to deny all by default, use the keyword + ALL (or the netmask 0.0.0.0/0) and then explicitly specify + to the hosts allow parameter those hosts + that should be permitted access. + + + +none (i.e., no hosts specifically excluded) + +150.203.4. badhost.mynet.edu.au + diff --git a/docs-xml/smbdotconf/security/inheritacls.xml b/docs-xml/smbdotconf/security/inheritacls.xml new file mode 100644 index 0000000..4f1bf99 --- /dev/null +++ b/docs-xml/smbdotconf/security/inheritacls.xml @@ -0,0 +1,24 @@ + + + This parameter is only relevant for filesystems that + do not support standardized NFS4 ACLs but only a POSIX draft ACL + implementation and which implements default ACLs like most filesystems + on Linux. It can be used to ensure that if default ACLs + exist on parent directories, they are always honored when creating a + new file or subdirectory in these parent directories. The default + behavior is to use the unix mode specified when creating the directory. + Enabling this option sets the unix mode to 0777, thus guaranteeing that + the default directory ACLs are propagated. + + Note that using the VFS modules acl_xattr or acl_tdb which store native + Windows as meta-data will automatically turn this option on for any + share for which they are loaded, as they require this option to emulate + Windows ACLs correctly. + + + +no + diff --git a/docs-xml/smbdotconf/security/inheritowner.xml b/docs-xml/smbdotconf/security/inheritowner.xml new file mode 100644 index 0000000..c081e56 --- /dev/null +++ b/docs-xml/smbdotconf/security/inheritowner.xml @@ -0,0 +1,58 @@ + + + The ownership of new files and directories + is normally governed by effective uid of the connected user. + This option allows the Samba administrator to specify that + the ownership for new files and directories should be controlled + by the ownership of the parent directory. + + Valid options are: + + no - + Both the Windows (SID) owner and the UNIX (uid) owner of the file are + governed by the identity of the user that created the file. + + + windows and unix - + The Windows (SID) owner and the UNIX (uid) owner of new files and + directories are set to the respective owner of the parent directory. + + + yes - a synonym for + windows and unix. + + + unix only - + Only the UNIX owner is set to the UNIX owner of the parent directory. + + + + Common scenarios where this behavior is useful is in + implementing drop-boxes, where users can create and edit files but + not delete them and ensuring that newly created files in a user's + roaming profile directory are actually owned by the user. + + The unix only option effectively + breaks the tie between the Windows owner of a file and the + UNIX owner. As a logical consequence, in this mode, + setting the Windows owner of a file does not modify the UNIX + owner. Using this mode should typically be combined with a + backing store that can emulate the full NT ACL model without + affecting the POSIX permissions, such as the acl_xattr + VFS module, coupled with + yes. + This can be used to emulate folder quotas, when files are + exposed only via SMB (without UNIX extensions). + The UNIX owner of a directory is locally set + and inherited by all subdirectories and files, and they all + consume the same quota. + + +inherit permissions + +no + diff --git a/docs-xml/smbdotconf/security/inheritpermissions.xml b/docs-xml/smbdotconf/security/inheritpermissions.xml new file mode 100644 index 0000000..9dda734 --- /dev/null +++ b/docs-xml/smbdotconf/security/inheritpermissions.xml @@ -0,0 +1,35 @@ + + + + The permissions on new files and directories are normally governed by , + , and but the boolean inherit permissions parameter overrides this. + + + New directories inherit the mode of the parent directory, + including bits such as setgid. + + + New files inherit their read/write bits from the parent directory. Their execute bits continue to be + determined by , and as usual. + + + Note that the setuid bit is never set via + inheritance (the code explicitly prohibits this). + + This can be particularly useful on large systems with + many users, perhaps several thousand, to allow a single [homes] + share to be used flexibly by each user. + + +create mask +directory mask +force create mode +force directory mode + +no + diff --git a/docs-xml/smbdotconf/security/invalidusers.xml b/docs-xml/smbdotconf/security/invalidusers.xml new file mode 100644 index 0000000..b2fb2b9 --- /dev/null +++ b/docs-xml/smbdotconf/security/invalidusers.xml @@ -0,0 +1,34 @@ + + + This is a list of users that should not be allowed + to login to this service. This is really a paranoid + check to absolutely ensure an improper setting does not breach + your security. + + A name starting with a '@' is interpreted as an NIS + netgroup first (if your system supports NIS), and then as a UNIX + group if the name was not found in the NIS netgroup database. + + A name starting with '+' is interpreted only + by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with + '&' is interpreted only by looking in the NIS netgroup database + (this requires NIS to be working on your system). The characters + '+' and '&' may be used at the start of the name in either order + so the value +&group means check the + UNIX group database, followed by the NIS netgroup database, and + the value &+group means check the NIS + netgroup database, followed by the UNIX group database (the + same as the '@' prefix). + + The current servicename is substituted for %S. + This is useful in the [homes] section. + + +valid users + +no invalid users +root fred admin @wheel + diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml new file mode 100644 index 0000000..9846111 --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml @@ -0,0 +1,42 @@ + + + + Set the default value of msDS-SupportedEncryptionTypes for service accounts in Active Directory that are missing this value or where msDS-SupportedEncryptionTypes is set to 0. + + + + This allows Samba administrators to match the configuration flexibility provided by the + HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes Registry Value on Windows. + + + Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed in hexadecimal or as a list of Kerberos encryption type names. + + + Specified values are ORed together bitwise, and those currently supported consist of: + + + arcfour-hmac-md5, rc4-hmac, 0x4, or 4 + Known on Windows as Kerberos RC4 encryption + + + aes128-cts-hmac-sha1-96, aes128-cts, 0x8, or 8 + Known on Windows as Kerberos AES 128 bit encryption + + + aes256-cts-hmac-sha1-96, aes256-cts, 0x10, or 16 + Known on Windows as Kerberos AES 256 bit encryption + + + aes256-cts-hmac-sha1-96-sk, aes256-cts-sk, 0x20, or 32 + Allow AES session keys. When this is set, it indicates to the KDC that AES session keys can be used, even when aes256-cts and aes128-cts are not set. This allows use of AES keys against hosts otherwise only configured with RC4 for ticket keys (which is the default). + + + + + +0maps to what the software supports currently: arcfour-hmac-md5 aes256-cts-hmac-sha1-96-sk + diff --git a/docs-xml/smbdotconf/security/kdcenablefast.xml b/docs-xml/smbdotconf/security/kdcenablefast.xml new file mode 100644 index 0000000..e47ca3b --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcenablefast.xml @@ -0,0 +1,15 @@ + + + With the Samba 4.16 the embedded Heimdal KDC brings + support for RFC6113 FAST, which wasn't available in + older Samba versions. + + This option is mostly for testing and currently only applies + if the embedded Heimdal KDC is used. + + +yes + diff --git a/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml new file mode 100644 index 0000000..1cb46d7 --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml @@ -0,0 +1,24 @@ + + + + RFC8429 declares that + rc4-hmac Kerberos ciphers are weak and + there are known attacks on Active Directory use of this + cipher suite. + + + However for compatibility with Microsoft Windows this option + allows the KDC to assume that regardless of the value set in + a service account's + msDS-SupportedEncryptionTypes attribute + that a rc4-hmac Kerberos session key (as distinct from the ticket key, as + found in a service keytab) can be used if the potentially + older client requests it. + + + +no + diff --git a/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml new file mode 100644 index 0000000..5e028bb --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml @@ -0,0 +1,40 @@ + + + + On an active directory domain controller, this is the list of supported encryption types for local running kdc. + + + + This allows Samba administrators to remove support for weak/unused encryption types, similar + the configuration flexibility provided by the Network security: Configure encryption types allowed for Kerberos + GPO/Local Policies/Security Options Value, which results in the + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes Registry Value on Windows. + + + Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed as hexadecimal or a list of Kerberos encryption type names. + + + Specified values are ORed together bitwise, and those currently supported consist of: + + + arcfour-hmac-md5, rc4-hmac, 0x4, or 4 + Known on Windows as Kerberos RC4 encryption + + + aes128-cts-hmac-sha1-96, aes128-cts, 0x8, or 8 + Known on Windows as Kerberos AES 128 bit encryption + + + aes256-cts-hmac-sha1-96, aes256-cts, 0x10, or 16 + Known on Windows as Kerberos AES 256 bit encryption + + + + + +0maps to what the software supports currently: arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 + diff --git a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml new file mode 100644 index 0000000..a245af5 --- /dev/null +++ b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml @@ -0,0 +1,47 @@ + + + This parameter determines the encryption types to use when operating + as a Kerberos