Changeset 740 for vendor/current/docs-xml/smbdotconf

Timestamp:

Nov 14, 2012, 12:59:34 PM (13 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update vendor to 3.6.0

Location:

vendor/current/docs-xml/smbdotconf

Files:

• base/multicastdnsregister.xml (added)
• locking/posixlocking.xml (modified) (1 diff)
• logon/enableprivileges.xml (modified) (1 diff)
• misc/asyncsmbechohandler.xml (added)
• misc/ctdblocktimewarnthreshold.xml (added)
• misc/logwriteablefilesonexit.xml (added)
• misc/ncalrpcdir.xml (added)
• misc/rpcserver.xml (added)
• misc/timeoffset.xml (modified) (1 diff)
• printing/addportcommand.xml (modified) (1 diff)
• printing/printcapcachetime.xml (modified) (1 diff)
• printing/printnotifybackchannel.xml (added)
• protocol/smb2maxcredits.xml (added)
• protocol/smb2maxread.xml (added)
• protocol/smb2maxtrans.xml (added)
• protocol/smb2maxwrite.xml (added)
• protocol/usespnego.xml (modified) (1 diff)
• security/clientntlmv2auth.xml (modified) (2 diffs)
• security/guestok.xml (modified) (1 diff)
• security/passwordlevel.xml (modified) (1 diff)
• security/passwordserver.xml (modified) (3 diffs)
• security/security.xml (modified) (6 diffs)
• security/sendspengoprincipal.xml (added)
• security/updateencrypted.xml (deleted)
• security/username.xml (modified) (1 diff)
• security/usernamemapcachetime.xml (added)
• tuning/strictallocate.xml (modified) (1 diff)
• winbind/idmapallocbackend.xml (deleted)
• winbind/idmapallocconfig.xml (deleted)
• winbind/idmapbackend.xml (modified) (1 diff)
• winbind/idmapconfig.xml (modified) (4 diffs)
• winbind/idmapgid.xml (modified) (1 diff)
• winbind/idmapuid.xml (modified) (1 diff)
• winbind/winbindmaxclients.xml (added)
• winbind/winbindmaxdomainconnections.xml (added)
• winbind/winbindusedefaultdomain.xml (modified) (1 diff)

vendor/current/docs-xml/smbdotconf/locking/posixlocking.xml

@@ -9 +9 @@
         to map this internal database to POSIX locks. This means that file locks obtained by SMB clients are 
         consistent with those seen by POSIX compliant applications accessing the files via a non-SMB 
-        method (e.g. NFS or local file access). You should never need to disable this parameter.
+        method (e.g. NFS or local file access). It is very unlikely that you need to set this parameter
+        to "no", unless you are sharing from an NFS mount, which is not a good idea in the first place.
         </para>
 </description>

vendor/current/docs-xml/smbdotconf/logon/enableprivileges.xml

@@ -6 +6 @@
 <description>
         <para>
-        This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either
+        This deprecated parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either
          <command>net rpc rights</command> or one of the Windows user and group manager tools.  This parameter is
         enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to

vendor/current/docs-xml/smbdotconf/misc/timeoffset.xml

@@ -5 +5 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-        <para>This parameter is a setting in minutes to add 
+        <para>This deprecated parameter is a setting in minutes to add
         to the normal GMT to local time conversion. This is useful if 
         you are serving a lot of PCs that have incorrect daylight 
         saving time handling.</para>
+
+        <note><para>This option is deprecated, and will be removed in the next major release</para></note>
 </description>
 

vendor/current/docs-xml/smbdotconf/printing/addportcommand.xml

@@ -16 +16 @@
     </itemizedlist>
                 
-    <para>The deviceURI is in the for of socket://&lt;hostname&gt;[:&lt;portnumber&gt;]
+    <para>The deviceURI is in the format of socket://&lt;hostname&gt;[:&lt;portnumber&gt;]
         or lpd://&lt;hostname&gt;/&lt;queuename&gt;.</para>
 </description>

vendor/current/docs-xml/smbdotconf/printing/printcapcachetime.xml

@@ -6 +6 @@
 <description>
     <para>This option specifies the number of seconds before the printing
-    subsystem is again asked for the known printers.  If the value
-    is greater than 60 the initial waiting time is set to 60 seconds
-    to allow an earlier first rescan of the printing subsystem.
+    subsystem is again asked for the known printers.
     </para>
 

vendor/current/docs-xml/smbdotconf/protocol/usespnego.xml

@@ -5 +5 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-    <para>This variable controls controls whether samba will try 
+    <para>This deprecated variable controls controls whether samba will try
     to use Simple and Protected NEGOciation (as specified by rfc2478) with 
     WindowsXP and Windows2000 clients to agree upon an authentication mechanism. 

