12-04-2005, 22:41 #6 karfax
Originally posted by gmlinux
The only flag that (roughly speaking) distinguishes a Samba server from a CIFS client is the "security = " flag.
If it is domain, server or ads, the machine is a client of the network and authenticates against another CIFS server (NT or Samba), and with ADS against an AD server, such as Win2kServer or Win2k3.
SECURITY = SHARE
When clients connect to a share level security server they need not log onto the server with a valid username and password before attempting to connect to a shared resource (although modern clients such as Windows 95/98 and Windows NT will send a logon request with a username but no password when talking to a security = share server). Instead, the clients send authentication information (passwords) on a per-share basis, at the time they attempt to connect to that share.
Note that smbd ALWAYS uses a valid UNIX user to act on behalf of the client, even in security = share level security.
SECURITY = DOMAIN
"This mode will only work correctly if net(8) has been used to add this machine into a Windows NT Domain. It expects the encrypted passwords parameter to be set to yes. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the same way that a Windows NT Server would do.
Note that from the client's point of view security = domain is the same as security = user. It only affects how the server deals with the authentication, it does not in any way affect what the client sees."
SECURITY = SERVER
"In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box."
SECURITY = ADS
In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility.
Note that this mode does NOT make Samba operate as a Active Directory Domain Controller.
And finally, regarding "the Samba developers do not recommend the use of "security = share"", I think you imagined that; otherwise provide the link - :martelo:
13-04-2005, 06:37 #7 altemar
What I needed was for one machine to control the authentication; I set security = server and it worked.
Thanks for the help.
13-04-2005, 18:53 #8 gmlinux
Dear karfax, security=share had performance problems because of the way it was (or still is) implemented; I will locate the information (or at least try).
13-04-2005, 18:59 #9 gmlinux
I couldn't find the original, but here is a text that explains the authentication process of share mode:
1. When a connection is requested, Samba will accept the password and (if sent) the username of the client.
2. If the share is guest only, the user is immediately granted access to the share with the rights of the user specified by the guest account parameter; no password checking is performed.
3. For other shares, Samba appends the username to a list of users who are allowed access to the share. It then attempts to validate the password given in association with that username. If successful, Samba grants the user access to the share with the rights assigned to that user. The user will not need to authenticate again unless a revalidate = yes option has been set inside the share.
4. If the authentication is unsuccessful, Samba will attempt to validate the password against the list of users it has previously compiled throughout the attempted connections, as well as any specified under the share in the configuration file. If the password does not match any usernames (as specified in the system password file, typically /etc/passwd), the user is not granted access to the share under that username.
5. However, if the share has a guest ok or public option set, the user will default to access with the rights of the user specified by the guest account option.
In share mode it takes the password sent by the client and tests whether the password is valid for some user (note that it does not necessarily know the user who is accessing), depending on the size of this list...
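Added example, not part of the thread and not Samba's code: a simplified Python model of the five steps quoted in post #9, showing that a connection sent without a username costs one password check per known user and is granted as whichever account the password matches. The `users` key, the plaintext password table and the sample share are constructed for illustration.

```python
import hmac

# Constructed stand-in for the system password database (plaintext only for the demo).
PASSWORDS = {"alice": "wonderland", "bob": "builder"}


def password_ok(user, password):
    stored = PASSWORDS.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def share_connect(share, password, username=None, seen_users=None):
    """Return (unix_user, checks); unix_user is None when access is refused.

    seen_users is the list of usernames collected over earlier connection
    attempts; "users" is this model's name for the usernames listed under the share.
    """
    seen_users = [] if seen_users is None else seen_users
    checks = 0
    # Step 2: guest-only shares skip password checking entirely.
    if share.get("guest only"):
        return share["guest account"], checks
    # Step 3: remember the username (if the client sent one) and try it first.
    if username:
        if username not in seen_users:
            seen_users.append(username)
        checks += 1
        if password_ok(username, password):
            return username, checks
    # Step 4: try the same password against every other known username.
    for candidate in dict.fromkeys(seen_users + share.get("users", [])):
        if candidate == username:
            continue
        checks += 1
        if password_ok(candidate, password):
            return candidate, checks
    # Step 5: fall back to the guest account when the share allows it.
    if share.get("guest ok"):
        return share["guest account"], checks
    return None, checks


if __name__ == "__main__":
    docs = {"users": ["alice", "bob"], "guest account": "nobody"}
    # No username sent: the password alone selects the account.
    print(share_connect(docs, "builder"))       # ('bob', 2)
    print(share_connect(docs, "wrong"))         # (None, 2)
```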
21-04-2005, 15:35 #10 Originally posted by altemar