summaryrefslogtreecommitdiffstats
path: root/docs/htmldocs/smbd.8.html
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2001-10-10 17:19:10 +0000
committerGerald Carter <jerry@samba.org>2001-10-10 17:19:10 +0000
commitc76bf8ed3275e217d1b691879153fe9137bcbe38 (patch)
treec45103ab10b0455e61766cf52bac0cdea5c0afca /docs/htmldocs/smbd.8.html
parent96c9df577bcffeec1b7d516a5431e54e679bd6b4 (diff)
downloadsamba-c76bf8ed3275e217d1b691879153fe9137bcbe38.tar.gz
samba-c76bf8ed3275e217d1b691879153fe9137bcbe38.tar.xz
samba-c76bf8ed3275e217d1b691879153fe9137bcbe38.zip
mega-merge from 2.2
Diffstat (limited to 'docs/htmldocs/smbd.8.html')
-rw-r--r--docs/htmldocs/smbd.8.html193
1 files changed, 152 insertions, 41 deletions
diff --git a/docs/htmldocs/smbd.8.html b/docs/htmldocs/smbd.8.html
index 35520b05afc..be82ef6d4ec 100644
--- a/docs/htmldocs/smbd.8.html
+++ b/docs/htmldocs/smbd.8.html
@@ -98,12 +98,15 @@ CLASS="FILENAME"
can force a reload by sending a SIGHUP to the server. Reloading
the configuration file will not affect connections to any service
that is already established. Either the user will have to
- disconnect from the service, or smbd killed and restarted.</P
+ disconnect from the service, or <B
+CLASS="COMMAND"
+>smbd</B
+> killed and restarted.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN35"
+NAME="AEN36"
></A
><H2
>OPTIONS</H2
@@ -120,9 +123,12 @@ CLASS="VARIABLELIST"
the server to operate as a daemon. That is, it detaches
itself and runs in the background, fielding requests
on the appropriate port. Operating the server as a
- daemon is the recommended way of running smbd for
+ daemon is the recommended way of running <B
+CLASS="COMMAND"
+>smbd</B
+> for
servers that provide more than casual use file and
- print services. This switch is assumed is <B
+ print services. This switch is assumed if <B
CLASS="COMMAND"
>smbd
</B
@@ -153,7 +159,10 @@ CLASS="COMMAND"
>-P</DT
><DD
><P
->Passive option. Causes smbd not to
+>Passive option. Causes <B
+CLASS="COMMAND"
+>smbd</B
+> not to
send any network traffic out. Used for debugging by
the developers only.</P
></DD
@@ -181,7 +190,12 @@ CLASS="COMMAND"
>-d &#60;debug level&#62;</DT
><DD
><P
->debuglevel is an integer
+><TT
+CLASS="REPLACEABLE"
+><I
+>debuglevel</I
+></TT
+> is an integer
from 0 to 10. The default value if this parameter is
not specified is zero.</P
><P
@@ -217,8 +231,11 @@ CLASS="FILENAME"
>-l &#60;log file&#62;</DT
><DD
><P
->If specified, <EM
->log file</EM
+>If specified, <TT
+CLASS="REPLACEABLE"
+><I
+>log file</I
+></TT
>
specifies a log filename into which informational and debug
messages from the running server will be logged. The log
@@ -261,7 +278,12 @@ CLASS="FILENAME"
>-p &#60;port number&#62;</DT
><DD
><P
->port number is a positive integer
+><TT
+CLASS="REPLACEABLE"
+><I
+>port number</I
+></TT
+> is a positive integer
value. The default value if this parameter is not
specified is 139.</P
><P
@@ -309,7 +331,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN104"
+NAME="AEN109"
></A
><H2
>FILES</H2
@@ -407,7 +429,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN137"
+NAME="AEN142"
></A
><H2
>LIMITATIONS</H2
@@ -426,7 +448,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN141"
+NAME="AEN146"
></A
><H2
>ENVIRONMENTVARIABLES</H2
@@ -436,12 +458,18 @@ NAME="AEN141"
CLASS="VARIABLELIST"
><DL
><DT
->PRINTER</DT
+><TT
+CLASS="ENVAR"
+>PRINTER</TT
+></DT
><DD
><P
>If no printer name is specified to
printable services, most systems will use the value of
- this variable (or lp if this variable is
+ this variable (or <TT
+CLASS="CONSTANT"
+>lp</TT
+> if this variable is
not defined) as the name of the printer to use. This
is not specific to the server, however.</P
></DD
@@ -451,7 +479,7 @@ CLASS="VARIABLELIST"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN148"
+NAME="AEN155"
></A
><H2
>INSTALLATION</H2
@@ -469,10 +497,16 @@ CLASS="FILENAME"
program itself should be executable by all, as users may wish to
run the server themselves (in which case it will of course run
with their privileges). The server should NOT be setuid. On some
- systems it may be worthwhile to make smbd setgid to an empty group.
+ systems it may be worthwhile to make <B
+CLASS="COMMAND"
+>smbd</B
+> setgid to an empty group.
This is because some systems may have a security hole where daemon
processes that become a user can be attached to with a debugger.