vendor/current/docs-xml/smbdotconf/security/clientntlmv2auth.xml

@@ -11 +11 @@
 
     <para>If enabled, only an NTLMv2 and LMv2 response (both much more
-    secure than earlier versions) will be sent.  Many servers
+    secure than earlier versions) will be sent.  Older servers
     (including NT4 &lt; SP4, Win9x and Samba 2.2) are not compatible with
-    NTLMv2.  </para>
+    NTLMv2 when not in an NTLMv2 supporting domain</para>
 
     <para>Similarly, if enabled, NTLMv1, <command
@@ -25 +25 @@
     moreinfo="none">client lanman auth</command>.  </para>
 
-    <para>Note that some sites (particularly
-    those following 'best practice' security polices) only allow NTLMv2
-        responses, and not the weaker LM or NTLM.</para>
+    <para>Note that Windows Vista and later versions already use
+    NTLMv2 by default, and some sites (particularly those following
+    'best practice' security polices) only allow NTLMv2 responses, and
+    not the weaker LM or NTLM.</para>
 </description>
-<value type="default">no</value>
+<value type="default">yes</value>
 </samba:parameter>

vendor/current/docs-xml/smbdotconf/security/guestok.xml

@@ -10 +10 @@
     Privileges will be those of the <smbconfoption name="guest account"/>.</para>
 
-    <para>This paramater nullifies the benifits of setting
+    <para>This parameter nullifies the benefits of setting
     <smbconfoption name="restrict anonymous">2</smbconfoption>
         </para>

vendor/current/docs-xml/smbdotconf/security/passwordlevel.xml

@@ -14 +14 @@
     negotiation request/response.</para>
 
-    <para>This parameter defines the maximum number of characters 
+    <para>This deprecated parameter defines the maximum number of characters
     that may be upper case in passwords.</para>
 

vendor/current/docs-xml/smbdotconf/security/passwordserver.xml

@@ -11 +11 @@
     to do all its username/password validation using a specific remote server.</para>
 
-    <para>This option sets the name or IP address of the password server to use. 
-    New syntax has been added to support defining the port to use when connecting 
-    to the server the case of an ADS realm.  To define a port other than the
-    default LDAP port of 389, add the port number using a colon after the 
-    name or IP address (e.g. 192.168.1.100:389).  If you do not specify a port,
-    Samba will use the standard LDAP port of tcp/389.  Note that port numbers
-    have no effect on password servers for Windows NT 4.0 domains or netbios 
-    connections.</para>
+    <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
+    <constant>domain</constant> or <constant>ads</constant>, then this option
+    <emphasis>should not</emphasis> be used, as the default '*' indicates to Samba
+    to determine the best DC to contact dynamically, just as all other hosts in an
+    AD domain do.  This allows the domain to be maintained without modification to
+    the smb.conf file.  The cryptograpic protection on the authenticated RPC calls
+    used to verify passwords ensures that this default is safe.</para>
 
