From b6e2ddaee1867b49710d22ebcb6c87b2f0a54a29 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 22 Mar 2017 12:11:26 +0100 Subject: docs-xml: document "map untrusted to domain = auto" BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- .../smbdotconf/security/mapuntrustedtodomain.xml | 23 +++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml index a02948ace4b..095ce6e5760 100644 --- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml +++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml @@ -1,9 +1,20 @@ + + With auto + smbd will defer the decision whether the domain name provided by the + client is a valid domain name to the Domain Controller (DC) of + the domain it is a member of, if it is not a DC. If the DC indicates + that the domain portion is unknown, then a local authentication is performed. + Standalone servers always ignore the domain. This is basically the same as + the behavior implemented in Windows. + + By default, and with no, if a client connects to smbd using an untrusted domain name, such as @@ -12,6 +23,11 @@ attempting to authenticate that user. In the case where smbd is acting as a NT4 PDC/BDC this will be DOMAIN\user. In the case where smbd is acting as a domain member server or a standalone server this will be WORKSTATION\user. + While this appears similar to the behaviour of + auto, + the difference is that smbd will use a cached (maybe incomplete) list + of trusted domains in order to classify a domain as "untrusted" + before contacting any DC first. @@ -21,6 +37,11 @@ primary domain before attempting to authenticate that user. This will be DOMAIN\user in all server roles except active directory domain controller. + + + auto was added + with Samba 4.7.0. + no -- cgit v1.2.1
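Review bot: In the first hunk (@@ -1,9 +1,20 @@), the trailing clause "if it is not a DC" is ambiguous, and the paragraph never says what auto does when smbd itself is a DC. Put the condition at the front, for example "When smbd is a domain member and not a DC, auto defers the decision ...", and add one sentence covering the DC role, the same way standalone servers get their own sentence. "Basically the same as the behavior implemented in Windows" would also be more useful if it named which part matches (deferring to the DC, the local fallback, or both). Minor: this hunk spells "behavior" while the second hunk spells "behaviour"; pick one.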
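Review bot: In the second hunk (@@ -12,6 +23,11 @@), the added sentence says the cached list of trusted domains may be incomplete but does not state what that means for an administrator. Reading it together with the paragraph it extends, a domain that is trusted but missing from the cache would be classified as "untrusted" and have its domain part replaced by the SAM name before authentication; if that is the intended reading, say so explicitly, since it is the practical reason to choose auto over no. Wording: "before contacting any DC first" is redundant, drop "first".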
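Review bot: In the third hunk (@@ -21,6 +37,11 @@), the version note "auto was added with Samba 4.7.0" is placed after the yes paragraph, far from the auto description that the first hunk adds at the top of the file. A reader who stops after the auto paragraph will not learn that the value is unavailable in older releases; move the note next to that paragraph, and prefer "added in Samba 4.7.0". Since the default shown in the trailing context stays no, a short sentence on when auto should be preferred would help readers choose between the two.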