Servers

DIY: Understanding Samba security modes

Scratching your head about which Samba security mode to choose? Jack Wallen's description of each option might help make a decision.

The latest Linux desktops offer a very simple way of sharing out files and folders. But for many DIYers, server installations aren't taking advantage of those GUIs, so services like Samba must be configured manually. This usually isn't difficult, although one area that often perplexes the Samba administrator is the security mode. You know what I'm talking about -- you see the line in the smb.conf file that looks like:

security =

and you have the choice between:

  • user
  • share
  • domain
  • ads
  • server

Which do you choose? It's not all that clear, so I am going to demystify these options for you, so the next time you need to configure Samba, this issue won't stop you dead in your tracks.

User

This mode is by far the easiest to understand. This mode means that, if the Samba server accepts the username/password credentials passed by the user attempting to log in, the client will be able to mount the shares on the server. This requires a user account to be enabled on the server, as well as be initialized using the smbpasswd command.

Share

This mode basically means that a client attempts to authenticate against a share and, once authentication succeeds, that user will have access to only that share. Here's how this method functions:

  1. The client sends a mount request to the server with a valid username (username on the Samba server).
  2. Samba caches this username.
  3. Client issues tree connection request, as well as the share with which it wants to connect.
  4. User password is checked against the username. If the password matches, the client is granted access.

Domain

This method is used when accounts are stored on a centralized server -- usually a Windows Domain Controller. This method requires all authentication requests to be passed through the domain controller. This method also requires an additional parameter (along with the "security = domain" line) that looks like:

workgroup = DOMAIN

where DOMAIN is the actual domain on the network.

This method also requires the machine connecting to have joined the domain and requires administrator credentials to do so.

Ads

This is for Active Directory. Samba does include the necessary tools with which to join an AD, but the Active Directory server must be running in Native Mode for this to work. The Samba server will also need to have a working Kerberos system installed, and the smb.conf fill will need the following extra configuration lines:

realm = KERBEROS.REALM
security = ADS

where KERBEROS.REALM is the actual realm configured within the Kerberos configuration file.

Server

This mode is generally thought of as a severe security issue and no longer used. This method sends username/password credentials to yet another server for authentication. The problem with this method is, if that third machine is down, no authentication can take place. The real security issue happens because, once authentication is made, the connection is left open for extended periods of time -- this means there is the possibility of three machines being left open at once.

Conclusion

I hope this explanation makes your choice for your Samba setup easier. Samba is, after all, one of the best friends of the DIYers.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

2 comments
pgit
pgit

Share level can be configured without passwords or even user names. In fact most often this is the case. (allow null passwords, or allow guest access options) It is true the user is limited to the share this way, but that's good. A user level client would similarly be limited to whatever access that user has on it's server account. Usually that would be the entire /home directory.

sonotsky
sonotsky

Joining a Samba server to an AD domain does require a few more pieces of software; specifically a Kerberos distribution (MIT is the most common and best-documented for Samba-AD purposes; Hiemdal is a popular alternative) and OpenLDAP. On some platforms, other dependencies, like libiconv and SASL, are called for. If you're installing from source, and enable ADS mode, be aware that the devel versions of many of these pieces of software are required for linking. Also, it's important to note that connecting to a Windows 2008 domain requires different smb.conf parameters than when connecting to earlier versions of AD. Lurk the samba-users list, and read through the archives of said list, for more info.