-    <para>If parameter is a name, it is looked up using the 
-    parameter <smbconfoption name="name resolve order"/> and so may resolved
-    by any method and order described in that parameter.</para>
-
-    <para>The password server must be a machine capable of using 
-    the &quot;LM1.2X002&quot; or the &quot;NT LM 0.12&quot; protocol, and it must be in 
-    user level security mode.</para>
-
-    <note><para>Using a password server  means your UNIX box (running
-    Samba) is only as secure as your  password server. <emphasis>DO NOT
-    CHOOSE A PASSWORD SERVER THAT  YOU DON'T COMPLETELY TRUST</emphasis>.
-    </para></note>
-                
-    <para>Never point a Samba server at itself for password serving.
-    This will cause a loop and could lock up your Samba  server!</para>
-
-    <para>The name of the password server takes the standard 
-    substitutions, but probably the only useful one is <parameter moreinfo="none">%m
-    </parameter>, which means the Samba server will use the incoming 
-    client as the password server. If you use this then you better 
-    trust your clients, and you had better restrict them with hosts allow!</para>
-
-    <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
-    <constant>domain</constant> or <constant>ads</constant>, then the list of machines in this 
-    option must be a list of Primary or Backup Domain controllers for the
-    Domain or the character '*', as the Samba server is effectively
-    in that domain, and will use cryptographically authenticated RPC calls
-    to authenticate the user logging on. The advantage of using <command moreinfo="none">
-    security = domain</command> is that if you list several hosts in the 
-    <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
-    </command> will try each in turn till it finds one that responds.  This
-    is useful in case your primary server goes down.</para>
-
-    <para>If the <parameter moreinfo="none">password server</parameter> option is set 
-    to the character '*', then Samba will attempt to auto-locate the 
-    Primary or Backup Domain controllers to authenticate against by 
-    doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant> 
-    and then contacting each server returned in the list of IP 
-    addresses from the name resolution source. </para>
+    <para><emphasis>It is strongly recommended that you use the
+    default of '*'</emphasis>, however if in your particular
+    environment you have reason to specify a particular DC list, then
+    the list of machines in this option must be a list of names or IP
+    addresses of Domain controllers for the Domain. If you use the
+    default of '*', or list several hosts in the <parameter
+    moreinfo="none">password server</parameter> option then <command
+    moreinfo="none">smbd </command> will try each in turn till it
+    finds one that responds.  This is useful in case your primary
+    server goes down.</para>
 
     <para>If the list of servers contains both names/IP's and the '*'
@@ -66 +36 @@
     this list by locating the closest DC.</para>
                 
+    <para>If parameter is a name, it is looked up using the
+    parameter <smbconfoption name="name resolve order"/> and so may resolved
+    by any method and order described in that parameter.</para>
+
     <para>If the <parameter moreinfo="none">security</parameter> parameter is 
-    set to <constant>server</constant>, then there are different
-    restrictions that <command moreinfo="none">security = domain</command> doesn't 
-    suffer from:</para>
+    set to <constant>server</constant>, these additional restrictions apply:</para>
 
     <itemizedlist>
@@ -83 +55 @@
             
         <listitem>
-            <para>If you are using a Windows NT server as your 
-            password server then you will have to ensure that your users 
+            <para>You will have to ensure that your users
             are able to login from the Samba server, as when in <command moreinfo="none">
             security = server</command>  mode the network logon will appear to 
-            come from there rather than from the users workstation.</para>
+            come from the Samba server rather than from the users workstation.</para>
         </listitem>
+
+        <listitem>
+            <para>The client must not select NTLMv2 authentication.</para>
+        </listitem>
+
+        <listitem>
+          <para>The password server must be a machine capable of using
+          the &quot;LM1.2X002&quot; or the &quot;NT LM 0.12&quot; protocol, and it must be in
+          user level security mode.</para>
+        </listitem>
+
+        <listitem>
+          <para>Using a password server  means your UNIX box (running
+          Samba) is only as secure as (a host masqurading as) your password server. <emphasis>DO NOT
+          CHOOSE A PASSWORD SERVER THAT  YOU DON'T COMPLETELY TRUST</emphasis>.
+          </para>
+        </listitem>
+
+        <listitem>
+          <para>Never point a Samba server at itself for password serving.
+          This will cause a loop and could lock up your Samba  server!</para>
+        </listitem>
+
+        <listitem>
+          <para>The name of the password server takes the standard
+          substitutions, but probably the only useful one is <parameter moreinfo="none">%m
+          </parameter>, which means the Samba server will use the incoming
+          client as the password server. If you use this then you better
+          trust your clients, and you had better restrict them with hosts allow!</para>
+        </listitem>
+
     </itemizedlist>
 </description>

vendor/current/docs-xml/smbdotconf/security/security.xml

@@ -23 +23 @@
     Windows NT.</para>
 
-    <para>The alternatives are <command moreinfo="none">security = share</command>,
-    <command moreinfo="none">security = server</command> or <command moreinfo="none">security = domain
-    </command>.</para>
+    <para>The alternatives are
+    <command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain
+    </command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = share</command> and <command moreinfo="none">security = server</command>, both of which are deprecated.</para>
 
     <para>In versions of Samba prior to 2.0.0, the default was 
@@ -31 +31 @@
     the only option at one stage.</para>
 