- Making the smbd file setgid to an empty group may prevent
+ Making the <B
+CLASS="COMMAND"
+>smbd</B
+> file setgid to an empty group may prevent
this hole from being exploited. This security hole and the suggested
fix has only been confirmed on old versions (pre-kernel 2.0) of Linux
at the time this was written. It is possible that this hole only
@@ -567,7 +601,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN179"
+NAME="AEN188"
></A
><H2
>RUNNING THE SERVER AS A DAEMON</H2
@@ -622,7 +656,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN192"
+NAME="AEN201"
></A
><H2
>RUNNING THE SERVER ON REQUEST</H2
@@ -631,7 +665,10 @@ NAME="AEN192"
CLASS="COMMAND"
>inetd
</B
->, you can arrange to have the smbd server started
+>, you can arrange to have the <B
+CLASS="COMMAND"
+>smbd</B
+> server started
whenever a process attempts to connect to it. This requires several
changes to the startup files on the host machine. If you are
experimenting as an ordinary user rather than as root, you will
@@ -755,7 +792,52 @@ CLASS="COMPUTEROUTPUT"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN223"
+NAME="AEN233"
+></A
+><H2
+>PAM INTERACTION</H2
+><P
+>Samba uses PAM for authentication (when presented with a plaintext
+ password), for account checking (is this account disabled?) and for
+ session management. The degree too which samba supports PAM is restricted
+ by the limitations of the SMB protocol and the
+ <A
+HREF="smb.conf.5.html#OBEYPAMRESRICTIONS"
+TARGET="_top"
+>obey pam restricions</A
+>
+ smb.conf paramater. When this is set, the following restrictions apply:
+ </P
+><P
+></P
+><UL
+><LI
+><P
+><EM
+>Account Validation</EM
+>: All acccesses to a
+ samba server are checked
+ against PAM to see if the account is vaild, not disabled and is permitted to
+ login at this time. This also applies to encrypted logins.
+ </P
+></LI
+><LI
+><P
+><EM
+>Session Management</EM
+>: When not using share
+ level secuirty, users must pass PAM's session checks before access
+ is granted. Note however, that this is bypassed in share level secuirty.
+ Note also that some older pam configuration files may need a line
+ added for session support.
+ </P
+></LI
+></UL
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN244"
></A
><H2
>TESTING THE INSTALLATION</H2
@@ -769,8 +851,18 @@ CLASS="COMMAND"
> will reread their configuration
tables if they receive a HUP signal.</P
><P
->If your machine's name is fred and your
- name is mary, you should now be able to connect
+>If your machine's name is <TT
+CLASS="REPLACEABLE"
+><I
+>fred</I
+></TT
+> and your
+ name is <TT
+CLASS="REPLACEABLE"
+><I
+>mary</I
+></TT
+>, you should now be able to connect
to the service <TT
CLASS="FILENAME"
>\\fred\mary</TT
@@ -803,7 +895,7 @@ CLASS="FILENAME"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN235"
+NAME="AEN258"
></A
><H2
>VERSION</H2
@@ -814,7 +906,7 @@ NAME="AEN235"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN238"
+NAME="AEN261"
></A
><H2
>DIAGNOSTICS</H2
@@ -837,19 +929,25 @@ NAME="AEN238"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN243"
+NAME="AEN266"
></A
><H2
>SIGNALS</H2
><P
->Sending the smbd a SIGHUP will cause it to
- re-load its <TT
+>Sending the <B
+CLASS="COMMAND"
+>smbd</B
+> a SIGHUP will cause it to
+ reload its <TT
CLASS="FILENAME"
>smb.conf</TT
> configuration
file within a short period of time.</P
><P
->To shut down a users smbd process it is recommended
+>To shut down a user's <B
+CLASS="COMMAND"
+>smbd</B
+> process it is recommended
that <B
CLASS="COMMAND"
>SIGKILL (-9)</B
@@ -858,24 +956,37 @@ CLASS="COMMAND"
>
be used, except as a last resort, as this may leave the shared
memory area in an inconsistent state. The safe way to terminate
- an smbd is to send it a SIGTERM (-15) signal and wait for
+ an <B
+CLASS="COMMAND"
+>smbd</B
+> is to send it a SIGTERM (-15) signal and wait for
it to die on its own.</P
><P
->The debug log level of smbd may be raised by sending
- it a SIGUSR1 (<B
+>The debug log level of <B
CLASS="COMMAND"
->kill -USR1 &#60;smbd-pid&#62;</B
->)
- and lowered by sending it a SIGUSR2 (<B
+>smbd</B
+> may be raised
+ or lowered using <A
+HREF="smbcontrol.1.html"
+TARGET="_top"
+><B
CLASS="COMMAND"
->kill -USR2 &#60;smbd-pid&#62;
+>smbcontrol(1)
</B
->). This is to allow transient problems to be diagnosed,
+></A
+> program (SIGUSR[1|2] signals are no longer used in
+ Samba 2.2). This is to allow transient problems to be diagnosed,
whilst still running at a normally low log level.</P
><P
>Note that as the signal handlers send a debug write,
- they are not re-entrant in smbd. This you should wait until
- smbd is in a state of waiting for an incoming smb before
+ they are not re-entrant in <B
+CLASS="COMMAND"
+>smbd</B
+>. This you should wait until
+ <B
+CLASS="COMMAND"
+>smbd</B
+> is in a state of waiting for an incoming SMB before
issuing them. It is possible to make the signal handlers safe
by un-blocking the signals before the select call and re-blocking
them after, however this would affect performance.</P
@@ -883,7 +994,7 @@ CLASS="COMMAND"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN254"
+NAME="AEN283"
></A
><H2
>SEE ALSO</H2
@@ -949,7 +1060,7 @@ TARGET="_top"
><DIV
CLASS="REFSECT1"
><A
-NAME="AEN271"
+NAME="AEN300"
></A
><H2
>AUTHOR</H2