diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 05:31:45 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 05:31:45 +0000 |
| commit | 74aa0bc6779af38018a03fd2cf4419fe85917904 (patch) | |
| tree | 9cb0681aac9a94a49c153d5823e7a55d1513d91f /src/man/ja | |
| parent | Initial commit. (diff) | |
| download | sssd-74aa0bc6779af38018a03fd2cf4419fe85917904.tar.xz sssd-74aa0bc6779af38018a03fd2cf4419fe85917904.zip | |
Adding upstream version 2.9.4.upstream/2.9.4
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/man/ja')
21 files changed, 1597 insertions, 0 deletions
diff --git a/src/man/ja/include/ad_modified_defaults.xml b/src/man/ja/include/ad_modified_defaults.xml new file mode 100644 index 0000000..6ee0537 --- /dev/null +++ b/src/man/ja/include/ad_modified_defaults.xml @@ -0,0 +1,104 @@ +<refsect1 id='modified-default-options'> + <title>MODIFIED DEFAULT OPTIONS</title> + <para> + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + </para> + <refsect2 id='krb5_modifications'> + <title>KRB5 Provider</title> + <itemizedlist> + <listitem> + <para> + krb5_validate = true + </para> + </listitem> + <listitem> + <para> + krb5_use_enterprise_principal = true + </para> + </listitem> + </itemizedlist> + </refsect2> + <refsect2 id='ldap_modifications'> + <title>LDAP Provider</title> + <itemizedlist> + <listitem> + <para> + ldap_schema = ad + </para> + </listitem> + <listitem> + <para> + ldap_force_upper_case_realm = true + </para> + </listitem> + <listitem> + <para> + ldap_id_mapping = true + </para> + </listitem> + <listitem> + <para> + ldap_sasl_mech = GSS-SPNEGO + </para> + </listitem> + <listitem> + <para> + ldap_referrals = false + </para> + </listitem> + <listitem> + <para> + ldap_account_expire_policy = ad + </para> + </listitem> + <listitem> + <para> + ldap_use_tokengroups = true + </para> + </listitem> + <listitem> + <para> + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + </para> + <para> + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + </para> + </listitem> + </itemizedlist> + </refsect2> + <refsect2 id='nss_modifications'> + <title>NSS configuration</title> + <itemizedlist> + <listitem> + <para> + fallback_homedir = /home/%d/%u + </para> + <para> + The AD provider automatically sets "fallback_homedir = /home/%d/%u" to +provide personal home directories for users without the homeDirectory +attribute. If your AD Domain is properly populated with Posix attributes, +and you want to avoid this fallback behavior, you can explicitly set +"fallback_homedir = %o". + </para> + <para> + Note that the system typically expects a home directory in /home/%u +folder. If you decide to use a different directory structure, some other +parts of your system may need adjustments. + </para> + <para> + For example automated creation of home directories in combination with +selinux requires selinux adjustment, otherwise the home directory will be +created with wrong selinux context. + </para> + </listitem> + </itemizedlist> + </refsect2> +</refsect1> diff --git a/src/man/ja/include/autofs_attributes.xml b/src/man/ja/include/autofs_attributes.xml new file mode 100644 index 0000000..0a453aa --- /dev/null +++ b/src/man/ja/include/autofs_attributes.xml @@ -0,0 +1,64 @@ +<variablelist> + <varlistentry> + <term>ldap_autofs_map_object_class (文字列)</term> + <listitem> + <para> + LDAP にある automount マップエントリーのオブジェクトクラスです。 + </para> + <para> + Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_autofs_map_name (文字列)</term> + <listitem> + <para> + LDAP における automount のマップエントリーの名前です。 + </para> + <para> + Default: nisMapName (rfc2307, autofs_provider=ad), otherwise +automountMapName + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_autofs_entry_object_class (文字列)</term> + <listitem> + <para> + The object class of an automount entry in LDAP. The entry usually +corresponds to a mount point. + </para> + <para> + Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_autofs_entry_key (文字列)</term> + <listitem> + <para> + LDAP にある automount エントリーのキーです。エントリーは一般的にマウントポイントと対応します。 + </para> + <para> + Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_autofs_entry_value (文字列)</term> + <listitem> + <para> + LDAP にある automount エントリーのキーです。エントリーは一般的にマウントポイントと対応します。 + </para> + <para> + Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise +automountInformation + </para> + </listitem> + </varlistentry> +</variablelist> diff --git a/src/man/ja/include/autofs_restart.xml b/src/man/ja/include/autofs_restart.xml new file mode 100644 index 0000000..f31efe5 --- /dev/null +++ b/src/man/ja/include/autofs_restart.xml @@ -0,0 +1,5 @@ +<para> + Please note that the automounter only reads the master map on startup, so if +any autofs-related changes are made to the sssd.conf, you typically also +need to restart the automounter daemon after restarting the SSSD. +</para> diff --git a/src/man/ja/include/debug_levels.xml b/src/man/ja/include/debug_levels.xml new file mode 100644 index 0000000..70361f1 --- /dev/null +++ b/src/man/ja/include/debug_levels.xml @@ -0,0 +1,97 @@ +<listitem> + <para> + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + </para> + <para> + Please note that each SSSD service logs into its own log file. Also please +note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The <quote>debug_level</quote> parameter +should be added to all sections that you wish to produce debug logs from. + </para> + <para> + In addition to changing the log level in the config file using the +<quote>debug_level</quote> parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the +<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> +<manvolnum>8</manvolnum> </citerefentry> tool. + </para> + <para> + 現在サポートされるデバッグレベル: + </para> + <para> + <emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + </para> + <para> + <emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + </para> + <para> + <emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An +error announcing that a particular request or operation has failed. + </para> + <para> + <emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + </para> + <para> + <emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings. + </para> + <para> + <emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data. + </para> + <para> + <emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for +operation functions. + </para> + <para> + <emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for +internal control functions. + </para> + <para> + <emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of +function-internal variables that may be interesting. + </para> + <para> + <emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level +tracing information. + </para> + <para> + <emphasis>9</emphasis>, <emphasis>0x20000</emphasis>: Performance and +statistical data, please note that due to the way requests are processed +internally the logged execution time of a request might be longer than it +actually was. + </para> + <para> + <emphasis>10</emphasis>, <emphasis>0x10000</emphasis>: Even more low-level +libldb tracing information. Almost never really required. + </para> + <para> + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + </para> + <para> + <emphasis>例</emphasis>: 致命的なエラー、重大なエラー、深刻なエラーおよび関数データをログに取得するには 0x0270 +を使用します。 + </para> + <para> + <emphasis>例</emphasis>: 致命的なエラー、設定値の設定、関数データ、内部制御関数のトレースメッセージをログに取得するには +0x1310 を使用します。 + </para> + <para> + <emphasis>Note</emphasis>: The bitmask format of debug levels was introduced +in 1.7.0. + </para> + <para> + <emphasis>Default</emphasis>: 0x0070 (i.e. fatal, critical and serious +failures; corresponds to setting 2 in decimal notation) + </para> +</listitem> diff --git a/src/man/ja/include/debug_levels_tools.xml b/src/man/ja/include/debug_levels_tools.xml new file mode 100644 index 0000000..57f81cc --- /dev/null +++ b/src/man/ja/include/debug_levels_tools.xml @@ -0,0 +1,77 @@ +<listitem> + <para> + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + </para> + <para> + 現在サポートされるデバッグレベル: + </para> + <para> + <emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + </para> + <para> + <emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + </para> + <para> + <emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An +error announcing that a particular request or operation has failed. + </para> + <para> + <emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + </para> + <para> + <emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings. + </para> + <para> + <emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data. + </para> + <para> + <emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for +operation functions. + </para> + <para> + <emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for +internal control functions. + </para> + <para> + <emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of +function-internal variables that may be interesting. + </para> + <para> + <emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level +tracing information. + </para> + <para> + <emphasis>10</emphasis>, <emphasis>0x10000</emphasis>: Even more low-level +libldb tracing information. Almost never really required. + </para> + <para> + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + </para> + <para> + <emphasis>例</emphasis>: 致命的なエラー、重大なエラー、深刻なエラーおよび関数データをログに取得するには 0x0270 +を使用します。 + </para> + <para> + <emphasis>例</emphasis>: 致命的なエラー、設定値の設定、関数データ、内部制御関数のトレースメッセージをログに取得するには +0x1310 を使用します。 + </para> + <para> + <emphasis>Note</emphasis>: The bitmask format of debug levels was introduced +in 1.7.0. + </para> + <para> + <emphasis>Default</emphasis>: 0x0070 (i.e. fatal, critical and serious +failures; corresponds to setting 2 in decimal notation) + </para> +</listitem> diff --git a/src/man/ja/include/failover.xml b/src/man/ja/include/failover.xml new file mode 100644 index 0000000..bd16e22 --- /dev/null +++ b/src/man/ja/include/failover.xml @@ -0,0 +1,118 @@ +<refsect1 id='failover'> + <title>フェイルオーバー</title> + <para> + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + </para> + <refsect2 id='failover_syntax'> + <title>フェイルオーバーの構文</title> + <para> + サーバーの一覧がカンマ区切り一覧として与えられます。カンマの前後で空白はいくつでも許されます。サーバーは性能の順番で一覧化されます。一覧はサーバーをいくつでも含められます。 + </para> + <para> + For each failover-enabled config option, two variants exist: +<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + </para> + </refsect2> + <refsect2 id='failover_mechanism'> + <title>フェイルオーバーのメカニズム</title> + <para> + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + </para> + <para> + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. + </para> + <para> + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. + </para> + </refsect2> + <refsect2 id='failover_tuning'> + <title>Failover time outs and tuning</title> + <para> + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + </para> + <para> + This section lists the available tunables. Please refer to their description +in the <citerefentry> +<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, manual page. <variablelist> + <varlistentry> + <term> + dns_resolver_server_timeout + </term> + <listitem> + <para> + Time in milliseconds that sets how long would SSSD talk to a single DNS +server before trying next one. + </para> + <para> + 初期値: 1000 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + dns_resolver_op_timeout + </term> + <listitem> + <para> + Time in seconds to tell how long would SSSD try to resolve single DNS query +(e.g. resolution of a hostname or an SRV record) before trying the next +hostname or discovery domain. + </para> + <para> + 初期値: 3 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + dns_resolver_timeout + </term> + <listitem> + <para> + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + </para> + <para> + 初期値: 6 + </para> + </listitem> + </varlistentry> + </variablelist> + </para> + <para> + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +<quote>ldap_opt_timeout</quote> timeout should be set to a larger value than +<quote>dns_resolver_timeout</quote> which in turn should be set to a larger +value than <quote>dns_resolver_op_timeout</quote> which should be larger +than <quote>dns_resolver_server_timeout</quote>. + </para> + </refsect2> +</refsect1> diff --git a/src/man/ja/include/homedir_substring.xml b/src/man/ja/include/homedir_substring.xml new file mode 100644 index 0000000..d7533de --- /dev/null +++ b/src/man/ja/include/homedir_substring.xml @@ -0,0 +1,17 @@ +<varlistentry> + <term>homedir_substring (string)</term> + <listitem> + <para> + The value of this option will be used in the expansion of the +<emphasis>override_homedir</emphasis> option if the template contains the +format string <emphasis>%H</emphasis>. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + </para> + <para> + Default: /home + </para> + </listitem> +</varlistentry> diff --git a/src/man/ja/include/ipa_modified_defaults.xml b/src/man/ja/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/ja/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ +<refsect1 id='modified-default-options'> + <title>MODIFIED DEFAULT OPTIONS</title> + <para> + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + </para> + <refsect2 id='krb5_modifications'> + <title>KRB5 Provider</title> + <itemizedlist> + <listitem> + <para> + krb5_validate = true + </para> + </listitem> + <listitem> + <para> + krb5_use_fast = try + </para> + </listitem> + <listitem> + <para> + krb5_canonicalize = true + </para> + </listitem> + </itemizedlist> + </refsect2> + <refsect2 id='ldap_general_modifications'> + <title>LDAP Provider - General</title> + <itemizedlist> + <listitem> + <para> + ldap_schema = ipa_v1 + </para> + </listitem> + <listitem> + <para> + ldap_force_upper_case_realm = true + </para> + </listitem> + <listitem> + <para> + ldap_sasl_mech = GSSAPI + </para> + </listitem> + <listitem> + <para> + ldap_sasl_minssf = 56 + </para> + </listitem> + <listitem> + <para> + ldap_account_expire_policy = ipa + </para> + </listitem> + <listitem> + <para> + ldap_use_tokengroups = true + </para> + </listitem> + </itemizedlist> + </refsect2> + <refsect2 id='ldap_user_modifications'> + <title>LDAP Provider - User options</title> + <itemizedlist> + <listitem> + <para> + ldap_user_member_of = memberOf + </para> + </listitem> + <listitem> + <para> + ldap_user_uuid = ipaUniqueID + </para> + </listitem> + <listitem> + <para> + ldap_user_ssh_public_key = ipaSshPubKey + </para> + </listitem> + <listitem> + <para> + ldap_user_auth_type = ipaUserAuthType + </para> + </listitem> + </itemizedlist> + </refsect2> + <refsect2 id='ldap_group_modifications'> + <title>LDAP Provider - Group options</title> + <itemizedlist> + <listitem> + <para> + ldap_group_object_class = ipaUserGroup + </para> + </listitem> + <listitem> + <para> + ldap_group_object_class_alt = posixGroup + </para> + </listitem> + <listitem> + <para> + ldap_group_member = member + </para> + </listitem> + <listitem> + <para> + ldap_group_uuid = ipaUniqueID + </para> + </listitem> + <listitem> + <para> + ldap_group_objectsid = ipaNTSecurityIdentifier + </para> + </listitem> + <listitem> + <para> + ldap_group_external_member = ipaExternalMember + </para> + </listitem> + </itemizedlist> + </refsect2> +</refsect1> diff --git a/src/man/ja/include/krb5_options.xml b/src/man/ja/include/krb5_options.xml new file mode 100644 index 0000000..65c5246 --- /dev/null +++ b/src/man/ja/include/krb5_options.xml @@ -0,0 +1,148 @@ +<variablelist> + <varlistentry> + <term>krb5_auth_timeout (整数)</term> + <listitem> + <para> + オンライン認証またはパスワード変更要求が中止された後の秒単位のタイムアウトです。可能ならば、認証要求がオフラインで継続されます。 + </para> + <para> + 初期値: 6 + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_validate (論理値)</term> + <listitem> + <para> + Verify with the help of krb5_keytab that the TGT obtained has not been +spoofed. The keytab is checked for entries sequentially, and the first entry +with a matching realm is used for validation. If no entry matches the realm, +the last entry in the keytab is used. This process can be used to validate +environments using cross-realm trust by placing the appropriate keytab entry +as the last entry or the only entry in the keytab file. + </para> + <para> + Default: false (IPA and AD provider: true) + </para> + <para> + Please note that the ticket validation is the first step when checking the +PAC (see 'pac_check' in the <citerefentry> +<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> +</citerefentry> manual page for details). If ticket validation is disabled +the PAC checks will be skipped as well. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_renewable_lifetime (文字列)</term> + <listitem> + <para> + Request a renewable ticket with a total lifetime, given as an integer +immediately followed by a time unit: + </para> + <para> + 秒は <emphasis>s</emphasis> + </para> + <para> + 分は <emphasis>m</emphasis> + </para> + <para> + 時間は <emphasis>h</emphasis> + </para> + <para> + 日は <emphasis>d</emphasis> + </para> + <para> + 単位が指定されていないと、<emphasis>s</emphasis> と仮定されます。 + </para> + <para> + 注: 単位を混在できないことに注意してください。更新可能な生存期間を1時間30分に指定したい場合、'1h30m' の代わりに '90m' を使用します。 + </para> + <para> + 初期値: 設定されません、つまり TGT は更新可能ではありません + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_lifetime (文字列)</term> + <listitem> + <para> + Request ticket with a lifetime, given as an integer immediately followed by +a time unit: + </para> + <para> + 秒は <emphasis>s</emphasis> + </para> + <para> + 分は <emphasis>m</emphasis> + </para> + <para> + 時間は <emphasis>h</emphasis> + </para> + <para> + 日は <emphasis>d</emphasis> + </para> + <para> + 単位が指定されていないと、<emphasis>s</emphasis> と仮定されます。 + </para> + <para> + 注: 単位を混在できないことに注意してください。更新可能な生存期間を1時間30分に指定したい場合、'1h30m' の代わりに '90m' +を使用してください。 + </para> + <para> + 初期値: 設定されません、つまり KDC において設定されているチケット有効期間の初期値です。 + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_renew_interval (文字列)</term> + <listitem> + <para> + The time in seconds between two checks if the TGT should be renewed. TGTs +are renewed if about half of their lifetime is exceeded, given as an integer +immediately followed by a time unit: + </para> + <para> + 秒は <emphasis>s</emphasis> + </para> + <para> + 分は <emphasis>m</emphasis> + </para> + <para> + 時間は <emphasis>h</emphasis> + </para> + <para> + 日は <emphasis>d</emphasis> + </para> + <para> + 単位が指定されていないと、<emphasis>s</emphasis> と仮定されます。 + </para> + <para> + 注: 単位を混在できないことに注意してください。更新可能な生存期間を1時間30分に指定したい場合、'1h30m' の代わりに '90m' を使用します。 + </para> + <para> + このオプションが設定されていない場合、または 0 に設定されている場合、自動更新は無効になります。 + </para> + <para> + 初期値: 設定されません + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_canonicalize (論理値)</term> + <listitem> + <para> + ホストとユーザーのプリンシパルが正規化されるかどうかを指定します。この機能は MIT Kerberos 1.7 およびそれ以降で利用可能です。 + </para> + + <para> + 初期値: false + </para> + </listitem> + </varlistentry> +</variablelist> diff --git a/src/man/ja/include/ldap_id_mapping.xml b/src/man/ja/include/ldap_id_mapping.xml new file mode 100644 index 0000000..e4ec141 --- /dev/null +++ b/src/man/ja/include/ldap_id_mapping.xml @@ -0,0 +1,282 @@ +<refsect1 id='idmap'> + <title>ID マッピング</title> + <para> + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + </para> + <para> + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + </para> + <para> + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use <citerefentry> +<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> +</citerefentry> to remove the database, rather the process consists of: + <itemizedlist> + <listitem> + <para> + Making sure the remote servers are reachable + </para> + </listitem> + <listitem> + <para> + Stopping the SSSD service + </para> + </listitem> + <listitem> + <para> + Removing the database + </para> + </listitem> + <listitem> + <para> + Starting the SSSD service + </para> + </listitem> + </itemizedlist> + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + </para> + + <refsect2 id='idmap_algorithm'> + <title>マッピング・アルゴリズム</title> + <para> + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + </para> + <para> + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. + </para> + <para> + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + </para> + <para> + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + </para> + <para> + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See <quote>Configuration</quote> for details. + </para> + </refsect2> + + <refsect2 id='idmap_config'> + <title>設定</title> + <para> + 最小の設定 (<quote>[domain/DOMAINNAME]</quote> セクションにおいて): + </para> + <para> +<programlisting> +ldap_id_mapping = True +ldap_schema = ad +</programlisting> + </para> + <para> + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + </para> + <refsect3 id='idmap_advanced_config'> + <title>高度な設定</title> + <variablelist> + <varlistentry> + <term>ldap_idmap_range_min (整数)</term> + <listitem> + <para> + Specifies the lower (inclusive) bound of the range of POSIX IDs to use for +mapping Active Directory user and group SIDs. It is the first POSIX ID which +can be used for the mapping. + </para> + <para> + NOTE: This option is different from <quote>min_id</quote> in that +<quote>min_id</quote> acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +<quote>min_id</quote> be less-than or equal to +<quote>ldap_idmap_range_min</quote> + </para> + <para> + 初期値: 200000 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ldap_idmap_range_max (整数)</term> + <listitem> + <para> + Specifies the upper (exclusive) bound of the range of POSIX IDs to use for +mapping Active Directory user and group SIDs. It is the first POSIX ID which +cannot be used for the mapping anymore, i.e. one larger than the last one +which can be used for the mapping. + </para> + <para> + NOTE: This option is different from <quote>max_id</quote> in that +<quote>max_id</quote> acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +<quote>max_id</quote> be greater-than or equal to +<quote>ldap_idmap_range_max</quote> + </para> + <para> + 初期値: 2000200000 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ldap_idmap_range_size (整数)</term> + <listitem> + <para> + 各スライスに利用可能な ID +番号を指定します。範囲の大きさが最小値、最大値の中にうまく分けられなければ、できる限り多くの完全なスライスとして作成されます。 + </para> + <para> + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + </para> + <para> + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + </para> + <para> + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + </para> + <para> + 初期値: 200000 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ldap_idmap_default_domain_sid (文字列)</term> + <listitem> + <para> + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + </para> + <para> + 初期値: 設定されません + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ldap_idmap_default_domain (文字列)</term> + <listitem> + <para> + 初期ドメインの名前を指定します。 + </para> + <para> + 初期値: 設定されません + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ldap_idmap_autorid_compat (論理値)</term> + <listitem> + <para> + winbind の <quote>idmap_autorid</quote> アルゴリズムとより同じように振る舞うために ID +マッピングのアルゴリズムの振る舞いを変更します。 + </para> + <para> + When this option is configured, domains will be allocated starting with +slice zero and increasing monotonically with each additional domain. + </para> + <para> + 注記: このアルゴリズムは非決定的です (ユーザーとグループが要求された順番に依存します)。このモードはマシンが実行中の winbind +と互換性が必要ならば、少なくとも一つのドメインが一貫してスライス 0 +に割り当てられることを保証するために、<quote>ldap_idmap_default_domain_sid</quote> +オプションも使用することが推奨されます。 + </para> + <para> + 初期値: 偽 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ldap_idmap_helper_table_size (integer)</term> + <listitem> + <para> + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + </para> + <para> + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + </para> + <para> + 初期値: 10 + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect3> + </refsect2> + + <refsect2 id='well_known_sids'> + <title>Well-Known SIDs</title> + <para> + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + </para> + <para> + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + <itemizedlist> + <listitem><para>Null Authority</para></listitem> + <listitem><para>World Authority</para></listitem> + <listitem><para>Local Authority</para></listitem> + <listitem><para>Creator Authority</para></listitem> + <listitem><para>Mandatory Label Authority</para></listitem> + <listitem><para>Authentication Authority</para></listitem> + <listitem><para>NT Authority</para></listitem> + <listitem><para>Built-in</para></listitem> + </itemizedlist> + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. + </para> + <para> + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, +<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, +<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION +AUTHORITY</quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> +should not be used as domain names in <filename>sssd.conf</filename>. + </para> + </refsect2> + +</refsect1> diff --git a/src/man/ja/include/ldap_search_bases.xml b/src/man/ja/include/ldap_search_bases.xml new file mode 100644 index 0000000..9b3118b --- /dev/null +++ b/src/man/ja/include/ldap_search_bases.xml @@ -0,0 +1,30 @@ +<listitem> + <para> + オプションのベース DN。この属性の種別に対する LDAP 検索を制限する、検索範囲および LDAP フィルター。 + </para> + <para> + 構文: <programlisting> +search_base[?scope?[filter][?search_base?scope?[filter]]*] +</programlisting> + </para> + <para> + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + </para> + <para> + フィルターは http://www.ietf.org/rfc/rfc2254.txt により指定されたような有効な LDAP +検索フィルターである必要があります。 + </para> + <para> + For examples of this syntax, please refer to the +<quote>ldap_search_base</quote> examples section. + </para> + <para> + 初期値: <emphasis>ldap_search_base</emphasis> の値 + </para> + <para> + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + </para> +</listitem> diff --git a/src/man/ja/include/local.xml b/src/man/ja/include/local.xml new file mode 100644 index 0000000..d293c3b --- /dev/null +++ b/src/man/ja/include/local.xml @@ -0,0 +1,17 @@ +<refsect1 id='local'> + <title>ローカルドメイン</title> + <para> + In order to function correctly, a domain with +<quote>id_provider=local</quote> must be created and the SSSD must be +running. + </para> + <para> + The administrator might want to use the SSSD local users instead of +traditional UNIX users in cases where the group nesting (see <citerefentry> +<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> +</citerefentry>) is needed. The local users are also useful for testing and +development of the SSSD without having to deploy a full remote server. The +<command>sss_user*</command> and <command>sss_group*</command> tools use a +local LDB storage to store users and groups. + </para> +</refsect1> diff --git a/src/man/ja/include/override_homedir.xml b/src/man/ja/include/override_homedir.xml new file mode 100644 index 0000000..13bafd7 --- /dev/null +++ b/src/man/ja/include/override_homedir.xml @@ -0,0 +1,77 @@ +<varlistentry> +<term>override_homedir (文字列)</term> +<listitem> + <para> + ユーザーのホームディレクトリーを上書きします。