[Samba] Can someone explain SMB passwords?

steve steve at steve-ss.com
Sun Jul 21 04:00:00 MDT 2013


On Sun, 2013-07-21 at 01:34 -0700, Paul D. DeRocco wrote:
> > On Sat, Jul 20, 2013 at 10:41:31PM -0700, Paul D. DeRocco wrote:
> > > I've read what I can find about SMB passwords, but I don't 
> > > get what they
> > > are. Are they Unix passwords or an alternative to them? If 
> > > I have a file
> > > share, and the underlying file system requires some sort of 
> > > credentials to
> > > access it, what is the relationship between that and an SMB 
> > > password?
> > > 
> > > If a client tries to access the share, using a user account 
> > > that is listed
> > > in the smbpasswd file, does the client have to provide a 
> > > password that
> > > matches the SMB password in order for the server to allow 
> > > the access, and
> > > having done that, does it then not need to know the Unix 
> > > password? Or is the
> > > SMB password the Unix password that the server will use to 
> > > access the share,
> > > so that the client doesn't have to supply a password at all?
> > > 
> > > I don't even understand if the SMB server runs as root, and 
> > > can therefore
> > > access anything, or if it can't access local files unless 
> > > it is given a
> > > password somehow. The smbpasswd(5) and smbpasswd(8) man pages, and
> > > everything else I've read, seem to assume that whoever is 
> > > reading them
> > > already knows the answers to these questions.
> 
> > From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE] 
> > 
> > The Samba server never sees the plaintext password. The
> > Samba password is a one-way hashed version of the plaintext
> > password, that is all Samba needs to do its
> > challenge-response authentication. If Samba is a domain
> > member, it does not even have the hash, it has nothing but
> > trusts the domain controller to have it and check it
> > properly.
> > 
> > What file system is this? If it happens to be AFS, then
> > there's the fake_kaserver functionality. The basic trick is
> > that this makes the file server the KDC. A blatant violation
> > of any security policy, but that's the only way.
> 
> You completely misunderstood my question. I'm asking something much simpler
> and more basic than all that. What's an SMB password for, and how does it
> relate to a Unix password?
> 
> Here's the situation. I have a directory on a machine, and the files in it
> are created by a service which runs as root, so the files are owned by root
> and only locally accessible to root. I need to make this directory
> accessible to ANY remote client who knows a particular password. Do I have
> to tell the client the root password, so that the client can tell the Samba
> server the password needed to access the files? Or does Samba run as root
> and have access to everything anyway? If the former, is the SMB password the
> same as the Unix password needed to access the files, programmed into the
> Samba server so that the client doesn't have to supply it? If the latter, is
> the SMB password a completely independent password that Samba uses to grant
> access?
> 
> Nothing in the docs gives me a clue how this works. It all seems to be
> written by and for people who've been working with networking since the
> Stone Age, and already know all the mechanisms and issues. My only involvement
> with networking over the years has been as a user, who is given a user name
> and a password to access various network services. How that maps to what's
> going on in the Samba server is a complete mystery to me. But now I need to
> set up a simple server with one file share, as described above. Some of the
> docs imply that the client must supply a password that matches a password on
> one of the local Unix user accounts (or in some remote password server). Yet
> then there's this talk about an SMB password. I don't see where that fits
> in.
> 
> Is my question clearer now?

Hi. I sympathise with your need for plain English.

I'll have a go from what you describe.
 
Each Linux user needs also to be a Samba user. It's easier to use the
same password for both, so as root:

    useradd paul
    passwd paul
    (enter a password)
    smbpasswd -a paul
    (enter the same password)

paul is now a local Linux user and also a Samba user who can now access
folders defined in smb.conf on that machine.

Set up a share like this:

    [myshare]
    path = /path/to/the/folder
    read only = No
    valid users = paul

paul can now access that folder not only from that machine but also from
remote machines, including Windows. An easy way to do that in Linux is
to use a browser:

    smb://ip.of.the.server/myshare

Samba will then ask for a username and password on the remote machine,
be it Linux or Windows.

That may be enough to get started but I'm afraid that from here the
learning curve is steep. I know systems like GNOME and KDE have quite
simple right click > share folder as > samba. Maybe that's good enough
if you have just one folder?

HTH,
Steve