client. Possible values are all, + strong, and legacy. + + + Samba uses a Kerberos library (MIT or Heimdal) to obtain Kerberos + tickets. This library is normally configured outside of Samba, using + the krb5.conf file. This file may also include directives to configure + the encryption types to be used. However, Samba implements Active Directory + protocols and algorithms to locate a domain controller. In order to + force the Kerberos library into using the correct domain controller, + some Samba processes, such as + winbindd + 8 and + net + 8, build a private krb5.conf + file for use by the Kerberos library while being invoked from Samba. + This private file controls all aspects of the Kerberos library operation, + and this parameter controls how the encryption types are configured + within this generated file, and therefore also controls the encryption + types negotiable by Samba. + + + When set to all, all active directory + encryption types are allowed. + + + When set to strong, only AES-based encryption + types are offered. This can be used in hardened environments to prevent + downgrade attacks. + + + When set to legacy, only RC4-HMAC-MD5 + is allowed. AVOID using this option, because of + CVE-2022-37966 see + https://bugzilla.samba.org/show_bug.cgi?id=15237. + + + +all + diff --git a/docs-xml/smbdotconf/security/kerberosmethod.xml b/docs-xml/smbdotconf/security/kerberosmethod.xml new file mode 100644 index 0000000..b7cd988 --- /dev/null +++ b/docs-xml/smbdotconf/security/kerberosmethod.xml @@ -0,0 +1,41 @@ + + + + Controls how kerberos tickets are verified. + + + Valid options are: + + secrets only - use only the secrets.tdb for + ticket verification (default) + + system keytab - use only the system keytab + for ticket verification + + dedicated keytab - use a dedicated keytab + for ticket verification + + secrets and keytab - use the secrets.tdb + first, then the system keytab + + + + The major difference between "system keytab" and "dedicated + keytab" is that the latter method relies on kerberos to find the + correct keytab entry instead of filtering based on expected + principals. + + + + When the kerberos method is in "dedicated keytab" mode, + must be set to + specify the location of the keytab file. + + +dedicated keytab file +default + diff --git a/docs-xml/smbdotconf/security/kpasswdport.xml b/docs-xml/smbdotconf/security/kpasswdport.xml new file mode 100644 index 0000000..71cd337 --- /dev/null +++ b/docs-xml/smbdotconf/security/kpasswdport.xml @@ -0,0 +1,11 @@ + + + Specifies which ports the Kerberos server should listen on for + password changes. + + +464 + diff --git a/docs-xml/smbdotconf/security/krb5port.xml b/docs-xml/smbdotconf/security/krb5port.xml new file mode 100644 index 0000000..06c7988 --- /dev/null +++ b/docs-xml/smbdotconf/security/krb5port.xml @@ -0,0 +1,10 @@ + + + Specifies which port the KDC should listen on for Kerberos traffic. + + +88 + diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml new file mode 100644 index 0000000..045e89d --- /dev/null +++ b/docs-xml/smbdotconf/security/lanmanauth.xml @@ -0,0 +1,55 @@ + + + This parameter has been deprecated since Samba 4.11 and + support for LanMan (as distinct from NTLM, NTLMv2 or + Kerberos authentication) + will be removed in a future Samba release. + That is, in the future, the current default of + lanman auth = no + will be the enforced behaviour. + + This parameter determines whether or not smbd + 8 will attempt to + authenticate users or permit password changes + using the LANMAN password hash. If disabled, only clients which support NT + password hashes (e.g. Windows NT/2000 clients, smbclient, but not + Windows 95/98 or the MS DOS network client) will be able to + connect to the Samba host. + + The LANMAN encrypted response is easily broken, due to its + case-insensitive nature, and the choice of algorithm. Servers + without Windows 95/98/ME or MS DOS clients are advised to disable + this option. + + When this parameter is set to no this + will also result in sambaLMPassword in Samba's passdb being + blanked after the next password change. As a result of that + lanman clients won't be able to authenticate, even if lanman + auth is re-enabled later on. + + + Unlike the encrypt + passwords option, this parameter cannot alter client + behaviour, and the LANMAN response will still be sent over the + network. See the client lanman + auth to disable this for Samba's clients (such as smbclient) + + This parameter is overridden by ntlm + auth, so unless that it is also set to + ntlmv1-permitted or yes, + then only NTLMv2 logins will be permitted and no LM hash will be + stored. All modern clients support NTLMv2, and but some older + clients require special configuration to use it. + + This parameter has no impact on the Samba AD DC, + LM authentication is always disabled and no LM password is ever + stored. + + +no + diff --git a/docs-xml/smbdotconf/security/lognttokencommand.xml b/docs-xml/smbdotconf/security/lognttokencommand.xml new file mode 100644 index 0000000..0ea269e --- /dev/null +++ b/docs-xml/smbdotconf/security/lognttokencommand.xml @@ -0,0 +1,14 @@ + + + This option can be set to a command that will be called when new nt + tokens are created. + + This is only useful for development purposes. + + + + diff --git a/docs-xml/smbdotconf/security/maptoguest.xml b/docs-xml/smbdotconf/security/maptoguest.xml new file mode 100644 index 0000000..c98086a --- /dev/null +++ b/docs-xml/smbdotconf/security/maptoguest.xml @@ -0,0 +1,62 @@ + + + This parameter can take four different values, which tell + smbd + 8 what to do with user + login requests that don't match a valid UNIX user in some way. + + The four settings are : + + + + Never - Means user login + requests with an invalid password are rejected. This is the + default. + + + + Bad User - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the . + + + + Bad Password - Means user logins + with an invalid password are treated as a guest login and mapped + into the . Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + hate you if you set the map to + guest parameter this way :-). + + + Bad Uid - Is only applicable when Samba is configured + in some type of domain mode security (security = {domain|ads}) and means that + user logins which are successfully authenticated but which have no valid Unix + user account (and smbd is unable to create one) should be mapped to the defined + guest account. This was the default behavior of Samba 2.x releases. Note that + if a member server is running winbindd, this option should never be required + because the nss_winbind library will export the Windows domain users and groups + to the underlying OS via the Name Service Switch interface. + + + + Note that this parameter is needed to set up "Guest" + share services. This is because in these modes the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares. + + +Never +Bad User + diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml new file mode 100644 index 0000000..46ae795 --- /dev/null +++ b/docs-xml/smbdotconf/security/mindomainuid.xml @@ -0,0 +1,17 @@ + + + + The integer parameter specifies the minimum uid allowed when mapping a + local account to a domain account. + + + + Note that this option interacts with the configured idmap ranges! + + + +1000 + diff --git a/docs-xml/smbdotconf/security/mitkdccommand.xml b/docs-xml/smbdotconf/security/mitkdccommand.xml new file mode 100644 index 0000000..602f27d --- /dev/null +++ b/docs-xml/smbdotconf/security/mitkdccommand.xml @@ -0,0 +1,15 @@ + + + This option specifies the path to the MIT kdc binary. + + If the KDC is not installed in the default location and wasn't + correctly detected during build then you should modify this variable and + point it to the correct binary. + + +&pathconfig.MITKDCPATH; +/opt/mit/sbin/krb5kdc + diff --git a/docs-xml/smbdotconf/security/nt_hash_store.xml b/docs-xml/smbdotconf/security/nt_hash_store.xml new file mode 100644 index 0000000..d7ed705 --- /dev/null +++ b/docs-xml/smbdotconf/security/nt_hash_store.xml @@ -0,0 +1,70 @@ + + + This parameter determines whether or not samba + 8 will, as an AD DC, attempt to + store the NT password hash used in NTLM and NTLMv2 authentication for + users in this domain. + + If so configured, the Samba Active Directory Domain Controller, + will, except for trust accounts (computers, domain + controllers and inter-domain trusts) the + NOT store the NT hash + for new and changed accounts in the sam.ldb database. + + This avoids the storage of an unsalted hash for these + user-created passwords. As a consequence the + arcfour-hmac-md5 Kerberos key type is + also unavailable in the KDC for these users - thankfully + modern clients will select an AES based key + instead. + + NOTE: As the password history in Active Directory is + stored as an NT hash (and thus unavailable), a workaround is + used, relying instead on Kerberos password hash values. + This stores three passwords, the current, previous and second previous + password. This allows some checking against reuse. + + However as these values are salted, changing the + sAMAccountName, userAccountControl or userPrincipalName of + an account will cause the salt to change. After the rare + combination of both a rename and a password change only the + current password will be recognised for password history + purposes. + + The available settings are: + + + + always - Always store the NT hash + (as machine accounts will also always store an NT hash, + a hash will be stored for all accounts). + + This setting may be useful if ntlm auth is set to disabled + for a trial period + + + + + never - Never store the NT hash + for user accounts, only for machine accounts + + + + auto - Store an NT hash if ntlm auth is not set to disabled. + + + + + + + + +ntlm auth +always + diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml new file mode 100644 index 0000000..7ea38a4 --- /dev/null +++ b/docs-xml/smbdotconf/security/ntlmauth.xml @@ -0,0 +1,87 @@ + + + This parameter determines whether or not smbd + 8 will attempt to + authenticate users using the NTLM encrypted password response for + this local passdb (SAM or account database). + + If disabled, both NTLM and LanMan authentication against the + local passdb is disabled. + + Note that these settings apply only to local users, + authentication will still be forwarded to and NTLM authentication + accepted against any domain we are joined to, and any trusted + domain, even if disabled or if NTLMv2-only is enforced here. To + control NTLM authentication for domain users, this option must + be configured on each DC. + + By default with ntlm auth set to + ntlmv2-only only NTLMv2 logins will be + permitted. All modern clients support NTLMv2 by default, but some older + clients will require special configuration to use it. + + The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x. + + The available settings are: + + + + ntlmv1-permitted + (alias yes) - Allow NTLMv1 and above for all clients. + + This is the required setting to enable the lanman auth parameter. + + + + + ntlmv2-only + (alias no) - Do not allow NTLMv1 to be used, + but permit NTLMv2. + + + + mschapv2-and-ntlmv2-only - Only + allow NTLMv1 when the client promises that it is providing + MSCHAPv2 authentication (such as the ntlm_auth tool). + + + + disabled - Do not accept NTLM (or + LanMan) authentication of any level, nor permit + NTLM password changes. + + WARNING: Both Microsoft Windows + and Samba Read Only Domain Controllers + (RODCs) convert a plain-text LDAP Simple Bind into an NTLMv2 + authentication to forward to a full DC. Setting this option + to disabled will cause these forwarded + authentications to fail. + + Additionally, for Samba acting as an Active Directory + Domain Controller, for user accounts, if nt hash store + is set to the default setting of auto, + the NT hash will not be stored + in the sam.ldb database for new users and after a + password change. + + + + + + The default changed from yes to + no with Samba 4.5. The default changed again + to ntlmv2-only with Samba 4.7, however the + behaviour is unchanged. + + +nt hash store +lanman auth +raw NTLMv2 auth +ntlmv2-only + diff --git a/docs-xml/smbdotconf/security/ntpsigndsocketdirectory.xml b/docs-xml/smbdotconf/security/ntpsigndsocketdirectory.xml new file mode 100644 index 0000000..18d70cf --- /dev/null +++ b/docs-xml/smbdotconf/security/ntpsigndsocketdirectory.xml @@ -0,0 +1,16 @@ + + + This setting controls the location of the socket that + the NTP daemon uses to communicate with Samba for + signing packets. + + If a non-default path is specified here, then it is also necessary + to make NTP aware of the new path using the ntpsigndsocket + directive in ntp.conf. + + +&pathconfig.NTP_SIGND_SOCKET_DIR; + diff --git a/docs-xml/smbdotconf/security/nullpasswords.xml b/docs-xml/smbdotconf/security/nullpasswords.xml new file mode 100644 index 0000000..49533f6 --- /dev/null +++ b/docs-xml/smbdotconf/security/nullpasswords.xml @@ -0,0 +1,14 @@ + + + Allow or disallow client access to accounts that have null passwords. + + See also smbpasswd + 5. + + +no + diff --git a/docs-xml/smbdotconf/security/obeypamrestrictions.xml b/docs-xml/smbdotconf/security/obeypamrestrictions.xml new file mode 100644 index 0000000..92708ef --- /dev/null +++ b/docs-xml/smbdotconf/security/obeypamrestrictions.xml @@ -0,0 +1,19 @@ + + + When Samba 3.0 is configured to enable PAM support + (i.e. --with-pam), this parameter will control whether or not Samba + should obey PAM's account and session management directives. The + default behavior is to use PAM for clear text authentication only + and to ignore any account or session management. Note that Samba + always ignores PAM for authentication in the case of yes. The reason + is that PAM modules cannot support the challenge/response + authentication mechanism needed in the presence of SMB password encryption. + + + +no + diff --git a/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml b/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml new file mode 100644 index 0000000..78d6ff1 --- /dev/null +++ b/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml @@ -0,0 +1,12 @@ + + + Number of minutes to permit an NTLM login after a password change or reset using the old password. This allows the user to re-cache the new password on multiple clients without disrupting a network reconnection in the meantime. + + This parameter only applies when is set to Active Directory Domain Controller. + + +60 + diff --git a/docs-xml/smbdotconf/security/pampasswordchange.xml b/docs-xml/smbdotconf/security/pampasswordchange.xml new file mode 100644 index 0000000..92ab4ad --- /dev/null +++ b/docs-xml/smbdotconf/security/pampasswordchange.xml @@ -0,0 +1,16 @@ + + + With the addition of better PAM support in Samba 2.2, + this parameter, it is possible to use PAM's password change control + flag for Samba. If enabled, then PAM will be used for password + changes when requested by an SMB client instead of the program listed in + . + It should be possible to enable this without changing your + parameter for most setups. + + +no + diff --git a/docs-xml/smbdotconf/security/passdbbackend.xml b/docs-xml/smbdotconf/security/passdbbackend.xml new file mode 100644 index 0000000..8265b3e --- /dev/null +++ b/docs-xml/smbdotconf/security/passdbbackend.xml @@ -0,0 +1,65 @@ + + + + This option allows the administrator to chose which backend + will be used for storing user and possibly group information. This allows + you to swap between different storage mechanisms without recompile. + + The parameter value is divided into two parts, the backend's name, and a 'location' + string that has meaning only to that particular backed. These are separated + by a : character. + + Available backends can include: + + + smbpasswd - The old plaintext passdb + backend. Some Samba features will not work if this passdb + backend is used. Takes a path to the smbpasswd file as an + optional argument. + + + + + tdbsam - The TDB based password storage + backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb + in the directory. + + + + ldapsam - The LDAP based passdb + backend. Takes an LDAP URL as an optional argument (defaults to + ldap://localhost) + + LDAP connections should be secured where possible. This may be done using either + Start-TLS (see ) or by + specifying ldaps:// in + the URL argument. + + Multiple servers may also be specified in double-quotes. + Whether multiple servers are supported or not and the exact + syntax depends on the LDAP library you use. + + + + + + + Examples of use are: + +passdb backend = tdbsam:/etc/samba/private/passdb.tdb + +or multi server LDAP URL with OpenLDAP library: + +passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com" + +or multi server LDAP URL with Netscape based LDAP library: + +passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com" + + + +tdbsam + diff --git a/docs-xml/smbdotconf/security/passdbexpandexplicit.xml b/docs-xml/smbdotconf/security/passdbexpandexplicit.xml new file mode 100644 index 0000000..41c8ea0 --- /dev/null +++ b/docs-xml/smbdotconf/security/passdbexpandexplicit.xml @@ -0,0 +1,14 @@ + + + + This parameter controls whether Samba substitutes %-macros in the passdb fields if they are explicitly set. We + used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable + %G_osver% in which %G would have been substituted by the user's primary group. + + + +no + diff --git a/docs-xml/smbdotconf/security/passwdchat.xml b/docs-xml/smbdotconf/security/passwdchat.xml new file mode 100644 index 0000000..a04fc62 --- /dev/null +++ b/docs-xml/smbdotconf/security/passwdchat.xml @@ -0,0 +1,57 @@ + + + This string controls the "chat" + conversation that takes places between smbd + 8 and the local password changing + program to change the user's password. The string describes a + sequence of response-receive pairs that smbd + 8 uses to determine what to send to the + and what to expect back. If the expected output is not + received then the password is not changed. + + This chat sequence is often quite site specific, depending + on what local methods are used for password control. + + Note that this parameter only is used if the parameter is set to yes. This sequence is + then called AS ROOT when the SMB password in the + smbpasswd file is being changed, without access to the old password + cleartext. This means that root must be able to reset the user's password without + knowing the text of the previous password. + + + The string can contain the macro %n which is substituted + for the new password. The old password (%o) is only available when + has been disabled. + The chat sequence can also contain the standard macros + \n, \r, \t and \s to give line-feed, carriage-return, tab + and space. The chat sequence string can also contain + a '*' which matches any sequence of characters. Double quotes can + be used to collect strings with spaces in them into a single + string. + + If the send string in any part of the chat sequence is a full + stop ".", then no string is sent. Similarly, if the + expect string is a full stop then no string is expected. + + If the parameter is set to yes, the + chat pairs may be matched in any order, and success is determined by the PAM result, not any particular + output. The \n macro is ignored for PAM conversions. + + + + +unix password sync +passwd program +passwd chat debug +pam password change + +*new*password* %n\n *new*password* %n\n *changed* +"*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*" + diff --git a/docs-xml/smbdotconf/security/passwdchatdebug.xml b/docs-xml/smbdotconf/security/passwdchatdebug.xml new file mode 100644 index 0000000..0c3481e --- /dev/null +++ b/docs-xml/smbdotconf/security/passwdchatdebug.xml @@ -0,0 +1,26 @@ + + + This boolean specifies if the passwd chat script + parameter is run in debug mode. In this mode the + strings passed to and received from the passwd chat are printed + in the smbd + 8 log with a + + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the smbd log. It is available to help + Samba admins debug their passwd chat scripts + when calling the passwd program and should + be turned off after this has been done. This option has no effect if the + + parameter is set. This parameter is off by default. + + +passwd chat +pam password change +passwd program + +no + diff --git a/docs-xml/smbdotconf/security/passwdchattimeout.xml b/docs-xml/smbdotconf/security/passwdchattimeout.xml new file mode 100644 index 0000000..74e8688 --- /dev/null +++ b/docs-xml/smbdotconf/security/passwdchattimeout.xml @@ -0,0 +1,13 @@ + + + This integer specifies the number of seconds smbd will wait for an initial + answer from a passwd chat script being run. Once the initial answer is received + the subsequent answers must be received in one tenth of this time. The default it + two seconds. + + +2 + diff --git a/docs-xml/smbdotconf/security/passwdprogram.xml b/docs-xml/smbdotconf/security/passwdprogram.xml new file mode 100644 index 0000000..e12cc8e --- /dev/null +++ b/docs-xml/smbdotconf/security/passwdprogram.xml @@ -0,0 +1,37 @@ + + + The name of a program that can be used to set + UNIX user passwords. Any occurrences of %u + will be replaced with the user name. The user name is checked for + existence before calling the password changing program. + + Also note that many passwd programs insist in reasonable + passwords, such as a minimum length, or the inclusion + of mixed case chars and digits. This can pose a problem as some clients + (such as Windows for Workgroups) uppercase the password before sending + it. + + Note that if the unix + password sync parameter is set to yes + then this program is called AS ROOT + before the SMB password in the smbpasswd + file is changed. If this UNIX password change fails, then + smbd will fail to change the SMB password also + (this is by design). + + If the unix password sync parameter + is set this parameter MUST USE ABSOLUTE PATHS + for ALL programs called, and must be examined + for security implications. Note that by default unix + password sync is set to no. + + + unix password symc + + +/bin/passwd %u + diff --git a/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml b/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml new file mode 100644 index 0000000..e53cdbe --- /dev/null +++ b/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml @@ -0,0 +1,45 @@ + + + If samba is running as an + active directory domain controller, it is possible to store the + cleartext password of accounts in a PGP/OpenGPG encrypted form. + + You can specify one or more recipients by key id or user id. + Note that 32bit key ids are not allowed, specify at least 64bit. + + The value is stored as 'Primary:SambaGPG' in the + supplementalCredentials attribute. + + As password changes can occur on any domain controller, + you should configure this on each of them. Note that this feature is currently + available only on Samba domain controllers. + + This option is only available if samba + was compiled with gpgme support. + + You may need to export the GNUPGHOME + environment variable before starting samba. + It is strongly recommended to only store the public key in this + location. The private key is not used for encryption and should be + only stored where decryption is required. + + Being able to restore the cleartext password helps, when they need to be imported + into other authentication systems later (see samba-tool user getpassword) + or you want to keep the passwords in sync with another system, e.g. an OpenLDAP server + (see samba-tool user syncpasswords). + + While this option needs to be configured on all domain controllers, the + samba-tool user syncpasswords command should + run on a single domain controller only (typically the PDC-emulator). + + +unix password sync + + +4952E40301FAB41A +selftest@samba.example.com +selftest@samba.example.com, 4952E40301FAB41A + diff --git a/docs-xml/smbdotconf/security/passwordhashuserpasswordschemes.xml b/docs-xml/smbdotconf/security/passwordhashuserpasswordschemes.xml new file mode 100644 index 0000000..18a43f9 --- /dev/null +++ b/docs-xml/smbdotconf/security/passwordhashuserpasswordschemes.xml @@ -0,0 +1,67 @@ + + + +This parameter determines whether or not +samba +8 acting as an Active +Directory Domain Controller will attempt to store additional +passwords hash types for the user + +The values are stored as 'Primary:userPassword' in the +supplementalCredentials +attribute. The value of this option is a hash type. + +The currently supported hash types are: + + + CryptSHA256 + + + CryptSHA512 + + + +Multiple instances of a hash type may be computed and stored. +The password hashes are calculated using the +crypt +3 call. +The number of rounds used to compute the hash can be specified by adding +':rounds=xxxx' to the hash type, i.e. CryptSHA512:rounds=4500 would calculate +an SHA512 hash using 4500 rounds. If not specified the Operating System +defaults for +crypt +3 are used. + + +As password changes can occur on any domain controller, +you should configure this on each of them. Note that this feature is +currently available only on Samba domain controllers. + +Currently the NT Hash of the password is recorded when these hashes +are calculated and stored. When retrieving the hashes the current value of the +NT Hash is checked against the stored NT Hash. This detects password changes +that have not updated the password hashes. In this case +samba-tool user will ignore the stored +hash values. + + +Being able to obtain the hashed password helps, when +they need to be imported into other authentication systems +later (see samba-tool user +getpassword) or you want to keep the passwords in +sync with another system, e.g. an OpenLDAP server (see +samba-tool user +syncpasswords). + +unix password sync + + + + +CryptSHA256 +CryptSHA256 CryptSHA512 +CryptSHA256:rounds=5000 CryptSHA512:rounds=7000 + diff --git a/docs-xml/smbdotconf/security/passwordserver.xml b/docs-xml/smbdotconf/security/passwordserver.xml new file mode 100644 index 0000000..8bc2ecb --- /dev/null +++ b/docs-xml/smbdotconf/security/passwordserver.xml @@ -0,0 +1,46 @@ + + + By specifying the name of a domain controller with this option, + and using security = [ads|domain] + it is possible to get Samba + to do all its username/password validation using a specific remote server. + + Ideally, this option + should not be used, as the default '*' indicates to Samba + to determine the best DC to contact dynamically, just as all other hosts in an + AD domain do. This allows the domain to be maintained (addition + and removal of domain controllers) without modification to + the smb.conf file. The cryptographic protection on the authenticated RPC calls + used to verify passwords ensures that this default is safe. + + It is strongly recommended that you use the + default of '*', however if in your particular + environment you have reason to specify a particular DC list, then + the list of machines in this option must be a list of names or IP + addresses of Domain controllers for the Domain. If you use the + default of '*', or list several hosts in the password server option then smbd will try each in turn till it + finds one that responds. This is useful in case your primary + server goes down. + + If the list of servers contains both names/IP's and the '*' + character, the list is treated as a list of preferred + domain controllers, but an auto lookup of all remaining DC's + will be added to the list as well. Samba will not attempt to optimize + this list by locating the closest DC. + + If parameter is a name, it is looked up using the + parameter and so may resolved + by any method and order described in that parameter. + + + +security +* +NT-PDC, NT-BDC1, NT-BDC2, * +windc.mydomain.com:389 192.168.1.101 * + diff --git a/docs-xml/smbdotconf/security/preloadmodules.xml b/docs-xml/smbdotconf/security/preloadmodules.xml new file mode 100644 index 0000000..7b77674 --- /dev/null +++ b/docs-xml/smbdotconf/security/preloadmodules.xml @@ -0,0 +1,13 @@ + + + This is a list of paths to modules that should + be loaded into smbd before a client connects. This improves + the speed of smbd when reacting to new connections somewhat. + + + +/usr/lib/samba/passdb/mysql.so + diff --git a/docs-xml/smbdotconf/security/privatedir.xml b/docs-xml/smbdotconf/security/privatedir.xml new file mode 100644 index 0000000..9abcb7e --- /dev/null +++ b/docs-xml/smbdotconf/security/privatedir.xml @@ -0,0 +1,14 @@ + +private directory + + This parameters defines the directory + smbd will use for storing such files as smbpasswd + and secrets.tdb. + + + +&pathconfig.PRIVATE_DIR; + diff --git a/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/docs-xml/smbdotconf/security/rawntlmv2auth.xml new file mode 100644 index 0000000..c4d7554 --- /dev/null +++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml @@ -0,0 +1,27 @@ + + + This parameter has been deprecated since Samba 4.13 and + support for NTLMv2 authentication without NTLMSSP will be removed + in a future Samba release. + That is, in the future, the current default of + raw NTLMv2 auth = no + will be the enforced behaviour. + + This parameter determines whether or not smbd + 8 will allow SMB1 clients without + extended security (without SPNEGO) to use NTLMv2 authentication. + + If this option, lanman auth + and ntlm auth are all disabled, + then only clients with SPNEGO support will be permitted. + That means NTLMv2 is only supported within NTLMSSP. + + +lanman auth +ntlm auth +no + diff --git