絶対パスまたはテンプレートを提供できます。テンプレートでは、以下のシーケンスが置換されます: +<variablelist> + <varlistentry> + <term>%u</term> + <listitem><para>ログイン名</para></listitem> + </varlistentry> + <varlistentry> + <term>%U</term> + <listitem><para>UID 番号</para></listitem> + </varlistentry> + <varlistentry> + <term>%d</term> + <listitem><para>ドメイン名</para></listitem> + </varlistentry> + <varlistentry> + <term>%f</term> + <listitem><para>完全修飾ユーザー名 (user@domain)</para></listitem> + </varlistentry> + <varlistentry> + <term>%l</term> + <listitem><para>The first letter of the login name.</para></listitem> + </varlistentry> + <varlistentry> + <term>%P</term> + <listitem><para>UPN - User Principal Name (name@REALM)</para></listitem> + </varlistentry> + <varlistentry> + <term>%o</term> + <listitem><para> + The original home directory retrieved from the identity provider. + </para></listitem> + </varlistentry> + <varlistentry> + <term>%h</term> + <listitem><para> + The original home directory retrieved from the identity provider, but in +lower case. + </para></listitem> + </varlistentry> + <varlistentry> + <term>%H</term> + <listitem><para> + The value of configure option <emphasis>homedir_substring</emphasis>. + </para></listitem> + </varlistentry> + <varlistentry> + <term>%%</term> + <listitem><para>文字 '%'</para> + </listitem> + </varlistentry> + </variablelist> + </para> + <para> + このオプションはドメインごとに設定できます。 + </para> + <para> + 例: <programlisting> +override_homedir = /home/%u + </programlisting> + </para> + <para> + 初期値: 設定なし (SSSD は LDAP から取得された値を使用します) + </para> + <para> + Please note, the home directory from a specific override for the user, +either locally (see +<citerefentry><refentrytitle>sss_override</refentrytitle> +<manvolnum>8</manvolnum></citerefentry>) or centrally managed IPA +id-overrides, has a higher precedence and will be used instead of the value +given by override_homedir. + </para> +</listitem> +</varlistentry> diff --git a/src/man/ja/include/param_help.xml b/src/man/ja/include/param_help.xml new file mode 100644 index 0000000..49af3ff --- /dev/null +++ b/src/man/ja/include/param_help.xml @@ -0,0 +1,10 @@ +<varlistentry> + <term> + <option>-?</option>,<option>--help</option> + </term> + <listitem> + <para> + ヘルプメッセージを表示して終了します。 + </para> + </listitem> +</varlistentry> diff --git a/src/man/ja/include/param_help_py.xml b/src/man/ja/include/param_help_py.xml new file mode 100644 index 0000000..c239492 --- /dev/null +++ b/src/man/ja/include/param_help_py.xml @@ -0,0 +1,10 @@ +<varlistentry> + <term> + <option>-h</option>,<option>--help</option> + </term> + <listitem> + <para> + ヘルプメッセージを表示して終了します。 + </para> + </listitem> +</varlistentry> diff --git a/src/man/ja/include/seealso.xml b/src/man/ja/include/seealso.xml new file mode 100644 index 0000000..82d0d32 --- /dev/null +++ b/src/man/ja/include/seealso.xml @@ -0,0 +1,49 @@ + <refsect1 id='see_also'> + <title>関連項目</title> + <para> + <citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd-ldap-attributes</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd-ipa</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, <phrase condition="with_files_provider"> <citerefentry> +<refentrytitle>sssd-files</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, </phrase> <phrase condition="with_sudo"> <citerefentry> +<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> +</citerefentry>, </phrase> <citerefentry> +<refentrytitle>sssd-session-recording</refentrytitle> +<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> +<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>, <phrase condition="with_ssh"> <citerefentry> +<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> +<manvolnum>8</manvolnum> </citerefentry>, <citerefentry> +<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> +<manvolnum>8</manvolnum> </citerefentry>, </phrase> <phrase +condition="with_ifp"> <citerefentry> <refentrytitle>sssd-ifp</refentrytitle> +<manvolnum>5</manvolnum> </citerefentry>, </phrase> <citerefentry> +<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>. <citerefentry> +<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> +</citerefentry> <phrase condition="with_stap"> <citerefentry> +<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> +</citerefentry> </phrase> + </para> + </refsect1> diff --git a/src/man/ja/include/service_discovery.xml b/src/man/ja/include/service_discovery.xml new file mode 100644 index 0000000..1e0efb9 --- /dev/null +++ b/src/man/ja/include/service_discovery.xml @@ -0,0 +1,37 @@ +<refsect1 id='service_discovery'> + <title>サービス探索</title> + <para> + The service discovery feature allows back ends to automatically find the +appropriate servers to connect to using a special DNS query. This feature is +not supported for backup servers. + </para> + <refsect2 id='configuration'> + <title>設定</title> + <para> + 何もサーバーが指定されていなければ、バックエンドがサーバーを見つけようとするために、サービス探索を自動的に使用します。