[SCM] Samba Shared Repository - branch master updated
David Mulder
dmulder at samba.org
Thu Aug 27 17:20:05 UTC 2020
The branch, master has been updated
via 811e2f55290 GPO: Add rsop output for Messages policy
via 2ef88466f49 GPO: Test rsop output for Messages policy
via 1544929feec gpo: Apply Group Policy Login Prompt Message
via b76d55cc908 gpo: Test Group Policy Login Prompt Message
via a4f598fde8c gpo: Apply Group Policy Message of the day
via e8757e0d36c gpo: Test Group Policy Message of the day
via fee00231f69 GPO: Add rsop output for smb.conf policy
via 101b5f17f12 GPO: Test rsop output for smb.conf policy
via 3303869c4b8 gpo: Add CSE for applying smb.conf
via 37661d1aaca gpo: Test Group Policy smb.conf Extension
via cb994befb0c gpo: Add admx files for smb.conf parameters
via ab347c861ce gpo: gp_krb_ext always uses set_kdc_tdb to update
via 5128dc7db32 gpo: Move gp_sec_ext conversion functions to top
via 7d6d160a8ed gpo: Display Security Extension RSOP on ADDC only
via c887f7a7d23 gpo: Fix unapply failure when multiple extensions run
via 7e507dd8865 gpo: Test multiple extention unapply
via 8626910c0ea gpo: Sudoers ext should not crash if policy missing
via 87fe86270e1 gpo: Script ext should not crash if script missing
via 7c6969e9c9c gpo: Cleanup sudoers policy test
via 7acbb440400 gpo: Cleanup script policy test
via 0544237ea2c gpo: Avoid using distutils since it will be deprecated
via 0a7e2e39847 gpo: Clarify the contents of deleted_gpo_list in process_group_policy
via bc38d3afe38 gpo: Add rsop output for Sudoers policy
via 4148af125be gpo: Test rsop output for Sudoers policy
via 5249727f902 Add WHATSNEW section on Client Group Policy
from f8b7ee024ba s3: libsmb: Remove one more ugly sockaddr cast in resolve_name_list() by converting to samba_sockaddr.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 811e2f55290dc1af2439954f690b8b3c3749b607
Author: David Mulder <dmulder at suse.com>
Date: Wed Aug 19 11:27:26 2020 -0600
GPO: Add rsop output for Messages policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): David Mulder <dmulder at samba.org>
Autobuild-Date(master): Thu Aug 27 17:19:48 UTC 2020 on sn-devel-184
commit 2ef88466f49d9c50f37b6e68e08fcda136050ec1
Author: David Mulder <dmulder at suse.com>
Date: Wed Aug 19 11:25:57 2020 -0600
GPO: Test rsop output for Messages policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 1544929feecd4062b5f684226717a639a74cdd52
Author: David Mulder <dmulder at suse.com>
Date: Wed Jul 8 15:30:25 2020 -0600
gpo: Apply Group Policy Login Prompt Message
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit b76d55cc9087c6f75b25cc42d862a26b2579d3e0
Author: David Mulder <dmulder at suse.com>
Date: Thu Jul 9 09:53:34 2020 -0600
gpo: Test Group Policy Login Prompt Message
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit a4f598fde8cfa564613108397b0a645277cf0ace
Author: David Mulder <dmulder at suse.com>
Date: Wed Jul 8 15:29:42 2020 -0600
gpo: Apply Group Policy Message of the day
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit e8757e0d36c56d18c8597832dddfd0a7214772f5
Author: David Mulder <dmulder at suse.com>
Date: Thu Jul 9 08:39:41 2020 -0600
gpo: Test Group Policy Message of the day
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit fee00231f6971014ec1c00e5104148e52acf31f3
Author: David Mulder <dmulder at suse.com>
Date: Wed Aug 19 14:23:37 2020 -0600
GPO: Add rsop output for smb.conf policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 101b5f17f129cbbc2689de2dcc8d6e6cb164e270
Author: David Mulder <dmulder at suse.com>
Date: Wed Aug 19 13:02:48 2020 -0600
GPO: Test rsop output for smb.conf policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 3303869c4b8659904e490e4ca1bc8bbcd340138d
Author: David Mulder <dmulder at suse.com>
Date: Wed Jul 18 11:34:09 2018 -0600
gpo: Add CSE for applying smb.conf
Add an extension that applies smb.conf params
applied via the smb.conf admx files.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 37661d1aacaa7b761134c3f21a241ee0c1539d21
Author: David Mulder <dmulder at suse.com>
Date: Wed Jul 25 15:24:35 2018 -0600
gpo: Test Group Policy smb.conf Extension
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit cb994befb0c89c8a1182919348540d94c60543ee
Author: David Mulder <dmulder at suse.com>
Date: Tue Jul 17 13:15:38 2018 -0600
gpo: Add admx files for smb.conf parameters
Administrative Template (admx) files are
installed to the sysvol central store, and
apply Group Policy settings to the sysvol, via
the Group Policy Management Console (gpmc).
