Windows systems have a network security level setting, and the SAMBA server introduces the same concept. Each security level corresponds to a set of default security policies. The SAMBA server has four security levels: Share, User, Server, and Domain. A system administrator needs to understand the differences between these four levels and select the appropriate one based on the enterprise network's deployment and security requirements.
One, the security levels and the environments they suit.
1, Domain security level. This is the highest security level of the SAMBA server. At this level the SAMBA server does not verify the client's identity itself; that work is handed to the domain controller or another server. In previous articles, I remember saying that the biggest advantage of using the SAMBA server as a go-between for Windows clients and Linux servers is that the Linux operating system can be joined to a Microsoft domain. That is, a Linux system running the SAMBA server supports the Microsoft domain environment. Therefore, if the enterprise network is already a domain environment, you can use this security level: the system administrator joins the SAMBA server to the Microsoft domain and lets the domain controller authenticate clients. The Microsoft domain controller then handles the interaction between server and client, user login, authentication, directory searches, and other related operations, which provides a relatively high degree of security. The precondition for using this level is that the enterprise network already has domain management in place.
2, Server security level and User security level. These two security levels are very similar, so I will describe them together. User is the default security level of the SAMBA server. It means that before accessing the server, a user must first log in with a valid user name and password. That is, a client must have a valid user name and password to be able to access it. Another point to note is that the system administrator needs to be clear about when authentication takes place. Some systems authenticate only when a specific file is accessed: the client can view the list of shared files without a password, but must provide a password to access a specific file. The User security level is different. At this level, authentication takes place at connection time, so a client that cannot provide a valid user name and password cannot access even the list information.
The Server security level sits between the User and Domain security levels. When accessing the server, the SAMBA client again needs to provide a valid user name and password. The difference is that at this level a separate server is responsible for verifying the identity. This is very similar to the Domain level, except that a domain environment is not mandatory. There is, however, one big difference from the Domain security level: under the Server security level, if authentication on the other server fails, the SAMBA server automatically downgrades to the User security level and uses the authentication mechanism configured for that level. To the client, therefore, the User and Server security levels look no different. The system administrator, however, can make good use of the distinction, because different access policies, access rights, and so on can be set for the different security levels.
Under normal circumstances, if the enterprise's security requirements are relatively high and it has a separate authentication server that serves mail and other applications and services, you might consider using the Server level. You can also limit the downgrade from the Server level to the User level by not enabling the SAMBA password file.
3, Share security level. This is the lowest security level of the SAMBA server. At this level a client connecting to the SAMBA server does not need to provide a user name and password; it can access the shared resources on the Linux server directly. This level is more convenient, but its security is obviously very hard to guarantee, and the log information hardly reflects which client accessed what. The system administrator should also note that running the who command on the Linux system at this level to query user login information will show some inexplicable users. This is mainly because, at the Share security level, the client does not need any account or password for access, so SAMBA automatically supplies a valid Unix account to represent the identity of the client. The system administrator will therefore see some strange accounts in the who list. Because this level lacks security, I do not recommend that you use it.
Two, the SAMBA password file: purpose and maintenance.
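Before turning to the password file: the security level a server actually runs at is set by the `security` parameter in the `[global]` section of smb.conf. The following is an added example, not part of the original article, that reads a configuration and reports what the descriptions above say about the selected level. The sample configuration is constructed, and the check for `password server` at the Server level is an assumption about how that level is normally configured.

```python
# Added example: report the security level an smb.conf selects.
# SAMPLE_CONF is constructed for illustration.
SAMPLE_CONF = """\
# constructed sample, not a real server's configuration
[Global]
   workgroup = EXAMPLE
   Security = SHARE
   ; password server = auth.example.internal
[public]
   path = /srv/share
   security = user
"""

NOTES = {
    "share": "HIGH: no user name or password is required to reach shares",
    "user": "OK: user name and password are checked at connection time",
    "server": "CHECK: another server authenticates; downgrades to user level if that fails",
    "domain": "OK: the domain controller authenticates; requires a domain environment",
}

def global_params(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # a trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names
            params["".join(name.split()).lower()] = value.strip()
    return params

def audit_security(text):
    """Return (level, findings) for the configured security level."""
    params = global_params(text)
    level = params.get("security", "user").lower()   # user is the default level
    findings = [NOTES.get(level, "UNKNOWN: level not covered in this article")]
    if level == "server" and "passwordserver" not in params:
        findings.append("CHECK: server level selected but no 'password server' is set")
    return level, findings

if __name__ == "__main__":
    print(audit_security(SAMPLE_CONF))
```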
When discussing the Server security level, I mentioned that not enabling the SAMBA password file limits the downgrade from the Server security level to the User level. Why does this work?
This is mainly because the Linux operating system's accounts and passwords are not interchangeable with the SAMBA server's password file. That is, even if a client has a Linux user name and password, without a SAMBA user name and password it still cannot connect properly. For this reason some system administrators often ask a similar question: they enter the correct account and password in the Linux authentication window, yet the system still reports a password error and rejects the login. Why can they not log in to the SAMBA server with the correct user name and password? Again, it is because the SAMBA server's password file and the Linux operating system's password file are not interchangeable, so a client cannot use Linux account and password data to log on to the SAMBA server.
But it is very troublesome for the system administrator to maintain two sets of passwords (the SAMBA server password and the Linux operating system password). Is it possible to unify them? The answer is yes; otherwise the usability of the SAMBA server would be greatly reduced. In fact, the principle is very simple: the Linux operating system accounts are created again on the SAMBA server. After that, the Linux account and password can be used to log in to the SAMBA server (in fact, the password files in use are still different; the two merely hold the same user names and passwords). Creating these user names and passwords by hand is clearly time consuming, and the designers of the SAMBA server considered this problem: the SAMBA password file can be built without entering account information manually. Here I introduce a small tool called "mksmbpasswd.sh". It is a script whose main purpose is to read the Linux operating system's password file and convert the user name and password information in it, according to certain rules, into the SAMBA password file.
Privileges need to be considered when using this script. Out of habit, when deploying the SAMBA server we tend to set up a dedicated user and group, such as SAMBA, and deploy the SAMBA server under that user and group. This is mainly to separate it from other applications and manage it independently. But the script needs to access the Linux operating system's password file, so it must be executed as the privileged root user; it cannot be run under the SAMBA identity. System administrators deploying the SAMBA server for the first time often make this mistake. For this reason I remind you here that the command must be executed as the privileged root user; otherwise the system will report an error and the SAMBA password file cannot be created.
Also note that once the password file has been created, it takes effect immediately, without restarting the SAMBA server. For a client, however, it is different. During testing, we found that the system administrator's account name and password could not be used to log in to the SAMBA server on the Linux system. Later examination showed that the problem was in the password file, so we immediately maintained the password file and added the Linux operating system's user name and password information. But the client still could not log in to the SAMBA server; it had to be restarted before we could log on. I am not very clear about the specific reason; when you have time, you can look into it and share what you find.
Finally, it should be emphasized that the SAMBA server's password file and the Linux operating system's password file are not the same file, and they are not synchronized with each other. For this reason, if an account is created for an employee in the Linux operating system, you still need to use the script above to synchronize the SAMBA password file manually, or create an identical account by hand. However, according to my understanding, in later SAMBA server versions the designers may use the Linux system's user name and password file directly as the SAMBA server's password file. Let us wait and see!
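Because the two password files are not synchronized, they drift apart as accounts are added and removed. The following is an added example, not part of the original article and not the mksmbpasswd.sh script, that compares the two files and lists the accounts that disagree. Assumptions: the classic smbpasswd field layout `name:uid:LM hash:NT hash:[flags]:LCT-time:`, an all-X hash field meaning no password is stored, the `D` flag meaning a disabled account, and ordinary accounts starting at UID 1000; both samples are constructed.

```python
# Added example: compare a Linux passwd file with a SAMBA smbpasswd file.
# Both samples are constructed; <LM-HASH>/<NT-HASH> are placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
"""
SMBPASSWD = """\
# SMB password file (constructed sample)
alice:1001:<LM-HASH>:<NT-HASH>:[U          ]:LCT-00000000:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UD         ]:LCT-00000000:
dave:1004:<LM-HASH>:<NT-HASH>:[U          ]:LCT-00000000:
"""
MIN_UID = 1000  # assumption: ordinary (non-system) accounts start here

def linux_users(text, min_uid=MIN_UID):
    """Map user name -> UID for ordinary accounts in passwd-format text."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[2].isdigit() and int(f[2]) >= min_uid:
            users[f[0]] = int(f[2])
    return users

def samba_users(text):
    """Map user name -> (uid, flags, password_unset) from smbpasswd text."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if line.startswith("#") or len(f) < 5 or not f[1].isdigit():
            continue
        unset = set(f[3]) == {"X"}          # all-X hash: no password stored
        users[f[0]] = (int(f[1]), f[4].strip("[] "), unset)
    return users

def drift(passwd_text, smbpasswd_text):
    """Report where the two password files disagree."""
    lin, smb = linux_users(passwd_text), samba_users(smbpasswd_text)
    both = set(lin) & set(smb)
    return {
        "missing_in_samba": sorted(set(lin) - set(smb)),   # no SAMBA login yet
        "not_in_linux": sorted(set(smb) - set(lin)),       # stale SAMBA entries
        "cannot_log_in": sorted(n for n in both if "D" in smb[n][1] or smb[n][2]),
        "uid_mismatch": sorted(n for n in both if lin[n] != smb[n][0]),
    }

if __name__ == "__main__":
    for key, names in drift(PASSWD, SMBPASSWD).items():
        print(f"{key}: {names}")
```

Entries under `not_in_linux` deserve the most attention: they are SAMBA accounts whose Linux account is gone or is a system account, and they remain in the SAMBA password file until someone removes them.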