!==
-!== security_level.txt for Samba release 2.0.0-alpha6 19 Sep 1998
+!== security_level.txt for Samba release 2.0.4 18 May 1999
!==
Contributor: Andrew Tridgell
Updated: June 27, 1997
"security =":
share, user, server
+Note: Samba-2.0.0 now adds the "domain" security mode. Please refer to
+the smb.conf man page for usage information and to the document
+docs/textdocs/DOMAIN_MEMBER.txt for further background details.
+
Of the above, "security = server" means that Samba reports to clients that
it is running in "user mode" but actually passes off all authentication
requests to another "user mode" server. This requires an additional
example of an application that does this)
-Ok, now for share level security. In share level security (the default
-with samba) the client authenticates itself separately for each
-share. It will send a password along with each "tree connection"
-(share mount). It does not explicitly send a username with this
-operation. The client is expecting a password to be associated with
-each share, independent of the user. This means that samba has to work
-out what username the client probably wants to use. It is never
-explicitly sent the username. Some commercial SMB servers such as NT actually
-associate passwords directly with shares in share level security, but
-samba always uses the unix authentication scheme where it is a
+Ok, now for share level security. In share level security the client
+authenticates itself separately for each share. It will send a
+password along with each "tree connection" (share mount). It does not
+explicitly send a username with this operation. The client is
+expecting a password to be associated with each share, independent of
+the user. This means that samba has to work out what username the
+client probably wants to use. It is never explicitly sent the
+username. Some commercial SMB servers such as NT actually associate
+passwords directly with shares in share level security, but samba
+always uses the unix authentication scheme where it is a
username/password that is authenticated, not a "share/password".
Many clients send a "session setup" even if the server is in share