These admx files add smb.conf settings to the
gpmc.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit ab347c861ce670d29773599c9d2572a42db0bdcb
Author: David Mulder <dmulder at suse.com>
Date: Fri Aug 7 14:15:30 2020 -0600
gpo: gp_krb_ext always uses set_kdc_tdb to update
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 5128dc7db324c08d036475e46f8edcc99565fed3
Author: David Mulder <dmulder at suse.com>
Date: Fri Aug 7 14:09:27 2020 -0600
gpo: Move gp_sec_ext conversion functions to top
These functions don't actually use self, so can
be moved to top level functions.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 7d6d160a8ed74ae44e3bbb01818fcf54d18e1fa6
Author: David Mulder <dmulder at suse.com>
Date: Fri Aug 7 11:09:17 2020 -0600
gpo: Display Security Extension RSOP on ADDC only
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit c887f7a7d2303121a3a59fa7161ddf08053c31da
Author: David Mulder <dmulder at suse.com>
Date: Thu Aug 6 17:25:47 2020 -0600
gpo: Fix unapply failure when multiple extensions run
When multiple Group Policy Extensions are present,
only the last executed extension saves it's
changes to the Group Policy Database, due to the
database being loaded seperately for each
extension.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 7e507dd8865a5108c31782fb8e603fc4dca627d9
Author: David Mulder <dmulder at suse.com>
Date: Thu Aug 6 15:41:13 2020 -0600
gpo: Test multiple extention unapply
Verify that an unapply of multiple extentions
deletes the script files and policy settings.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 8626910c0eaaac57d95d2b2f8583ee0c732d98c6
Author: David Mulder <dmulder at suse.com>
Date: Fri Aug 7 13:44:55 2020 -0600
gpo: Sudoers ext should not crash if policy missing
If a user has manually removed a policy, the
extension should not crash in an unapply removing
it.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 87fe86270e16cc06d4d4d6462705b2c3c93a473c
Author: David Mulder <dmulder at suse.com>
Date: Fri Aug 7 13:39:18 2020 -0600
gpo: Script ext should not crash if script missing
If a user has manually removed a script, the
extension should not crash in an unapply removing
it.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 7c6969e9c9cccc1fdf0a668389bc9b3eaa6d2831
Author: David Mulder <dmulder at suse.com>
Date: Fri Aug 7 13:59:32 2020 -0600
gpo: Cleanup sudoers policy test
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 7acbb4404006fa24ef6c66d324f20a7fbe3bf4b9
Author: David Mulder <dmulder at suse.com>
Date: Fri Aug 7 13:58:34 2020 -0600
gpo: Cleanup script policy test
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 0544237ea2c1cf7d507e60e2757653711be5e308
Author: David Mulder <dmulder at suse.com>
Date: Thu Aug 6 15:18:16 2020 -0600
gpo: Avoid using distutils since it will be deprecated
We shouldn't use distutils.spawn.find-executable
here, since its use is discouraged:
https://docs.python.org/3/library/distutils.html
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 0a7e2e39847e89ed62e4ba8e4094f224bc627dc3
Author: David Mulder <dmulder at suse.com>
Date: Thu Aug 6 13:30:36 2020 -0600
gpo: Clarify the contents of deleted_gpo_list in process_group_policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit bc38d3afe380c0892e6d5b791cbb19624b43d612
Author: David Mulder <dmulder at suse.com>
Date: Thu Aug 6 12:44:41 2020 -0600
gpo: Add rsop output for Sudoers policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 4148af125be5d690682602976f525460e386330e
Author: David Mulder <dmulder at suse.com>
Date: Thu Aug 6 14:53:02 2020 -0600
gpo: Test rsop output for Sudoers policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 5249727f90215ef83fc7233a5e721c752b3b223d
Author: David Mulder <dmulder at suse.com>
Date: Thu Aug 6 12:38:14 2020 -0600
Add WHATSNEW section on Client Group Policy
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 22 +
libgpo/admx/en-US/samba.adml | 4610 ++++++++++++++++++++++++++++++++++
libgpo/admx/samba.admx | 2478 ++++++++++++++++++
python/samba/gp_msgs_ext.py | 83 +
python/samba/gp_scripts_ext.py | 11 +-
python/samba/gp_sec_ext.py | 67 +-
python/samba/gp_smb_conf_ext.py | 102 +
python/samba/gp_sudoers_ext.py | 36 +-
python/samba/gpclass.py | 3 +
python/samba/tests/gpo.py | 290 ++-
source4/scripting/bin/samba-gpupdate | 18 +-
11 files changed, 7662 insertions(+), 58 deletions(-)
create mode 100644 python/samba/gp_msgs_ext.py
create mode 100644 python/samba/gp_smb_conf_ext.py
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 23210d351d8..3927c0645f1 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -17,6 +17,28 @@ NEW FEATURES/CHANGES
====================
+Client Group Policy
+-------------------
+This release extends Samba to support Group Policy functionality for Winbind
+clients. Active Directory Administrators can set policies that apply Sudoers
+configuration, and cron jobs to run hourly, daily, weekly or monthly.
+
+To enable the application of Group Policies on a client, set the global
+smb.conf option 'apply group policies' to 'yes'. Policies are applied on an
+interval of every 90 minutes, plus a random offset between 0 and 30 minutes.
+
+Policies applied by Samba are 'non-tattooing', meaning that changes can be
+reverted by executing the `samba-gpupdate --unapply` command. Policies can be
+re-applied using the `samba-gpupdate --force` command.
+To view what policies have been or will be applied to a system, use the
+`samba-gpupdate --rsop` command.
+
+Administration of Samba policy requires that a Samba ADMX template be uploaded
+to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is
+provided as a convenient method for adding this policy. Once uploaded, policies
+can be modified in the Group Policy Management Editor under Computer
+Configuration/Policies/Administrative Templates.
+
CTDB CHANGES
============
diff --git a/libgpo/admx/en-US/samba.adml b/libgpo/admx/en-US/samba.adml
index 577cb1aa0bb..965af175e24 100755
--- a/libgpo/admx/en-US/samba.adml
+++ b/libgpo/admx/en-US/samba.adml
@@ -1,3 +1,4 @@
+<?xml version="1.0" ?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0">
<displayName>
</displayName>
@@ -18,6 +19,3114 @@
<string id="POL_D298F3BD_44D9_426D_AF11_3163D31582F6_Help">This policy setting allows you to execute commands, either local or on remote storage, monthly.</string>
<string id="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674_Help">This policy setting allows you to execute commands, either local or on remote storage, weekly.</string>
<string id="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3_Help">This policy configures the sudoers file with the lines specified.</string>
+ <string id="CAT_10827749_64ED_5052_87F7_E81AD421856A">smb.conf</string>
+ <string id="POL_33AAE399_07A8_5CC8_882A_393E4B96B259">additional dns hostnames</string>
+ <string id="POL_33AAE399_07A8_5CC8_882A_393E4B96B259_Help">A list of additional DNS names by which this host can be identified
+
+Example: host2.example.com host3.other.com </string>
+ <string id="POL_3CD2A970_826E_518E_B5F0_5E6725FF354D">bind interfaces only</string>
+ <string id="POL_3CD2A970_826E_518E_B5F0_5E6725FF354D_Help">This global parameter allows the Samba admin
+ to limit what interfaces on a machine will serve SMB requests. It
+ affects file service smbd
+ 8 and name service nmbd
+ 8 in a slightly different ways.
+ For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the parameter. nmbd also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then nmbd will service name requests on all of these sockets. If is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the list. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for nmbd.
+ For file service it causes smbd 8 to bind only to the interface list given in the parameter. This restricts the networks that smbd will serve, to packets coming in on those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces.
+ If is set and the network address 127.0.0.1 is not added to the parameter list smbpasswd 8 may not work as expected due to the reasons covered below.
+ To change a users SMB password, the smbpasswd by default connects to the localhost - 127.0.0.1 address as an SMB client to issue the password change request. If is set then unless the network address 127.0.0.1 is added to the parameter list then smbpasswd will fail to connect in it's default mode. smbpasswd can be forced to use the primary IP interface of the local host by using its smbpasswd 8 -r remote machine parameter, with remote machine set to the IP name of the primary interface of the local host.</string>
+ <string id="POL_109FA3A4_0F92_5052_A7D9_D4BBCA75F765">config backend</string>
+ <string id="POL_109FA3A4_0F92_5052_A7D9_D4BBCA75F765_Help">This controls the backend for storing the configuration. Possible values are file (the default) and registry. When registry is encountered while loading smb.conf, the configuration read so far is dropped and the global options are read from registry instead. So this triggers a registry only configuration. Share definitions are not read immediately but instead registry shares is set to yes. Note: This option can not be set inside the registry configuration itself.
