Samba Security Modes

There are only two types of security modes for Samba, share-level and user-level, which are collectively known as security levels . Share-level security can only be implemented in one way, while user-level security can be implemented in one of four different ways. The different ways of implementing a security level are called security modes .

User-Level Security

User-level security is the default setting for Samba. Even if the security = user directive is not listed in the smb.conf file, it is used by Samba. If the server accepts the client's username/password, the client can then mount multiple shares without specifying a password for each instance. Samba can also accept session-based username/password requests. The client maintains multiple authentication contexts by using a unique UID for each logon.

In smb.conf, the security = user directive that sets user-level security is: 

[GLOBAL]
...
security = user
...

The following sections describe other implementations of user-level security.

Domain Security Mode (User-Level Security)

In domain security mode, the Samba server has a machine account (domain security trust account) and causes all authentication requests to be passed through to the domain controllers. The Samba server is made into a domain member server by using the following directives in smb.conf: 

[GLOBAL]
...
security = domain
workgroup = MARKETING
...

Active Directory Security Mode (User-Level Security)

If you have an Active Directory environment, it is possible to join the domain as a native Active Directory member. Even if a security policy restricts the use of NT-compatible authentication protocols, the Samba server can join an ADS using Kerberos. Samba in Active Directory member mode can accept Kerberos tickets.

In smb.conf, the following directives make Samba an Active Directory member server: 

[GLOBAL]
...
security = ADS
realm = EXAMPLE.COM
password server = kerberos.example.com
...

Server Security Mode (User-Level Security)

Server security mode was previously used when Samba was not capable of acting as a domain member server.

It is highly recommended to not use this mode since there are numerous security drawbacks.

In smb.conf, the following directives enable Samba to operate in server security mode: 

[GLOBAL]
...
encrypt passwords = Yes
security = server
password server = "NetBIOS_of_Domain_Controller"
...

Share-Level Security

With share-level security, the server accepts only a password without an explicit username from the client. The server expects a password for each share, independent of the username. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. Samba developers strongly discourage use of share-level security.

In smb.conf, the security = share directive that sets share-level security is: 

[GLOBAL]
...
security = share
...