22.7. Samba Security Modes
There are only two types of security modes for Samba, share-level and user-level, which are collectively known as security levels. Share-level security can only be implemented in one way, while user-level security can be implemented in one of four different ways. The different ways of implementing a security level are called security modes.
22.7.1. User-Level Security
User-level security is the default setting for Samba. Even if the security = user directive is not listed in the smb.conf file, it is used by Samba. If the server accepts the client's username/password, the client can then mount multiple shares without specifying a password for each instance. Samba can also accept session-based username/password requests. The client maintains multiple authentication contexts by using a unique UID for each logon.
In smb.conf, the security = user directive that sets user-level security is:
[GLOBAL]
...
security = user
...
The following sections describe other implementations of user-level security.
22.7.1.1. Domain Security Mode (User-Level Security)
In domain security mode, the Samba server has a machine account (domain security trust account) and causes all authentication requests to be passed through to the domain controllers. The Samba server is made into a domain member server by using the following directives in smb.conf:
[GLOBAL]
...
security = domain
workgroup = MARKETING
...
22.7.1.2. Active Directory Security Mode (User-Level Security)
If you have an Active Directory environment, it is possible to join the domain as a native Active Directory member. Even if a security policy restricts the use of NT-compatible authentication protocols, the Samba server can join an ADS using Kerberos. Samba in Active Directory member mode can accept Kerberos tickets.
In smb.conf, the following directives make Samba an Active Directory member server:
[GLOBAL]
...
security = ADS
realm = EXAMPLE.COM
password server = kerberos.example.com
...
22.7.1.3. Server Security Mode (User-Level Security)
Server security mode was previously used when Samba was not capable of acting as a domain member server.
Note
Using this mode is strongly discouraged because it has numerous security drawbacks.
In smb.conf, the following directives enable Samba to operate in server security mode:
[GLOBAL]
...
encrypt passwords = Yes
security = server
password server = "NetBIOS_of_Domain_Controller"
...