a/docs-xml/smbdotconf/security/readlist.xml b/docs-xml/smbdotconf/security/readlist.xml new file mode 100644 index 0000000..96f3746 --- /dev/null +++ b/docs-xml/smbdotconf/security/readlist.xml @@ -0,0 +1,18 @@ + + + + This is a list of users that are given read-only access to a service. If the connecting user is in this list + then they will not be given write access, no matter what the option is set + to. The list can include group names using the syntax described in the + parameter. + + +write list +invalid users + + +mary, @students + diff --git a/docs-xml/smbdotconf/security/readonly.xml b/docs-xml/smbdotconf/security/readonly.xml new file mode 100644 index 0000000..834633f --- /dev/null +++ b/docs-xml/smbdotconf/security/readonly.xml @@ -0,0 +1,18 @@ + + + An inverted synonym is . + + If this parameter is yes, then users + of a service may not create or modify files in the service's + directory. + + Note that a printable service (printable = yes) + will ALWAYS allow writing to the directory + (user privileges permitting), but only via spooling operations. + + +yes + diff --git a/docs-xml/smbdotconf/security/renameuserscript.xml b/docs-xml/smbdotconf/security/renameuserscript.xml new file mode 100644 index 0000000..2bfbea4 --- /dev/null +++ b/docs-xml/smbdotconf/security/renameuserscript.xml @@ -0,0 +1,33 @@ + + + + This is the full pathname to a script that will be run as root by smbd + 8 under special circumstances described below. + + + + When a user with admin authority or SeAddUserPrivilege rights renames a user (e.g.: from the NT4 User Manager + for Domains), this script will be run to rename the POSIX user. Two variables, %uold and + %unew, will be substituted with the old and new usernames, respectively. The script should + return 0 upon successful completion, and nonzero otherwise. + + + + The script has all responsibility to rename all the necessary data that is accessible in this posix method. + This can mean different requirements for different backends. The tdbsam and smbpasswd backends will take care + of the contents of their respective files, so the script is responsible only for changing the POSIX username, and + other data that may required for your circumstances, such as home directory. Please also consider whether or + not you need to rename the actual home directories themselves. The ldapsam backend will not make any changes, + because of the potential issues with renaming the LDAP naming attribute. In this case the script is + responsible for changing the attribute that samba uses (uid) for locating users, as well as any data that + needs to change for other applications using the same directory. + + + + + + diff --git a/docs-xml/smbdotconf/security/restrictanonymous.xml b/docs-xml/smbdotconf/security/restrictanonymous.xml new file mode 100644 index 0000000..06abe7b --- /dev/null +++ b/docs-xml/smbdotconf/security/restrictanonymous.xml @@ -0,0 +1,38 @@ + + + + The setting of this parameter determines whether SAMR and LSA + DCERPC services can be accessed anonymously. This corresponds + to the following Windows Server registry options: + + + + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous + + + + The option also affects the browse option which is required by + legacy clients which rely on Netbios browsing. While modern + Windows version should be fine with restricting the access + there could still be applications relying on anonymous access. + + + + Setting 1 + will disable anonymous SAMR access. + + + + Setting 2 + will, in addition to restricting SAMR access, disallow anonymous + connections to the IPC$ share in general. + Setting yes on any share + will remove the security advantage. + + + +0 + diff --git a/docs-xml/smbdotconf/security/rootdirectory.xml b/docs-xml/smbdotconf/security/rootdirectory.xml new file mode 100644 index 0000000..0eb7c15 --- /dev/null +++ b/docs-xml/smbdotconf/security/rootdirectory.xml @@ -0,0 +1,35 @@ + +root +root dir + + The server will chroot() (i.e. + Change its root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the + parameter). + + + Adding a root directory entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the root directory + option, including some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the root directory tree. In particular + you will need to mirror /etc/passwd (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent. + + + +/homes/smb + diff --git a/docs-xml/smbdotconf/security/sambakcccommand.xml b/docs-xml/smbdotconf/security/sambakcccommand.xml new file mode 100644 index 0000000..af8a28a --- /dev/null +++ b/docs-xml/smbdotconf/security/sambakcccommand.xml @@ -0,0 +1,18 @@ + + + This option specifies the path to the Samba KCC command. + This script is used for replication topology replication. + + + It should not be necessary to modify this option except + for testing purposes or if the samba_kcc + was installed in a non-default location. + + + +&pathconfig.SCRIPTSBINDIR;/samba_kcc +/usr/local/bin/kcc + diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml new file mode 100644 index 0000000..be2e9fd --- /dev/null +++ b/docs-xml/smbdotconf/security/security.xml @@ -0,0 +1,105 @@ + + + /(yes|true)/ + + + This option affects how clients respond to + Samba and is one of the most important settings in the + smb.conf file. + + Unless is specified, + the default is security = user, as this is + the most common setting, used for a standalone file server or a DC. + + The alternatives to security = user are + security = ads or security = domain + , which support joining Samba to a Windows domain + + You should use security = user and + if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. + + The different settings will now be explained. + + + SECURITY = AUTO + + This is the default security setting in Samba, and causes Samba to consult + the parameter (if set) to determine the security mode. + + SECURITY = USER + + If is not specified, this is the default security setting in Samba. + With user-level security a client must first "log-on" with a + valid username and password (which can be mapped using the + parameter). Encrypted passwords (see the parameter) can also + be used in this security mode. Parameters such as and if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the . + See the parameter for details on doing this. + + SECURITY = DOMAIN + + This mode will only work correctly if net + 8 has been used to add this + machine into a Windows NT Domain. It expects the + parameter to be set to yes. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do. + + Note that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to. + + Note that from the client's point + of view security = domain is the same + as security = user. It only + affects how the server deals with the authentication, + it does not in any way affect what the client sees. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the . + See the parameter for details on doing this. + + See also the parameter and + the parameter. + + SECURITY = ADS + + In this mode, Samba will act as a domain member in an ADS realm. To operate + in this mode, the machine running Samba will need to have Kerberos installed + and configured and Samba will need to be joined to the ADS realm using the + net utility. + + Note that this mode does NOT make Samba operate as a Active Directory Domain + Controller. + + Note that this forces yes + and yes for the primary domain. + + Read the chapter about Domain Membership in the HOWTO for details. + + +realm +encrypt passwords + +AUTO +DOMAIN + diff --git a/docs-xml/smbdotconf/security/securitymask.xml b/docs-xml/smbdotconf/security/securitymask.xml new file mode 100644 index 0000000..e535d32 --- /dev/null +++ b/docs-xml/smbdotconf/security/securitymask.xml @@ -0,0 +1,11 @@ + + + + This parameter has been removed for Samba 4.0.0. + + + diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml new file mode 100644 index 0000000..4ea4e47 --- /dev/null +++ b/docs-xml/smbdotconf/security/serverrole.xml @@ -0,0 +1,96 @@ + + + This option determines the basic operating mode of a Samba + server and is one of the most important settings in the smb.conf file. + + The default is server role = auto, as causes + Samba to operate according to the setting, or if not + specified as a simple file server that is not connected to any domain. + + The alternatives are + server role = standalone or server role = member server + , which support joining Samba to a Windows domain, along with server role = domain controller, which run Samba as a Windows domain controller. + + You should use server role = standalone and + if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. + + SERVER ROLE = AUTO + + This is the default server role in Samba, and causes Samba to consult + the parameter (if set) to determine the server role, giving compatible behaviours to previous Samba versions. + + SERVER ROLE = STANDALONE + + If is also not specified, this is the default security setting in Samba. + In standalone operation, a client must first "log-on" with a + valid username and password (which can be mapped using the + parameter) stored on this machine. Encrypted passwords (see the parameter) are by default + used in this security mode. Parameters such as and if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated. + + SERVER ROLE = MEMBER SERVER + + This mode will only work correctly if net + 8 has been used to add this + machine into a Windows Domain. It expects the + parameter to be set to yes. In this + mode Samba will try to validate the username/password by passing + it to a Windows or Samba Domain Controller, in exactly + the same way that a Windows Server would do. + + Note that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to. Winbind can provide this. + + SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER + + This mode of operation runs a classic