We describe user-level security first because it's simpler. In user-level security, the client sends a session
setup request directly following protocol negotiation. This request provides a username and password. The
server can either accept or reject that username/password combination. At this stage the server has no idea
what share the client will eventually try to connect to, so it can't base the accept/reject on anything other than:
1. the username/password.
2. the name of the client machine.
If the server accepts the username/password credentials, the client expects to be able to mount shares (using
a tree connection) without further specifying a password. It expects that all access
rights will be those of the username/password credentials that were specified in the initial session
setup.
It is also possible for a client to send multiple session setup
requests. When the server responds, it gives the client a uid to use
as an authentication tag for that username/password. The client can maintain multiple
authentication contexts in this way (WinDD is an example of an application that does this).
Windows networking user account names are case-insensitive, meaning that upper-case and lower-case characters
in the account name are considered equivalent. They are said to be case-preserving, but not case-significant.
Windows and LanManager systems previous to Windows NT version 3.10 have case-insensitive passwords that were
not necessarily case-preserving. All Windows NT family systems treat passwords as case-preserving and
case-sensitive.
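The following Python sketch is an added illustration, not code from Samba or from the original page. It models the server-side logic described above: authentication happens once at session setup, the returned uid tags each authentication context, and a tree connect carries no password. The class, method, account and share names are assumptions, as is the use of casefold() to stand in for Windows' case-insensitive account-name matching.

```python
import hashlib, hmac, itertools, os

class UserLevelServer:
    """Toy model: authenticate at session setup, authorise later by uid."""
    def __init__(self):
        self._accounts = {}   # casefolded account name -> (salt, derived key)
        self._sessions = {}   # uid -> (account name, client machine name)
        self._share_acl = {}  # share name -> set of permitted account names
        self._uids = itertools.count(100)  # hypothetical uid numbering

    def add_account(self, username, password):
        salt = os.urandom(16)
        # Low iteration count keeps the demo fast; not a production setting.
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
        self._accounts[username.casefold()] = (salt, key)

    def allow(self, share, username):
        self._share_acl.setdefault(share, set()).add(username.casefold())

    def session_setup(self, username, password, client_machine):
        """Decide on credentials and client name only; no share is known yet."""
        entry = self._accounts.get(username.casefold())  # names: case-insensitive
        if entry is None:
            return None
        salt, stored = entry
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
        # Passwords: case-sensitive (NT family), compared in constant time.
        if not hmac.compare_digest(stored, attempt):
            return None
        uid = next(self._uids)
        self._sessions[uid] = (username.casefold(), client_machine)
        return uid

    def tree_connect(self, uid, share):
        """No password here: rights are those of the context the uid names."""
        session = self._sessions.get(uid)
        return session is not None and session[0] in self._share_acl.get(share, set())

def demo():
    srv = UserLevelServer()
    srv.add_account("Alice", "S3cret")   # constructed sample accounts
    srv.add_account("bob", "hunter2")
    srv.allow("payroll", "alice")
    a = srv.session_setup("ALICE", "S3cret", "WS1")  # name case ignored
    b = srv.session_setup("bob", "hunter2", "WS1")   # second context, same client
    wrong_case = srv.session_setup("alice", "s3cret", "WS1")  # password case matters
    return wrong_case, srv.tree_connect(a, "payroll"), srv.tree_connect(b, "payroll")
```

Because the share is unknown at session setup, every per-share decision in this model is made at tree connect from the identity bound to the uid, so an unknown or stale uid is refused outright.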
Example Configuration
The smb.conf parameter that sets user-level security is: