svn commit: samba-docs r787 - in trunk/smbdotconf: logon security

jerry at samba.org
Thu Jul 28 13:34:08 GMT 2005


Author: jerry
Date: 2005-07-28 13:34:07 +0000 (Thu, 28 Jul 2005)
New Revision: 787

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-docs&rev=787

Log:
* adding username map script docs
* removing deleted parameters
* clarifying the username map docs and the logon path docs.


Added:
   trunk/smbdotconf/security/usernamemapscript.xml
Removed:
   trunk/smbdotconf/security/minpasswordlength.xml
Modified:
   trunk/smbdotconf/logon/logonpath.xml
   trunk/smbdotconf/security/usernamemap.xml


Changeset:
Modified: trunk/smbdotconf/logon/logonpath.xml
===================================================================
--- trunk/smbdotconf/logon/logonpath.xml	2005-07-27 04:16:45 UTC (rev 786)
+++ trunk/smbdotconf/logon/logonpath.xml	2005-07-28 13:34:07 UTC (rev 787)
@@ -5,7 +5,7 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
 	<para>
-	This parameter specifies the home directory where roaming profiles (NTuser.dat etc files for Windows NT) are 
+	This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are 
 	stored.  Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming
 	profiles.  To find out how to handle roaming profiles for Win 9X system, see the
 	<smbconfoption name="logon home"/> parameter.
@@ -22,10 +22,7 @@
 	<para>
 	The share and the path must be readable by the user for the preferences and directories to be loaded onto the
 	Windows NT client. The share must be writeable when the user logs in for the first time, in order that the
-	Windows NT client can create the NTuser.dat and other directories.
-	</para>
-
-	<para>
+	Windows NT client can create the NTuser.dat and other directories.  
 	Thereafter, the directories and any of the contents can, if required, be made read-only.  It is not advisable
 	that the NTuser.dat file be made read-only - rename it to NTuser.man to achieve the desired effect (a
 	<emphasis>MAN</emphasis>datory profile).
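Review bot: the merged line "Windows NT client can create the NTuser.dat and other directories." keeps the pre-existing wording that treats NTuser.dat as a directory; NTuser.dat is the user's registry hive file, so "create the NTuser.dat file and the profile directories" would be accurate, and since the line is being rewritten anyway this is the moment to fix it. The new line also carries trailing whitespace after the full stop.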
@@ -34,7 +31,7 @@
 	<para>
 	Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged
 	in.  Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting
-	this parameter to \%N\%U\profile_path will cause problems).
+	this parameter to \%N\homes\profile_path will cause problems).
 	</para>
 
 	<para>
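Review bot: the replacement example "\%N\homes\profile_path" is written with a single leading backslash, while the warning later in this same file gives the value as "\\%N\profile\%U"; use the same UNC form in both places so the reader does not wonder whether the single backslash is meaningful. The substantive point (any path that goes through the [homes] share is unsafe because the client may hold that connection open with no user logged in) is stated in the surrounding text and the new example illustrates it more directly than the old "\%N\%U\profile_path" did.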
@@ -43,7 +40,7 @@
 
 	<warning>
         <para>
-        Do not quote the value. Setting this as <quote>\\%N\profile\%U</quote>
+        	Do not quote the value. Setting this as <quote>\\%N\profile\%U</quote>
 		will break profile handling. Where the tdbsam or ldapsam passdb backend
 		is used, at the time the user account is created the value configured
 		for this parameter is written to the passdb backend and that value will
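Review bot: this hunk is a whitespace-only change to the "Do not quote the value." line and it introduces eight spaces followed by a tab, while the lines that follow inside the same <para> are tab-indented; either drop the hunk or indent the line the same way as the rest of the <warning> block, otherwise the file ends up with three indentation styles in one paragraph.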
@@ -54,7 +51,7 @@
 		</para>
 	</warning>
 
-	<para>Note that this option is only useful if Samba is set up as a logon server.</para>
+	<para>Note that this option is only useful if Samba is set up as a domain controller.</para>
 
 	<para>
 	Disable the use of roaming profiles by setting the value of this parameter to the empty string. For
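Review bot: "domain controller" is more precise than "logon server", but the sentence still leaves the reader to work out which smb.conf setting turns Samba into one; cross-reference the parameter that enables domain controller operation with an <smbconfoption/> element, as the description at the top of this file already does for "logon home", so the manpage links the two.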

Deleted: trunk/smbdotconf/security/minpasswordlength.xml
===================================================================
--- trunk/smbdotconf/security/minpasswordlength.xml	2005-07-27 04:16:45 UTC (rev 786)
+++ trunk/smbdotconf/security/minpasswordlength.xml	2005-07-28 13:34:07 UTC (rev 787)
@@ -1,17 +0,0 @@
-<samba:parameter name="min password length"
-                 context="G"
-				 type="integer"
-                 advanced="1" developer="1"
-				 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<synonym>min passwd length</synonym>
-<description>
-    <para>This option sets the minimum length in characters of a
-    plaintext password that <command moreinfo="none">smbd</command> will
-    accept when performing  UNIX password changing.</para>
-</description>
-
-<related>unix password sync</related>
-<related>passwd program</related>
-<related>passwd char debug</related>
-<value type="default">5</value>
-</samba:parameter>
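Review bot: deleting minpasswordlength.xml removes the documentation for both "min password length" and its synonym "min passwd length", but the log entry "removing deleted parameters" does not say whether the option has actually been removed from smbd or is merely being dropped from the manpage; state which, since an administrator who still has the option in smb.conf needs to know whether it is silently ignored. Also check that none of the parameters this file pointed at through <related> ("unix password sync", "passwd program", "passwd chat debug") still carry a <related> back to "min password length", which would leave a dangling cross-reference in the generated manpage.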

Modified: trunk/smbdotconf/security/usernamemap.xml
===================================================================
--- trunk/smbdotconf/security/usernamemap.xml	2005-07-27 04:16:45 UTC (rev 786)
+++ trunk/smbdotconf/security/usernamemap.xml	2005-07-28 13:34:07 UTC (rev 787)
@@ -10,6 +10,13 @@
     that users use on DOS or Windows machines to those that the UNIX 
     box uses. The other is to map multiple users to a single username 
     so that they can more easily share files.</para>
+
+    <para>Please note that for user or share mode security, the
+    username map is applied prior to validating the user credentials.
+    Domain member servers (domain or ads) apply the username map 
+    after the user has been successfully authenticated by the domain
+    controller and require fully qualified enties in the map table
+    (e.g. biddle = DOMAIN\foo).</para>
     
     <para>The map file is parsed line by line. Each line should 
     contain a single UNIX username on the left then a '=' followed 
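Review bot: typo in the new paragraph, "fully qualified enties" should be "fully qualified entries". The paragraph's security point deserves one more sentence: because in user or share mode the map is applied before the credentials are validated, the password that is checked is the one for the mapped UNIX account rather than for the name the client sent, so the map entries decide which local account a remote client is able to attempt authentication against, and the file should be treated as security-sensitive configuration. It would also help to mark up "security = domain" and "security = ads" with the same <smbconfoption/> element used elsewhere in these files rather than the bare words "domain or ads".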

Added: trunk/smbdotconf/security/usernamemapscript.xml
===================================================================
--- trunk/smbdotconf/security/usernamemapscript.xml	2005-07-27 04:16:45 UTC (rev 786)
+++ trunk/smbdotconf/security/usernamemapscript.xml	2005-07-28 13:34:07 UTC (rev 787)
@@ -0,0 +1,19 @@
+<samba:parameter name="username map script"
+                 context="G"
+		 type="string"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This script is a mutually exclusive alternative to the 
+	<smbconfoption name="username map"/> parameter.  This parameter 
+	specifies and external program or script that must accept a single 
+	command line option (the username transmitted in the authentication
+	request) and return a line line on standard output (the name to which 
+	the account should mapped).  In this way, it is possible to store
+	username map tables in an LDAP or NIS directory services.
+	</para>
+</description>
+
+<value type="default"/>
+<value type="example">/etc/samba/scripts/mapusers.sh</value>
+</samba:parameter>
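Review bot: several wording errors in the new description: "specifies and external program" should be "specifies an external program", "return a line line on standard output" should be "return a single line on standard output", "the name to which the account should mapped" is missing "be", and "an LDAP or NIS directory services" should be singular. More importantly, the text calls this parameter "mutually exclusive" with "username map" but does not say what smbd does when both are set, nor what happens when the script prints nothing or exits non-zero (is the original name kept, or is the logon rejected?); both cases determine whether a broken script fails open or closed and should be spelled out. Since the single argument handed to the script is the username taken straight from the authentication request, that is, attacker-controlled network input, the description should also tell script authors to treat the argument as untrusted and should state whether smbd invokes the script directly or via a shell, because that decides whether shell metacharacters in a client-supplied name are a concern for the script writer.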