+
+Example: registry</string>
+ <string id="POL_08734B25_7265_5D0B_B857_B2E831B624F1">dos charset</string>
+ <string id="POL_08734B25_7265_5D0B_B857_B2E831B624F1_Help">DOS SMB clients assume the server has the same charset as they do. This option specifies which charset Samba should talk to DOS clients.
+ The default depends on which charsets you have installed. Samba tries to use charset 850 but falls back to ASCII in case it is not available. Run testparm 1 to check the default on your system.</string>
+ <string id="POL_4CCDFFB7_07DF_58F9_904E_13A024A3F54A">enable core files</string>
+ <string id="POL_4CCDFFB7_07DF_58F9_904E_13A024A3F54A_Help">This parameter specifies whether core dumps should be written on internal exits. Normally set to yes. You should never need to change this.
+
+Example: no</string>
+ <string id="POL_5B751E57_31A9_5EC2_A3CD_A8511D74FCFB">mdns name</string>
+ <string id="POL_5B751E57_31A9_5EC2_A3CD_A8511D74FCFB_Help">This parameter controls the name that multicast DNS support advertises as its' hostname.
+ The default is to use the NETBIOS name which is typically the hostname in all capital letters.
+ A setting of mdns will defer the hostname configuration to the MDNS library that is used.</string>
+ <string id="POL_461A8AAF_F51E_5FF5_9433_A8D25BBCF783">multicast dns register</string>
+ <string id="POL_461A8AAF_F51E_5FF5_9433_A8D25BBCF783_Help">If compiled with proper support for it, Samba will
+ announce itself with multicast DNS services like for example
+ provided by the Avahi daemon.
+ This parameter allows disabling Samba to register itself.</string>
+ <string id="POL_04F98D09_4223_5390_B66F_A6DA05F97FCC">netbios aliases</string>
+ <string id="POL_04F98D09_4223_5390_B66F_A6DA05F97FCC_Help">This is a list of NetBIOS names that nmbd will
+ advertise as additional names by which the Samba server is known. This allows one machine to appear in browse lists under multiple names. If a machine is acting as a browse server
+ or logon server none of these names will be advertised as either browse server or logon servers, only the primary name of the machine will be advertised with these capabilities.
+
+Example: TEST TEST1 TEST2</string>
+ <string id="POL_90CE7832_31B7_51D8_9EF2_92FEF396F49B">netbios name</string>
+ <string id="POL_90CE7832_31B7_51D8_9EF2_92FEF396F49B_Help">This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component of the host's DNS name. If a machine is a browse server or logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under.
+ Note that the maximum length for a NetBIOS name is 15 characters.
+ There is a bug in Samba that breaks operation of browsing and access to shares if the netbios name is set to the literal name PIPE. To avoid this problem, do not name your Samba server PIPE.
+
+Example: MYNAME</string>
+ <string id="POL_3B93FDE1_6461_572C_AD2E_6AEEAE4EA949">netbios scope</string>
+ <string id="POL_3B93FDE1_6461_572C_AD2E_6AEEAE4EA949_Help">This sets the NetBIOS scope that Samba will operate under. This should not be set unless every machine on your LAN also sets this value.</string>
+ <string id="POL_E633B0BE_9CF3_5D79_A9F1_CB782C82A19C">prefork backoff increment</string>
+ <string id="POL_E633B0BE_9CF3_5D79_A9F1_CB782C82A19C_Help">This option specifies the number of seconds added to the delay before a prefork master or worker process is restarted. The restart is initially zero, the prefork backoff increment is added to the delay on each restart up to the value specified by "prefork maximum backoff".
+ Additionally the the backoff for an individual service by using "prefork backoff increment: service name" i.e. "prefork backoff increment:ldap = 2" to set the backoff increment to 2.
+ If the backoff increment is 2 and the maximum backoff is 5. There will be a zero second delay for the first restart. A two second delay for the second restart. A four second delay for the third and any subsequent restarts</string>
+ <string id="POL_B4E848BD_E606_552C_8C9F_3F8CC1AEF191">prefork children</string>
+ <string id="POL_B4E848BD_E606_552C_8C9F_3F8CC1AEF191_Help">This option controls the number of worker processes that are started for each service when prefork process model is enabled (see samba 8 -M) The prefork children are only started for those services that support prefork (currently ldap, kdc and netlogon). For processes that don't support preforking all requests are handled by a single process for that service.
+ This should be set to a small multiple of the number of CPU's available on the server
+ Additionally the number of prefork children can be specified for an individual service by using "prefork children: service name" i.e. "prefork children:ldap = 8" to set the number of ldap worker processes.</string>
+ <string id="POL_D721EFAF_A53D_57B7_9639_3859CF9CE31E">prefork maximum backoff</string>
+ <string id="POL_D721EFAF_A53D_57B7_9639_3859CF9CE31E_Help">This option controls the maximum delay before a failed pre-fork process is restarted.</string>
+ <string id="POL_1630255E_61BA_5686_B3E0_995F8C4DAA5E">realm</string>
+ <string id="POL_1630255E_61BA_5686_B3E0_995F8C4DAA5E_Help">This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server.
+
+Example: mysambabox.mycompany.com</string>
+ <string id="POL_E1D45258_0E70_5AF8_AE28_DAB6B318BB8A">server services</string>
+ <string id="POL_E1D45258_0E70_5AF8_AE28_DAB6B318BB8A_Help">This option contains the services that the Samba daemon will run.
+ An entry in the smb.conf file can either override the previous value completely or entries can be removed from or added to it by prefixing them with + or -.
+
+Example: -s3fs, +smb</string>
+ <string id="POL_351CFFDA_9DC3_54FB_BE9A_E434F0DB9955">server string</string>
+ <string id="POL_351CFFDA_9DC3_54FB_BE9A_E434F0DB9955_Help">This controls what string will show up in the printer comment box in print
+ manager and next to the IPC connection in net view. It
+ can be any string that you wish to show to your users. It also sets what will appear in browse lists next to the machine name.
+ A %v will be replaced with the Samba version number.
+ A %h will be replaced with the hostname.
+
+Example: University of GNUs Samba Server</string>
+ <string id="POL_32A7428D_00FC_5203_9943_2BDCDC3D9E0D">share backend</string>
+ <string id="POL_32A7428D_00FC_5203_9943_2BDCDC3D9E0D_Help">This option specifies the backend that will be used to access the configuration of file shares.
+ Traditionally, Samba file shares have been configured in the smb.conf file and this is still the default.
+ At the moment there are no other supported backends.</string>
+ <string id="POL_ABDCEE90_90DE_55C2_A2DC_1C7D017F4B2B">unix charset</string>
+ <string id="POL_ABDCEE90_90DE_55C2_A2DC_1C7D017F4B2B_Help">Specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use.
+ This is also the charset Samba will use when specifying arguments to scripts that it invokes.