-    <para>There is a bug in WfWg that has relevance to this 
-    setting. When in user or server level security a WfWg client 
-    will totally ignore the username and password you type in the &quot;connect 
-    drive&quot; dialog box. This makes it very difficult (if not impossible) 
-    to connect to a Samba service as anyone except the user that 
-    you are logged into WfWg as.</para>
-
-    <para>If your PCs use usernames that are the same as their 
-    usernames on the UNIX machine then you will want to use 
-    <command moreinfo="none">security = user</command>. If you mostly use usernames 
-    that don't exist on the UNIX box then use <command moreinfo="none">security = 
-    share</command>.</para>
-
-    <para>You should also use <command moreinfo="none">security = share</command> if you 
+    <para>You should use <command moreinfo="none">security = user</command> and
+    <smbconfoption name="map to guest"/> if you
     want to mainly setup shares without a password (guest shares). This 
-    is commonly used for a shared printer server. It is more difficult 
-    to setup guest shares with <command moreinfo="none">security = user</command>, see 
-    the <smbconfoption name="map to guest"/> parameter for details.</para>
+    is commonly used for a shared printer server. </para>
                 
     <para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
@@ -57 +43 @@
 
 
+    <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para>
+
+    <para>This is the default security setting in Samba.
+    With user-level security a client must first &quot;log-on&quot; with a
+    valid username and password (which can be mapped using the <smbconfoption name="username map"/>
+    parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also
+    be used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption
+        name="guest only"/> if set      are then applied and
+    may change the UNIX user to use on this connection, but only after
+    the user has been successfully authenticated.</para>
+
+    <para><emphasis>Note</emphasis> that the name of the resource being
+    requested is <emphasis>not</emphasis> sent to the server until after
+    the server has successfully authenticated the client. This is why
+    guest shares don't work in user level security without allowing
+    the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
+    See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
+
+    <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+    <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
+
+    <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> has been used to add this
+    machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/>
+        parameter to be set to <constant>yes</constant>. In this
+    mode Samba will try to validate the username/password by passing
+    it to a Windows NT Primary or Backup Domain Controller, in exactly
+    the same way that a Windows NT Server would do.</para>
+
+    <para><emphasis>Note</emphasis> that a valid UNIX user must still
+    exist as well as the account on the Domain Controller to allow
+    Samba to have a valid UNIX account to map file access to.</para>
+
+    <para><emphasis>Note</emphasis> that from the client's point
+    of view <command moreinfo="none">security = domain</command> is the same
+    as <command moreinfo="none">security = user</command>. It only
+    affects how the server deals with the authentication,
+    it does not in any way affect what the client sees.</para>
+
+    <para><emphasis>Note</emphasis> that the name of the resource being
+    requested is <emphasis>not</emphasis> sent to the server until after
+    the server has successfully authenticated the client. This is why
+    guest shares don't work in user level security without allowing
+    the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
+    See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
+
+    <para>See also the section <link linkend="VALIDATIONSECT">
+    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+    <para>See also the <smbconfoption name="password server"/> parameter and
+         the <smbconfoption name="encrypted passwords"/> parameter.</para>
+
     <para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE</emphasis></para> 
+
+    <note><para>This option is deprecated as it is incompatible with SMB2</para></note>
                 
     <para>When clients connect to a share level security server, they 
@@ -136 +177 @@
     NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
 