オプションとして、サーバーの一覧に特別なキーワード +<quote>_srv_</quote> +を挿入することにより、ユーザーが固定サーバーアドレスおよびサービス探索のどちらも使用することを選択できます。これは設定の順番が維持されます。たとえば、ユーザーができる限りサービス探索を使用し、DNS +を使用してサーバーを探索できないときに特定のサーバーにフォールバックしたい場合、この機能は有用です。 + </para> + </refsect2> + <refsect2 id='domain_name'> + <title>ドメイン名</title> + <para> + 詳細は <citerefentry> <refentrytitle>sssd.conf</refentrytitle> +<manvolnum>5</manvolnum> </citerefentry> マニュアルページにある +<quote>dns_discovery_domain</quote> パラメーターを参照してください。 + </para> + </refsect2> + <refsect2 id='search_protocol'> + <title>プロトコル</title> + <para> + 問い合わせは通常プロトコルとして _tcp を指定します。その他はそれぞれのオプションの説明にドキュメント化されています。 + </para> + </refsect2> + <refsect2 id='reference'> + <title>関連項目</title> + <para> + サービス検索メカニズムに関する詳細は RFC 2782 を参照してください。 + </para> + </refsect2> +</refsect1> diff --git a/src/man/ja/include/upstream.xml b/src/man/ja/include/upstream.xml new file mode 100644 index 0000000..2a4ad16 --- /dev/null +++ b/src/man/ja/include/upstream.xml @@ -0,0 +1,3 @@ +<refentryinfo> +<productname>SSSD</productname> <orgname>The SSSD upstream - +https://github.com/SSSD/sssd/</orgname></refentryinfo> diff --git a/src/man/ja/sss_obfuscate.8.xml b/src/man/ja/sss_obfuscate.8.xml new file mode 100644 index 0000000..9bf071f --- /dev/null +++ b/src/man/ja/sss_obfuscate.8.xml @@ -0,0 +1,91 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<reference> +<title>SSSD マニュアル ページ</title> +<refentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> + + <refmeta> + <refentrytitle>sss_obfuscate</refentrytitle> + <manvolnum>8</manvolnum> + </refmeta> + + <refnamediv id='name'> + <refname>sss_obfuscate</refname> + <refpurpose>平文パスワードをわかりにくくする</refpurpose> + </refnamediv> + + <refsynopsisdiv id='synopsis'> + <cmdsynopsis> +<command>sss_obfuscate</command> <arg choice='opt'> +<replaceable>options</replaceable> </arg> <arg +choice='plain'><replaceable>[PASSWORD]</replaceable></arg></cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id='description'> + <title>概要</title> + <para> + <command>sss_obfuscate</command> は、与えられたパスワードを人間が読みにくい形式に変換して、SSSD +設定ファイルの適切なドメインセクションに置きます。 + </para> + <para> + 平文のパスワードは、標準入力から読み込まれます、または対話的に入力されます。解読しにくくされたパスワードが指定された SSSD ドメインの +<quote>ldap_default_authtok</quote> パラメータに置かれます。また +<quote>ldap_default_authtok_type</quote> パラメーターが +<quote>obfuscated_password</quote> に設定されます。これらのパラメーターの詳細は <citerefentry> +<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> +</citerefentry> を参照してください。 + </para> + <para> + パスワードをわかりにくくすることは、攻撃者がパスワードをリバースエンジニアリングできるので +<emphasis>実際にセキュリティの便益</emphasis> は提供されません。クライアントサイド証明書や GSSAPI +のようなより良い認証機構を使用することを <emphasis>強く</emphasis> 推奨します。 + </para> + </refsect1> + + <refsect1 id='options'> + <title>オプション</title> + <variablelist remap='IP'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help_py.xml" /> + <varlistentry> + <term> + <option>-s</option>,<option>--stdin</option> + </term> + <listitem> + <para> + 解読しにくくするパスワードが標準入力から読み込まれます。 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-d</option>,<option>--domain</option> +<replaceable>DOMAIN</replaceable> + </term> + <listitem> + <para> + パスワードに使用する SSSD ドメインです。名前の初期値は <quote>default</quote> です。 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable> + </term> + <listitem> + <para> + 位置パラメーターにより指定された設定ファイルを読み込みます。 + </para> + <para> + 初期値: <filename>/etc/sssd/sssd.conf</filename> + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" /> + +</refentry> +</reference> diff --git a/src/man/ja/sss_ssh_knownhostsproxy.1.xml b/src/man/ja/sss_ssh_knownhostsproxy.1.xml new file mode 100644 index 0000000..4790c28 --- /dev/null +++ b/src/man/ja/sss_ssh_knownhostsproxy.1.xml @@ -0,0 +1,103 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<reference> +<title>SSSD マニュアル ページ</title> +<refentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> + + <refmeta> + <refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> + <manvolnum>1</manvolnum> + </refmeta> + + <refnamediv id='name'> + <refname>sss_ssh_knownhostsproxy</refname> + <refpurpose>OpenSSH ホストキーを取得します</refpurpose> + </refnamediv> + + <refsynopsisdiv id='synopsis'> + <cmdsynopsis> +<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> +<replaceable>options</replaceable> </arg> <arg +choice='plain'><replaceable>HOST</replaceable></arg> <arg +choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg></cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id='description'> + <title>概要</title> + <para> + <command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for +host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH +known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section +of <citerefentry><refentrytitle>sshd</refentrytitle> +<manvolnum>8</manvolnum></citerefentry> for more information) +<filename>/var/lib/sss/pubconf/known_hosts</filename> and establishes the +connection to the host. + </para> + <para> + <replaceable>PROXY_COMMAND</replaceable> +が指定されていると、ソケットを開く代わりにホストへの接続を作成するために使用されます。 + </para> + <para> + <citerefentry><refentrytitle>ssh</refentrytitle> +<manvolnum>1</manvolnum></citerefentry> は +<citerefentry><refentrytitle>ssh</refentrytitle> +<manvolnum>1</manvolnum></citerefentry> 設定に対して以下のディレクティブを使用することにより、ホストキー認証に +<command>sss_ssh_knownhostsproxy</command> を使用するために設定できます: <programlisting> +ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h +GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts +</programlisting> + </para> + </refsect1> + + <refsect1 id='options'> + <title>オプション</title> + <variablelist remap='IP'> + <varlistentry> + <term> + <option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable> + </term> + <listitem> + <para> + ホストに接続するためにポート <replaceable>PORT</replaceable> を使用します。初期値ではポート 22 が使用されます。 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-d</option>,<option>--domain</option> +<replaceable>DOMAIN</replaceable> + </term> + <listitem> + <para> + SSSD ドメイン <replaceable>DOMAIN</replaceable> においてホスト公開鍵を検索します。 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-k</option>,<option>--pubkey</option> + </term> + <listitem> + <para> + Print the host ssh public keys for host <replaceable>HOST</replaceable>. + </para> + </listitem> + </varlistentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" /> + </variablelist> + </refsect1> + + <refsect1 id='exit_status'> + <title>終了コード</title> + <para> + In case of success, an exit value of 0 is returned. Otherwise, 1 is +returned. + </para> + </refsect1> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" /> + +</refentry> +</reference> diff --git a/src/man/ja/sssd-simple.5.xml b/src/man/ja/sssd-simple.5.xml new file mode 100644 index 0000000..abb4fea --- /dev/null +++ b/src/man/ja/sssd-simple.5.xml @@ -0,0 +1,135 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<reference> +<title>SSSD マニュアル ページ</title> +<refentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> + + <refmeta> + <refentrytitle>sssd-simple</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="manual">ファイル形式および変換</refmiscinfo> + </refmeta> + + <refnamediv id='name'> + <refname>sssd-simple</refname> + <refpurpose>SSSD の 'simple' アクセス制御プロバイダーの設定ファイルです。</refpurpose> + </refnamediv> + + <refsect1 id='description'> + <title>概要</title> + <para> + このマニュアルは <citerefentry> <refentrytitle>sssd</refentrytitle> +<manvolnum>8</manvolnum> </citerefentry> に対して簡単なアクセス制御の設定を説明しています。詳細は +<citerefentry> <refentrytitle>sssd.conf</refentrytitle> +<manvolnum>5</manvolnum> </citerefentry> マニュアルページの <quote>ファイル形式</quote> +セクションを参照してください。 + </para> + <para> + シンプルアクセスプロバイダーは、ユーザー名またはグループ名のアクセスまたは拒否の一覧に基づいてアクセスを許可または拒否します。以下の例を適用します: + <itemizedlist> + <listitem> + <para>すべての一覧が空白ならば、アクセスが認められます</para> + </listitem> + <listitem> + <para> + 何らかの一覧が提供されていると、許可(allow)、拒否(deny)の順に評価されます。拒否ルールに一致するすべてのものは、許可ルールに一致するすべてのものを更新することを意味します。 + </para> + </listitem> + <listitem> + <para> + "allow" 一覧が提供されていると、すべてのユーザーはこの一覧に表れなければ拒否されます。 + </para> + </listitem> + <listitem> + <para> + "deny" 一覧のみが提供されていると、ユーザーがこの一覧に表れない限り、すべてのユーザーがアクセスを許可されます。 + </para> + </listitem> + </itemizedlist> + </para> + </refsect1> + + <refsect1 id='configuration-options'> + <title>設定オプション</title> + <para>SSSD ドメインの設定に関する詳細は <citerefentry> <refentrytitle>sssd.conf</refentrytitle> +<manvolnum>5</manvolnum> </citerefentry> マニュアルページの <quote>ドメインセクション</quote> +のセクションを参照してください。 <variablelist> + <varlistentry> + <term>simple_allow_users (文字列)</term> + <listitem> + <para> + ログインが許可されたユーザーのカンマ区切り一覧です。 + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>simple_deny_users (文字列)</term> + <listitem> + <para> + アクセスが明示的に拒否されたユーザーのカンマ区切り一覧です。 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>simple_allow_groups (文字列)</term> + <listitem> + <para> + ログインが許可されたグループのカンマ区切り一覧です。この SSSD ドメインの中のグループのみに適用されます。ローカルグループは評価されません。 + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>simple_deny_groups (文字列)</term> + <listitem> + <para> + アクセスが明示的に拒否されたグループのカンマ区切り一覧です。この SSSD ドメインの中のグループのみに適用されます。ローカルグループは評価されません。 + </para> + </listitem> + </varlistentry> + </variablelist> + </para> + <para> + Specifying no values for any of the lists is equivalent to skipping it +entirely. Beware of this while generating parameters for the simple provider +using automated scripts. + </para> + <para> + simple_allow_users と simple_deny_users がどちらも定義されると、設定エラーになることに注意してください。 + </para> + </refsect1> + + <refsect1 id='example'> + <title>例</title> + <para> + 以下の例は、SSSD が正しく設定され、example.com が <replaceable>[sssd]</replaceable> +セクションにあるドメインの 1 つであると仮定します。この例はアクセスプロバイダー固有の簡単なオプションのみを示します。 + </para> + <para> +<programlisting> +[domain/example.com] +access_provider = simple +simple_allow_users = user1, user2 +</programlisting> + </para> + </refsect1> + + <refsect1 id='notes'> + <title>注記</title> + <para> + The complete group membership hierarchy is resolved before the access check, +thus even nested groups can be included in the access lists. Please be +aware that the <quote>ldap_group_nesting_level</quote> option may impact the +results and should be set to a sufficient value. (<citerefentry> +<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>) option. + </para> + </refsect1> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" /> + +</refentry> +</reference> |