+
+Example: ASCII</string>
+ <string id="POL_D1FAAF87_1E1E_596F_A915_BE72D67A5DC5">workgroup</string>
+ <string id="POL_D1FAAF87_1E1E_596F_A915_BE72D67A5DC5_Help">This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the domain setting.
+
+Example: MYGROUP</string>
+ <string id="POL_163183B9_195A_5290_927E_08FBB6C76AA0">interfaces</string>
+ <string id="POL_163183B9_195A_5290_927E_08FBB6C76AA0_Help">This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NetBIOS over TCP/IP (NBT) traffic. By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1 that are broadcast capable.
+ The option takes a list of interface strings. Each string can be in any of the following forms:
+ a network interface name (such as eth0). This may include shell-like wildcards so eth* will match any interface starting with the substring "eth" an IP address. In this case the netmask is determined from the list of interfaces obtained from the kernel an IP/mask pair. a broadcast/mask pair.
+ The "mask" parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted decimal form.
+ The "IP" parameters above can either be a full dotted decimal IP address or a hostname which will be looked up via the OS's normal hostname resolution mechanisms.
+ By default Samba enables all active interfaces that are broadcast capable except the loopback adaptor (IP address 127.0.0.1).
+ In order to support SMB3 multi-channel configurations, smbd understands some extra parameters which can be appended after the actual interface with this extended syntax (note that the quoting is important in order to handle the ; and , characters):
+ "interface[;key1=value1[,key2=value2[...]]]"
+ Known keys are speed, capability, and if_index. Speed is specified in bits per second. Known capabilities are RSS and RDMA. The if_index should be used with care: the values must not coincide with indexes used by the kernel. Note that these options are mainly intended for testing and development rather than for production use. At least on Linux systems, these values should be auto-detected, but the settings can serve as last a resort when autodetection is not working or is not available. The specified values overwrite the auto-detected values.
+ The first two example below configures three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of the latter two interfaces would be set to 255.255.255.0.
+ The other examples show how per interface extra parameters can be specified. Notice the possible usage of "," and ";", which makes the double quoting necessary.
+
+Example: eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
+
+Example: eth0, 192.168.2.10/24; 192.168.3.10/255.255.255.0
+
+Example: "eth0;if_index=65,speed=1000000000,capability=RSS"
+
+Example: "lo;speed=1000000000" "eth0;capability=RSS"
+
+Example: "lo;speed=1000000000" , "eth0;capability=RSS"
+
+Example: "eth0;capability=RSS" , "rdma1;capability=RDMA" ; "rdma2;capability=RSS,capability=RDMA"</string>
+ <string id="POL_25731B61_FC84_5A83_93AE_296F7D6311C4">browse list</string>
+ <string id="POL_25731B61_FC84_5A83_93AE_296F7D6311C4_Help">This controls whether smbd 8 will serve a browse list to a client doing a NetServerEnum call. Normally set to yes. You should never need to change this.</string>
+ <string id="POL_3E9E3188_6F1A_54F8_8E13_265E2AD1BE71">domain master</string>
+ <string id="POL_3E9E3188_6F1A_54F8_8E13_265E2AD1BE71_Help">Tell smbd 8 to enable WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given . Local master browsers in the same on broadcast-isolated subnets will give this nmbd their local browse lists, and then ask smbd 8 for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.
+ Note that Windows NT Primary Domain Controllers expect to be able to claim this specific special NetBIOS name that identifies them as domain master browsers for that by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and nmbd claims the special name for a before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail. If yes, then the default behavior is to enable the parameter. If is not enabled (the default setting), then neither will be enabled by default.
+ When Yes the default setting for this parameter is Yes, with the result that Samba will be a PDC. If No, Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC.</string>
+ <string id="POL_E14519D2_9B84_5A1B_B4A4_89F6151BFCE2">enhanced browsing</string>
+ <string id="POL_E14519D2_9B84_5A1B_B4A4_89F6151BFCE2_Help">This option enables a couple of enhancements to cross-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations.
+ The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, followed by a browse synchronization with each of the returned DMBs. The second enhancement consists of a regular randomised browse synchronization with all currently known DMBs.
+ You may wish to disable this option if you have a problem with empty workgroups not disappearing from browse lists. Due to the restrictions of the browse protocols, these enhancements can cause a empty workgroup to stay around forever which can be annoying.
+ In general you should leave this option enabled as it makes cross-subnet browse propagation much more reliable.</string>
+ <string id="POL_7E8FBFDB_CBDD_5CE7_B101_07AB8AA71209">lm announce</string>
+ <string id="POL_7E8FBFDB_CBDD_5CE7_B101_07AB8AA71209_Help">This parameter determines if nmbd 8 will produce Lanman announce broadcasts that are needed by OS/2 clients in order for them to see the Samba server in their browse list. This parameter can have three values, yes, no, or auto. The default is auto. If set to no Samba will never produce these broadcasts. If set to yes Samba will produce Lanman announce broadcasts at a frequency set by the parameter . If set to auto Samba will not send Lanman announce broadcasts by default but will listen for them. If it hears such a broadcast on the wire it will then start sending them at a frequency set by the parameter .
+
+Example: yes</string>
+ <string id="POL_6D665B21_1F08_5183_B9CD_CFD712C1D4AB">lm interval</string>
+ <string id="POL_6D665B21_1F08_5183_B9CD_CFD712C1D4AB_Help">If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the parameter) then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman announcements will be made despite the setting of the parameter.
+
+Example: 120</string>
+ <string id="POL_40EA4C73_20A7_580A_A830_0EDA7FC72B7D">local master</string>
+ <string id="POL_40EA4C73_20A7_580A_A830_0EDA7FC72B7D_Help">This option allows nmbd 8 to try and become a local master browser on a subnet. If set to no then nmbd will not attempt to become a local master browser on a subnet and will also lose in all browsing elections. By default this value is set to yes. Setting this value to yes doesn't mean that Samba will become the local master browser on a subnet, just that nmbd will participate in elections for local master browser.
+ Setting this value to no will cause nmbd never to become a local
+master browser.</string>
+ <string id="POL_95C311BC_3067_5654_A978_70326D928F48">os level</string>
+ <string id="POL_95C311BC_3067_5654_A978_70326D928F48_Help">This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether nmbd 8 has a chance of becoming a local master browser for the in the local broadcast area.
+ Note: By default, Samba will win a local master browsing election over all Microsoft operating systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can effectively isolate a subnet for browsing purposes. This parameter is largely auto-configured in the Samba-3 release series and it is seldom necessary to manually override the default setting. Please refer to the chapter on Network Browsing in the Samba-3 HOWTO document for further information regarding the use of this parameter. Note: The maximum value for this parameter is 255. If you use higher values, counting will start at 0!
+
+Example: 65</string>
+ <string id="POL_516D10CE_AECD_50DE_B4F5_D9DBF85FA582">preferred master</string>
+ <string id="POL_516D10CE_AECD_50DE_B4F5_D9DBF85FA582_Help">This boolean parameter controls if nmbd 8 is a preferred master browser for its workgroup.
