SAMBA Security

Security has been a major concern with the SAMBA server. SAMBA has several options that allow an administrator to set up file sharing safely. SAMBA security can be understood at four levels:

  • Share-level security
  • User-level security
  • Server-level security
  • Domain-level security

Share-Level Security

Every share that is set up in a network workgroup can be either a free share or a share that requires an access password. SAMBA supports both kinds of share. When a user needs to access a share that requires no password, only the share name needs to go with the connect request. However, if a share requires a password before it allows access, the client must send both the share name and a password.

Note that no username is associated with such a share. These are the two types of share-level security options in SAMBA. Each share requires independent authentication. Therefore, if there are 10 shares set up on a particular server and a single client needs to access them, the client computer must authenticate itself 10 times.

These shares are similar to those in Windows 98 that can be associated with a password. The only difference is that SAMBA uses UNIX authentication of a username and password instead of the Windows authentication combination of a share name and password. One main advantage of this security mode is that connecting to a SAMBA server does not require a UNIX account for every corresponding Windows account.

User-Level Security

This is a user-based authentication scheme. In this security level, when the user connects to the server, the server has no idea which share the user wants to access. Therefore, no share names are involved until the user is successfully authenticated to the server. The authentication is done only on the basis of a username and password. With user-level security, each client needs to authenticate itself only once, irrespective of how many shares the person wants to access. After logging in, all the shares for which the user has the required permission become accessible. The SAMBA server verifies each user using standard authentication against the /etc/passwd file. If the shadow suite is installed and enabled, /etc/shadow is also used in addition to the /etc/passwd file.

Alternatively, if encrypt passwords = yes is set in the smb.conf file, SAMBA uses the smbpasswd file to authenticate users.

An administrator can reduce some workload by keeping /etc/passwd synchronized. However, this should be done only if all users have shell access and the shadow suite is not being used. If any users on the computer do not have shell access, this would also prevent those users from accessing SAMBA shares. This is due to the presence of a * in place of the hashed password. Similarly, if the shadow suite is being used, the hashed password field is replaced by a * in the /etc/passwd file.
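
The following Python sketch is an added example, not part of the original page: it reads the [global] section of an smb.conf to report the security mode and whether encrypt passwords selects smbpasswd, and lists the accounts whose /etc/passwd password field holds a placeholder instead of a hash. The file contents, account names and function names are constructed for illustration; treating x, ! and !! as placeholders alongside * is an assumption.

```python
# Added example, not from the original page. All sample data is constructed.
SAMPLE_SMB_CONF = """\
; constructed sample smb.conf
[global]
   workgroup = EXAMPLE
   security = user
   Encrypt Passwords = yes
[public]
   path = /srv/public
"""
SAMPLE_PASSWD = """\
root:CONSTRUCTEDHASH1:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
alice:CONSTRUCTEDHASH2:1000:1000::/home/alice:/bin/sh
bob:x:1001:1001::/home/bob:/bin/sh
"""
# Assumption: these values mean "no usable hash is stored in /etc/passwd itself".
PLACEHOLDERS = {"*", "x", "!", "!!"}

def global_params(smb_conf):
    """Return the [global] parameters; names are lower-cased, spacing collapsed."""
    params, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def placeholder_accounts(passwd):
    """Accounts whose second passwd field is a placeholder rather than a hash."""
    rows = (line.split(":") for line in passwd.splitlines())
    return [f[0] for f in rows if len(f) >= 2 and f[1] in PLACEHOLDERS]

def audit(smb_conf, passwd):
    g = global_params(smb_conf)
    encrypted = g.get("encrypt passwords", "").lower() in ("yes", "true", "1")
    return {
        "security": g.get("security", "unset").lower(),
        "password_source": "smbpasswd" if encrypted else "/etc/passwd",
        "placeholder_accounts": placeholder_accounts(passwd),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_SMB_CONF, SAMPLE_PASSWD))
```

The accounts it lists are the ones the paragraph above warns about: a password file built from /etc/passwd carries no usable hash for them.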
