Samba Server type is configured in the [global] section of the /etc/samba/smb.conf file. Below are 3 types of Samba servers used while configuring Samba.
- Stand-Alone Server
- Domain Member Server
- Domain Controller
A stand-alone Samba server can be a workgroup server or a member of a workgroup environment and does not participate in a Windows domain in any way. The following is an example of configuring the [global] directives in /etc/samba/smb.conf for a stand- alone server:
# vi /etc/samba/smb.conf [global] workgroup = workgroup_name netbios name = netbios_name security = share
The security parameter set to share indicates share-level security as opposed to user-level security. With share-level security, the server accepts only a password without an explicit username from the client. The server expects a password for each share, independent of the username. The use of share-level security is discouraged in favor of user-level security. There are four different ways to implement user-level security — user, server, domain, and ads.
Domain Member Server
A domain member server is similar to a stand-alone server, but the server is logged in to a domain controller (either Windows or Samba) and is subject to the domain’s security rules. An example of a domain member server would be a departmental server running Samba that has a machine account on the Primary Domain Controller (PDC). All of the department’s clients still authenticate with the PDC, but the departmental server controls the printer and network shares. To set up a domain member server, you must first join the domain or Active Directory by using the net join command before starting the smb service.
The following is an example of configuring /etc/samba/smb.conf to implement an Active Directory domain member server. Samba authenticates users for services being run locally, but is also a client of the Active Directory.
# vi /etc/samba/smb.conf [global] realm = EXAMPLE.COM security = ADS password server = kerberos.example.com
The realm directive identifies the Kerberos realm and must be capitalized. Kerberos is an authentication protocol that allows nodes communicating over a nonsecure network to prove their identity to one another. Windows requires Kerberos for Active Directory authentication. The password server directive is required only if Active Directory and Kerberos are running on different servers.
The following is an example of configuring /etc/samba/smb.conf to implement a Windows NT4-based domain member server. NT4-based domains do not use Kerberos in their authentication method.
# vi /etc/samba/smb.conf [global] workgroup = workgroup_name netbios name = netbios_name security = domain
A Samba server cannot be configured as an Active Directory Primary Domain Controller (PDC) but it can be configured to appear as a Windows NT4-style domain controller. For Windows NT, a domain controller is similar to a Network Information Service (NIS) server in a Linux environment. They both host user and group information databases and other services. Domain controllers are mainly used for security, including the authentication of users accessing domain resources.