In this section, the function and purpose of Samba's security modes are described. An accurate understanding of
how Samba implements each security mode as well as how to configure MS Windows clients for each mode will
significantly reduce user complaints and administrator heartache.
Microsoft Windows networking uses a protocol that was originally called the Server Message Block (SMB)
protocol. Since some time around 1996 the protocol has been better known as the Common Internet Filesystem
(CIFS) protocol.
In the SMB/CIFS networking world, there are only two types of security: user-level and share-level. We refer
to these collectively as security levels. In implementing these two security levels, Samba provides
flexibilities that are not available with MS Windows NT4/200x servers. In fact, Samba implements share-level
security only one way, but has four ways of implementing user-level security. Collectively, we call the Samba
implementations of the security levels security modes. They are known as share, user, domain, ADS, and server
modes. They are documented in this chapter.
An SMB server informs the client, at the time of a session setup, of the security level the server is running.
There are two options: share-level and user-level. Which of these two the client receives affects the way the
client then tries to authenticate itself. It does not directly affect (to any great extent) the way the Samba
server does security. This may sound strange, but it fits in with the client/server approach of SMB. In SMB
everything is initiated and controlled by the client, and the server can only tell the client what is
available and whether an action is allowed.
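
To make the server's announcement concrete, the following added example (not part of the Samba documentation or code) reads the security level out of a server reply. It assumes the SMB1 "NT LM 0.12" negotiate response layout, where the SecurityMode byte follows the dialect index; `parse_security_level` and `build_sample` are hypothetical names, and the sample messages are constructed.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
NEGOTIATE_USER_SECURITY = 0x01      # bit set: user-level, clear: share-level
NEGOTIATE_ENCRYPT_PASSWORDS = 0x02  # bit set: challenge/response passwords


def parse_security_level(msg: bytes) -> dict:
    """Return the security level advertised in an SMB1 negotiate response."""
    if len(msg) < 33:
        raise ValueError("truncated SMB1 message")
    # Fixed 32-byte header starts with magic, command and a 32-bit status.
    magic, command, status = struct.unpack_from("<4sBI", msg, 0)
    if magic != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    if command != SMB_COM_NEGOTIATE:
        raise ValueError("not a negotiate response")
    if status != 0:
        raise ValueError(f"server returned status 0x{status:08x}")
    # WordCount is 17 only when the server accepted the NT LM 0.12 dialect.
    if msg[32] != 17 or len(msg) < 36:
        raise ValueError("not an NT LM 0.12 negotiate response")
    dialect_index, mode = struct.unpack_from("<HB", msg, 33)
    return {
        "dialect_index": dialect_index,
        "level": "user" if mode & NEGOTIATE_USER_SECURITY else "share",
        "encrypted_passwords": bool(mode & NEGOTIATE_ENCRYPT_PASSWORDS),
    }


def build_sample(mode: int) -> bytes:
    """Constructed sample reply: header, 17 parameter words, empty data."""
    header = struct.pack("<4sBIBH", SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x88, 0xC853)
    header += bytes(32 - len(header))   # zeroed signature, TID, PID, UID, MID
    params = struct.pack("<BHB", 17, 0, mode) + bytes(31)  # rest of the words
    return header + params + struct.pack("<H", 0)          # ByteCount = 0


if __name__ == "__main__":
    for mode in (0x03, 0x00):
        print(hex(mode), parse_security_level(build_sample(mode)))
```
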
The term client refers to all agents whether it is a Windows workstation, a Windows server,
another Samba server, or any vanilla SMB or CIFS client application (e.g., smbclient) that
make use of services provided by an SMB/CIFS server.