diff options
author | Gerald Carter <jerry@samba.org> | 2002-08-15 13:56:33 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2002-08-15 13:56:33 +0000 |
commit | 3941058359150a7c2d2084d459620364f1bfacc0 (patch) | |
tree | c7f760ea659c82527f92955d6acdfaff4441315a /docs/docbook/projdoc/security_level.sgml | |
parent | 10712f9a22c539c0f84bca96d73e2cf4d304566e (diff) | |
download | samba-3941058359150a7c2d2084d459620364f1bfacc0.tar.gz samba-3941058359150a7c2d2084d459620364f1bfacc0.tar.bz2 samba-3941058359150a7c2d2084d459620364f1bfacc0.zip |
large set of updates converting some of the textdocs to SGML/DocBook.
I think these were originally from Jelmer, but I've lost
the original message.
Also had some syntax errors in the manpages (does no one regenerate
after making changes to the SGML source?)
Still have some developer specific docs to add from Jelmer in the next
go around....
(This used to be commit 5f673b788314325699a64377d514dda435e6c478)
Diffstat (limited to 'docs/docbook/projdoc/security_level.sgml')
-rw-r--r-- | docs/docbook/projdoc/security_level.sgml | 140 |
1 files changed, 140 insertions, 0 deletions
diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml new file mode 100644 index 0000000000..46a2ad7fe4 --- /dev/null +++ b/docs/docbook/projdoc/security_level.sgml @@ -0,0 +1,140 @@ +<chapter id="security_levels"> +<chapterinfo> + <author> + <firstname>Andrew</firstname><surname>Tridgell</surname> + <affiliation> + <orgname>Samba Team</orgname> + <address><email>samba@samba.org</email></address> + </affiliation> + </author> +</chapterinfo> + +<title>Security levels</title> + +<sect1> +<title>Introduction</title> + +<para> +Samba supports the following options to the global smb.conf parameter +</para> + +<para><programlisting> +[global] +<ulink url="smb.conf.5.html#SECURITY"><parameter>security</parameter></ulink> = [share|user(default)|domain|ads] +</programlisting></para> + +<para> +Please refer to the smb.conf man page for usage information and to the document +<ulink url="DOMAIN_MEMBER.html">DOMAIN_MEMBER.html</ulink> for further background details +on domain mode security. The Windows 2000 Kerberos domain security model +(security = ads) is described in the <ulink url="ADS-HOWTO.html">ADS-HOWTO.html</ulink>. +</para> + +<para> +Of the above, "security = server" means that Samba reports to clients that +it is running in "user mode" but actually passes off all authentication +requests to another "user mode" server. This requires an additional +parameter "password server =" that points to the real authentication server. +That real authentication server can be another Samba server or can be a +Windows NT server, the later natively capable of encrypted password support. +</para> + +</sect1> + +<sect1> +<title>More complete description of security levels</title> + +<para> +A SMB server tells the client at startup what "security level" it is +running. There are two options "share level" and "user level". Which +of these two the client receives affects the way the client then tries +to authenticate itself. It does not directly affect (to any great +extent) the way the Samba server does security. I know this is +strange, but it fits in with the client/server approach of SMB. In SMB +everything is initiated and controlled by the client, and the server +can only tell the client what is available and whether an action is +allowed. +</para> + +<para> +I'll describe user level security first, as its simpler. In user level +security the client will send a "session setup" command directly after +the protocol negotiation. This contains a username and password. The +server can either accept or reject that username/password +combination. Note that at this stage the server has no idea what +share the client will eventually try to connect to, so it can't base +the "accept/reject" on anything other than: +</para> + +<orderedlist> +<listitem><para>the username/password</para></listitem> +<listitem><para>the machine that the client is coming from</para></listitem> +</orderedlist> + +<para> +If the server accepts the username/password then the client expects to +be able to mount any share (using a "tree connection") without +specifying a password. It expects that all access rights will be as +the username/password specified in the "session setup". +</para> + +<para> +It is also possible for a client to send multiple "session setup" +requests. When the server responds it gives the client a "uid" to use +as an authentication tag for that username/password. The client can +maintain multiple authentication contexts in this way (WinDD is an +example of an application that does this) +</para> + +<para> +Ok, now for share level security. In share level security the client +authenticates itself separately for each share. It will send a +password along with each "tree connection" (share mount). It does not +explicitly send a username with this operation. The client is +expecting a password to be associated with each share, independent of +the user. This means that samba has to work out what username the +client probably wants to use. It is never explicitly sent the +username. Some commercial SMB servers such as NT actually associate +passwords directly with shares in share level security, but samba +always uses the unix authentication scheme where it is a +username/password that is authenticated, not a "share/password". +</para> + +<para> +Many clients send a "session setup" even if the server is in share +level security. They normally send a valid username but no +password. Samba records this username in a list of "possible +usernames". When the client then does a "tree connection" it also adds +to this list the name of the share they try to connect to (useful for +home directories) and any users listed in the "user =" smb.conf +line. The password is then checked in turn against these "possible +usernames". If a match is found then the client is authenticated as +that user. +</para> + +<para> +Finally "server level" security. In server level security the samba +server reports to the client that it is in user level security. The +client then does a "session setup" as described earlier. The samba +server takes the username/password that the client sends and attempts +to login to the "password server" by sending exactly the same +username/password that it got from the client. If that server is in +user level security and accepts the password then samba accepts the +clients connection. This allows the samba server to use another SMB +server as the "password server". +</para> + +<para> +You should also note that at the very start of all this, where the +server tells the client what security level it is in, it also tells +the client if it supports encryption. If it does then it supplies the +client with a random "cryptkey". The client will then send all +passwords in encrypted form. You have to compile samba with encryption +enabled to support this feature, and you have to maintain a separate +smbpasswd file with SMB style encrypted passwords. It is +cryptographically impossible to translate from unix style encryption +to SMB style encryption, although there are some fairly simple management +schemes by which the two could be kept in sync. +</para> +</sect1> +</chapter> |