1 <samba:parameter name="security"
4 basic="1" advanced="1" wizard="1" developer="1"
5 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
6 <when_value value="security">
7 <requires option="encrypted passwords">/(yes|true)/</requires>
10 <para>This option affects how clients respond to
11 Samba and is one of the most important settings in the <filename moreinfo="none">
12 smb.conf</filename> file.</para>
14 <para>The default is <command moreinfo="none">security = user</command>, as this is
15 the most common setting, used for a standalone file server or a DC.</para>
17 <para>The alternatives are
18 <command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain
19 </command>, which support joining Samba to a Windows domain</para>
21 <para>You should use <command moreinfo="none">security = user</command> and
22 <smbconfoption name="map to guest"/> if you
23 want to mainly setup shares without a password (guest shares). This
24 is commonly used for a shared printer server. </para>
26 <para>The different settings will now be explained.</para>
29 <para><anchor id="SECURITYEQUALSAUTO"/><emphasis>SECURITY = AUTO</emphasis></para>
31 <para>This is the default security setting in Samba, and causes Samba to consult
32 the <smbconfoption name="server role"/> parameter (if set) to determine the security mode.</para>
34 <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para>
36 <para>If <smbconfoption name="server role"/> is not specified, this is the default security setting in Samba.
37 With user-level security a client must first "log-on" with a
38 valid username and password (which can be mapped using the <smbconfoption name="username map"/>
39 parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also
40 be used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption
41 name="guest only"/> if set are then applied and
42 may change the UNIX user to use on this connection, but only after
43 the user has been successfully authenticated.</para>
45 <para><emphasis>Note</emphasis> that the name of the resource being
46 requested is <emphasis>not</emphasis> sent to the server until after
47 the server has successfully authenticated the client. This is why
48 guest shares don't work in user level security without allowing
49 the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
50 See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
52 <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
54 <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
55 <manvolnum>8</manvolnum></citerefentry> has been used to add this
56 machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/>
57 parameter to be set to <constant>yes</constant>. In this
58 mode Samba will try to validate the username/password by passing
59 it to a Windows NT Primary or Backup Domain Controller, in exactly
60 the same way that a Windows NT Server would do.</para>
62 <para><emphasis>Note</emphasis> that a valid UNIX user must still
63 exist as well as the account on the Domain Controller to allow
64 Samba to have a valid UNIX account to map file access to.</para>
66 <para><emphasis>Note</emphasis> that from the client's point
67 of view <command moreinfo="none">security = domain</command> is the same
68 as <command moreinfo="none">security = user</command>. It only
69 affects how the server deals with the authentication,
70 it does not in any way affect what the client sees.</para>
72 <para><emphasis>Note</emphasis> that the name of the resource being
73 requested is <emphasis>not</emphasis> sent to the server until after
74 the server has successfully authenticated the client. This is why
75 guest shares don't work in user level security without allowing
76 the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
77 See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
79 <para>See also the <smbconfoption name="password server"/> parameter and
80 the <smbconfoption name="encrypted passwords"/> parameter.</para>
83 <para><emphasis>Note</emphasis> that the name of the resource being
84 requested is <emphasis>not</emphasis> sent to the server until after
85 the server has successfully authenticated the client. This is why
86 guest shares don't work in user level security without allowing
87 the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
88 See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
90 <para>See also the <smbconfoption name="password server"/> parameter and the
91 <smbconfoption name="encrypted passwords"/> parameter.</para>
93 <para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para>
95 <para>In this mode, Samba will act as a domain member in an ADS realm. To operate
96 in this mode, the machine running Samba will need to have Kerberos installed
97 and configured and Samba will need to be joined to the ADS realm using the
100 <para>Note that this mode does NOT make Samba operate as a Active Directory Domain
103 <para>Read the chapter about Domain Membership in the HOWTO for details.</para>
106 <related>realm</related>
107 <related>encrypt passwords</related>
109 <value type="default">USER</value>
110 <value type="example">DOMAIN</value>