In share-level security, the client authenticates itself separately for each share. It sends a password along
with each tree connection request (share mount), but it does not explicitly send a username with this
operation. The client expects a password to be associated with each share, independent of the user. This means
that Samba has to work out which username the client probably wants to use, because the SMB server is never
explicitly sent the username. Some commercial SMB servers such as NT actually associate passwords directly with shares
in share-level security, but Samba always uses the UNIX authentication scheme where it is a username/password
pair that is authenticated, not a share/password pair.
To understand the MS Windows networking parallels, think in terms of MS Windows 9x/Me where you can create a
shared folder that provides read-only or full access, with or without a password.
Many clients send a session setup request even if the server is in share-level security. They normally send a valid
username but no password. Samba records this username in a list of possible usernames. When the client then
issues a tree connection request, Samba also adds to this list the name of the share the client is trying to connect to
(useful for home directories) and any users listed in the user parameter in the smb.conf file.
The password is then checked in turn against these possible usernames. If a match is found, then the client is
authenticated as that user.
Where no list of possible usernames is available, Samba makes a UNIX system call to search the standard account
database for a user account whose password matches the one the client provided. On a system that
has no name service switch (NSS) facility, such lookups will be from the /etc/passwd
database. On NSS enabled systems, the lookup will go to the libraries that have been specified in the
nsswitch.conf file. The entries in that file in which the libraries are specified are:
passwd: files nis ldap
shadow: files nis ldap
group: files nis ldap
In the example shown here (not likely to be used in practice), the lookup will first check
/etc/passwd and /etc/group; if the entry is not found there, it will check NIS, and then
LDAP.
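The candidate-username procedure described above (session-setup username, then share name, then the user parameter, with the whole-database search as a fallback) is easiest to follow as code. The following is an added illustration written for this page, not Samba's own implementation: the account table is constructed, PBKDF2-SHA256 stands in for the crypt(3) hashes a real /etc/shadow or NSS backend would hold, and the function names and sample passwords are my own.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the UNIX account database that Samba consults
# (/etc/passwd plus /etc/shadow, or whatever NSS resolves to). Real systems
# store crypt(3) hashes; PBKDF2-SHA256 is used here only so the example
# runs anywhere with the standard library.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_account_db(plaintext_passwords):
    """Build {username: (salt, digest)} from a constructed plaintext table."""
    db = {}
    for user, pw in plaintext_passwords.items():
        salt = os.urandom(16)
        db[user] = (salt, _hash_password(pw, salt))
    return db


# Constructed sample accounts (hypothetical users and passwords).
ACCOUNTS = make_account_db({"alice": "correct horse", "bob": "battery staple"})


def unix_password_ok(username, password, accounts=ACCOUNTS):
    """The username/password pair check that Samba always performs."""
    entry = accounts.get(username)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(digest, _hash_password(password, salt))


def candidate_usernames(session_username, share_name, user_param=()):
    """Ordered list of usernames Samba will try for a tree connect:
    the session-setup username (if the client sent one), the share name
    (covers home directories), then everything in the 'user' parameter.
    Duplicates are dropped so each name is tried once."""
    candidates = []
    for name in (session_username, share_name, *user_param):
        if name and name not in candidates:
            candidates.append(name)
    return candidates


def share_level_auth(session_username, share_name, password,
                     user_param=(), accounts=ACCOUNTS):
    """Return the username the tree connect is authenticated as, or None.

    Mirrors the text: try the password against each candidate in turn; if
    there were no candidates at all, search the whole account database for
    an account whose password matches."""
    candidates = candidate_usernames(session_username, share_name, user_param)
    if candidates:
        for name in candidates:
            if unix_password_ok(name, password, accounts):
                return name
        return None
    # Fallback: no candidate list, so search the account database.
    for name in accounts:
        if unix_password_ok(name, password, accounts):
            return name
    return None


if __name__ == "__main__":
    # Session setup carried "alice"; password matches alice -> "alice".
    print(share_level_auth("alice", "data", "correct horse"))
    # No session username; the share name is the home directory "bob".
    print(share_level_auth(None, "bob", "battery staple"))
    # Password matches a name from the 'user' parameter, not the session user.
    print(share_level_auth("alice", "data", "battery staple", user_param=("bob",)))
    # No candidates at all: the whole-database search finds bob.
    print(share_level_auth(None, None, "battery staple"))
```

Note that the account a client ends up as depends only on the password and on the order of the candidate list: two accounts that happen to share a password are indistinguishable to this procedure, which is worth remembering when reading Samba logs from a share-level server.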
The smb.conf parameter that sets share-level security is: