summaryrefslogtreecommitdiffstats
path: root/docs-xml/smbdotconf/security/aclclaimsevaluation.xml
blob: ab72617facdbdce3fccdc041a40dead295cbdf9b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
<samba:parameter name="acl claims evaluation"
                 context="G"
                 type="enum"
                 enumlist="enum_acl_claims_evaluation"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
	<para>This option controls the way Samba handles evaluation of
	security descriptors in Samba, with regards to Active
	Directory Claims.  AD Claims, introduced with Windows 2012,
	are essentially administrator-defined key-value pairs that can
	be set both in Active Directory (communicated via the Kerberos
	PAC) and in the security descriptor themselves.
	</para>

 	<para>Active Directory claims are new with Samba 4.20.
	Because the claims are evaluated against a very flexible
	expression language within the security descriptor, this option provides a mechanism
	to disable this logic if required by the administrator.</para>

	<para>This default behaviour is that claims evaluation is
	enabled in the AD DC only.  Additionally, claims evaluation on
	the AD DC is only enabled if the DC functional level
	is 2012 or later.  See <smbconfoption name="ad dc functional
	level"/>.</para>

	<para>Possible values are :</para>
	<itemizedlist>
	  <listitem>
	    <para><constant>AD DC only</constant>: Enabled for the Samba AD
	    DC (for DC functional level 2012 or higher).</para>
	  </listitem>
	  <listitem>
	    <para><constant>never</constant>: Disabled in all cases.
	    This option disables some but not all of the
	    Authentication Policies and Authentication Policy Silos features of
	    the Windows 2012R2 functional level in the AD DC.</para>
	  </listitem>
	</itemizedlist>
</description>

<value type="default">AD DC only</value>
</samba:parameter>