Samba primary domain + controller, providing domain logon services to Windows and Samba + clients of an NT4-like domain. Clients must be joined to the domain to + create a secure, trusted path across the network. There must be + only one PDC per NetBIOS scope (typically a broadcast network or + clients served by a single WINS server). + + SERVER ROLE = CLASSIC BACKUP DOMAIN CONTROLLER + + This mode of operation runs a classic Samba backup domain + controller, providing domain logon services to Windows and Samba + clients of an NT4-like domain. As a BDC, this allows + multiple Samba servers to provide redundant logon services to a + single NetBIOS scope. + + SERVER ROLE = ACTIVE DIRECTORY DOMAIN CONTROLLER + + This mode of operation runs Samba as an active directory + domain controller, providing domain logon services to Windows and + Samba clients of the domain. This role requires special + configuration, see the Samba4 + HOWTO + + SERVER ROLE = IPA DOMAIN CONTROLLER + + This mode of operation runs Samba in a hybrid mode for IPA + domain controller, providing forest trust to Active Directory. + This role requires special configuration performed by IPA installers + and should not be used manually by any administrator. + + + +security +realm +encrypt passwords + +AUTO +ACTIVE DIRECTORY DOMAIN CONTROLLER + diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml new file mode 100644 index 0000000..5c69f0f --- /dev/null +++ b/docs-xml/smbdotconf/security/serverschannel.xml @@ -0,0 +1,102 @@ + + + + + This option is deprecated and will be removed in future, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in future). + + + Avoid using this option! Use explicit 'no' instead! + + + + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + 'no' option + for the client. The message will indicate + the explicit 'no' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + + + This allows admins to use "auto" only for a short grace period, + in order to collect the explicit + 'no' options. + + + + See CVE-2020-1472(ZeroLogon), + https://bugzilla.samba.org/show_bug.cgi?id=14497. + + + This option is over-ridden by the option. + + This option is over-ridden by the effective value of 'yes' from + the '' + and/or '' options. + + + +yes + + + + + + If you still have legacy domain members, which required "server schannel = auto" before, + it is possible to specify explicit exception per computer account + by using 'server require schannel:COMPUTERACCOUNT = no' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + + + + Samba will complain in the log files at log level 0, + about the security problem if the option is not set to "no", + but the related computer is actually using the netlogon + secure channel (schannel) feature. + (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + + + Samba will warn in the log files at log level 5, + if a setting is still needed for the specified computer account. + + + + See CVE-2020-1472(ZeroLogon), + https://bugzilla.samba.org/show_bug.cgi?id=14497. + + + This option overrides the option. + + This option is over-ridden by the effective value of 'yes' from + the '' + and/or '' options. + Which means 'no' + is only useful in combination with 'no' + + + server require schannel:LEGACYCOMPUTER1$ = no + server require schannel seal:LEGACYCOMPUTER1$ = no + server require schannel:NASBOX$ = no + server require schannel seal:NASBOX$ = no + server require schannel:LEGACYCOMPUTER2$ = no + server require schannel seal:LEGACYCOMPUTER2$ = no + + + + diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml new file mode 100644 index 0000000..0bec67d --- /dev/null +++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml @@ -0,0 +1,117 @@ + + + + + This option is deprecated and will be removed in future, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in future). + + + + This option controls whether the netlogon server, will reject the usage + of netlogon secure channel without privacy/enryption. + + + + The option is modelled after the registry key available on Windows. + + + + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2 + + + + Avoid using this option! Use the per computer account specific option + '' instead! + Which is available with the patches for + CVE-2022-38023 + see https://bugzilla.samba.org/show_bug.cgi?id=15240. + + + + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + 'no' option + for the client. The message will indicate + the explicit 'no' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + + This allows admins to use "no" only for a short grace period, + in order to collect the explicit + 'no' options. + + + When set to 'yes' this option overrides the + '' and + '' options and implies + 'yes'. + + + + This option is over-ridden by the option. + + + + +yes + + + + + + + If you still have legacy domain members, which required "server schannel require seal = no" before, + it is possible to specify explicit exception per computer account + by using 'server schannel require seal:COMPUTERACCOUNT = no' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + + + + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "no", + but the related computer does not require it. + (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + + + Samba will warn in the log files at log level 5, + if a setting is still needed for the specified computer account. + + + + See CVE-2022-38023, + https://bugzilla.samba.org/show_bug.cgi?id=15240. + + + + This option overrides the '' option. + + + + When set to 'yes' this option overrides the + '' and + '' options and implies + 'yes'. + + + + server require schannel seal:LEGACYCOMPUTER1$ = no + server require schannel seal:NASBOX$ = no + server require schannel seal:LEGACYCOMPUTER2$ = no + + + + diff --git a/docs-xml/smbdotconf/security/serversigning.xml b/docs-xml/smbdotconf/security/serversigning.xml new file mode 100644 index 0000000..0b7755a --- /dev/null +++ b/docs-xml/smbdotconf/security/serversigning.xml @@ -0,0 +1,29 @@ + + + + This controls whether the client is allowed or required to use SMB1 and SMB2 signing. Possible values + are default, auto, mandatory + and disabled. + + + By default, and when smb signing is set to + default, smb signing is required when + is active directory + domain controller and disabled otherwise. + + When set to auto, SMB1 signing is offered, but not enforced. + When set to mandatory, SMB1 signing is required and if set + to disabled, SMB signing is not offered either. + + For the SMB2 protocol, by design, signing cannot be disabled. In the case + where SMB2 is negotiated, if this parameter is set to disabled, + it will be treated as auto. Setting it to mandatory + will still require SMB2 clients to use signing. + + +default + diff --git a/docs-xml/smbdotconf/security/serversmbencrypt.xml b/docs-xml/smbdotconf/security/serversmbencrypt.xml new file mode 100644 index 0000000..5f38b46 --- /dev/null +++ b/docs-xml/smbdotconf/security/serversmbencrypt.xml @@ -0,0 +1,241 @@ + + + + This parameter controls whether a remote client is allowed or required + to use SMB encryption. It has different effects depending on whether + the connection uses SMB1 or SMB2 and newer: + + + + + + If the connection uses SMB1, then this option controls the use + of a Samba-specific extension to the SMB protocol introduced in + Samba 3.2 that makes use of the Unix extensions. + + + + + + If the connection uses SMB2 or newer, then this option controls + the use of the SMB-level encryption that is supported in SMB + version 3.0 and above and available in Windows 8 and newer. + + + + + + This parameter can be set globally and on a per-share bases. + Possible values are + + off, + if_required, + desired, + and + required. + A special value is default which is + the implicit default setting of if_required. + + + + + Effects for SMB1 + + + The Samba-specific encryption of SMB1 connections is an + extension to the SMB protocol negotiated as part of the UNIX + extensions. SMB encryption uses the GSSAPI (SSPI on Windows) + ability to encrypt and sign every request/response in a SMB + protocol stream. When enabled it provides a secure method of + SMB/CIFS communication, similar to an ssh protected session, but + using SMB/CIFS authentication to negotiate encryption and + signing keys. Currently this is only supported smbclient of by + Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X + clients. Windows clients do not support this feature. + + + This may be set on a per-share + basis, but clients may chose to encrypt the entire session, not + just traffic to a specific share. If this is set to mandatory + then all traffic to a share must + be encrypted once the connection has been made to the share. + The server would return "access denied" to all non-encrypted + requests on such a share. Selecting encrypted traffic reduces + throughput as smaller packet sizes must be used (no huge UNIX + style read/writes allowed) as well as the overhead of encrypting + and signing all the data. + + + + If SMB encryption is selected, Windows style SMB signing (see + the option) is no longer + necessary, as the GSSAPI flags use select both signing and + sealing of the data. + + + + When set to auto or default, SMB encryption is offered, but not + enforced. When set to mandatory, SMB encryption is required and + if set to disabled, SMB encryption can not be negotiated. + + + + + + Effects for SMB2 and newer + + + Native SMB transport encryption is available in SMB version 3.0 + or newer. It is only offered by Samba if + server max protocol is set to + SMB3 or newer. + Clients supporting this type of encryption include + Windows 8 and newer, + Windows server 2012 and newer, + and smbclient of Samba 4.1 and newer. + + + + The protocol implementation offers various options: + + + + + + The capability to perform SMB encryption can be + negotiated during protocol