+ If this is set to yes, on startup, nmbd will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with yes, so that nmbd can guarantee becoming a domain master.
+ Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing capabilities.</string>
+ <string id="POL_E468B4EF_D43C_572D_9A57_390D5D22F485">allow dns updates</string>
+ <string id="POL_E468B4EF_D43C_572D_9A57_390D5D22F485_Help">This option determines what kind of updates to the DNS are allowed.
+ DNS updates can either be disallowed completely by setting it to disabled, enabled over secure connections only by setting it to secure only or allowed in all cases by setting it to nonsecure.
+
+Example: disabled</string>
+ <string id="POL_7E805DF0_F3AD_55F6_AC1E_B13987AE73FC">dns forwarder</string>
+ <string id="POL_7E805DF0_F3AD_55F6_AC1E_B13987AE73FC_Help">This option specifies the list of DNS servers that DNS requests will be forwarded to if they can not be handled by Samba itself.
+ The DNS forwarder is only used if the internal DNS server in Samba is used.
+
+Example: 192.168.0.1 192.168.0.2</string>
+ <string id="POL_DE5786B0_C694_53AA_85F2_F9B4EB2F9923">dns update command</string>
+ <string id="POL_DE5786B0_C694_53AA_85F2_F9B4EB2F9923_Help">This option sets the command that is called when there are DNS updates. It should update the local machines DNS names using TSIG-GSS.
+
+Example: /usr/local/sbin/dnsupdate</string>
+ <string id="POL_C5C16F87_0017_5CC1_810B_398855115BC9">dns zone scavenging</string>
+ <string id="POL_C5C16F87_0017_5CC1_810B_398855115BC9_Help">When enabled (the default is disabled) unused dynamic dns records are periodically removed. This option should not be enabled for installations created with versions of samba before 4.9. Doing this will result in the loss of static DNS entries. This is due to a bug in previous versions of samba (BUG 12451) which marked dynamic DNS records as static and static records as dynamic. If one record for a DNS name is static (non-aging) then no other record for that DNS name will be scavenged.</string>
+ <string id="POL_23A4E426_BE59_5616_849E_94C825DDFC5B">gpo update command</string>
+ <string id="POL_23A4E426_BE59_5616_849E_94C825DDFC5B_Help">This option sets the command that is called to apply GPO policies.
+ The samba-gpupdate script applies System Access and Kerberos Policies to the KDC. System Access policies set minPwdAge, maxPwdAge, minPwdLength, and pwdProperties in the samdb. Kerberos Policies set kdc:service ticket lifetime, kdc:user ticket lifetime, and kdc:renewal lifetime in smb.conf.
+
+Example: /usr/local/sbin/gpoupdate</string>
+ <string id="POL_D32F3D0B_74B1_5C8F_81B4_CC9574EAB9B7">machine password timeout</string>
+ <string id="POL_D32F3D0B_74B1_5C8F_81B4_CC9574EAB9B7_Help">If a Samba server is a member of a Windows NT or Active Directory Domain (see the domain and ads parameters), then periodically a running winbindd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called secrets.tdb . This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server.
+ See also smbpasswd 8, and the domain and ads parameters.</string>
+ <string id="POL_07339CF8_68F5_5B5F_9207_93D2E4526C44">nsupdate command</string>
+ <string id="POL_07339CF8_68F5_5B5F_9207_93D2E4526C44_Help">This option sets the path to the nsupdate command which is used for GSS-TSIG dynamic DNS updates.</string>
+ <string id="POL_D0F6F805_6160_55CF_9B8B_F5AD874B1E2C">spn update command</string>
+ <string id="POL_D0F6F805_6160_55CF_9B8B_F5AD874B1E2C_Help">This option sets the command that for updating servicePrincipalName names from spn_update_list.
+
+Example: /usr/local/sbin/spnupdate</string>
+ <string id="POL_6FFBB02C_6B3E_5D0E_9193_15F9B38E487D">mangle prefix</string>
+ <string id="POL_6FFBB02C_6B3E_5D0E_9193_15F9B38E487D_Help">controls the number of prefix characters from the original name used when generating the mangled names. A larger value will give a weaker hash and therefore more name collisions. The minimum value is 1 and the maximum value is 6.
+ mangle prefix is effective only when mangling method is hash2.
+
+Example: 4</string>
+ <string id="POL_BE8F8AE7_99AC_582E_8105_00326D511339">mangling method</string>
+ <string id="POL_BE8F8AE7_99AC_582E_8105_00326D511339_Help">controls the algorithm used for the generating the mangled names. Can take two different values, "hash" and "hash2". "hash" is the algorithm that was used in Samba for many years and was the default in Samba 2.2.x "hash2" is
+ now the default and is newer and considered a better algorithm (generates less collisions) in
+ the names. Many Win32 applications store the mangled names and so changing to algorithms must not be done lightly as these applications
+ may break unless reinstalled.
+
+Example: hash</string>
+ <string id="POL_62095050_5FA9_5E4F_8792_595D30BEF047">max stat cache size</string>
+ <string id="POL_62095050_5FA9_5E4F_8792_595D30BEF047_Help">This parameter limits the size in memory of any stat cache being used to speed up case insensitive name mappings. It represents the number of kilobyte (1024) units the stat cache can use. A value of zero, meaning unlimited, is not advisable due to increased memory usage. You should not need to change this parameter.
+
+Example: 100</string>
+ <string id="POL_63F6A053_E2E9_57D0_A0F8_003024AD6470">stat cache</string>
+ <string id="POL_63F6A053_E2E9_57D0_A0F8_003024AD6470_Help">This parameter determines if smbd 8 will use a cache in order to speed up case insensitive name mappings. You should never need to change this parameter.</string>
+ <string id="POL_FBDCB316_EDD2_526C_AE9F_32F50A97A72F">client ldap sasl wrapping</string>
+ <string id="POL_FBDCB316_EDD2_526C_AE9F_32F50A97A72F_Help">The defines whether ldap traffic will be signed or signed and encrypted (sealed). Possible values are plain, sign and seal.
+ The values sign and seal are only available if Samba has been compiled against a modern OpenLDAP version (2.3.x or higher). This option is needed in the case of Domain Controllers enforcing the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher). LDAP sign and seal can be controlled with the registry key "HKLM\System\CurrentControlSet\Services\ NTDS\Parameters\LDAPServerIntegrity" on the Windows server side.
+ Depending on the used KRB5 library (MIT and older Heimdal versions) it is possible that the message "integrity only" is not supported. In this case, sign is just an alias for seal.
+ The default value is sign. That implies synchronizing the time with the KDC in the case of using Kerberos.</string>
+ <string id="POL_712CFB73_7887_55DD_975B_48DEDBDB9441">ldap admin dn</string>
+ <string id="POL_712CFB73_7887_55DD_975B_48DEDBDB9441_Help">The defines the Distinguished Name (DN) name used by Samba to contact the ldap server when retrieving user account information. The is used in conjunction with the admin dn password stored in the private/secrets.tdb file. See the smbpasswd 8 man page for more information on how to accomplish this.
