| blob | 74ea569b8636c207de56c1ca7a74fe35946159e0 |
1 <samba:parameter name="security"
2 context="G"
3 type="enum"
4 basic="1" advanced="1" wizard="1" developer="1"
5 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
6 <when_value value="security">
7 <requires option="encrypted passwords">/(yes|true)/</requires>
8 </when_value>
9 <description>
10 <para>This option affects how clients respond to
11 Samba and is one of the most important settings in the <filename moreinfo="none">
12 smb.conf</filename> file.</para>
14 <para>The option sets the "security mode bit" in replies to
15 protocol negotiations with <citerefentry><refentrytitle>smbd</refentrytitle>
16 <manvolnum>8</manvolnum></citerefentry> to turn share level security on or off. Clients decide
17 based on this bit whether (and how) to transfer user and password
18 information to the server.</para>
21 <para>The default is <command moreinfo="none">security = user</command>, as this is
22 the most common setting needed when talking to Windows 98 and
23 Windows NT.</para>
25 <para>The alternatives are
26 <command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain
27 </command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = share</command> and <command moreinfo="none">security = server</command>, both of which are deprecated.</para>
29 <para>In versions of Samba prior to 2.0.0, the default was
30 <command moreinfo="none">security = share</command> mainly because that was
31 the only option at one stage.</para>
33 <para>You should use <command moreinfo="none">security = user</command> and
34 <smbconfoption name="map to guest"/> if you
35 want to mainly setup shares without a password (guest shares). This
36 is commonly used for a shared printer server. </para>
38 <para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
39 hybrid mode</emphasis> where it is offers both user and share
40 level security under different <smbconfoption name="NetBIOS aliases"/>. </para>
42 <para>The different settings will now be explained.</para>
45 <para><anchor id="SECURITYEQUALSAUTO"/><emphasis>SECURITY = AUTO</emphasis></para>
47 <para>This is the default security setting in Samba, and causes Samba to consult
48 the <smbconfoption name="server role"/> parameter (if set) to determine the security mode.</para>
50 <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para>
52 <para>If <smbconfoption name="server role"/> is not specified, this is the default security setting in Samba.
53 With user-level security a client must first "log-on" with a
54 valid username and password (which can be mapped using the <smbconfoption name="username map"/>
55 parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also
56 be used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption
57 name="guest only"/> if set are then applied and
58 may change the UNIX user to use on this connection, but only after
59 the user has been successfully authenticated.</para>
61 <para><emphasis>Note</emphasis> that the name of the resource being
62 requested is <emphasis>not</emphasis> sent to the server until after
63 the server has successfully authenticated the client. This is why
64 guest shares don't work in user level security without allowing
65 the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
66 See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
68 <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
70 <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
72 <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
73 <manvolnum>8</manvolnum></citerefentry> has been used to add this
74 machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/>
75 parameter to be set to <constant>yes</constant>. In this
76 mode Samba will try to validate the username/password by passing
77 it to a Windows NT Primary or Backup Domain Controller, in exactly
78 the same way that a Windows NT Server would do.</para>
80 <para><emphasis>Note</emphasis> that a valid UNIX user must still
81 exist as well as the account on the Domain Controller to allow
82 Samba to have a valid UNIX account to map file access to.</para>
84 <para><emphasis>Note</emphasis> that from the client's point
85 of view <command moreinfo="none">security = domain</command> is the same
86 as <command moreinfo="none">security = user</command>. It only
87 affects how the server deals with the authentication,
88 it does not in any way affect what the client sees.</para>
90 <para><emphasis>Note</emphasis> that the name of the resource being
91 requested is <emphasis>not</emphasis> sent to the server until after
92 the server has successfully authenticated the client. This is why
93 guest shares don't work in user level security without allowing
94 the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
95 See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
97 <para>See also the section <link linkend="VALIDATIONSECT">
98 NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
100 <para>See also the <smbconfoption name="password server"/> parameter and
101 the <smbconfoption name="encrypted passwords"/> parameter.</para>
103 <para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE</emphasis></para>
105 <note><para>This option is deprecated as it is incompatible with SMB2</para></note>
107 <para>When clients connect to a share level security server, they
108 need not log onto the server with a valid username and password before
109 attempting to connect to a shared resource (although modern clients
110 such as Windows 95/98 and Windows NT will send a logon request with
111 a username but no password when talking to a <command moreinfo="none">security = share
112 </command> server). Instead, the clients send authentication information
113 (passwords) on a per-share basis, at the time they attempt to connect
114 to that share.</para>
116 <para>Note that <command moreinfo="none">smbd</command> <emphasis>ALWAYS</emphasis>
117 uses a valid UNIX user to act on behalf of the client, even in
118 <command moreinfo="none">security = share</command> level security.</para>
120 <para>As clients are not required to send a username to the server
121 in share level security, <command moreinfo="none">smbd</command> uses several
122 techniques to determine the correct UNIX user to use on behalf
123 of the client.</para>
125 <para>A list of possible UNIX usernames to match with the given
126 client password is constructed using the following methods :</para>
128 <itemizedlist>
129 <listitem>
130 <para>If the <smbconfoption name="guest only"/> parameter is set, then all the other
131 stages are missed and only the <smbconfoption name="guest account"/> username is checked.
132 </para>
133 </listitem>
135 <listitem>
136 <para>Is a username is sent with the share connection
137 request, then this username (after mapping - see <smbconfoption name="username map"/>),
138 is added as a potential username.
139 </para>
140 </listitem>
142 <listitem>
143 <para>If the client did a previous <emphasis>logon
144 </emphasis> request (the SessionSetup SMB call) then the
145 username sent in this SMB will be added as a potential username.
146 </para>
147 </listitem>
149 <listitem>
150 <para>The name of the service the client requested is
151 added as a potential username.
152 </para>
153 </listitem>
155 <listitem>
156 <para>The NetBIOS name of the client is added to
157 the list as a potential username.
158 </para>
159 </listitem>
161 <listitem>
162 <para>Any users on the <smbconfoption name="user"/> list are added as potential usernames.
163 </para>
164 </listitem>
165 </itemizedlist>
167 <para>If the <parameter moreinfo="none">guest only</parameter> parameter is
168 not set, then this list is then tried with the supplied password.
169 The first user for whom the password matches will be used as the
170 UNIX user.</para>
172 <para>If the <parameter moreinfo="none">guest only</parameter> parameter is
173 set, or no username can be determined then if the share is marked
174 as available to the <parameter moreinfo="none">guest account</parameter>, then this
175 guest user will be used, otherwise access is denied.</para>
177 <para>Note that it can be <emphasis>very</emphasis> confusing
178 in share-level security as to which UNIX username will eventually
179 be used in granting access.</para>
181 <para>See also the section <link linkend="VALIDATIONSECT">
182 NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
184 <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
186 <para>
187 In this depicted mode Samba will try to validate the username/password by passing it to another SMB server, such as an
188 NT box. If this fails it will revert to <command moreinfo="none">security = user</command>. It expects the
189 <smbconfoption name="encrypted passwords"/> parameter to be set to <constant>yes</constant>, unless the remote
190 server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot
191 revert back to checking the UNIX password file, it must have a valid <filename
192 moreinfo="none">smbpasswd</filename> file to check users against. See the chapter about the User Database in
193 the Samba HOWTO Collection for details on how to set this up.
194 </para>
196 <note><para>This mode of operation has
197 significant pitfalls since it is more vulnerable to
198 man-in-the-middle attacks and server impersonation. In particular,
199 this mode of operation can cause significant resource consumption on
200 the PDC, as it must maintain an active connection for the duration
201 of the user's session. Furthermore, if this connection is lost,
202 there is no way to reestablish it, and further authentications to the
203 Samba server may fail (from a single client, till it disconnects).
204 </para></note>
206 <note><para>If the client selects NTLMv2 authentication, then this mode of operation <emphasis>will fail</emphasis>
207 </para></note>
209 <note><para>From the client's point of
210 view, <command moreinfo="none">security = server</command> is the
211 same as <command moreinfo="none">security = user</command>. It
212 only affects how the server deals with the authentication, it does
213 not in any way affect what the client sees.</para></note>
215 <note><para>This option is deprecated, and may be removed in future</para></note>
217 <para><emphasis>Note</emphasis> that the name of the resource being
218 requested is <emphasis>not</emphasis> sent to the server until after
219 the server has successfully authenticated the client. This is why
220 guest shares don't work in user level security without allowing
221 the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
222 See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
224 <para>See also the section <link linkend="VALIDATIONSECT">
225 NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
227 <para>See also the <smbconfoption name="password server"/> parameter and the
228 <smbconfoption name="encrypted passwords"/> parameter.</para>
230 <para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para>
232 <para>In this mode, Samba will act as a domain member in an ADS realm. To operate
233 in this mode, the machine running Samba will need to have Kerberos installed
234 and configured and Samba will need to be joined to the ADS realm using the
235 net utility. </para>
237 <para>Note that this mode does NOT make Samba operate as a Active Directory Domain
238 Controller. </para>
240 <para>Read the chapter about Domain Membership in the HOWTO for details.</para>
241 </description>
243 <related>realm</related>
244 <related>encrypt passwords</related>
246 <value type="default">USER</value>
247 <value type="example">DOMAIN</value>
248 </samba:parameter>