At this point, we should discuss how Samba authenticates users. Each user who attempts to connect to a share that does not allow guest access must provide a password to make a successful connection. What Samba does with that password - and consequently the strategy Samba will use to handle user authentication - is the arena of the security configuration option. There are currently four security levels that Samba supports on its network: share, user, server, and domain.
Share-level security
Each share in the workgroup has one or more passwords associated with it. Anyone who knows a valid password for the share can access it.
User-level security
Each share in the workgroup is configured to allow access from certain users. With each initial tree connection, the Samba server verifies users and their passwords to allow them access to the share.
Server-level security
This is the same as user-level security, except that the Samba server uses a separate SMB server to validate users and their passwords before granting access to the share.
Domain-level security
Samba becomes a member of a Windows domain and uses the domain's primary domain controller (PDC) to perform authentication. Once authenticated, the user is given a special token that allows him or her access to any share with appropriate access rights. With this token, the PDC will not have to revalidate the user's password each time he or she attempts to access another share within the domain.
Each of these security policies can be implemented with the global security option, as shown in Table 6.3.
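As an added example (not code from the original text or from the Samba project), the following Python sketch reads the text of an smb.conf file and reports which of the four security levels the [global] section selects. The function names, the sample configuration and the one-line summaries are constructed for illustration; it assumes that a repeated setting takes its last value and that only [global] is consulted.

```python
import re

# One-line summaries paraphrasing the four levels described above.
LEVELS = {
    "share": "password(s) attached to each share; anyone who knows one gets in",
    "user": "Samba verifies the user and password itself at tree connect",
    "server": "user-level, but a separate SMB server validates the password",
    "domain": "Samba is a domain member; the PDC performs authentication",
}

def global_security(conf_text):
    """Return the 'security' value set in [global], or None if it is not set."""
    # smb.conf joins a line ending in a backslash with the line that follows.
    text = re.sub(r"\\\r?\n", "", conf_text)
    section, value = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank lines and comments
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue                           # security is a global option
        name, _, val = line.partition("=")
        # Parameter names ignore case and embedded whitespace.
        if re.sub(r"\s+", "", name).lower() == "security":
            value = val.strip().lower()        # assumption: last setting wins
    return value

def audit(conf_text):
    """Return (level, finding) for the text of a configuration file."""
    level = global_security(conf_text)
    if level is None:
        return None, "security not set in [global]; the server default applies"
    if level not in LEVELS:
        return level, "not one of share, user, server, domain"
    return level, LEVELS[level]

# Constructed sample configuration; the setting under [data] is ignored.
SAMPLE = """\
; constructed sample
[global]
    workgroup = SIMPLE
    Security = USER
[data]
    path = /export/data
    security = share
"""
```

Calling audit(SAMPLE) returns the level "user" with its summary, which makes it easy to spot hosts still running share-level security when reviewing a set of configuration files.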