+ The requires a fully specified DN. The is not appended to the .</string>
+ <string id="POL_CEAB52CA_95EB_5DE5_863B_2399BEF5C727">ldap connection timeout</string>
+ <string id="POL_CEAB52CA_95EB_5DE5_863B_2399BEF5C727_Help">This parameter tells the LDAP library calls which timeout in seconds they should honor during initial connection establishments to LDAP servers. It is very useful in failover scenarios in particular. If one or more LDAP servers are not reachable at all, we do not have to wait until TCP timeouts are over. This feature must be supported by your LDAP library.
+ This parameter is different from which affects operations on LDAP servers using an existing connection and not establishing an initial connection.</string>
+ <string id="POL_4750A945_176C_5FFF_AB50_DF2BE31C3FBB">ldap delete dn</string>
+ <string id="POL_4750A945_176C_5FFF_AB50_DF2BE31C3FBB_Help">This parameter specifies whether a delete operation in the ldapsam deletes the complete entry or only the attributes specific to Samba.</string>
+ <string id="POL_27BBF4DB_E2AE_58D3_8018_E83C4B185A3C">ldap deref</string>
+ <string id="POL_27BBF4DB_E2AE_58D3_8018_E83C4B185A3C_Help">This option controls whether Samba should tell the LDAP library to use a certain alias dereferencing method. The default is auto, which means that the default setting of the ldap client library will be kept. Other possible values are never, finding, searching and always. Grab your LDAP manual for more information.
+
+Example: searching</string>
+ <string id="POL_B383A7ED_F6A4_5BD3_B85E_E6B6527D8D79">ldap follow referral</string>
+ <string id="POL_B383A7ED_F6A4_5BD3_B85E_E6B6527D8D79_Help">This option controls whether to follow LDAP referrals or not when searching for entries in the LDAP database. Possible values are on to enable following referrals, off to disable this, and auto, to use the libldap default settings. libldap's choice of following referrals or not is set in /etc/openldap/ldap.conf with the REFERRALS parameter as documented in ldap.conf(5).
+
+Example: off</string>
+ <string id="POL_E31CD0A8_5A4A_5657_8ACA_123A200C6E06">ldap group suffix</string>
+ <string id="POL_E31CD0A8_5A4A_5657_8ACA_123A200C6E06_Help">This parameter specifies the suffix that is used for groups when these are added to the LDAP directory. If this parameter is unset, the value of will be used instead. The suffix string is pre-pended to the
+ string so use a partial DN.
+
+Example: ou=Groups</string>
+ <string id="POL_FC4495FC_4C6E_50C8_9B37_08D9955A883B">ldap idmap suffix</string>
+ <string id="POL_FC4495FC_4C6E_50C8_9B37_08D9955A883B_Help">This parameters specifies the suffix that is used when storing idmap mappings. If this parameter is unset, the value of will be used instead. The suffix string is pre-pended to the string so use a partial DN.
+
+Example: ou=Idmap</string>
+ <string id="POL_2ED1402F_4CF6_5CED_BE40_9B112E1238DC">ldap machine suffix</string>
+ <string id="POL_2ED1402F_4CF6_5CED_BE40_9B112E1238DC_Help">It specifies where machines should be added to the ldap tree. If this parameter is unset, the value of will be used instead. The suffix string is pre-pended to the string so use a partial DN.
+
+Example: ou=Computers</string>
+ <string id="POL_12C5B04D_D734_576A_99F1_7475BC9E90D7">ldap page size</string>
+ <string id="POL_12C5B04D_D734_576A_99F1_7475BC9E90D7_Help">This parameter specifies the number of entries per page.
+ If the LDAP server supports paged results, clients can request subsets of search results (pages) instead of the entire list. This parameter specifies the size of these pages.
+
+Example: 512</string>
+ <string id="POL_DB427B53_CF02_5410_AE37_5BD4E8B968CE">ldap passwd sync</string>
+ <string id="POL_DB427B53_CF02_5410_AE37_5BD4E8B968CE_Help">This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password change via SAMBA.
+ The can be set to one of three values: Yes = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time. No = Update NT and LM passwords and update the pwdLastSet time.
+ Only = Only update the LDAP password and let the LDAP server do the rest.</string>
+ <string id="POL_0C51A40C_E06E_5A0A_B160_5EB21289B17D">ldap replication sleep</string>
+ <string id="POL_0C51A40C_E06E_5A0A_B160_5EB21289B17D_Help">When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server. This server then replicates our changes back to the 'local' server, however the replication might take some seconds, especially over slow links. Certain client activities, particularly domain joins, can become confused by the 'success' that does not immediately change the LDAP back-end's data.
+ This option simply causes Samba to wait a short time, to allow the LDAP server to catch up. If you have a particularly high-latency network, you may wish to time the LDAP replication with a network sniffer, and increase this value accordingly. Be aware that no checking is performed that the data has actually replicated.
+ The value is specified in milliseconds, the maximum value is 5000 (5 seconds).</string>
+ <string id="POL_763BAFE2_3FE0_5C25_B3DC_34AE48F2F569">ldapsam:editposix</string>
+ <string id="POL_763BAFE2_3FE0_5C25_B3DC_34AE48F2F569_Help">Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller eliminating the need to set up custom scripts to add and manage the posix users and groups. This option will instead directly manipulate the ldap tree to create, remove and modify user and group entries. This option also requires a running winbindd as it is used to allocate new uids/gids on user/group creation. The allocation range must be therefore configured.
+ To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users, Domain Admins, Domain Guests) can be precreated with the command net sam provision. To run this command the ldap server must be running, Winbindd must be running and the smb.conf ldap options must be properly configured.
+ The typical ldap setup used with the yes option is usually sufficient to use yes as well.
+ An example configuration can be the following:
+ encrypt passwords = true passdb backend = ldapsam
+ ldapsam:trusted=yes ldapsam:editposix=yes
+ ldap admin dn = cn=admin,dc=samba,dc=org ldap delete dn = yes ldap group suffix = ou=groups ldap idmap suffix = ou=idmap ldap machine suffix = ou=computers ldap user suffix = ou=users ldap suffix = dc=samba,dc=org
+ idmap backend = ldap:"ldap://localhost"
+ idmap uid = 5000-50000 idmap gid = 5000-50000
+ This configuration assumes a directory layout like described in the following ldif:
+ dn: dc=samba,dc=org objectClass: top objectClass: dcObject objectClass: organization o: samba.org dc: samba
+ dn: cn=admin,dc=samba,dc=org objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword: secret
+ dn: ou=users,dc=samba,dc=org objectClass: top objectClass: organizationalUnit ou: users
+ dn: ou=groups,dc=samba,dc=org objectClass: top objectClass: organizationalUnit ou: groups
+ dn: ou=idmap,dc=samba,dc=org objectClass: top objectClass: organizationalUnit ou: idmap
+ dn: ou=computers,dc=samba,dc=org objectClass: top objectClass: organizationalUnit ou: computers</string>
+ <string id="POL_F7979912_0010_5656_BC3A_08876A56418C">ldapsam:trusted</string>
+ <string id="POL_F7979912_0010_5656_BC3A_08876A56418C_Help">By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix-style NSS subsystem to access user and group information. Due to the way Unix stores user information in /etc/passwd and /etc/group this inevitably leads to inefficiencies. One important question a user needs to know is the list of groups he is member of. The plain UNIX model involves a complete enumeration of the file /etc/group and its NSS counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that are used to deal with user and group attributes lack such optimization.
