the most common setting needed when talking to Windows 98 and
<para>The alternatives are
<command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain
</command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = share</command> and <command moreinfo="none">security = server</command>, both of which are deprecated.</para>
<para>In versions of Samba prior to 2.0.0, the default was
<command moreinfo="none">security = share</command> mainly because that was
the only option at one stage.</para>
<para>There is a bug in WfWg that has relevance to this
setting. When in user or server level security a WfWg client
will totally ignore the username and password you type in the "connect
drive" dialog box. This makes it very difficult (if not impossible)
to connect to a Samba service as anyone except the user that
you are logged into WfWg as.</para>
<para>If your PCs use usernames that are the same as their
usernames on the UNIX machine then you will want to use
<command moreinfo="none">security = user</command>. If you mostly use usernames
that don't exist on the UNIX box then use <command moreinfo="none">security =
share</command>.</para>
<para>You should use <command moreinfo="none">security = user</command> and
<smbconfoption name="map to guest"/> if you
want to mainly set up shares without a password (guest shares). This
is commonly used for a shared printer server.</para>
<para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
hybrid mode</emphasis> where it offers both user and share
<para>The different settings will now be explained.</para>

<para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para>
<para>This is the default security setting in Samba.
With user-level security a client must first "log-on" with a
valid username and password (which can be mapped using the <smbconfoption name="username map"/>
parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also
be used in this security mode. Parameters such as <smbconfoption name="user"/> and
<smbconfoption name="guest only"/> if set are then applied and
may change the UNIX user to use on this connection, but only after
the user has been successfully authenticated.</para>
<para><emphasis>Note</emphasis> that the name of the resource being
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>

<para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
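<para>As an added example (not the Samba documentation's or project's own code), the following Python model shows why guest shares fail under user-level security unless <smbconfoption name="map to guest"/> lets the server substitute the guest account: the client must complete session setup before it ever names a share. The account table, the "visitor" user and the guest-only "printers" share are constructed sample data; the three mapping values modelled are the real smb.conf ones.</para>

```python
# Added example, not Samba's own code: a simplified model of session setup
# under security = user. The client authenticates before it names the share,
# so an unknown user reaches a guest share only if 'map to guest' lets smbd
# substitute the guest account. Never / Bad User / Bad Password are real
# 'map to guest' values; the account table is constructed sample data.
from dataclasses import dataclass
from typing import Optional

UNIX_USERS = {"alice": "s3cret", "bob": "hunter2"}  # constructed accounts
GUEST_ACCOUNT = "nobody"  # what the 'guest account' parameter would name


@dataclass(frozen=True)
class Session:
    unix_user: str  # UNIX account that file access is mapped to
    is_guest: bool


def session_setup(username: str, password: str,
                  map_to_guest: str = "Never") -> Optional[Session]:
    """Model user-level authentication; None means the logon was rejected."""
    if username in UNIX_USERS:
        if UNIX_USERS[username] == password:
            return Session(username, False)
        # Known user, wrong password: only 'Bad Password' maps this to guest,
        # silently turning a typo into a guest logon; 'Bad User' rejects it.
        if map_to_guest == "Bad Password":
            return Session(GUEST_ACCOUNT, True)
        return None
    # Unknown user: 'Bad User' and 'Bad Password' both map to the guest account.
    if map_to_guest in ("Bad User", "Bad Password"):
        return Session(GUEST_ACCOUNT, True)
    return None  # 'Never': the logon fails before any share name is seen


def tree_connect(session: Optional[Session], share: str,
                 guest_ok_shares: frozenset) -> str:
    """Model the tree connect that follows session setup."""
    if session is None:
        return "rejected at session setup"
    if session.is_guest and share not in guest_ok_shares:
        return "access denied"
    return f"connected to {share} as {session.unix_user}"


def guest_printer_reachable(map_to_guest: str) -> bool:
    """Can a user unknown to the server reach the guest-only 'printers' share?"""
    session = session_setup("visitor", "", map_to_guest)
    return tree_connect(session, "printers", frozenset({"printers"})).startswith("connected")
```

<para>With <literal>Never</literal> the unknown user is refused before the share name is seen, so the guest printer is unreachable; <literal>Bad User</literal> fixes that without also mapping mistyped passwords of real users to guest, which is what <literal>Bad Password</literal> does.</para>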
<para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>

<para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> has been used to add this
machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/>
parameter to be set to <constant>yes</constant>. In this
mode Samba will try to validate the username/password by passing
it to a Windows NT Primary or Backup Domain Controller, in exactly
the same way that a Windows NT Server would do.</para>

<para><emphasis>Note</emphasis> that a valid UNIX user must still
exist as well as the account on the Domain Controller to allow
Samba to have a valid UNIX account to map file access to.</para>

<para><emphasis>Note</emphasis> that from the client's point
of view <command moreinfo="none">security = domain</command> is the same
as <command moreinfo="none">security = user</command>. It only
affects how the server deals with the authentication,
it does not in any way affect what the client sees.</para>

<para><emphasis>Note</emphasis> that the name of the resource being
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>

<para>See also the section <link linkend="VALIDATIONSECT">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>

<para>See also the <smbconfoption name="password server"/> parameter and
the <smbconfoption name="encrypted passwords"/> parameter.</para>

<para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE</emphasis></para>
<note><para>This option is deprecated as it is incompatible with SMB2.</para></note>

<para>When clients connect to a share level security server, they
need not log onto the server with a valid username and password before

<para>See also the section <link linkend="VALIDATIONSECT">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
<para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an
NT box. If this fails it will revert to <command moreinfo="none">security = user</command>. It expects the
<smbconfoption name="encrypted passwords"/> parameter to be set to <constant>yes</constant>, unless the remote
server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot
<note><para>This mode of operation has
significant pitfalls since it is more vulnerable to
man-in-the-middle attacks and server impersonation. In particular,
this mode of operation can cause significant resource consumption on
the PDC, as it must maintain an active connection for the duration
of the user's session. Furthermore, if this connection is lost,
there is no way to reestablish it, and further authentications to the
Samba server may fail (from a single client, till it disconnects).</para></note>
<note><para>If the client selects NTLMv2 authentication, then this mode of operation <emphasis>will fail</emphasis>.</para></note>
<note><para>From the client's point of
view, <command moreinfo="none">security = server</command> is the
same as <command moreinfo="none">security = user</command>. It
only affects how the server deals with the authentication, it does
not in any way affect what the client sees.</para></note>

<note><para>This option is deprecated, and may be removed in future.</para></note>

<para><emphasis>Note</emphasis> that the name of the resource being
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client. This is why