1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >Security levels</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.77"><LINK
10 TITLE="SAMBA Project Documentation"
11 HREF="samba-howto-collection.html"><LINK
13 TITLE="Debugging Printing Problems"
14 HREF="printingdebug.html"><LINK
16 TITLE="security = domain in Samba 2.x"
17 HREF="domain-security.html"></HEAD
28 SUMMARY="Header navigation table"
37 >SAMBA Project Documentation</TH
45 HREF="printingdebug.html"
59 HREF="domain-security.html"
74 >Chapter 8. Security levels</H1
82 >8.1. Introduction</H1
84 >Samba supports the following options to the global smb.conf parameter</P
87 CLASS="PROGRAMLISTING"
90 HREF="smb.conf.5.html#SECURITY"
98 > = [share|user(default)|domain|ads]</PRE
101 >Please refer to the smb.conf man page for usage information and to the document
103 HREF="DOMAIN_MEMBER.html"
105 >DOMAIN_MEMBER.html</A
106 > for further background details
107 on domain mode security. The Windows 2000 Kerberos domain security model
108 (security = ads) is described in the <A
109 HREF="ADS-HOWTO.html"
114 >Of the above, "security = server" means that Samba reports to clients that
115 it is running in "user mode" but actually passes off all authentication
116 requests to another "user mode" server. This requires an additional
117 parameter "password server =" that points to the real authentication server.
118 That real authentication server can be another Samba server or can be a
119 Windows NT server, the later natively capable of encrypted password support.</P
128 >8.2. More complete description of security levels</H1
130 >A SMB server tells the client at startup what "security level" it is
131 running. There are two options "share level" and "user level". Which
132 of these two the client receives affects the way the client then tries
133 to authenticate itself. It does not directly affect (to any great
134 extent) the way the Samba server does security. I know this is
135 strange, but it fits in with the client/server approach of SMB. In SMB
136 everything is initiated and controlled by the client, and the server
137 can only tell the client what is available and whether an action is
140 >I'll describe user level security first, as its simpler. In user level
141 security the client will send a "session setup" command directly after
142 the protocol negotiation. This contains a username and password. The
143 server can either accept or reject that username/password
144 combination. Note that at this stage the server has no idea what
145 share the client will eventually try to connect to, so it can't base
146 the "accept/reject" on anything other than:</P
153 >the username/password</P
157 >the machine that the client is coming from</P
161 >If the server accepts the username/password then the client expects to
162 be able to mount any share (using a "tree connection") without
163 specifying a password. It expects that all access rights will be as
164 the username/password specified in the "session setup". </P
166 >It is also possible for a client to send multiple "session setup"
167 requests. When the server responds it gives the client a "uid" to use
168 as an authentication tag for that username/password. The client can
169 maintain multiple authentication contexts in this way (WinDD is an
170 example of an application that does this)</P
172 >Ok, now for share level security. In share level security the client
173 authenticates itself separately for each share. It will send a
174 password along with each "tree connection" (share mount). It does not
175 explicitly send a username with this operation. The client is
176 expecting a password to be associated with each share, independent of
177 the user. This means that samba has to work out what username the
178 client probably wants to use. It is never explicitly sent the
179 username. Some commercial SMB servers such as NT actually associate
180 passwords directly with shares in share level security, but samba
181 always uses the unix authentication scheme where it is a
182 username/password that is authenticated, not a "share/password".</P
184 >Many clients send a "session setup" even if the server is in share
185 level security. They normally send a valid username but no
186 password. Samba records this username in a list of "possible
187 usernames". When the client then does a "tree connection" it also adds
188 to this list the name of the share they try to connect to (useful for
189 home directories) and any users listed in the "user =" smb.conf
190 line. The password is then checked in turn against these "possible
191 usernames". If a match is found then the client is authenticated as
194 >Finally "server level" security. In server level security the samba
195 server reports to the client that it is in user level security. The
196 client then does a "session setup" as described earlier. The samba
197 server takes the username/password that the client sends and attempts
198 to login to the "password server" by sending exactly the same
199 username/password that it got from the client. If that server is in
200 user level security and accepts the password then samba accepts the
201 clients connection. This allows the samba server to use another SMB
202 server as the "password server". </P
204 >You should also note that at the very start of all this, where the
205 server tells the client what security level it is in, it also tells
206 the client if it supports encryption. If it does then it supplies the
207 client with a random "cryptkey". The client will then send all
208 passwords in encrypted form. You have to compile samba with encryption
209 enabled to support this feature, and you have to maintain a separate
210 smbpasswd file with SMB style encrypted passwords. It is
211 cryptographically impossible to translate from unix style encryption
212 to SMB style encryption, although there are some fairly simple management
213 schemes by which the two could be kept in sync.</P
221 SUMMARY="Footer navigation table"
232 HREF="printingdebug.html"
241 HREF="samba-howto-collection.html"
250 HREF="domain-security.html"
260 >Debugging Printing Problems</TD
270 >security = domain in Samba 2.x</TD