-    <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para>
-
-    <para>This is the default security setting in Samba 3.0. 
-    With user-level security a client must first &quot;log-on&quot; with a 
-    valid username and password (which can be mapped using the <smbconfoption name="username map"/> 
-    parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also
-    be used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption
-        name="guest only"/> if set      are then applied and 
-    may change the UNIX user to use on this connection, but only after 
-    the user has been successfully authenticated.</para>
-
-    <para><emphasis>Note</emphasis> that the name of the resource being 
-    requested is <emphasis>not</emphasis> sent to the server until after 
-    the server has successfully authenticated the client. This is why 
-    guest shares don't work in user level security without allowing 
-    the server to automatically map unknown users into the <smbconfoption name="guest account"/>. 
-    See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
-
-    <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
-    <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
-
-    <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
-    <manvolnum>8</manvolnum></citerefentry> has been used to add this
-    machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/>
-        parameter to be set to <constant>yes</constant>. In this 
-    mode Samba will try to validate the username/password by passing
-    it to a Windows NT Primary or Backup Domain Controller, in exactly 
-    the same way that a Windows NT Server would do.</para>
-
-    <para><emphasis>Note</emphasis> that a valid UNIX user must still 
-    exist as well as the account on the Domain Controller to allow 
-    Samba to have a valid UNIX account to map file access to.</para>
-
-    <para><emphasis>Note</emphasis> that from the client's point 
-    of view <command moreinfo="none">security = domain</command> is the same 
-    as <command moreinfo="none">security = user</command>. It only 
-    affects how the server deals with the authentication, 
-    it does not in any way affect what the client sees.</para>
-
-    <para><emphasis>Note</emphasis> that the name of the resource being 
-    requested is <emphasis>not</emphasis> sent to the server until after 
-    the server has successfully authenticated the client. This is why 
-    guest shares don't work in user level security without allowing 
-    the server to automatically map unknown users into the <smbconfoption name="guest account"/>. 
-    See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
-
-    <para>See also the section <link linkend="VALIDATIONSECT">
-    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
-    <para>See also the <smbconfoption name="password server"/> parameter and
-         the <smbconfoption name="encrypted passwords"/> parameter.</para>
-
     <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
 
     <para>
-        In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an
+        In this depicted mode Samba will try to validate the username/password by passing it to another SMB server, such as an
         NT box. If this fails it will revert to <command moreinfo="none">security = user</command>. It expects the
         <smbconfoption name="encrypted passwords"/> parameter to be set to <constant>yes</constant>, unless the remote
@@ -204 +192 @@
     significant pitfalls since it is more vulnerable to
     man-in-the-middle attacks and server impersonation.  In particular,
-    this mode of operation can cause significant resource consuption on
+    this mode of operation can cause significant resource consumption on
     the PDC, as it must maintain an active connection for the duration
     of the user's session.  Furthermore, if this connection is lost,
-    there is no way to reestablish it, and futher authentications to the
+    there is no way to reestablish it, and further authentications to the
     Samba server may fail (from a single client, till it disconnects).
+        </para></note>
+
+        <note><para>If the client selects NTLMv2 authentication, then this mode of operation <emphasis>will fail</emphasis>
         </para></note>
 
@@ -216 +207 @@
     only affects how the server deals  with the authentication, it does
         not in any way affect what the  client sees.</para></note>
+
+    <note><para>This option is deprecated, and may be removed in future</para></note>
 
     <para><emphasis>Note</emphasis> that the name of the resource being 

vendor/current/docs-xml/smbdotconf/security/username.xml

@@ -10 +10 @@
     each username in turn (left to right).</para>
 
-    <para>The <parameter moreinfo="none">username</parameter> line is needed only when 
+    <para>The deprecated <parameter moreinfo="none">username</parameter> line is needed only when
     the PC is unable to supply its own username. This is the case 
     for the COREPLUS protocol or where your users have different WfWg 

vendor/current/docs-xml/smbdotconf/tuning/strictallocate.xml

@@ -10 +10 @@
     of actually forcing the disk system to allocate real storage blocks
     when a file is created or extended to be a given size. In UNIX
-    terminology this means that Samba will stop creating sparse files.
-    This can be slow on some systems. When you work with large files like
-    >100MB or so you may even run into problems with clients running into
-    timeouts.</para>
+    terminology this means that Samba will stop creating sparse files.</para>
+
+    <para>This option is really desgined for file systems that support
+    fast allocation of large numbers of blocks such as extent-based file systems.
+    On file systems that don't support extents (most notably ext3) this can
+    make Samba slower. When you work with large files over >100MB on file
+    systems without extents you may even run into problems with clients
+    running into timeouts.</para>
 
