/(yes|true)/
This option affects how clients respond to
Samba and is one of the most important settings in the
smb.conf file.
The default is security = user, as this is
the most common setting, used for a standalone file server or a DC.
The alternatives are
security = ads or security = domain
, which support joining Samba to a Windows domain
You should use security = user and
if you
want to mainly setup shares without a password (guest shares). This
is commonly used for a shared printer server.
The different settings will now be explained.
SECURITY = AUTO
This is the default security setting in Samba, and causes Samba to consult
the parameter (if set) to determine the security mode.
SECURITY = USER
If is not specified, this is the default security setting in Samba.
With user-level security a client must first "log-on" with a
valid username and password (which can be mapped using the
parameter). Encrypted passwords (see the parameter) can also
be used in this security mode. Parameters such as and if set are then applied and
may change the UNIX user to use on this connection, but only after
the user has been successfully authenticated.
Note that the name of the resource being
requested is not sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
the server to automatically map unknown users into the .
See the parameter for details on doing this.
SECURITY = DOMAIN
This mode will only work correctly if net
8 has been used to add this
machine into a Windows NT Domain. It expects the
parameter to be set to yes. In this
mode Samba will try to validate the username/password by passing
it to a Windows NT Primary or Backup Domain Controller, in exactly
the same way that a Windows NT Server would do.
Note that a valid UNIX user must still
exist as well as the account on the Domain Controller to allow
Samba to have a valid UNIX account to map file access to.
Note that from the client's point
of view security = domain is the same
as security = user. It only
affects how the server deals with the authentication,
it does not in any way affect what the client sees.
Note that the name of the resource being
requested is not sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
the server to automatically map unknown users into the .
See the parameter for details on doing this.
See also the parameter and
the parameter.
Note that the name of the resource being
requested is not sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
the server to automatically map unknown users into the .
See the parameter for details on doing this.
See also the parameter and the
parameter.
SECURITY = ADS
In this mode, Samba will act as a domain member in an ADS realm. To operate
in this mode, the machine running Samba will need to have Kerberos installed
and configured and Samba will need to be joined to the ADS realm using the
net utility.
Note that this mode does NOT make Samba operate as a Active Directory Domain
Controller.
Read the chapter about Domain Membership in the HOWTO for details.
realm
encrypt passwords
USER
DOMAIN