negotiation. + + + + + + Data encryption can be enabled globally. In that case, + an encryption-capable connection will have all traffic + in all its sessions encrypted. In particular all share + connections will be encrypted. + + + + + + Data encryption can also be enabled per share if not + enabled globally. For an encryption-capable connection, + all connections to an encryption-enabled share will be + encrypted. + + + + + + Encryption can be enforced. This means that session + setups will be denied on non-encryption-capable + connections if data encryption has been enabled + globally. And tree connections will be denied for + non-encryption capable connections to shares with data + encryption enabled. + + + + + + These features can be controlled with settings of + server smb encrypt as follows: + + + + + + Leaving it as default, explicitly setting + default, or setting it to + if_required globally will enable + negotiation of encryption but will not turn on + data encryption globally or per share. + + + + + + Setting it to desired globally + will enable negotiation and will turn on data encryption + on sessions and share connections for those clients + that support it. + + + + + + Setting it to required globally + will enable negotiation and turn on data encryption + on sessions and share connections. Clients that do + not support encryption will be denied access to the + server. + + + + + + Setting it to off globally will + completely disable the encryption feature for all + connections. Setting server smb encrypt = + required for individual shares (while it's + globally off) will deny access to this shares for all + clients. + + + + + + Setting it to desired on a share + will turn on data encryption for this share for clients + that support encryption if negotiation has been + enabled globally. + + + + + + Setting it to required on a share + will enforce data encryption for this share if + negotiation has been enabled globally. I.e. clients that + do not support encryption will be denied access to the + share. + + + Note that this allows per-share enforcing to be + controlled in Samba differently from Windows: + In Windows, RejectUnencryptedAccess + is a global setting, and if it is set, all shares with + data encryption turned on + are automatically enforcing encryption. In order to + achieve the same effect in Samba, one + has to globally set server smb encrypt to + if_required, and then set all shares + that should be encrypted to + required. + Additionally, it is possible in Samba to have some + shares with encryption required + and some other shares with encryption only + desired, which is not possible in + Windows. + + + + + + Setting it to off or + if_required for a share has + no effect. + + + + + + + + +default + diff --git a/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml new file mode 100644 index 0000000..2dd2db9 --- /dev/null +++ b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml @@ -0,0 +1,21 @@ + + + This parameter specifies the availability and order of + encryption algorithms which are available for negotiation in the SMB3_11 dialect. + + It is also possible to remove individual algorithms from the default list, + by prefixing them with '-'. This can avoid having to specify a hardcoded list. + + Note: that the removal of AES-128-CCM from the list will result + in SMB3_00 and SMB3_02 being unavailable, as it is the default and only + available algorithm for these dialects. + + + +AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM +AES-256-GCM +-AES-128-GCM -AES-128-CCM + diff --git a/docs-xml/smbdotconf/security/serversmbsigningalgos.xml b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml new file mode 100644 index 0000000..7884e60 --- /dev/null +++ b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml @@ -0,0 +1,22 @@ + + + This parameter specifies the availability and order of + signing algorithms which are available for negotiation in the SMB3_11 dialect. + + It is also possible to remove individual algorithms from the default list, + by prefixing them with '-'. This can avoid having to specify a hardcoded list. + + Note: that the removal of AES-128-CMAC from the list will result + in SMB3_00 and SMB3_02 being unavailable, and the removal of HMAC-SHA256 + will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only + available algorithms for these dialects. + + + +AES-128-GMAC, AES-128-CMAC, HMAC-SHA256 +AES-128-CMAC, HMAC-SHA256 +-AES-128-CMAC + diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml new file mode 100644 index 0000000..6027120 --- /dev/null +++ b/docs-xml/smbdotconf/security/smbencrypt.xml @@ -0,0 +1,15 @@ + + + + This is a synonym for . + + + +default + diff --git a/docs-xml/smbdotconf/security/smbpasswdfile.xml b/docs-xml/smbdotconf/security/smbpasswdfile.xml new file mode 100644 index 0000000..fab7037 --- /dev/null +++ b/docs-xml/smbdotconf/security/smbpasswdfile.xml @@ -0,0 +1,18 @@ + + + This option sets the path to the encrypted smbpasswd file. By + default the path to the smbpasswd file is compiled into Samba. + + + An example of use is: + +smb passwd file = /etc/samba/smbpasswd + + + + +&pathconfig.SMB_PASSWD_FILE; + diff --git a/docs-xml/smbdotconf/security/tlscafile.xml b/docs-xml/smbdotconf/security/tlscafile.xml new file mode 100644 index 0000000..bcbac62 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlscafile.xml @@ -0,0 +1,20 @@ + + + This option can be set to a file (PEM format) + containing CA certificates of root CAs to trust to sign + certificates or intermediate CA certificates. + This path is relative to if the path + does not start with a /. + + + tls certfile + tls crlfile + tls dh params file + tls enabled + tls keyfile + tls/ca.pem + diff --git a/docs-xml/smbdotconf/security/tlscertfile.xml b/docs-xml/smbdotconf/security/tlscertfile.xml new file mode 100644 index 0000000..cf70954 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlscertfile.xml @@ -0,0 +1,19 @@ + + + This option can be set to a file (PEM format) + containing the RSA certificate. + This path is relative to if the path + does not start with a /. + + + tls keyfile + tls crlfile + tls dh params file + tls enabled + tls cafile + tls/cert.pem + diff --git a/docs-xml/smbdotconf/security/tlscrlfile.xml b/docs-xml/smbdotconf/security/tlscrlfile.xml new file mode 100644 index 0000000..1f42b85 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlscrlfile.xml @@ -0,0 +1,19 @@ + + + This option can be set to a file containing a certificate + revocation list (CRL). + This path is relative to if the path + does not start with a /. + + + tls certfile + tls crlfile + tls dh params file + tls enabled + tls cafile + + diff --git a/docs-xml/smbdotconf/security/tlsdhparamsfile.xml b/docs-xml/smbdotconf/security/tlsdhparamsfile.xml new file mode 100644 index 0000000..5bf59aa --- /dev/null +++ b/docs-xml/smbdotconf/security/tlsdhparamsfile.xml @@ -0,0 +1,20 @@ + + + This option can be set to a file with Diffie-Hellman parameters + which will be used with DH ciphers. + + This path is relative to if the path + does not start with a /. + + + tls certfile + tls crlfile + tls cafile + tls enabled + tls keyfile + + diff --git a/docs-xml/smbdotconf/security/tlsenabled.xml b/docs-xml/smbdotconf/security/tlsenabled.xml new file mode 100644 index 0000000..411b928 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlsenabled.xml @@ -0,0 +1,10 @@ + + + If this option is set to yes, then Samba + will use TLS when possible in communication. + + yes + diff --git a/docs-xml/smbdotconf/security/tlskeyfile.xml b/docs-xml/smbdotconf/security/tlskeyfile.xml new file mode 100644 index 0000000..9caa824 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlskeyfile.xml @@ -0,0 +1,20 @@ + + + This option can be set to a file (PEM format) + containing the RSA private key. This file must be accessible without + a pass-phrase, i.e. it must not be encrypted. + This path is relative to if the path + does not start with a /. + + + tls certfile + tls crlfile + tls dh params file + tls enabled + tls cafile + tls/key.pem + diff --git a/docs-xml/smbdotconf/security/tlspriority.xml b/docs-xml/smbdotconf/security/tlspriority.xml new file mode 100644 index 0000000..471dc25 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlspriority.xml @@ -0,0 +1,19 @@ + + + This option can be set to a string describing the TLS protocols + to be supported in the parts of Samba that use GnuTLS, specifically + the AD DC. + + The string is appended to the default priority list of GnuTLS. + The valid options are described in the + GNUTLS + Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html + + The SSL3.0 protocol will be disabled. + + + NORMAL:-VERS-SSL3.0 + diff --git a/docs-xml/smbdotconf/security/tlsverifypeer.xml b/docs-xml/smbdotconf/security/tlsverifypeer.xml new file mode 100644 index 0000000..4f47dd4 --- /dev/null +++ b/docs-xml/smbdotconf/security/tlsverifypeer.xml @@ -0,0 +1,47 @@ + + + This controls if and how strict the client will verify the peer's certificate and name. + Possible values are (in increasing order): + no_check, + ca_only, + ca_and_name_if_available, + ca_and_name + and + as_strict_as_possible. + + When set to no_check the certificate is not verified at + all, which allows trivial man in the middle attacks. + + + When set to ca_only the certificate is verified to + be signed from a ca specified in the option. + Setting to a valid file is required. + The certificate lifetime is also verified. If the + option is configured, the certificate is also verified against the ca crl. + + + When set to ca_and_name_if_available all checks from + ca_only are performed. In addition, the peer hostname is verified + against the certificate's name, if it is provided by the application layer and + not given as an ip address string. + + + When set to ca_and_name all checks from + ca_and_name_if_available