Timestamp:
May 24, 2009, 7:17:10 AM (16 years ago)
Author:
Herwig Bauernfeind
Message:

Update Samba 3.3 to 3.3.1

File:
1 edited

  • branches/samba-3.3.x/docs/manpages/smb.conf.5

    r216 r221  
    22.\"    Author: [see the "AUTHOR" section]
    33.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
    4 .\"      Date: 01/27/2009
     4.\"      Date: 02/24/2009
    55.\"    Manual: File Formats and Conventions
    66.\"    Source: Samba 3.3
    77.\"  Language: English
    88.\"
    9 .TH "SMB\&.CONF" "5" "01/27/2009" "Samba 3\&.3" "File Formats and Conventions"
     9.TH "SMB\&.CONF" "5" "02/24/2009" "Samba 3\&.3" "File Formats and Conventions"
    1010.\" -----------------------------------------------------------------
    1111.\" * (re)Define some macros
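Review bot: the Source field (line 6) and the fifth argument of the .TH line (line 9) still read "Samba 3\&.3" while the commit message says this is the update to 3.3.1; if the generated page is meant to carry the point release, the DocBook source should be regenerated with the new version string rather than only the new date. If the series-level "Samba 3.3" label is intentional, no change is needed.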
     
    10471047\fBsmbd\fR(8)does on receiving a protocol request of "open for delete" from a Windows client\&. If a Windows client doesn\'t have permissions to delete a file then they expect this to be denied at open time\&. POSIX systems normally only detect restrictions on delete by actually attempting to delete the file or directory\&. As Windows clients can (and do) "back out" a delete request by unsetting the "delete on close" bit Samba cannot delete the file immediately on "open for delete" request as we cannot restore such a deleted file\&. With this parameter set to true (the default) then smbd checks the file system permissions directly on "open for delete" and denies the request without actually deleting the file if the file system permissions would seem to deny it\&. This is not perfect, as it\'s possible a user could have deleted a file without Samba being able to check the permissions correctly, but it is close enough to Windows semantics for mostly correct behaviour\&. Samba will correctly check POSIX ACL semantics in this case\&.
    10481048.sp
    1049 If this parameter is set to "false" Samba doesn\'t check permissions on "open for delete" and allows the open\&. If the user doesn\'t have permission to delete the file this will only be discovered at close time, which is too late for the Windows user tools to display an error message to the user\&. The symptom of this is files that appear to have been deleted "magically" re\-appearing on a Windows explorer refersh\&. This is an extremely advanced protocol option which should not need to be changed\&. This parameter was introduced in its final form in 3\&.0\&.21, an earlier version with slightly different semantics was introduced in 3\&.0\&.20\&. That older version is not documented here\&.
     1049If this parameter is set to "false" Samba doesn\'t check permissions on "open for delete" and allows the open\&. If the user doesn\'t have permission to delete the file this will only be discovered at close time, which is too late for the Windows user tools to display an error message to the user\&. The symptom of this is files that appear to have been deleted "magically" re\-appearing on a Windows explorer refresh\&. This is an extremely advanced protocol option which should not need to be changed\&. This parameter was introduced in its final form in 3\&.0\&.21, an earlier version with slightly different semantics was introduced in 3\&.0\&.20\&. That older version is not documented here\&.
    10501050.sp
    10511051Default:
     
    20062006and other samba client tools will attempt to authenticate itself to servers using the weaker LANMAN password hash\&. If disabled, only server which support NT password hashes (e\&.g\&. Windows NT/2000, Samba, etc\&.\&.\&. but not Windows 95/98) will be able to be connected from the Samba client\&.
    20072007.sp
    2008 The LANMAN encrypted response is easily broken, due to it\'s case\-insensitive nature, and the choice of algorithm\&. Clients without Windows 95/98 servers are advised to disable this option\&.
     2008The LANMAN encrypted response is easily broken, due to its case\-insensitive nature, and the choice of algorithm\&. Clients without Windows 95/98 servers are advised to disable this option\&.
    20092009.sp
    20102010Disabling this option will also disable the
     
    21152115.PP
    21162116.RS 4
    2117 This controls whether the client offers or requires the server it talks to to use SMB signing\&. Possible values are
     2117This controls whether the client is allowed or required to use SMB signing\&. Possible values are
    21182118\fIauto\fR,
    21192119\fImandatory\fR
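Review bot: the rewritten sentence at 2117 drops information the old wording carried: "offers or requires the server it talks to to use SMB signing" mapped onto the two listed values, whereas "is allowed or required to use SMB signing" no longer says what \fIauto\fR does or that the negotiation is with the peer server. Suggest keeping the negotiation sense while fixing the duplicated "to to", e.g. "This controls whether the client offers or requires SMB signing when talking to a server."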
     
    31353135.PP
    31363136.RS 4
    3137 Hosts running the "Advanced Server for Unix (ASU)" product require some special accomodations such as creating a builting [ADMIN$] share that only supports IPC connections\&. The has been the default behavior in smbd for many years\&. However, certain Microsoft applications such as the Print Migrator tool require that the remote server support an [ADMIN$} file share\&. Disabling this parameter allows for creating an [ADMIN$] file share in smb\&.conf\&.
     3137Hosts running the "Advanced Server for Unix (ASU)" product require some special accomodations such as creating a builtin [ADMIN$] share that only supports IPC connections\&. The has been the default behavior in smbd for many years\&. However, certain Microsoft applications such as the Print Migrator tool require that the remote server support an [ADMIN$} file share\&. Disabling this parameter allows for creating an [ADMIN$] file share in smb\&.conf\&.
    31383138.sp
    31393139Default:
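Review bot: line 3137 fixes "builting" but leaves three other defects in the same sentence: "accomodations" should be "accommodations", "The has been the default behavior" should be "This has been the default behavior", and "[ADMIN$}" has a mismatched closing brace and should be "[ADMIN$]" like the other two occurrences.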
     
    31913191The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, followed by a browse synchronization with each of the returned DMBs\&. The second enhancement consists of a regular randomised browse synchronization with all currently known DMBs\&.
    31923192.sp
    3193 You may wish to disable this option if you have a problem with empty workgroups not disappearing from browse lists\&. Due to the restrictions of the browse protocols these enhancements can cause a empty workgroup to stay around forever which can be annoying\&.
     3193You may wish to disable this option if you have a problem with empty workgroups not disappearing from browse lists\&. Due to the restrictions of the browse protocols, these enhancements can cause a empty workgroup to stay around forever which can be annoying\&.
    31943194.sp
    31953195In general you should leave this option enabled as it makes cross\-subnet browse propagation much more reliable\&.
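Review bot: line 3193 adds a comma but keeps "a empty workgroup", which should read "an empty workgroup".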
     
    45414541will attempt to authenticate users or permit password changes using the LANMAN password hash\&. If disabled, only clients which support NT password hashes (e\&.g\&. Windows NT/2000 clients, smbclient, but not Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host\&.
    45424542.sp
    4543 The LANMAN encrypted response is easily broken, due to it\'s case\-insensitive nature, and the choice of algorithm\&. Servers without Windows 95/98/ME or MS DOS clients are advised to disable this option\&.
     4543The LANMAN encrypted response is easily broken, due to its case\-insensitive nature, and the choice of algorithm\&. Servers without Windows 95/98/ME or MS DOS clients are advised to disable this option\&.
    45444544.sp
    45454545Unlike the
     
    49034903.RE
    49044904
     4905ldap ssl ads (G)
     4906.\" ldap ssl ads
     4907.PP
     4908.RS 4
     4909This option is used to define whether or not Samba should use SSL when connecting to the ldap server using
     4910\fIads\fR
     4911methods\&. Rpc methods are not affected by this parameter\&. Please note, that this parameter won\'t have any effect if
     4912\m[blue]\fBldap ssl\fR\m[]
     4913is set to
     4914\fIno\fR\&.
     4915.sp
     4916See
     4917smb\&.conf(5)
     4918for more information on
     4919\m[blue]\fBldap ssl\fR\m[]\&.
     4920.sp
     4921Default:
     4922\fI\fIldap ssl ads\fR\fR\fI = \fR\fI\FCno\F[]\fR\fI \fR
     4923.RE
     4924
    49054925ldap ssl (G)
    49064926.\" ldap ssl
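Review bot: the new "ldap ssl ads" entry (4905-4923) describes the option as making Samba "use SSL" when connecting to the LDAP server, but the companion text added later in this changeset under "ldap ssl" says that what it enables for \fIads\fR methods is the LDAPv3 StartTLS extended operation; the two descriptions should agree so an administrator knows whether to expect StartTLS on the LDAP port or an ldaps:// connection. Since the documented default is \fIno\fR, it would also help to state explicitly that ads-method LDAP traffic is not protected unless both this parameter and "ldap ssl" are set, which is the point the later paragraph makes. Minor: "Rpc methods" should probably be "RPC methods".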
     
    49154935script\&.
    49164936.sp
    4917 LDAP connections should be secured where possible\&. This may be done setting either this parameter to
     4937LDAP connections should be secured where possible\&. This may be done setting
     4938\fIeither\fR
     4939this parameter to
    49184940\fIStart_tls\fR
    4919 or by specifying
     4941\fIor\fR
     4942by specifying
    49204943\fIldaps://\fR
    49214944in the URL argument of
     
    49504973.sp
    49514974.RE
     4975Please note that this parameter does only affect
     4976\fIrpc\fR
     4977methods\&. To enable the LDAPv3 StartTLS extended operation (RFC2830) for
     4978\fIads\fR, set
     4979\m[blue]\fBldap ssl = yes\fR\m[]
     4980\fIand\fR
     4981\m[blue]\fBldap ssl ads = yes\fR\m[]\&. See
     4982smb\&.conf(5)
     4983for more information on
     4984\m[blue]\fBldap ssl ads\fR\m[]\&.
     4985.sp
    49524986Default:
    49534987\fI\fIldap ssl\fR\fR\fI = \fR\fI\FCstart tls\F[]\fR\fI \fR
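Review bot: the added paragraph (4975-4984) tells the reader to set "ldap ssl = yes", but the value used elsewhere in this section is \fIStart_tls\fR (4940) and the documented default is "start tls" (4987); the three spellings should be reconciled so the instruction can be copied verbatim into smb.conf. Also "does only affect \fIrpc\fR methods" reads better as "only affects \fIrpc\fR methods".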
     
    74457479By specifying the name of another SMB server or Active Directory domain controller with this option, and using
    74467480\FCsecurity = [ads|domain|server]\F[]
    7447 it is possible to get Samba to to do all its username/password validation using a specific remote server\&.
     7481it is possible to get Samba to do all its username/password validation using a specific remote server\&.
    74487482.sp
    74497483This option sets the name or IP address of the password server to use\&. New syntax has been added to support defining the port to use when connecting to the server the case of an ADS realm\&. To define a port other than the default LDAP port of 389, add the port number using a colon after the name or IP address (e\&.g\&. 192\&.168\&.1\&.100:389)\&. If you do not specify a port, Samba will use the standard LDAP port of tcp/389\&. Note that port numbers have no effect on password servers for Windows NT 4\&.0 domains or netbios connections\&.
     
    82258259.RS 4
    82268260This option allows you to setup
    8227 \fBnmbd\fR(8)to periodically announce itself to arbitrary IP addresses with an arbitrary workgroup name\&.
     8261\fBnmbd\fR(8)
     8262to periodically announce itself to arbitrary IP addresses with an arbitrary workgroup name\&.
    82288263.sp
    82298264This is useful if you want your Samba server to appear in a remote workgroup for which the normal browse propagation rules don\'t work\&. The remote workgroup can be anywhere that you can send IP packets to\&.
     
    82578292the above line would cause
    82588293\FCnmbd\F[]
    8259 to announce itself to the two given IP addresses using the given workgroup names\&. If you leave out the workgroup name then the one given in the
     8294to announce itself to the two given IP addresses using the given workgroup names\&. If you leave out the workgroup name, then the one given in the
    82608295\m[blue]\fBworkgroup\fR\m[]
    82618296parameter is used instead\&.
     
    85598594if you want to mainly setup shares without a password (guest shares)\&. This is commonly used for a shared printer server\&. It is more difficult to setup guest shares with
    85608595\FCsecurity = user\F[], see the
    8561 \m[blue]\fBmap to guest\fR\m[]parameter for details\&.
     8596\m[blue]\fBmap to guest\fR\m[]
     8597parameter for details\&.
    85628598.sp
    85638599It is possible to use
     
    85728608\fISECURITY = SHARE\fR
    85738609.sp
    8574 When clients connect to a share level security server they need not log onto the server with a valid username and password before attempting to connect to a shared resource (although modern clients such as Windows 95/98 and Windows NT will send a logon request with a username but no password when talking to a
     8610When clients connect to a share level security server, they need not log onto the server with a valid username and password before attempting to connect to a shared resource (although modern clients such as Windows 95/98 and Windows NT will send a logon request with a username but no password when talking to a
    85758611\FCsecurity = share \F[]
    85768612server)\&. Instead, the clients send authentication information (passwords) on a per\-share basis, at the time they attempt to connect to that share\&.
     
    87778813.ps -1
    87788814.br
    8779 From the client\'s point of view
     8815From the client\'s point of view,
    87808816\FCsecurity = server\F[]
    87818817is the same as
     
    88298865.sp
    88308866Please note that with this set to
    8831 \FCno\F[]
    8832 you will have to apply the WindowsXP
     8867\FCno\F[], you will have to apply the WindowsXP
    88338868\FCWinXP_SignOrSeal\&.reg\F[]
    88348869registry patch found in the docs/registry subdirectory of the Samba distribution tarball\&.
     
    88458880.PP
    88468881.RS 4
    8847 This controls whether the server offers or requires the client it talks to to use SMB signing\&. Possible values are
     8882This controls whether the client is allowed or required to use SMB signing\&. Possible values are
    88488883\fIauto\fR,
    88498884\fImandatory\fR
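Review bot: line 8882 makes the "server signing" description identical to the "client signing" text changed earlier in this changeset (2117), so the entry now says it controls "whether the client is allowed or required" for a parameter that is set on the server side; the subject should stay the server, e.g. "This controls whether the server offers or requires SMB signing from the clients that connect to it."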
     
    92589293This is a new feature introduced with Samba 3\&.2 and above\&. It is an extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions\&. SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt and sign every request/response in a SMB protocol stream\&. When enabled it provides a secure method of SMB/CIFS communication, similar to an ssh protected session, but using SMB/CIFS authentication to negotiate encryption and signing keys\&. Currently this is only supported by Samba 3\&.2 smbclient, and hopefully soon Linux CIFSFS and MacOS/X clients\&. Windows clients do not support this feature\&.
    92599294.sp
    9260 This controls whether the server offers or requires the client it talks to to use SMB encryption\&. Possible values are
     9295This controls whether the remote client is allowed or required to use SMB encryption\&. Possible values are
    92619296\fIauto\fR,
    92629297\fImandatory\fR
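Review bot: as with the signing parameters in this changeset, "is allowed or required to use SMB encryption" (9295) no longer expresses that under \fIauto\fR the server offers encryption to the client rather than merely permitting it; suggest wording that keeps the offer/require distinction the old line had, since operators choosing between \fIauto\fR and \fImandatory\fR need to know what \fIauto\fR actually does.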
     
    95529587\fByes\fR, the server will check every read and write access for file locks, and deny access if locks exist\&. This can be slow on some systems\&.
    95539588.sp
    9554 When strict locking is set to Auto (the default), the server performs file lock checks only on non\-oplocked files\&. As most Windows redirectors perform file locking checks locally on oplocked files this is a good trade off for inproved performance\&.
     9589When strict locking is set to Auto (the default), the server performs file lock checks only on non\-oplocked files\&. As most Windows redirectors perform file locking checks locally on oplocked files this is a good trade off for improved performance\&.
    95559590.sp
    95569591When strict locking is disabled, the server performs file lock checks only when the client explicitly asks for them\&.
     
    97469781.PP
    97479782.RS 4
    9748 This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) password in the smbpasswd file to be updated automatically as they log on\&. This option allows a site to migrate from plaintext password authentication (users authenticate with plaintext password over the wire, and are checked against a UNIX account atabase) to encrypted password authentication (the SMB challenge/response authentication mechanism) without forcing all users to re\-enter their passwords via smbpasswd at the time the change is made\&. This is a convenience option to allow the change over to encrypted passwords to be made over a longer period\&. Once all users have encrypted representations of their passwords in the smbpasswd file this parameter should be set to
     9783This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) password in the smbpasswd file to be updated automatically as they log on\&. This option allows a site to migrate from plaintext password authentication (users authenticate with plaintext password over the wire, and are checked against a UNIX account database) to encrypted password authentication (the SMB challenge/response authentication mechanism) without forcing all users to re\-enter their passwords via smbpasswd at the time the change is made\&. This is a convenience option to allow the change over to encrypted passwords to be made over a longer period\&. Once all users have encrypted representations of their passwords in the smbpasswd file this parameter should be set to
    97499784\fBno\fR\&.
    97509785.sp
     
    97599794to work\&.
    97609795.sp
    9761 Note that even when this parameter is set a user authenticating to
     9796Note that even when this parameter is set, a user authenticating to
    97629797\FCsmbd\F[]
    97639798must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) passwords\&.
     
    97779812.sp
    97789813If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead\&. Thus allowing the OpenPrinterEx() call to succeed\&.
    9779 \fIThis parameter MUST not be able enabled on a print share which has valid print driver installed on the Samba server\&.\fR
     9814\fIThis parameter MUST not be enabled on a print share which has valid print driver installed on the Samba server\&.\fR
    97809815.sp
    97819816Default:
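Review bot: line 9814 removes the stray "able" but the sentence still lacks an article: "which has valid print driver" should be "which has a valid print driver". In the preceding context line, "Thus allowing the OpenPrinterEx() call to succeed\&." is a sentence fragment and could be joined to the previous sentence with a comma.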
     
    1012510160This parameter controls whether user defined shares are allowed to be accessed by non\-authenticated users or not\&. It is the equivalent of allowing people who can create a share the option of setting
    1012610161\fIguest ok = yes\fR
    10127 in a share definition\&. Due to the security sensitive nature of this the default is set to off\&.
     10162in a share definition\&. Due to its security sensitive nature, the default is set to off\&.
    1012810163.sp
    1012910164Default:
     
    1019710232.PP
    1019810233.RS 4
    10199 This parameter specifies a list of absolute pathnames the root of which are allowed to be exported by user defined share definitions\&. If the pathname exported doesn\'t start with one of the strings in this list the user defined share will not be allowed\&. This allows the Samba administrator to restrict the directories on the system that can be exported by user defined shares\&.
     10234This parameter specifies a list of absolute pathnames the root of which are allowed to be exported by user defined share definitions\&. If the pathname to be exported doesn\'t start with one of the strings in this list, the user defined share will not be allowed\&. This allows the Samba administrator to restrict the directories on the system that can be exported by user defined shares\&.
    1020010235.sp
    1020110236If there is a "usershare prefix deny list" and also a "usershare prefix allow list" the deny list is processed first, followed by the allow list, thus leading to the most restrictive interpretation\&.
     
    1022710262.PP
    1022810263.RS 4
    10229 User defined shares only have limited possible parameters such as path, guest ok etc\&. This parameter allows usershares to "cloned" from an existing share\&. If "usershare template share" is set to the name of an existing share, then all usershares created have their defaults set from the parameters set on this share\&.
     10264User defined shares only have limited possible parameters such as path, guest ok, etc\&. This parameter allows usershares to "cloned" from an existing share\&. If "usershare template share" is set to the name of an existing share, then all usershares created have their defaults set from the parameters set on this share\&.
    1023010265.sp
    1023110266The target share may be set to be invalid for real file sharing by setting the parameter "\-valid = False" on the template share definition\&. This causes it not to be seen as a real exported share but to be able to be used as a template for usershares\&.
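Review bot: line 10264 adds the comma after "guest ok" but leaves 'allows usershares to "cloned"', which is missing "be": 'allows usershares to be "cloned" from an existing share'.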