     <para>When you have an extent based filesystem it's likely that we can make

vendor/current/docs-xml/smbdotconf/winbind/idmapbackend.xml

@@ -12 +12 @@
         <para>
         This option specifies the default backend that is used when no special
-        configuration set by <smbconfoption name="idmap config"/> matches the
-        specific request.
-        </para>
-
-        <para>
-        This default backend also specifies the place where winbind-generated
-        idmap entries will be stored. So it is highly recommended that you
-        specify a writable backend like <citerefentry>
-        <refentrytitle>idmap_tdb</refentrytitle> <manvolnum>8</manvolnum>
-        </citerefentry> or <citerefentry>
-        <refentrytitle>idmap_ldap</refentrytitle> <manvolnum>8</manvolnum>
-        </citerefentry> as the idmap backend. The <citerefentry>
-        <refentrytitle>idmap_rid</refentrytitle> <manvolnum>8</manvolnum>
-        </citerefentry> and <citerefentry>
-        <refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum>
-        </citerefentry> backends are not writable and thus will generate
-        unexpected results if set as idmap backend.
-        </para>
-
-        <para>
-        To use the rid and ad backends, please specify them via the
-        <smbconfoption name="idmap config"/> parameter, possibly also for the
-        domain your machine is member of, specified by <smbconfoption
-        name="workgroup"/>.
-        </para>
-
-        <para>Examples of SID/uid/gid backends include tdb (<citerefentry>
-        <refentrytitle>idmap_tdb</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
-        ldap (<citerefentry><refentrytitle>idmap_ldap</refentrytitle>
-        <manvolnum>8</manvolnum></citerefentry>), rid (<citerefentry>
-        <refentrytitle>idmap_rid</refentrytitle><manvolnum>8</manvolnum></citerefentry>),
-        and ad (<citerefentry><refentrytitle>idmap_ad</refentrytitle>
-        <manvolnum>8</manvolnum></citerefentry>).
+        configuration set, but it is now deprecated in favour of the new
+        spelling <smbconfoption name="idmap config * :  backend"/>.
         </para>
 </description>

vendor/current/docs-xml/smbdotconf/winbind/idmapconfig.xml

@@ -7 +7 @@
 
         <para>
-        The idmap config prefix provides a means of managing each trusted
-        domain separately. The idmap config prefix should be followed by the
-        name of the domain, a colon, and a setting specific to the chosen
-        backend. There are three options available for all domains:
+        ID mapping in Samba is the mapping between Windows SIDs and Unix user
+        and group IDs. This is performed by Winbindd with a configurable plugin
+        interface. Samba's ID mapping is configured by options starting with the
+        <smbconfoption name="idmap config"/> prefix.
+        An idmap option consists of the <smbconfoption name="idmap config"/>
+        prefix, followed by a domain name or the asterisk character (*),
+        a colon, and the name of an idmap setting for the chosen domain.
         </para>
 
-        <variablelist>  
+        <para>
+        The idmap configuration is hence divided into groups, one group
+        for each domain to be configured, and one group with the the
+        asterisk instead of a proper domain name, which speifies the
+        default configuration that is used to catch all domains that do
+        not have an explicit idmap configuration of their own.
+        </para>
+
+        <para>
+        There are three general options available:
+        </para>
+
+        <variablelist>
                 <varlistentry>
                 <term>backend = backend_name</term>
                 <listitem><para>
-                        Specifies the name of the idmap plugin to use as the 
-                        SID/uid/gid backend for this domain.
+                This specifies the name of the idmap plugin to use as the
+                SID/uid/gid backend for this domain. The standard backends are
+                tdb
+                (<citerefentry><refentrytitle>idmap_tdb</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>),
+                tdb2
+                (<citerefentry><refentrytitle>idmap_tdb2</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                ldap
+                (<citerefentry><refentrytitle>idmap_ldap</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                ,
+                rid
+                (<citerefentry><refentrytitle>idmap_rid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                ,
+                hash
+                (<citerefentry><refentrytitle>idmap_hash</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                ,
+                autorid
+                (<citerefentry><refentrytitle>idmap_autorid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                ,
+                ad
+                (<citerefentry><refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                ,
+                adex
+                (<citerefentry><refentrytitle>idmap_adex</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                ,
+                and nss.
+                (<citerefentry><refentrytitle>idmap_nss</refentrytitle> <manvolnum>8</manvolnum></citerefentry>),
+                The corresponding manual pages contain the details, but
+                here is a summary.
+                </para>
+                <para>
+                The first three of these create mappings of their own using
+                internal unixid counters and store the mappings in a database.
+                These are suitable for use in the default idmap configuration.
+                The rid and hash backends use a pure algorithmic calculation
+                to determine the unixid for a SID. The autorid module is a
+                mixture of the tdb and rid backend. It creates ranges for
+                each domain encountered and then uses the rid algorithm for each
+                of these automatically configured domains individually.
+                The ad and adex
+                backends both use unix IDs stored in Active Directory via
+                the standard schema extensions. The nss backend reverses
+                the standard winbindd setup and gets the unixids via names
+                from nsswitch which can be useful in an ldap setup.
                 </para></listitem>
                 </varlistentry>
@@ -24 +80 @@
                 <varlistentry>
                 <term>range = low - high</term>
-                <listitem><para>
+                <listitem><para>
                 Defines the available matching uid and gid range for which the
-                backend is authoritative.  Note that the range commonly
-                matches the allocation range due to the fact that the same
-                backend will store and retrieve SID/uid/gid mapping entries.
-                </para>
+                backend is authoritative. For allocating backends, this also
+                defines the start and the end of the range for allocating
+                new unid IDs.
+                </para>
                 <para>
                 winbind uses this parameter to find the backend that is
-                authoritative for a unix ID to SID mapping, so it must be set
-                for each individually configured domain, and it must be
-                disjoint from the ranges set via <smbconfoption name="idmap
-                uid"/> and <smbconfoption name="idmap gid"/>.
+                authoritative for a unix ID to SID mapping, so it must be set
+                for each individually configured domain and for the default
+                configuration. The configured ranges must be mutually disjoint.
                 </para></listitem>
+                </varlistentry>
 
