First, a quick review
Samba provides file services to the local area network through two programs: smbd and nmbd. nmbd is the NetBIOS name resolution daemon, and normally only one nmbd process runs on a system. smbd is the program that actually provides the file service; normally, whenever a client connects, the Samba server starts a new smbd process to serve it.
nmbd and smbd share a single configuration file, smb.conf. On Debian Etch this file lives in the /etc/samba directory. Samba automatically re-reads the file every 60 s, so after editing it you can either wait up to 60 s for the new options to take effect, or restart the daemons by hand with the /etc/init.d/samba restart script. Before putting a new configuration into use, run testparm to check that the file's syntax is correct.
Second, authentication and permissions
As I understand it, Samba's authentication process has two steps.
1. First, Samba compares the user name and password supplied by the client against the records in its local database; if they match, the client is allowed to access the shared resources. This is like needing the right key to get into a house.
2. But getting into the house does not mean you may freely use everything inside it. Samba decides, according to certain rules, whether the client may access a particular file or use another resource (such as a printer). Some of these rules are defined in smb.conf, but more importantly they rest on the Linux file permission system: the smbd process accesses files with the permissions of the user that was authenticated in step one (which means the user name authenticated in step one must have a corresponding entry in the server's /etc/passwd file).
Third, the authentication process
1. Samba has four methods for authenticating a client's identity: share-level, user-level, server-level and domain-level. The latter three are essentially very similar and differ only in where the verification takes place: under user-level it happens on the Samba server itself; under server-level it happens on another server; under domain-level it is performed by the PDC or BDC.
2. share-level and user-level are the two most common authentication methods, and user-level is Samba's default.
The difference between the two modes as seen from the client: under share-level the client does not need to enter a user name, only a password; under user-level the client must enter both a user name and a password.
On the server side there is very little difference between the two modes: Samba always authenticates with a user name/password combination. Under user-level, Samba checks the user name and password sent by the client against the records in its local database. Under share-level, because the client sends no user name, Samba takes the user name(s) given in the resource's section of smb.conf together with a default user name compiled into the Samba program, pairs each of them with the password sent by the client, and compares each combination against the local database records. As long as one combination passes verification, the client is given access to the shared resource with the rights of that user. If none of the combinations validates, the client is refused access.
Under share-level there is a special case. If a shared resource is configured with
guest ok = yes
guest only = yes
guest account = a user account
then when a client connects, Samba automatically grants it the permissions of the account named by guest account to access the shared resource, and the client does not even need a password.
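To make the share-level and user-level decisions above concrete, here is an added toy model of them, not code from the original post or from Samba itself. The credential store, the share table, the guest account and the "compiled-in default user name" are all constructed for illustration; real Samba keeps hashed credentials in smbpasswd rather than plain-text pairs.

```shell
#!/bin/sh
# Added example (not from the original post): a toy model of Samba's
# share-level and user-level authentication decisions.
# Everything below is constructed; real smbpasswd stores password hashes.

# Constructed credential store, one "name:password" per line.
USERDB='alice:alice-pw
bob:bob-pw
nobody:'

# Constructed share table: "share:usernames:guest ok:guest only".
# "usernames" plays the role of the user names listed in the share's
# smb.conf section; the guest account is the global setting below.
SHARES='docs:alice bob:no:no
public::yes:yes'
GUEST_ACCOUNT=nobody
# Samba also tries a default user name compiled into the program;
# the name used here is an assumption.
DEFAULT_USER=bob

# check_cred NAME PASSWORD -> exit 0 if the pair is in USERDB
check_cred() {
    printf '%s\n' "$USERDB" | grep -qxF "$1:$2"
}

# share_field SHARE N -> Nth colon-separated field of the share's row
share_field() {
    printf '%s\n' "$SHARES" | awk -F: -v s="$1" -v n="$2" '$1 == s { print $n }'
}

# user_level USER PASSWORD -> effective Unix user, or DENIED
# The client sent both values; they are checked as one pair.
user_level() {
    if check_cred "$1" "$2"; then echo "$1"; else echo DENIED; fi
}

# share_level SHARE PASSWORD -> effective Unix user, or DENIED
# The client sends no user name: the password is paired in turn with
# each user name listed for the share and with the compiled-in default.
share_level() {
    if [ "$(share_field "$1" 3)" = yes ] && [ "$(share_field "$1" 4)" = yes ]; then
        echo "$GUEST_ACCOUNT"; return      # guest only: no password needed
    fi
    for u in $(share_field "$1" 2) "$DEFAULT_USER"; do
        if check_cred "$u" "$2"; then echo "$u"; return; fi
    done
    echo DENIED
}

echo "user-level  docs   alice/alice-pw -> $(user_level alice alice-pw)"
echo "user-level  docs   alice/bad-pw   -> $(user_level alice bad-pw)"
echo "share-level docs   bob-pw         -> $(share_level docs bob-pw)"
echo "share-level docs   bad-pw         -> $(share_level docs bad-pw)"
echo "share-level public (no password)  -> $(share_level public '')"
```

The point the model makes visible is that under share-level the effective Unix identity is chosen by whichever listed user name happens to match the password, so two clients sending different passwords to the same share can end up running as different users.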
Fourth, password transmission
Whether share-level or user-level, smb.conf can specify how the Samba server interprets the password sent by the client: the password may arrive as plain text or in encrypted form. Which form the client sends is decided by the client operating system. For example, Windows 95 can only send passwords in clear text, while Windows XP sends passwords in encrypted form by default but can be changed through the registry to send clear-text passwords. So, if there are clients of several different versions, we need to maintain both a plain-text password database and an encrypted password database on the Samba server.
Use encrypt passwords = yes / no in smb.conf to configure how Samba interprets the received password.
When Samba is configured to interpret passwords as transmitted in clear text, it uses /etc/passwd as the basis for checking; when it is configured to interpret them as encrypted, it uses smbpasswd as the basis (on Debian Etch this file is located by default in the /etc/samba directory, but its location can be specified in smb.conf).
(My thoughts: Linux user passwords stored in /etc/passwd or /etc/shadow are encrypted, but Windows clients do not support that encryption algorithm, so the client cannot first encrypt the password locally with the same algorithm and then send it over the network; it can only send the password to the Samba server in plain text, after which the Samba server converts it with the algorithm that /etc/passwd supports and compares the result with the record in /etc/passwd.
The danger of transmitting passwords in the clear is obvious, so Windows instead encrypts the password first and then sends it to the server. But the problem is that the encryption algorithm Windows uses differs from the one /etc/passwd uses, so Samba cannot directly take the received password and compare it with /etc/passwd. Moreover, Windows uses a one-way algorithm, which means that when Samba receives the encrypted password it cannot recover the plain-text password, convert it further, and then compare it with /etc/passwd. In one sentence: with encrypted passwords, /etc/passwd or /etc/shadow cannot serve as the basis for verification.)
Because the smbpasswd file is independent of /etc/passwd, a user's Samba share password can differ from their login password. But every user in the smbpasswd file must have a corresponding record in /etc/passwd, because once verification succeeds Samba uses that user's permissions to access the resource on the client's behalf.
Once a client has passed authentication, it can use the various resources Samba provides. Two smb.conf options, browsable and writable, control whether users can browse and write to a resource.
At the same time, the client's read and write operations are also governed by the Linux permission system. For example, suppose a file has the following owner, group and permissions:
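The options discussed in this section (encrypt passwords, guest ok, guest only, guest account, browsable, writable) are the ones a reviewer looks at first when assessing how exposed a Samba server is. The following added script, not part of the original post or of the Samba project, reads a constructed smb.conf and reports the password form the server accepts and how each share is exposed; it shows a guest-writable share next to an authenticated one. testparm checks the file's syntax, this script checks its exposure. The sample configuration uses security = share, which the Samba 3 generation the post discusses supports but which was removed in Samba 4; encrypt passwords has defaulted to yes since Samba 3.0. The script only recognises the option spellings used in the post (real smb.conf also accepts synonyms such as public, writeable, write ok and read only = no).

```shell
#!/bin/sh
# Added example (not from the original post): audit an smb.conf for the
# options discussed above. The configuration is constructed for illustration.

# sample_conf -> prints a constructed smb.conf with one guest share and
# one authenticated share.
sample_conf() {
cat <<'EOF'
[global]
   security = share
   encrypt passwords = no
   guest account = nobody

[public]
   path = /srv/samba/public
   guest ok = yes
   guest only = yes
   browsable = yes
   writable = yes

[docs]
   path = /srv/samba/docs
   guest ok = no
   browsable = no
   writable = yes
EOF
}

# smb_get FILE SECTION KEY -> value of KEY in [SECTION], or nothing.
# Section and key names are case-insensitive; surrounding blanks are ignored.
smb_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        tolower(sec) == tolower(want_sec) {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == tolower(want_key)) {
                val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# list_shares FILE -> every section name except [global], one per line
list_shares() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s)
                      if (tolower(s) != "global") print s }' "$1"
}

# share_risk FILE SHARE -> guest-writable | guest-read | authenticated
share_risk() {
    guest=$(smb_get "$1" "$2" "guest ok" | tr 'A-Z' 'a-z')
    write=$(smb_get "$1" "$2" "writable" | tr 'A-Z' 'a-z')
    case "$guest" in
        yes|true|1)
            case "$write" in
                yes|true|1) echo guest-writable ;;
                *)          echo guest-read ;;
            esac ;;
        *) echo authenticated ;;
    esac
}

# Report for the constructed configuration.
CONF=$(mktemp)
sample_conf > "$CONF"
ep=$(smb_get "$CONF" global "encrypt passwords" | tr 'A-Z' 'a-z')
case "$ep" in
    no|false|0) echo "encrypt passwords = no: plain-text passwords accepted, checked against /etc/passwd" ;;
    *)          echo "encrypt passwords = ${ep:-yes (default)}: encrypted passwords, checked against smbpasswd" ;;
esac
# Share names containing spaces would need line-based reading instead of word splitting.
for s in $(list_shares "$CONF"); do
    risk=$(share_risk "$CONF" "$s")
    case "$risk" in
        guest-*) echo "$s: $risk (runs as guest account '$(smb_get "$CONF" global "guest account")')" ;;
        *)       echo "$s: $risk" ;;
    esac
done
rm -f "$CONF"
```

The report makes the two findings that matter here explicit: the server accepts plain-text passwords, and the public share lets any client write as the guest account without a password, which is exactly the combination the text describes under share-level with guest only = yes.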
rwxr-x--- user_a group_1 somefile
and there are three user names, with their groups:
User name    Group name
1. When a client connects as user_a and is verified, it can not only read the file but also write to it;
2. When a client connects as user_b and is verified, it can only read the file and cannot write to it;
3. When a client connects as user_c and is verified, it can neither read the file nor write to it.
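The three outcomes above follow from the owner/group/other rule of Unix permissions, which is what smbd applies once it is running as the authenticated user. Here is an added script, not from the original post, that evaluates that rule for a mode string; the users' group memberships are an assumption chosen to match the three outcomes (user_b in group_1, user_c not), since the post's table of users and groups did not survive. It goes slightly beyond the text by also handling a user that belongs to several groups and a write-only triplet.

```shell
#!/bin/sh
# Added example (not from the original post): which of read/write a user
# gets on a file, from the file's mode string, owner and group.
# File and users are constructed; group memberships are assumed.

# effective_perms MODE OWNER GROUP USER USER_GROUPS
#   MODE        the 9-character mode string, e.g. rwxr-x---
#   USER_GROUPS space-separated list of the groups USER belongs to
# Prints the three-character triplet that applies to USER.
# Only the first matching class counts: an owner who is also in the
# file's group still gets the owner triplet, not the group one.
effective_perms() {
    mode=$1; owner=$2; group=$3; user=$4; user_groups=$5
    if [ "$user" = "$owner" ]; then
        printf '%s\n' "$mode" | cut -c1-3; return
    fi
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then
            printf '%s\n' "$mode" | cut -c4-6; return
        fi
    done
    printf '%s\n' "$mode" | cut -c7-9
}

# describe_access (same arguments) -> read+write | read-only | write-only | no access
describe_access() {
    p=$(effective_perms "$@")
    case "$p" in
        rw*) echo "read+write" ;;
        r*)  echo "read-only" ;;
        ?w*) echo "write-only" ;;
        *)   echo "no access" ;;
    esac
}

# The file from the text. Reaching it also requires the x bit on every
# parent directory, and writable = no in smb.conf can still forbid writes
# that the Unix mode would allow; neither is modelled here.
FILE_MODE=rwxr-x---
FILE_OWNER=user_a
FILE_GROUP=group_1
for entry in "user_a:group_1" "user_b:group_1" "user_c:group_2"; do
    u=${entry%%:*}; groups=${entry#*:}
    echo "$u ($groups): $(describe_access "$FILE_MODE" "$FILE_OWNER" "$FILE_GROUP" "$u" "$groups")"
done
```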