+ To make Samba scale well in large environments, the yes option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are stored together with the POSIX data in the same LDAP object. If these assumptions are met, yes can be activated and Samba can bypass the NSS system to query user group memberships. Optimized LDAP queries can greatly speed up domain logon and administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries is easily achieved.</string>
+ <string id="POL_04D79AF3_042D_5ABC_BE8F_4C6628E0F703">ldap server require strong auth</string>
+ <string id="POL_04D79AF3_042D_5ABC_BE8F_4C6628E0F703_Help">The defines whether the ldap server requires ldap traffic to be signed or signed and encrypted (sealed). Possible values are no, allow_sasl_over_tls and yes.
+ A value of no allows simple and sasl binds over all transports.
+ A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal) over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.
+ A value of yes allows only simple binds over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.</string>
+ <string id="POL_5B8B9520_4858_5C2F_AA85_F972FF86784A">ldap ssl</string>
+ <string id="POL_5B8B9520_4858_5C2F_AA85_F972FF86784A_Help">This option is used to define whether or not Samba should use SSL when connecting to the ldap server This is NOT related to Samba's previous SSL support which was enabled by specifying the --with-ssl option to the configure script.
+ LDAP connections should be secured where possible. This may be done setting either this parameter to start tls or by specifying ldaps:// in
+ the URL argument of .
+ The can be set to one of two values: Off = Never use SSL when querying the directory.
+ start tls = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server. Please note that this parameter does only affect rpc methods. To enable the LDAPv3 StartTLS extended operation (RFC2830) for ads, set start tls and yes. See smb.conf5 for more information on .</string>
+ <string id="POL_42494B88_7254_5F5F_B738_D5D10BCFBC6C">ldap ssl ads</string>
+ <string id="POL_42494B88_7254_5F5F_B738_D5D10BCFBC6C_Help">This option is used to define whether or not Samba should use SSL when connecting to the ldap server using ads methods. Rpc methods are not affected by this parameter. Please note, that this parameter won't have any effect if is set to no.
+ See smb.conf5 for more information on .</string>
+ <string id="POL_9B071174_FBD3_5CA8_82AA_3BD1EB7BCF45">ldap suffix</string>
+ <string id="POL_9B071174_FBD3_5CA8_82AA_3BD1EB7BCF45_Help">Specifies the base for all ldap suffixes and for storing the sambaDomain object.
+ The ldap suffix will be appended to the values specified for the , , , and the . Each of these should be given only a DN relative to the .
+
+Example: dc=samba,dc=org</string>
+ <string id="POL_40F4D046_B9E1_53B0_9DC9_1AE4DE9B1976">ldap timeout</string>
+ <string id="POL_40F4D046_B9E1_53B0_9DC9_1AE4DE9B1976_Help">This parameter defines the number of seconds that Samba should use as timeout for LDAP operations.</string>
+ <string id="POL_26984E46_7C64_57A4_B4BF_C2C2B13C330E">ldap user suffix</string>
+ <string id="POL_26984E46_7C64_57A4_B4BF_C2C2B13C330E_Help">This parameter specifies where users are added to the tree. If this parameter is unset, the value of will be used instead. The suffix string is pre-pended to the string so use a partial DN.
+
+Example: ou=people</string>
+ <string id="POL_AB95F2C5_BFBC_5955_8062_8B446AF7E84C">ldap max anonymous request size</string>
+ <string id="POL_AB95F2C5_BFBC_5955_8062_8B446AF7E84C_Help">This parameter specifies the maximum permitted size (in bytes) for an LDAP request received on an anonymous connection.
+ If the request size exceeds this limit the request will be rejected.
+
+Example: 500000</string>
+ <string id="POL_23FFECD5_A3C4_566C_AEB3_015F25B1A978">ldap max authenticated request size</string>
+ <string id="POL_23FFECD5_A3C4_566C_AEB3_015F25B1A978_Help">This parameter specifies the maximum permitted size (in bytes) for an LDAP request received on an authenticated connection.
+ If the request size exceeds this limit the request will be rejected.
+
+Example: 4194304</string>
+ <string id="POL_F7C651B1_70B4_5047_BC65_2E4D382CBD15">ldap max search request size</string>
+ <string id="POL_F7C651B1_70B4_5047_BC65_2E4D382CBD15_Help">This parameter specifies the maximum permitted size (in bytes) for an LDAP search request.
+ If the request size exceeds this limit the request will be rejected.
+
+Example: 4194304</string>
+ <string id="POL_B3B2B9CC_3DBC_5C45_AA31_7C1E52AFEFAF">lock spin time</string>
+ <string id="POL_B3B2B9CC_3DBC_5C45_AA31_7C1E52AFEFAF_Help">The time in milliseconds that smbd should keep waiting to see if a failed lock request can be granted. This parameter has changed in default value from Samba 3.0.23 from 10 to 200. The associated parameter is no longer used in Samba 3.0.24. You should not need to change the value of this parameter.</string>
+ <string id="POL_4A0366F2_6815_5654_8DC2_F68E840E53F4">oplock break wait time</string>
+ <string id="POL_4A0366F2_6815_5654_8DC2_F68E840E53F4_Help">This is a tuning parameter added due to bugs in both Windows 9x and WinNT. If Samba responds to a client too quickly when that client issues an SMB that can cause an oplock break request, then the network client can fail and not respond to the break request. This tuning parameter (which is set in milliseconds) is the amount of time Samba will wait before sending an oplock break request to such (broken) clients.
+ DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.</string>
+ <string id="POL_B49FAE41_B4C1_5AFA_870E_9E1C35F9A96F">smb2 leases</string>
+ <string id="POL_B49FAE41_B4C1_5AFA_870E_9E1C35F9A96F_Help">This boolean option tells smbd whether to globally negotiate SMB2 leases on file open requests. Leasing is an SMB2-only feature which allows clients to aggressively cache files locally above and beyond the caching allowed by SMB1 oplocks.
+ This is only available with yes and no.
