Samba Administration Guide - Example Configuration

Samba HowTo Guide
Prev	Home	Next

Note

When Samba is running in server security mode , it is essential that the parameter password server is set to the precise NetBIOS machine name of the target authentication server. Samba cannot determine this from NetBIOS name lookups because the choice of the target authentication server is arbitrary and cannot be determined from a domain name. In essence, a Samba server that is in server security mode is operating in what used to be known as workgroup mode.

Example Configuration

Using MS Windows NT as an Authentication Server

This method involves the additions of the following parameters in the smb.conf file:

encrypt passwords = Yes

security = server

password server = "NetBIOS_name_of_a_DC"

There are two ways of identifying whether or not a username and password pair is valid. One uses the reply information provided as part of the authentication messaging process, the other uses just an error code.

The downside of this mode of configuration is that for security reasons Samba will send the password server a bogus username and a bogus password, and if the remote server fails to reject the bogus username and password pair, then an alternative mode of identification or validation is used. Where a site uses password lockout, after a certain number of failed authentication attempts, this will result in user lockouts.

Use of this mode of authentication requires a standard UNIX account for the user. This account can be blocked to prevent logons by non-SMB/CIFS clients.