DIY: Understanding Samba security modes

Scratching your head about which Samba security mode to choose? Jack Wallen's description of each option might help make a decision.

The latest Linux desktops offer a very simple way of sharing out files and folders. But for many DIYers, server installations aren't taking advantage of those GUIs, so services like Samba must be configured manually. This usually isn't difficult, although one area that often perplexes the Samba administrator is the security mode. You know what I'm talking about -- you see the line in the smb.conf file that looks like:

security =

and you have the choice between:

  • user
  • share
  • domain
  • ads
  • server

Which do you choose? It's not all that clear, so I am going to demystify these options for you, so the next time you need to configure Samba, this issue won't stop you dead in your tracks.


This mode is by far the easiest to understand. This mode means that, if the Samba server accepts the username/password credentials passed by the user attempting to log in, the client will be able to mount the shares on the server. This requires a user account to be enabled on the server, as well as be initialized using the smbpasswd command.


This mode basically means that a client attempts to authenticate against a share and, once authentication succeeds, that user will have access to only that share. Here's how this method functions:

  1. The client sends a mount request to the server with a valid username (username on the Samba server).
  2. Samba caches this username.
  3. Client issues tree connection request, as well as the share with which it wants to connect.
  4. User password is checked against the username. If the password matches, the client is granted access.


This method is used when accounts are stored on a centralized server -- usually a Windows Domain Controller. This method requires all authentication requests to be passed through the domain controller. This method also requires an additional parameter (along with the "security = domain" line) that looks like:

workgroup = DOMAIN

where DOMAIN is the actual domain on the network.

This method also requires the machine connecting to have joined the domain and requires administrator credentials to do so.


This is for Active Directory. Samba does include the necessary tools with which to join an AD, but the Active Directory server must be running in Native Mode for this to work. The Samba server will also need to have a working Kerberos system installed, and the smb.conf fill will need the following extra configuration lines:

security = ADS

where KERBEROS.REALM is the actual realm configured within the Kerberos configuration file.


This mode is generally thought of as a severe security issue and no longer used. This method sends username/password credentials to yet another server for authentication. The problem with this method is, if that third machine is down, no authentication can take place. The real security issue happens because, once authentication is made, the connection is left open for extended periods of time -- this means there is the possibility of three machines being left open at once.


I hope this explanation makes your choice for your Samba setup easier. Samba is, after all, one of the best friends of the DIYers.