+                <varlistentry>
+                <term>read only = yes|no</term>
+                <listitem><para>
+                This option can be used to turn the writing backends
+                tdb, tdb2, and ldap into read only mode. This can be useful
+                e.g. in cases where a pre-filled database exists that should
+                not be extended automatically.
+                </para></listitem>
                 </varlistentry>
         </variablelist>
@@ -44 +108 @@
         The following example illustrates how to configure the <citerefentry>
         <refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum>
-        </citerefentry> for the CORP domain and the
+        </citerefentry> backend for the CORP domain and the
         <citerefentry><refentrytitle>idmap_tdb</refentrytitle>
         <manvolnum>8</manvolnum></citerefentry> backend for all other
@@ -54 +118 @@
 
         <programlisting>
-        idmap backend = tdb
-        idmap uid = 1000000-1999999
-        idmap gid = 1000000-1999999
+        idmap config * : backend = tdb
+        idmap config * : range = 1000000-1999999
 
         idmap config CORP : backend  = ad

vendor/current/docs-xml/smbdotconf/winbind/idmapgid.xml

@@ -6 +6 @@
                 <synonym>winbind gid</synonym>
 <description>
-        <para>The idmap gid parameter specifies the range of group ids 
-        that are allocated for the purpose of mapping UNX groups to NT group 
-        SIDs. This range of group ids should have no 
-        existing local or NIS groups within it as strange conflicts can 
-        occur otherwise.</para>
-
-        <para>See also the <smbconfoption name="idmap backend"/>, and
-        <smbconfoption name="idmap config"/> options.
+        <para>
+        The idmap gid parameter specifies the range of group ids
+        for the default idmap configuration. It is now deprecated
+        in favour of <smbconfoption name="idmap config * : range"/>.
         </para>
 
+        <para>See the <smbconfoption name="idmap config"/> option.</para>
 </description>
 

vendor/current/docs-xml/smbdotconf/winbind/idmapuid.xml

@@ -7 +7 @@
 <description>
         <para>
-        The idmap uid parameter specifies the range of user ids that are 
-        allocated for use in mapping UNIX users to NT user SIDs. This 
-        range of ids should have no existing local
-        or NIS users within it as strange conflicts can occur otherwise.</para>
+        The idmap uid parameter specifies the range of user ids for
+        the default idmap configuration. It is now deprecated in favour
+        of <smbconfoption name="idmap config * : range"/>.
+        </para>
 
-        <para>See also the <smbconfoption name="idmap backend"/> and
-        <smbconfoption name="idmap config"/> options.
-        </para>
+        <para>See the <smbconfoption name="idmap config"/> option.</para>
 </description>
 

vendor/current/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml

@@ -10 +10 @@
         without domain component in their username. Users without a domain
         component are treated as is part of the winbindd server's own
-        domain. While this does not benifit Windows users, it makes SSH, FTP and
+        domain. While this does not benefit Windows users, it makes SSH, FTP and
         e-mail function in a way much closer to the way they
         would in a native unix system.</para>
+        <para>This option should be avoided if possible. It can cause confusion
+        about responsibilities for a user or group. In many situations it is
+        not clear whether winbind or /etc/passwd should be seen as authoritative
+        for a user, likewise for groups.</para>
 </description>