Linux – What does Ubuntu’s Samba use for authentication


First of all, I'm fairly new to Linux & Samba.

I just set up a basic Ubuntu Server 9.10 home server. I set up a few directories as Samba shares. I have only one login on the Ubuntu server, let's call it bobdole. I did NOT, however, set up any Samba-specific users (using smbpasswd).

Now in Windows XP, I use this 3rd-party Windows Explorer software called xplorer2. I like it because it's just much, much better than Windows Explorer. Anyway, when I went to the share in xplorer2, it of course asked for my username and password. I put in bobdole and the password and it let me in. Now remember, this bobdole is not a Samba user that I set up. It's my username for logging into the Ubuntu server.

So far I'm a little bit confused. Why did the Ubuntu server allow me to use my system username (bobdole) to log in to a Samba share?

A little bit later, I was using normal Windows Explorer and when accessing a share, it asked again for my username/password. I used bobdole again... but then it wasn't letting me in. After some investigation I started to discover this is why I need to set up specific Samba logins for the shares.

So my questions are:

  1. How did this xplorer2 software log in to a Samba share using my server's system username instead of an actual Samba-specific username? Why doesn't normal Windows Explorer just do the same thing?

  2. Are Samba-specific users a requirement for me to set up? (I would assume it is, but this odd behavior made me question that).

Best Answer

Welcome to the wonderful world of Samba! I've been using it for years, and it's well worth learning about. It's a bit of a learning curve, however. I highly recommend becoming intimately familiar with your /etc/samba/smb.conf and the smb.conf(5) manpage, and keep the Samba How-To Collection link handy. These are your best resources for how your server is configured and what it means.

First off, you need to understand something about how Windows XP connects to servers. In Windows, once you establish a connection to a certain server with one username, you can't establish another connection with the same server with a different username. (At the same time, Windows recognizes these connections by how you address the server, so while \\ServerName and \\X.X.X.X are the same machine, to Windows they're different connections.)

Second, you need to understand something about Samba and guest access. Samba can be configured to allow guest access for any user whose authentication fails. Under this configuration, if you attempt to log in from Windows and the login fails for some reason (say, Samba doesn't recognize the username), Samba will establish the connection with guest account privileges.

Since Ubuntu is preconfigured for ease-of-access, it uses the map to guest = bad user directive to automatically allow guest access to unknown users. It also allows guest access to public shares created through the GUI (the usershare allow guests = yes directive). I think Ubuntu uses PAM for user authentication by default -- the default server configuration uses encrypt passwords = no, which means the passdb backend = tdbsam isn't actually used.

So, to answer your questions:

  1. You logged in either because Samba authenticated you to your Unix account via PAM, or because it didn't recognize the username at all and mapped you to the guest account. As to why Win Explorer failed, I can only speculate. My best guess is that it thought you were trying to connect as a different user (did you see error 1219?).

  2. No, and yes. Guest access is provided automatically for users that Samba doesn't recognize; with unencrypted passwords, PAM is used, so I think your Unix accounts are automatically recognized; but if you want encrypted SMB authentication, you'll need to create Samba users and passwords in the tdbsam database.
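
To see which of the behaviours described in the answer a given server actually has enabled, the smb.conf directives it names can be checked mechanically. The following is an added example, not part of the original answer or of Samba itself; the sample configuration is constructed, and the function name audit_smb_conf is hypothetical.

```python
import configparser

# Constructed sample mirroring the directives named in the answer; not a real server's file.
SAMPLE_SMB_CONF = """
[global]
   map to guest = bad user
   usershare allow guests = yes
   encrypt passwords = no
   passdb backend = tdbsam

[media]
   path = /srv/media
   guest ok = yes

[private]
   path = /srv/private
   valid users = bobdole
"""

def _yes(value):
    """Interpret an smb.conf boolean value."""
    return value.strip().lower() in {"yes", "true", "1"}

def audit_smb_conf(text):
    """Return (section, finding) pairs for guest- and auth-related settings."""
    # Strip indentation so configparser never treats a key as a continuation line.
    flat = "\n".join(line.strip() for line in text.splitlines())
    # interpolation=None because smb.conf values may contain % substitutions.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(flat)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if name.lower() == "global":
            mode = sec.get("map to guest", "never").strip().lower()
            if mode != "never":
                findings.append((name, f"map to guest = {mode}: some failed logins become guest sessions"))
            if _yes(sec.get("usershare allow guests", "no")):
                findings.append((name, "usershare allow guests = yes: user-created shares may admit guests"))
            if not _yes(sec.get("encrypt passwords", "yes")):
                findings.append((name, "encrypt passwords = no: plaintext password authentication is enabled"))
        elif _yes(sec.get("guest ok", sec.get("public", "no"))):
            # "public" is a synonym for "guest ok" on a share.
            findings.append((name, "guest ok = yes: share is reachable without a password"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{section}] {finding}")
```

On a live system, feed it the contents of /etc/samba/smb.conf; it does not follow include directives or backslash line continuations.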
