Authentication is proving that you are who you say you are. You do this every day, during such activities as printing a document or saving a file to a network drive. When things are working correctly, the steps taken by a server to authenticate a request are often taken for granted. You enter a password, and it is used whenever the client machine needs to access a network resource on your behalf. Authentication is a prerequiste to authorization. Authorization is what the server does to verify that the authenticated user should (or should not) gain access to the requested resource (such as the printer or file share).
Chapter 1 described the basic steps necessary to connect to a share. The second step, after negotiating the protocol dialect, is the session setup, a packet exchange in which the client sends some proof of identify. This proof must be validated somehow. In this chapter, you will see how Samba can be configured to verify this request using a set of local user accounts. More advanced authentication environments involving domain controllers are covered in Chapters 9 and 10.
The SMB/CIFS protocol has two security levels: user and share. Samba implements these levels across five security modes defined by the global security parameter in smb.conf.* Only three of these values are relevant to modern Samba servers, all of which are variations of SMB/CIFS user-level authentication. In this chapter, we cover the details of security = user and local accounts. Chapter 10 presents the domain member server modes security=domain and security=ads . Table 5-1 lists the valid security modes as well as their current level of support from Samba developers.
Table 5-1. Samba’s security modes
Authentication model used to
validate incoming requests.
What About the Other Two Security Modes?
The remaining two security modes, security= share and security=server , are historical artifacts from past releases. Both of these implementations are remnants of authentication models primarily used by Windows 9x and earlier hosts. Neither security mode offers functionality beyond that provided by the three recommended security values covered in this chapter. Furthermore, in many instances, the deprecated modes suffer from severe protocol limitations. For this and other reasons, there is a high chance that both will be removed from Samba at some future time. It is strongly suggested that you avoid these two values when building new servers.