| 1 | <samba:parameter name="security"
|
|---|
| 2 | context="G"
|
|---|
| 3 | type="enum"
|
|---|
| 4 | function="_security"
|
|---|
| 5 | enumlist="enum_security"
|
|---|
| 6 | xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|---|
| 7 | <when_value value="security">
|
|---|
| 8 | <requires option="encrypted passwords">/(yes|true)/</requires>
|
|---|
| 9 | </when_value>
|
|---|
| 10 | <description>
|
|---|
| 11 | <para>This option affects how clients respond to
|
|---|
| 12 | Samba and is one of the most important settings in the <filename moreinfo="none">
|
|---|
| 13 | smb.conf</filename> file.</para>
|
|---|
| 14 |
|
|---|
| 15 | <para>The default is <command moreinfo="none">security = user</command>, as this is
|
|---|
| 16 | the most common setting, used for a standalone file server or a DC.</para>
|
|---|
| 17 |
|
|---|
| 18 | <para>The alternatives are
|
|---|
| 19 | <command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain
|
|---|
| 20 | </command>, which support joining Samba to a Windows domain</para>
|
|---|
| 21 |
|
|---|
| 22 | <para>You should use <command moreinfo="none">security = user</command> and
|
|---|
| 23 | <smbconfoption name="map to guest"/> if you
|
|---|
| 24 | want to mainly setup shares without a password (guest shares). This
|
|---|
| 25 | is commonly used for a shared printer server. </para>
|
|---|
| 26 |
|
|---|
| 27 | <para>The different settings will now be explained.</para>
|
|---|
| 28 |
|
|---|
| 29 |
|
|---|
| 30 | <para><anchor id="SECURITYEQUALSAUTO"/><emphasis>SECURITY = AUTO</emphasis></para>
|
|---|
| 31 |
|
|---|
| 32 | <para>This is the default security setting in Samba, and causes Samba to consult
|
|---|
| 33 | the <smbconfoption name="server role"/> parameter (if set) to determine the security mode.</para>
|
|---|
| 34 |
|
|---|
| 35 | <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para>
|
|---|
| 36 |
|
|---|
| 37 | <para>If <smbconfoption name="server role"/> is not specified, this is the default security setting in Samba.
|
|---|
| 38 | With user-level security a client must first "log-on" with a
|
|---|
| 39 | valid username and password (which can be mapped using the <smbconfoption name="username map"/>
|
|---|
| 40 | parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also
|
|---|
| 41 | be used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption
|
|---|
| 42 | name="guest only"/> if set are then applied and
|
|---|
| 43 | may change the UNIX user to use on this connection, but only after
|
|---|
| 44 | the user has been successfully authenticated.</para>
|
|---|
| 45 |
|
|---|
| 46 | <para><emphasis>Note</emphasis> that the name of the resource being
|
|---|
| 47 | requested is <emphasis>not</emphasis> sent to the server until after
|
|---|
| 48 | the server has successfully authenticated the client. This is why
|
|---|
| 49 | guest shares don't work in user level security without allowing
|
|---|
| 50 | the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
|
|---|
| 51 | See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
|
|---|
| 52 |
|
|---|
| 53 | <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
|
|---|
| 54 |
|
|---|
| 55 | <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
|
|---|
| 56 | <manvolnum>8</manvolnum></citerefentry> has been used to add this
|
|---|
| 57 | machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/>
|
|---|
| 58 | parameter to be set to <constant>yes</constant>. In this
|
|---|
| 59 | mode Samba will try to validate the username/password by passing
|
|---|
| 60 | it to a Windows NT Primary or Backup Domain Controller, in exactly
|
|---|
| 61 | the same way that a Windows NT Server would do.</para>
|
|---|
| 62 |
|
|---|
| 63 | <para><emphasis>Note</emphasis> that a valid UNIX user must still
|
|---|
| 64 | exist as well as the account on the Domain Controller to allow
|
|---|
| 65 | Samba to have a valid UNIX account to map file access to.</para>
|
|---|
| 66 |
|
|---|
| 67 | <para><emphasis>Note</emphasis> that from the client's point
|
|---|
| 68 | of view <command moreinfo="none">security = domain</command> is the same
|
|---|
| 69 | as <command moreinfo="none">security = user</command>. It only
|
|---|
| 70 | affects how the server deals with the authentication,
|
|---|
| 71 | it does not in any way affect what the client sees.</para>
|
|---|
| 72 |
|
|---|
| 73 | <para><emphasis>Note</emphasis> that the name of the resource being
|
|---|
| 74 | requested is <emphasis>not</emphasis> sent to the server until after
|
|---|
| 75 | the server has successfully authenticated the client. This is why
|
|---|
| 76 | guest shares don't work in user level security without allowing
|
|---|
| 77 | the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
|
|---|
| 78 | See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
|
|---|
| 79 |
|
|---|
| 80 | <para>See also the <smbconfoption name="password server"/> parameter and
|
|---|
| 81 | the <smbconfoption name="encrypted passwords"/> parameter.</para>
|
|---|
| 82 |
|
|---|
| 83 |
|
|---|
| 84 | <para><emphasis>Note</emphasis> that the name of the resource being
|
|---|
| 85 | requested is <emphasis>not</emphasis> sent to the server until after
|
|---|
| 86 | the server has successfully authenticated the client. This is why
|
|---|
| 87 | guest shares don't work in user level security without allowing
|
|---|
| 88 | the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
|
|---|
| 89 | See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
|
|---|
| 90 |
|
|---|
| 91 | <para>See also the <smbconfoption name="password server"/> parameter and the
|
|---|
| 92 | <smbconfoption name="encrypted passwords"/> parameter.</para>
|
|---|
| 93 |
|
|---|
| 94 | <para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para>
|
|---|
| 95 |
|
|---|
| 96 | <para>In this mode, Samba will act as a domain member in an ADS realm. To operate
|
|---|
| 97 | in this mode, the machine running Samba will need to have Kerberos installed
|
|---|
| 98 | and configured and Samba will need to be joined to the ADS realm using the
|
|---|
| 99 | net utility. </para>
|
|---|
| 100 |
|
|---|
| 101 | <para>Note that this mode does NOT make Samba operate as a Active Directory Domain
|
|---|
| 102 | Controller. </para>
|
|---|
| 103 |
|
|---|
| 104 | <para>Note that this forces <smbconfoption name="require strong key">yes</smbconfoption>
|
|---|
| 105 | and <smbconfoption name="client schannel">yes</smbconfoption> for the primary domain.</para>
|
|---|
| 106 |
|
|---|
| 107 | <para>Read the chapter about Domain Membership in the HOWTO for details.</para>
|
|---|
| 108 | </description>
|
|---|
| 109 |
|
|---|
| 110 | <related>realm</related>
|
|---|
| 111 | <related>encrypt passwords</related>
|
|---|
| 112 |
|
|---|
| 113 | <value type="default">AUTO</value>
|
|---|
| 114 | <value type="example">DOMAIN</value>
|
|---|
| 115 | </samba:parameter>
|
|---|
