blob: ab72617facdbdce3fccdc041a40dead295cbdf9b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
<samba:parameter name="acl claims evaluation"
context="G"
type="enum"
enumlist="enum_acl_claims_evaluation"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This option controls the way Samba handles evaluation of
security descriptors in Samba, with regards to Active
Directory Claims. AD Claims, introduced with Windows 2012,
are essentially administrator-defined key-value pairs that can
be set both in Active Directory (communicated via the Kerberos
PAC) and in the security descriptor themselves.
</para>
<para>Active Directory claims are new with Samba 4.20.
Because the claims are evaluated against a very flexible
expression language within the security descriptor, this option provides a mechanism
to disable this logic if required by the administrator.</para>
<para>This default behaviour is that claims evaluation is
enabled in the AD DC only. Additionally, claims evaluation on
the AD DC is only enabled if the DC functional level
is 2012 or later. See <smbconfoption name="ad dc functional
level"/>.</para>
<para>Possible values are :</para>
<itemizedlist>
<listitem>
<para><constant>AD DC only</constant>: Enabled for the Samba AD
DC (for DC functional level 2012 or higher).</para>
</listitem>
<listitem>
<para><constant>never</constant>: Disabled in all cases.
This option disables some but not all of the
Authentication Policies and Authentication Policy Silos features of
the Windows 2012R2 functional level in the AD DC.</para>
</listitem>
</itemizedlist>
</description>
<value type="default">AD DC only</value>
</samba:parameter>
|