Extrait De La Documentation Samba

Extrait de la documentation Samba security (G)

This option affects how clients respond to Samba and is one of the most important settings in the smb.conf file.

The option sets the "security mode bit" in replies to protocol negotiations with smbd to turn share level security on or off. Clients decide based on this bit whether (and how) to transfer user and password information to the server.

The default is "security=user", as this is the most common setting needed when talking to Windows 98 and Windows NT.

The alternatives are "security = share", "security = server" or "security=domain".

*****NOTE THAT THIS DEFAULT IS DIFFERENT IN SAMBA2.0 THAN FOR PREVIOUS VERSIONS OF SAMBA *******.

In previous versions of Samba the default was "security=share" mainly because that was the only option at one stage.

There is a bug in WfWg that has relevance to this setting. When in user or server level security a WfWg client will totally ignore the password you type in the "connect drive" dialog box. This makes it very difficult (if not impossible) to connect to a Samba service as anyone except the user that you are logged into WfWg as.

If your PCs use usernames that are the same as their usernames on the UNIX machine then you will want to use "security = user". If you mostly use usernames that don't exist on the UNIX box then use "security = share".

You should also use security=share if you want to mainly setup shares without a password (guest shares). This is commonly used for a shared printer server. It is more difficult to setup guest shares with security=user, see the "map to guest"parameter for details.

It is possible to use smbd in a "hybrid mode" where it is offers both user and share level security under different NetBIOS aliases. See the NetBIOS aliases and the include parameters for more information.

The different settings will now be explained.

"security=share"

When clients connect to a share level security server then need not log onto the server with a valid username and password before attempting to connect to a shared resource (although modern clients such as Windows 95/98 and Windows NT will send a logon request with a username but no password when talking to a security=share server). Instead, the clients send authentication information (passwords) on a per-share basis, at the time they attempt to connect to that share.

Note that smbd *ALWAYS* uses a valid UNIX user to act on behalf of the client, even in "security=share" level security.

As clients are not required to send a username to the server in share level security, smbd uses several techniques to determine the correct UNIX user to use on behalf of the client.

A list of possible UNIX usernames to match with the given client password is constructed using the following methods :

If the "guest only" parameter is set, then all the other stages are missed and only the "guest account" username is checked.

Doc / Samba 1 Is a username is sent with the share connection request, then this username (after mapping - see "username map"), is added as a potential username.

If the client did a previous "logon" request (the SessionSetup SMB call) then the username sent in this SMB will be added as a potential username.

The name of the service the client requested is added as a potential username.

The NetBIOS name of the client is added to the list as a potential username.

Any users on the "user" list are added as potential usernames.

If the "guest only" parameter is not set, then this list is then tried with the supplied password. The first user for whom the password matches will be used as the UNIX user.

If the "guest only" parameter is set, or no username can be determined then if the share is marked as available to the "guest account", then this guest user will be used, otherwise access is denied.

Note that it can be *very* confusing in share-level security as to which UNIX username will eventually be used in granting access.

See also the section "NOTE ABOUT USERNAME/PASSWORD VALIDATION".

"security=user"

This is the default security setting in Samba2.0. With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the "username map" parameter). Encrypted passwords (see the "encrypted passwords" parameter) can also be used in this security mode. Parameters such as "user" and "guest only", if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated.

Note that the name of the resource being requested is *not* sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the "guest account". See the "map to guest" parameter for details on doing this.

"security=server"

In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to "security = user", but note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the documentation file in the docs/ directory ENCRYPTION.txt for details on how to set this up.

Doc / Samba 2 Note that from the clients point of view "security=server" is the same as "security=user". It only affects how the server deals with the authentication, it does not in any way affect what the client sees.

Note that the name of the resource being requested is *not* sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in server level security without allowing the server to automatically map unknown users into the "guest account". See the "map to guest" parameter for details on doing this.

See also the "password server" parameter. and the "encrypted passwords" parameter.

"security=domain"

This mode will only work correctly if smbpasswd has been used to add this machine into a Windows NT Domain. It expects the "encrypted passwords" parameter to be set to "true". In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the same way that a Windows NT Server would do.

Note that a valid UNIX user must still exist as well as the account on the Domain Controller to allow Samba to have a valid UNIX account to map file access to.

Note that from the clients point of view "security=domain" is the same as "security=user". It only affects how the server deals with the authentication, it does not in any way affect what the client sees.

Note that the name of the resource being requested is *not* sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in domain level security without allowing the server to automatically map unknown users into the "guest account". See the "map to guest" parameter for details on doing this.

BUG: There is currently a bug in the implementation of "security=domain with respect to multi-byte character set usernames. The communication with a Domain Controller must be done in UNICODE and Samba currently does not widen multi-byte user names to UNICODE correctly, thus a multi-byte username will not be recognized correctly at the Domain Controller. This issue will be addressed in a future release.

See also the "password server" parameter. and the "encrypted passwords" parameter.

Default: security = USER

Example: security = DOMAIN

Doc / Samba 3