+ Note that the write cache won't be used for file handles with a smb2 write lease.</string>
+ <string id="POL_1E9B5BE6_8C81_5141_88CD_B5AC0E8D964B">debug class</string>
+ <string id="POL_1E9B5BE6_8C81_5141_88CD_B5AC0E8D964B_Help">With this boolean parameter enabled, the debug class (DBGC_CLASS)
+ will be displayed in the debug header.
+
+
+ For more information about currently available debug classes, see
+ section about .</string>
+ <string id="POL_07D2E039_C5A0_5123_BD71_0C74E2569310">debug hires timestamp</string>
+ <string id="POL_07D2E039_C5A0_5123_BD71_0C74E2569310_Help">Sometimes the timestamps in the log messages are needed with a resolution of higher that seconds, this
+ boolean parameter adds microsecond resolution to the timestamp message header when turned on.
+
+
+
+ Note that the parameter must be on for this to have an effect.</string>
+ <string id="POL_E066DF4A_5BA1_5B35_A96F_90DE6CF27132">debug pid</string>
+ <string id="POL_E066DF4A_5BA1_5B35_A96F_90DE6CF27132_Help">When using only one log file for more then one forked smbd
+ 8-process there may be hard to follow which process outputs which
+ message. This boolean parameter is adds the process-id to the timestamp message headers in the
+ logfile when turned on.
+
+
+
+ Note that the parameter must be on for this to have an effect.</string>
+ <string id="POL_4B4EF8B5_3526_5583_8174_E3E332727970">debug prefix timestamp</string>
+ <string id="POL_4B4EF8B5_3526_5583_8174_E3E332727970_Help">With this option enabled, the timestamp message header is prefixed to the debug message without the
+ filename and function information that is included with the
+ parameter. This gives timestamps to the messages without adding an additional line.
+
+
+
+ Note that this parameter overrides the parameter.</string>
+ <string id="POL_571A8B87_3CCC_5725_BA33_BDEE367BB740">debug uid</string>
+ <string id="POL_571A8B87_3CCC_5725_BA33_BDEE367BB740_Help">Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the
+ current euid, egid, uid and gid to the timestamp message headers in the log file if turned on.
+
+
+ Note that the parameter must be on for this to have an effect.</string>
+ <string id="POL_2167CEE9_B2C9_5574_8F7D_F38DA9EBBFF1">ldap debug level</string>
+ <string id="POL_2167CEE9_B2C9_5574_8F7D_F38DA9EBBFF1_Help">This parameter controls the debug level of the LDAP library calls. In the case of OpenLDAP, it is the same bit-field as understood by the server and documented in the slapd.conf 5 manpage. A typical useful value will be 1 for tracing function calls. The debug output from the LDAP libraries appears with the prefix [LDAP] in Samba's logging output. The level at which LDAP logging is printed is controlled by the parameter ldap debug threshold.
+
+Example: 1</string>
+ <string id="POL_F324946B_9B0D_53F0_AD4F_56800DD63085">ldap debug threshold</string>
+ <string id="POL_F324946B_9B0D_53F0_AD4F_56800DD63085_Help">This parameter controls the Samba debug level at which the ldap library debug output is printed in the Samba logs. See the description of ldap debug level for details.
+
+Example: 5</string>
+ <string id="POL_3A601C55_A5EB_5E86_817B_38DACFD45CF9">log file</string>
+ <string id="POL_3A601C55_A5EB_5E86_817B_38DACFD45CF9_Help">This option allows you to override the name of the Samba log file (also known as the debug file).
+
+
+
+ This option takes the standard substitutions, allowing you to have separate log files for each user or machine.
+
+Example: /usr/local/samba/var/log.%m</string>
+ <string id="POL_A3E0303F_93B5_5C1F_8C01_362881F843CC">logging</string>
+ <string id="POL_A3E0303F_93B5_5C1F_8C01_362881F843CC_Help">This parameter configures logging backends. Multiple
+ backends can be specified at the same time, with different log
+ levels for each backend. The parameter is a list of backends,
+ where each backend is specified as backend[:option][@loglevel].
+
+ The 'option' parameter can be used to pass backend-specific
+ options.
+
+ The log level for a backend is optional, if it is not set for
+ a backend, all messages are sent to this backend. The parameter
+ determines overall log levels,
+ while the log levels specified here define what is sent to the
+ individual backends.
+
+ When is set, it overrides the
+ and parameters.
+
+ Some backends are only available when Samba has been compiled
+ with the additional libraries. The overall list of logging backends:
+
+
+ syslog
+ file
+ systemd
+ lttng
+ gpfs
+ ringbuf
+
+
+ The ringbuf backend supports an
+ optional size argument to change the buffer size used, the default is 1 MB:
+ ringbuf:size=NBYTES
+
+Example: syslog at 1 file</string>
+ <string id="POL_E077BD91_3587_5DBA_A7CB_13044D97E451">log level</string>
+ <string id="POL_E077BD91_3587_5DBA_A7CB_13044D97E451_Help">The value of the parameter (a string) allows the debug level (logging level) to be specified in the
+ smb.conf file.
+
+
+ This parameter has been extended since the 2.2.x
+ series, now it allows one to specify the debug level for multiple
+ debug classes and distinct logfiles for debug classes. This is to give
+ greater flexibility in the configuration of the system. The following
+ debug classes are currently implemented:
+
+
+ all tdb printdrivers lanman smb smb2 smb2_credits rpc_parse rpc_srv rpc_cli passdb sam auth winbind vfs idmap quota acls locking msdfs dmapi registry
+ scavenger
+ dns
+ ldb
+ tevent
+ auth_audit
+ auth_json_audit
+ kerberos
+ dsdb_audit
+ dsdb_json_audit
+ dsdb_password_audit
+ dsdb_password_json_audit
+ dsdb_transaction_audit
+ dsdb_transaction_json_audit
+
+
+ To configure the logging for specific classes to go into a different
+ file then , you can append
+ @PATH to the class, eg log level = 1
+ full_audit:1@/var/log/audit.log.
+
+ Authentication and authorization audit information is logged
+ under the auth_audit, and if Samba was not compiled with
+ --without-json, a JSON representation is logged under
+ auth_json_audit.
+
+ Support is comprehensive for all authentication and authorisation
+ of user accounts in the Samba Active Directory Domain Controller,
+ as well as the implicit authentication in password changes. In
+ the file server, NTLM authentication, SMB and RPC authorization is
+ covered.
+
+ Log levels for auth_audit and auth_audit_json are:
+ 2: Authentication Failure 3: Authentication Success 4: Authorization Success 5: Anonymous Authentication and Authorization Success
+
+
+ Changes to the sam.ldb database are logged
+ under the dsdb_audit and a JSON representation is logged under
+ dsdb_json_audit.
+
+ Password changes and Password resets are logged under
+ dsdb_password_audit and a JSON representation is logged under the
+ dsdb_password_json_audit.
+
+ Transaction rollbacks and prepare commit failures are logged under
--
Samba Shared Repository
More information about the samba-cvs
mailing list