Accounts, Authentication, and Authorization (
Page 1 of 4 )
Authentication and authorization are two of the most vital functions on a network; if they aren't working properly, nobody will be able to get anything done. This article, the first part in a four-part series, explains how to handle authentication and authorization in Samba. It is excerpted from chapter five of Using Samba, Third Edition, written by Gerald Carter, Jay Ts and Robert Eckstein (O'Reilly, 2007; ISBN: 0596007698). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.
Authentication is proving that you are who you say you are. You do this every day, during such activities as printing a document or saving a file to a network drive. When things are working correctly, the steps taken by a server to authenticate a request are often taken for granted. You enter a password, and it is used whenever the client machine needs to access a network resource on your behalf. Authentication is a prerequiste to authorization. Authorization is what the server does to verify that the authenticated user should (or should not) gain access to the requested resource (such as the printer or file share).
Chapter 1 described the basic steps necessary to connect to a share. The second step, after negotiating the protocol dialect, is the session setup, a packet exchange in which the client sends some proof of identify. This proof must be validated somehow. In this chapter, you will see how Samba can be configured to verify this request using a set of local user accounts. More advanced authentication environments involving domain controllers are covered in Chapters 9 and 10.
Security Modes
The SMB/CIFS protocol has two security levels: user and share. Samba implements these levels across five security modes defined by the global security parameter in smb.conf.* Only three of these values are relevant to modern Samba servers, all of which are variations of SMB/CIFS user-level authentication. In this chapter, we cover the details of security = user and local accounts. Chapter 10 presents the domain member server modes security=domain and security=ads . Table 5-1 lists the valid security modes as well as their current level of support from Samba developers.
Table 5-1. Samba’s security modes
|
Parameter
|
Value
|
Description
|
Default
|
Scope
|
|
security
|
user(Chapter 5)
|
Authentication model used to
|
user
|
Global
|
|
ads(Chapter 10)
|
validate incoming requests.
|
|
domain(Chapter 10)
|
|
share(deprecated)
|
|
server(deprecated)
|
What About the Other Two Security Modes?
The remaining two security modes, security= share and security=server , are historical artifacts from past releases. Both of these implementations are remnants of authentication models primarily used by Windows 9x and earlier hosts. Neither security mode offers functionality beyond that provided by the three recommended security values covered in this chapter. Furthermore, in many instances, the deprecated modes suffer from severe protocol limitations. For this and other reasons, there is a high chance that both will be removed from Samba at some future time. It is strongly suggested that you avoid these two values when building new servers.
