1!== 2!== security_level.txt for Samba release 2.0.10 23 Jun 2001 3!== 4Contributor: Andrew Tridgell 5Updated: June 27, 1997 6Status: Current 7 8Subject: Description of SMB security levels. 9=========================================================================== 10 11Samba supports the following options to the global smb.conf parameter 12"security =": 13 share, user, server 14 15Note: Samba-2.0.0 now adds the "domain" security mode. Please refer to 16the smb.conf man page for usage information and to the document 17docs/textdocs/DOMAIN_MEMBER.txt for further background details. 18 19Of the above, "security = server" means that Samba reports to clients that 20it is running in "user mode" but actually passes off all authentication 21requests to another "user mode" server. This requires an additional 22parameter "password server =" that points to the real authentication server. 23That real authentication server can be another Samba server or can be a 24Windows NT server, the later natively capable of encrypted password support. 25 26Below is a more complete description of security levels. 27=========================================================================== 28 29A SMB server tells the client at startup what "security level" it is 30running. There are two options "share level" and "user level". Which 31of these two the client receives affects the way the client then tries 32to authenticate itself. It does not directly affect (to any great 33extent) the way the Samba server does security. I know this is 34strange, but it fits in with the client/server approach of SMB. In SMB 35everything is initiated and controlled by the client, and the server 36can only tell the client what is available and whether an action is 37allowed. 38 39I'll describe user level security first, as its simpler. In user level 40security the client will send a "session setup" command directly after 41the protocol negotiation. This contains a username and password. The 42server can either accept or reject that username/password 43combination. Note that at this stage the server has no idea what 44share the client will eventually try to connect to, so it can't base 45the "accept/reject" on anything other than: 46 47- the username/password 48- the machine that the client is coming from 49 50If the server accepts the username/password then the client expects to 51be able to mount any share (using a "tree connection") without 52specifying a password. It expects that all access rights will be as 53the username/password specified in the "session setup". 54 55It is also possible for a client to send multiple "session setup" 56requests. When the server responds it gives the client a "uid" to use 57as an authentication tag for that username/password. The client can 58maintain multiple authentication contexts in this way (WinDD is an 59example of an application that does this) 60 61 62Ok, now for share level security. In share level security the client 63authenticates itself separately for each share. It will send a 64password along with each "tree connection" (share mount). It does not 65explicitly send a username with this operation. The client is 66expecting a password to be associated with each share, independent of 67the user. This means that samba has to work out what username the 68client probably wants to use. It is never explicitly sent the 69username. Some commercial SMB servers such as NT actually associate 70passwords directly with shares in share level security, but samba 71always uses the unix authentication scheme where it is a 72username/password that is authenticated, not a "share/password". 73 74Many clients send a "session setup" even if the server is in share 75level security. They normally send a valid username but no 76password. Samba records this username in a list of "possible 77usernames". When the client then does a "tree connection" it also adds 78to this list the name of the share they try to connect to (useful for 79home directories) and any users listed in the "user =" smb.conf 80line. The password is then checked in turn against these "possible 81usernames". If a match is found then the client is authenticated as 82that user. 83 84Finally "server level" security. In server level security the samba 85server reports to the client that it is in user level security. The 86client then does a "session setup" as described earlier. The samba 87server takes the username/password that the client sends and attempts 88to login to the "password server" by sending exactly the same 89username/password that it got from the client. If that server is in 90user level security and accepts the password then samba accepts the 91clients connection. This allows the samba server to use another SMB 92server as the "password server". 93 94You should also note that at the very start of all this, where the 95server tells the client what security level it is in, it also tells 96the client if it supports encryption. If it does then it supplies the 97client with a random "cryptkey". The client will then send all 98passwords in encrypted form. You have to compile samba with encryption 99enabled to support this feature, and you have to maintain a separate 100smbpasswd file with SMB style encrypted passwords. It is 101cryptographically impossible to translate from unix style encryption 102to SMB style encryption, although there are some fairly simple management 103schemes by which the two could be kept in sync. 104