Samba has only two security levels, share-level and user-level.
Share-level security can only be implemented in one
way, while user-level security can be implemented in one of four
different ways. The different ways of implementing a security level
are called security modes.
User-level security is the default setting for Samba. Even if
the security = user directive is not
listed in the smb.conf file, it is used by
Samba. If the server accepts the client's username/password, the
client can then mount multiple shares without specifying a password
for each instance. Samba can also accept session-based
username/password requests. The client maintains multiple
authentication contexts by using a unique UID for each logon.
In smb.conf, the security = user directive that sets user-level
security is:
[GLOBAL]
...
security = user
...
With share-level security, the server accepts only a password
without an explicit username from the client. The server expects a
password for each share, independent of the username. There have
been recent reports that Microsoft Windows clients have
compatibility issues with share-level security servers. Samba
developers strongly discourage use of share-level security.
In smb.conf, the security = share directive that sets share-level
security is:
[GLOBAL]
...
security = share
...
In domain security mode, the Samba server has a machine account
(domain security trust account) and causes all authentication
requests to be passed through to the domain controllers. The Samba
server is made into a domain member server by using the following
directives in smb.conf:
[GLOBAL]
...
security = domain
workgroup = MARKETING
...
If you have an Active Directory environment, it is possible to
join the domain as a native Active Directory member. Even if a
security policy restricts the use of NT-compatible authentication
protocols, the Samba server can join an ADS using Kerberos. Samba
in Active Directory member mode can accept Kerberos tickets.
In smb.conf, the following directives
make Samba an Active Directory member server:
[GLOBAL]
...
security = ADS
realm = EXAMPLE.COM
password server = kerberos.example.com
...
Server security mode was previously used when Samba was not
capable of acting as a domain member server.
Note: It is highly recommended to not use this
mode since there are numerous security drawbacks.
In smb.conf, the following directives
enable Samba to operate in server security mode:
[GLOBAL]
...
encrypt passwords = Yes
security = server
password server = "NetBIOS_of_Domain_Controller"
...
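An added example (not part of the original documentation or of Samba itself): a small Python check that reads an smb.conf, reports the effective security mode, treating a missing security directive as user-level as described above, and flags the share and server modes this page advises against. The function names and the sample input are constructed for illustration.

```python
import re
# Modes named on this page; "share" and "server" are the ones it discourages.
KNOWN_MODES = {"user", "share", "domain", "ads", "server"}
DISCOURAGED = {
    "share": "share-level security is strongly discouraged by the Samba developers",
    "server": "server security mode has numerous security drawbacks",
}

def global_params(text):
    """Return the [global] parameters of an smb.conf as a dict (last value wins)."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # a trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are matched without regard to case or spacing.
            params[re.sub(r"\s+", "", key).lower()] = value.strip().strip('"')
    return params

def audit_security_mode(text):
    """Return (effective_mode, findings) for the given smb.conf text."""
    params = global_params(text)
    mode = params.get("security", "user").lower()  # absent => user-level default
    findings = []
    if mode not in KNOWN_MODES:
        findings.append(f"unrecognised security mode: {mode!r}")
    if mode in DISCOURAGED:
        findings.append(DISCOURAGED[mode])
    if mode == "ads" and "realm" not in params:
        findings.append("security = ADS is set but no realm directive is present")
    return mode, findings

# Constructed sample: the server-mode configuration shown above.
SAMPLE = """[GLOBAL]
encrypt passwords = Yes
security = server
password server = "NetBIOS_of_Domain_Controller"
"""

if __name__ == "__main__":
    print(audit_security_mode(SAMPLE))
```

The check only reads the [global] section of the text it is given; it does not follow include directives.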