diff options
author | Stefan Metzmacher <metze@samba.org> | 2017-03-22 12:11:26 +0100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-06-16 03:21:29 +0200 |
commit | b6e2ddaee1867b49710d22ebcb6c87b2f0a54a29 (patch) | |
tree | 9154cad8fa1e9dff0cf3e20d7e042a188b2438f3 /docs-xml | |
parent | ab36c1d152e231be644dc7413ad5b6816f45e24f (diff) | |
download | samba-b6e2ddaee1867b49710d22ebcb6c87b2f0a54a29.tar.gz |
docs-xml: document "map untrusted to domain = auto"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'docs-xml')
-rw-r--r-- | docs-xml/smbdotconf/security/mapuntrustedtodomain.xml | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml index a02948ace4b..095ce6e5760 100644 --- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml +++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml @@ -1,10 +1,21 @@ <samba:parameter name="map untrusted to domain" context="G" - type="boolean" + type="enum" + enumlist="enum_bool_auto" deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para> + With <smbconfoption name="map untrusted to domain">auto</smbconfoption> + smbd will defer the decision whether the domain name provided by the + client is a valid domain name to the Domain Controller (DC) of + the domain it is a member of, if it is not a DC. If the DC indicates + that the domain portion is unknown, then a local authentication is performed. + Standalone servers always ignore the domain. This is basically the same as + the behavior implemented in Windows. + </para> + + <para> By default, and with <smbconfoption name="map untrusted to domain">no</smbconfoption>, if a client connects to smbd using an untrusted domain name, such as BOGUS\user, smbd replaces the BOGUS domain with it's SAM name @@ -12,6 +23,11 @@ attempting to authenticate that user. In the case where smbd is acting as a NT4 PDC/BDC this will be DOMAIN\user. In the case where smbd is acting as a domain member server or a standalone server this will be WORKSTATION\user. + While this appears similar to the behaviour of + <smbconfoption name="map untrusted to domain">auto</smbconfoption>, + the difference is that smbd will use a cached (maybe incomplete) list + of trusted domains in order to classify a domain as "untrusted" + before contacting any DC first. </para> <para> @@ -21,6 +37,11 @@ primary domain before attempting to authenticate that user. This will be DOMAIN\user in all server roles except active directory domain controller. </para> + + <para> + <smbconfoption name="map untrusted to domain">auto</smbconfoption> was added + with Samba 4.7.0. + </para> </description> <value type="default">no</value> |