1 <samba:parameter xmlns:samba="http://samba.org/common">
2 <term><anchor id="PASSWORDSERVER"/>password server (G)</term>
3 <listitem><para>By specifying the name of another SMB server (such
4 as a WinNT box) with this option, and using <command moreinfo="none">security = domain
5 </command> or <command moreinfo="none">security = server</command> you can get Samba
6 to do all its username/password validation via a remote server.</para>
8 <para>This option sets the name of the password server to use.
9 It must be a NetBIOS name, so if the machine's NetBIOS name is
10 different from its Internet name then you may have to add its NetBIOS
11 name to the lmhosts file which is stored in the same directory
12 as the <filename moreinfo="none">smb.conf</filename> file.</para>
14 <para>The name of the password server is looked up using the
15 parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name
16 resolve order</parameter></link> and so may resolved
17 by any method and order described in that parameter.</para>
19 <para>The password server must be a machine capable of using
20 the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
21 user level security mode.</para>
23 <para><emphasis>NOTE:</emphasis> Using a password server
24 means your UNIX box (running Samba) is only as secure as your
25 password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT
26 YOU DON'T COMPLETELY TRUST</emphasis>.</para>
28 <para>Never point a Samba server at itself for password
29 serving. This will cause a loop and could lock up your Samba
32 <para>The name of the password server takes the standard
33 substitutions, but probably the only useful one is <parameter moreinfo="none">%m
34 </parameter>, which means the Samba server will use the incoming
35 client as the password server. If you use this then you better
36 trust your clients, and you had better restrict them with hosts allow!</para>
38 <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
39 <constant>domain</constant>, then the list of machines in this
40 option must be a list of Primary or Backup Domain controllers for the
41 Domain or the character '*', as the Samba server is effectively
42 in that domain, and will use cryptographically authenticated RPC calls
43 to authenticate the user logging on. The advantage of using <command moreinfo="none">
44 security = domain</command> is that if you list several hosts in the
45 <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
46 </command> will try each in turn till it finds one that responds. This
47 is useful in case your primary server goes down.</para>
49 <para>If the <parameter moreinfo="none">password server</parameter> option is set
50 to the character '*', then Samba will attempt to auto-locate the
51 Primary or Backup Domain controllers to authenticate against by
52 doing a query for the name <constant>WORKGROUP<1C></constant>
53 and then contacting each server returned in the list of IP
54 addresses from the name resolution source. </para>
56 <para>If the list of servers contains both names and the '*'
57 character, the list is treated as a list of preferred
58 domain controllers, but an auto lookup of all remaining DC's
59 will be added to the list as well. Samba will not attempt to optimize
60 this list by locating the closest DC.</para>
62 <para>If the <parameter moreinfo="none">security</parameter> parameter is
63 set to <constant>server</constant>, then there are different
64 restrictions that <command moreinfo="none">security = domain</command> doesn't
68 <listitem><para>You may list several password servers in
69 the <parameter moreinfo="none">password server</parameter> parameter, however if an
70 <command moreinfo="none">smbd</command> makes a connection to a password server,
71 and then the password server fails, no more users will be able
72 to be authenticated from this <command moreinfo="none">smbd</command>. This is a
73 restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
74 </command> mode and cannot be fixed in Samba.</para></listitem>
76 <listitem><para>If you are using a Windows NT server as your
77 password server then you will have to ensure that your users
78 are able to login from the Samba server, as when in <command moreinfo="none">
79 security = server</command> mode the network logon will appear to
80 come from there rather than from the users workstation.</para></listitem>
83 <para>See also the <link linkend="SECURITY"><parameter moreinfo="none">security
84 </parameter></link> parameter.</para>
86 <para>Default: <command moreinfo="none">password server = <empty string></command>
88 <para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, *
90 <para>Example: <command moreinfo="none">password server = *</command></para>