are performed. + In addition the peer hostname needs to be provided and even an ip + address is checked against the certificate's name. + + + When set to as_strict_as_possible all checks from + ca_and_name are performed. In addition the + needs to be configured. + Future versions of Samba may implement additional checks. + + + +as_strict_as_possible + diff --git a/docs-xml/smbdotconf/security/unixpasswordsync.xml b/docs-xml/smbdotconf/security/unixpasswordsync.xml new file mode 100644 index 0000000..89b0158 --- /dev/null +++ b/docs-xml/smbdotconf/security/unixpasswordsync.xml @@ -0,0 +1,26 @@ + + + This boolean parameter controls whether Samba + attempts to synchronize the UNIX password with the SMB password + when the encrypted SMB password in the smbpasswd file is changed. + If this is set to yes the program specified in the passwd + program parameter is called AS ROOT - + to allow the new UNIX password to be set without access to the + old UNIX password (as the SMB password change code has no + access to the old password cleartext, only the new). + + This option has no effect if samba + is running as an active directory domain controller, in that case have a + look at the option and the + samba-tool user syncpasswords command. + + +passwd program +passwd chat +password hash gpg key ids + +no + diff --git a/docs-xml/smbdotconf/security/usernamelevel.xml b/docs-xml/smbdotconf/security/usernamelevel.xml new file mode 100644 index 0000000..f5248c0 --- /dev/null +++ b/docs-xml/smbdotconf/security/usernamelevel.xml @@ -0,0 +1,26 @@ + + + This option helps Samba to try and 'guess' at + the real UNIX username, as many DOS clients send an all-uppercase + username. By default Samba tries all lowercase, followed by the + username with the first letter capitalized, and fails if the + username is not found on the UNIX machine. + + If this parameter is set to non-zero the behavior changes. + This parameter is a number that specifies the number of uppercase + combinations to try while trying to determine the UNIX user name. The + higher the number the more combinations will be tried, but the slower + the discovery of usernames will be. Use this parameter when you have + strange usernames on your UNIX machine, such as AstrangeUser + . + + This parameter is needed only on UNIX systems that have case + sensitive usernames. + + +0 +5 + diff --git a/docs-xml/smbdotconf/security/usernamemap.xml b/docs-xml/smbdotconf/security/usernamemap.xml new file mode 100644 index 0000000..809a54c --- /dev/null +++ b/docs-xml/smbdotconf/security/usernamemap.xml @@ -0,0 +1,130 @@ + + + + This option allows you to specify a file containing a mapping of usernames from the clients to the server. + This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows + machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they + can more easily share files. + + + + Please note that for user mode security, the username map is applied prior to validating the user + credentials. Domain member servers (domain or ads) apply the username map after the user has been + successfully authenticated by the domain controller and require fully qualified entries in the map table (e.g. + biddle = DOMAIN\foo). + + + + The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '=' + followed by a list of usernames on the right. The list of usernames on the right may contain names of the form + @group in which case they will match any UNIX username in that group. The special client name '*' is a + wildcard and matches any name. Each line of the map file may be up to 1023 characters long. + + + + The file is processed on each line by taking the supplied username and comparing it with each username on the + right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it + is replaced with the name on the left. Processing then continues with the next line. + + + + If any line begins with a '#' or a ';' then it is ignored. + + + + If any line begins with an '!' then the processing will stop after that line if a mapping was done by the + line. Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a + wildcard mapping line later in the file. + + + + For example to map from the name admin or administrator to the UNIX + name root you would use: + +root = admin administrator + + Or to map anyone in the UNIX group system to the UNIX name sys you would use: + +sys = @system + + + + + You can have as many mappings as you like in a username map file. + + + + + If your system supports the NIS NETGROUP option then the netgroup database is checked before the /etc/group database for matching groups. + + + + You can map Windows usernames that have spaces in them by using double quotes around the name. For example: + +tridge = "Andrew Tridgell" + + would map the windows username "Andrew Tridgell" to the unix username "tridge". + + + + The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on that line: + +!sys = mary fred +guest = * + + + + + Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and + fred is remapped to mary then you will actually be connecting to + \\server\mary and will need to supply a password suitable for mary not + fred. The only exception to this is the + username passed to a Domain Controller (if you have one). The DC will receive whatever username the client + supplies without modification. + + + + Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been + mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print + job. + + + + Samba versions prior to 3.0.8 would only support reading the fully qualified username + (e.g.: DOMAIN\user) from + the username map when performing a kerberos login from a client. However, when looking up a map entry for a + user authenticated by NTLM[SSP], only the login name would be used for matches. This resulted in inconsistent + behavior sometimes even on the same server. + + + + The following functionality is obeyed in version 3.0.8 and later: + + + + When performing local authentication, the username map is applied to the login name before attempting to authenticate + the connection. + + + + When relying upon a external domain controller for validating authentication requests, smbd will apply the username map + to the fully qualified username (i.e. DOMAIN\user) only after the user has been successfully authenticated. + + + + An example of use is: + +username map = /usr/local/samba/lib/users.map + + + + + +no username map + diff --git a/docs-xml/smbdotconf/security/usernamemapcachetime.xml b/docs-xml/smbdotconf/security/usernamemapcachetime.xml new file mode 100644 index 0000000..974026c --- /dev/null +++ b/docs-xml/smbdotconf/security/usernamemapcachetime.xml @@ -0,0 +1,26 @@ + + + + Mapping usernames with the + or + features of Samba can be relatively expensive. + During login of a user, the mapping is done several times. + In particular, calling the + can slow down logins if external databases have to be queried from + the script being called. + + + + The parameter + controls a mapping cache. It specifies the number of seconds a + mapping from the username map file or script is to be efficiently cached. + The default of 0 means no caching is done. + + + +0 +60 + diff --git a/docs-xml/smbdotconf/security/usernamemapscript.xml b/docs-xml/smbdotconf/security/usernamemapscript.xml new file mode 100644 index 0000000..7123c53 --- /dev/null +++ b/docs-xml/smbdotconf/security/usernamemapscript.xml @@ -0,0 +1,19 @@ + + + This script is a mutually exclusive alternative to the + parameter. This parameter + specifies an external program or script that must accept a single + command line option (the username transmitted in the authentication + request) and return a line on standard output (the name to which + the account should mapped). In this way, it is possible to store + username map tables in an LDAP directory services. + + + + +/etc/samba/scripts/mapusers.sh + diff --git a/docs-xml/smbdotconf/security/validusers.xml b/docs-xml/smbdotconf/security/validusers.xml new file mode 100644 index 0000000..0b681a1 --- /dev/null +++ b/docs-xml/smbdotconf/security/validusers.xml @@ -0,0 +1,38 @@ + + + + This is a list of users that should be allowed to login to this service. Names starting with + '@', '+' and '&' are interpreted using the same rules as described in the + invalid users parameter. + + + + If this is empty (the default) then any user can login. If a username is in both this list + and the invalid users list then access is denied + for that user. + + + + The current servicename is substituted for %S. + This is useful in the [homes] section. + + + Note: When used in the [global] section this + parameter may have unwanted side effects. For example: If samba is configured as a MASTER BROWSER (see + local master, + os level, + domain master, + preferred master) this option + will prevent workstations from being able to browse the network. + + + + +invalid users + +No valid users list (anyone can login) +greg, @pcusers + diff --git a/docs-xml/smbdotconf/security/writeable.xml b/docs-xml/smbdotconf/security/writeable.xml new file mode 100644 index 0000000..5433849 --- /dev/null +++ b/docs-xml/smbdotconf/security/writeable.xml @@ -0,0 +1,14 @@ + +writable +write ok + + Inverted synonym for . + + +no + diff --git a/docs-xml/smbdotconf/security/writelist.xml b/docs-xml/smbdotconf/security/writelist.xml new file mode 100644 index 0000000..a9b9e8b --- /dev/null +++ b/docs-xml/smbdotconf/security/writelist.xml @@ -0,0 +1,24 @@ + + + + This is a list of users that are given read-write access to a service. If the + connecting user is in this list then they will be given write access, no matter + what the option is set to. The list can + include group names using the @group syntax. + + + + Note that if a user is in both the read list and the write list then they will be + given write access. + + + + +read list + + +admin, root, @staff + -- cgit v1.2.3