Samba has several security mechanisms that you might want to use. These mechanisms allow you to specify which hosts have access to your shares and how Samba transmits passwords from SMB clients.
Samba provides a mechanism for host-based access control. Using this facility, you can select hosts (either by IP or hostname) or networks to which to grant or deny access.
Specify this option, either globally or on a per-share basis, with the hosts keyword. This keyword takes one of two parameters: allow or deny.
You can set the value to any of the following, separating multiple entries with whitespace:
- A specific host, for example, station1, station1.mycompany.com, or 192.168.0.1
- A DNS domain matching rule, for example, .mycompany.com
- An IP address matching rule, for example, 192.168.0
- A network/netmask pair, for example, 192.168.0.1/255.255.255.0
- Special keywords, for example, EXCEPT and ALL
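The entry kinds in the list above, worked through as a small Python matcher. This is an added example, not part of the original page and not Samba's own code: it is a simplified model (a single EXCEPT, IPv4 only for prefix rules), and the function names, the list value and the client addresses are constructed for illustration.

```python
import ipaddress

def entry_matches(entry, ip, hostname=""):
    """Match one list entry (the kinds listed above) against a client.
    hostname is the name the server resolved for the client (an input here)."""
    addr, host = ipaddress.ip_address(ip), hostname.lower()
    if entry.upper() == "ALL":                        # special keyword
        return True
    if "/" in entry:                                  # network/netmask pair
        # strict=False masks off host bits, so 192.168.0.1/255.255.255.0
        # covers all of 192.168.0.0-192.168.0.255
        return addr in ipaddress.ip_network(entry, strict=False)
    if entry.startswith("."):                         # DNS domain rule
        return host.endswith(entry.lower())
    octets = entry.rstrip(".").split(".")
    if all(o.isdigit() for o in octets):
        if len(octets) == 4:                          # specific IP address
            return addr == ipaddress.ip_address(".".join(octets))
        # IP prefix rule: compare whole octets, so 192.168.1 does not
        # also cover 192.168.10.x
        return ip.split(".")[:len(octets)] == octets
    return host == entry.lower()                      # specific host name

def list_matches(value, ip, hostname=""):
    """True if the client matches an entry before EXCEPT and none after it."""
    entries = value.split()
    upper = [e.upper() for e in entries]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(entries)
    included, excluded = entries[:cut], entries[cut + 1:]
    if not any(entry_matches(e, ip, hostname) for e in included):
        return False
    return not any(entry_matches(e, ip, hostname) for e in excluded)

# Constructed list value and clients for illustration (not from the page).
SAMPLE = "192.168.0.1/255.255.255.0 192.168.1 .mycompany.com EXCEPT 192.168.1.13"
CLIENTS = [("192.168.0.77", "station1.mycompany.com"),
           ("192.168.1.13", "station2.mycompany.com"),
           ("192.168.10.5", ""),
           ("10.0.0.8", "laptop.mycompany.com"),
           ("10.0.0.9", "laptop.mycompany.com.example.net")]

def audit(value, clients):
    """Map each client IP to whether the list value matches it."""
    return {ip: list_matches(value, ip, name) for ip, name in clients}

if __name__ == "__main__":
    for ip, matched in audit(SAMPLE, CLIENTS).items():
        print(f"{ip:15} {'match' if matched else 'no match'}")
```

Running a proposed list value through a check like this before deploying it shows which clients a name-based or prefix entry actually covers, including ones outside the intended address range.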
For example, a configuration for a local area network, with IP addresses ranging from 192.168.0.1 through 192.168.0.254 and 192.168.1.1 through 192.168.1.254, might secure Samba with:
Samba supports several methods for validating user passwords, configurable with the security keyword. The method you configure depends on how you intend to integrate your Samba server with the rest of your network.
For most installations, the default configuration security = user is acceptable. This setting requires that the Samba server have a user entry and password that matches the user name trying to access the share.
The security = share setting is common when you wish to provide a common service to a group of trusted users with a single password.
This setting requires connecting users to provide the share password before they can access the service.
The two remaining methods, security = server and security = domain, instruct Samba to use a Windows server to validate passwords.
If the value is domain, the Samba server will act as part of the configured Windows domain. Otherwise, Samba will act as part of the configured workgroup.
- Windows domain: A more organized form of Windows workgroup.
- Workgroup: In Windows terminology, a group of computers acting as part of a cohesive working unit that can share resources allocated to that workgroup.
Some versions of Windows require you to set special configurations to be compatible with the Samba default encryption scheme.