Configuring and Managing MPE/iX Internet Services (August 2002)

Chapter 7
Samba for MPE/iX Services
Samba for MPE/iX Share Level Security Mode
The process of user authentication depends on whether Samba for MPE/iX is running in share level or user
level security mode. The security parameter in the configuration file specifies share level or user level
authentication. If the security parameter is set to share, Samba for MPE/iX tells clients that it is granting
access under share mode security. The process for granting access under share level security is:
1. If the service is marked guest ok or public, the client is granted access with the rights of the
   username given in the guest account parameter for the service.
2. If a service is marked as guest only (not guest ok or public), access is granted with the rights of the
   username given in the guest account parameter for the service.
3. If a client passed a username/password pair to Samba for MPE/iX and the username and password are
   validated, the client is granted access with the rights of the username.
4. If the client registered a username with Samba for MPE/iX during a previous connection and now
   supplies the correct password for that username, access is granted.
5. If the client validated a username/password pair with the Samba for MPE/iX server during a previous
   connection and now passes the correct corresponding access token, access is granted. This step will be
   skipped if the revalidate service parameter is true for this service.
Samba for MPE/iX Server Security Mode
Samba for MPE/iX server mode security is one of the security policies of user level authentication; that is,
it is one of the ways of processing user authentication. After the user is validated, access rights are
enforced for the user.
To make Samba for MPE/iX operate in server security mode:
1. Add security = server in the [global] section of smb.conf. Specifying security = server in smb.conf
   turns the server security mode on.
2. Add password server = <yourNTserver>
   This option allows Samba for MPE/iX to ask a remote SMB server, e.g., a Windows NT server, for
   password checks. This option is useful if you are integrating an MPE/iX system into an already existing
   NT domain. It is better to set your Windows NT (primary or backup domain controller) server as the
   password server.
   Please set the password server parameter to the DNS name of the Windows NT server.
After setting up the configuration, the client can proceed to log in to the Samba for MPE/iX server. When
connecting to a service using user level security, the client sends a session setup SMB that includes the
username and password. This step is not necessary when using share level security.
In server level security, the Samba for MPE/iX server reports to the client that it is in user level security.
The client sends a username and password pair. The Samba for MPE/iX server takes the username/password
that the client sent and attempts to log in to the password server by sending exactly the same
username/password that it got from the client. If that server is in user level security and accepts the
password, Samba for MPE/iX accepts the client's connection. This allows the Samba for MPE/iX server to use
another SMB server as the password server, so that the user authenticates against the NT password.
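
The following is an added example, not part of the original manual: a small Python check that reads an smb.conf and reports the security mode, the password server that client credentials are forwarded to, and which services grant guest access and under which guest account. The sample configuration, host name, share names and paths are constructed placeholders, and the reader assumes that parameters set in [global] act as defaults for each service.

```python
YES = {"yes", "true", "1"}

# Constructed sample smb.conf; host, share names and paths are placeholders.
SAMPLE = """\
[global]
security = server
password server = ntpdc.example.com
guest account = nobody
[docs]
path = /SAMBA/docs
guest ok = yes
[payroll]
path = /SAMBA/payroll
"""

def parse(text):
    """Minimal smb.conf reader: {section: {parameter: value}}, names lowercased."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            cur[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Summarise the authentication-relevant settings described in this section."""
    conf = parse(text)
    glob = conf.get("global", {})
    report = {"mode": glob.get("security", "unset").lower(),
              "password_server": glob.get("password server"),
              "guest_shares": {}, "problems": []}
    # Server mode forwards the client's username/password to the password server.
    if report["mode"] == "server" and not report["password_server"]:
        report["problems"].append("security = server without a password server")
    for name, share in conf.items():
        if name == "global":
            continue
        get = lambda k: share.get(k, glob.get(k, ""))  # [global] supplies defaults
        if any(get(k).lower() in YES for k in ("guest ok", "public", "guest only")):
            report["guest_shares"][name] = get("guest account") or "unset"
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Each entry in guest_shares is a service reachable with the rights of the listed guest account, so that account's file permissions are worth reviewing alongside the report.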