/(yes|true)/ This option affects how clients respond to Samba and is one of the most important settings in the smb.conf file. The default is security = user, as this is the most common setting, used for a standalone file server or a DC. The alternatives are security = ads or security = domain , which support joining Samba to a Windows domain, along with security = server, which is deprecated. You should use security = user and if you want to mainly setup shares without a password (guest shares). This is commonly used for a shared printer server. The different settings will now be explained. SECURITY = AUTO This is the default security setting in Samba, and causes Samba to consult the parameter (if set) to determine the security mode. SECURITY = USER If is not specified, this is the default security setting in Samba. With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the parameter). Encrypted passwords (see the parameter) can also be used in this security mode. Parameters such as and if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated. Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the . See the parameter for details on doing this. SECURITY = DOMAIN This mode will only work correctly if net 8 has been used to add this machine into a Windows NT Domain. It expects the parameter to be set to yes. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the same way that a Windows NT Server would do. Note that a valid UNIX user must still exist as well as the account on the Domain Controller to allow Samba to have a valid UNIX account to map file access to. Note that from the client's point of view security = domain is the same as security = user. It only affects how the server deals with the authentication, it does not in any way affect what the client sees. Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the . See the parameter for details on doing this. See also the parameter and the parameter. SECURITY = SERVER In this depicted mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to security = user. It expects the parameter to be set to yes, unless the remote server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up. This mode of operation has significant pitfalls since it is more vulnerable to man-in-the-middle attacks and server impersonation. In particular, this mode of operation can cause significant resource consumption on the PDC, as it must maintain an active connection for the duration of the user's session. Furthermore, if this connection is lost, there is no way to reestablish it, and further authentications to the Samba server may fail (from a single client, till it disconnects). If the client selects NTLMv2 authentication, then this mode of operation will fail From the client's point of view, security = server is the same as security = user. It only affects how the server deals with the authentication, it does not in any way affect what the client sees. This option is deprecated, and may be removed in future Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the . See the parameter for details on doing this. See also the parameter and the parameter. SECURITY = ADS In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility. Note that this mode does NOT make Samba operate as a Active Directory Domain Controller. Read the chapter about Domain Membership in the HOWTO for details. realm encrypt passwords USER DOMAIN