[Samba] Samba Share - security considerations

Rowland Penny rpenny at samba.org
Fri May 4 15:55:18 UTC 2018


On Fri, 4 May 2018 12:12:55 -0300
Edouard Guigné via samba <samba at lists.samba.org> wrote:

> Dear Samba Users,
> 
> I configured a samba share on a linux centos 7 server as server
> member of an Active Directory Domain.
> 
> I used posix extended unix attributes in AD for permissions on the
> Samba share.
> Winbind and SSSD are also installed for the mapping of unix attributes.

Why? You only need one of them, and depending on what comes after files
(or compat) on the 'passwd' line in /etc/nsswitch.conf, that is the one
that will be used.

> 
> My question is more about security.
> The linux server is using kerberos to dial with AD server (SSSD + Krb 
> pam etc.).
> I supposed that communication between Samba linux server and AD
> server is secure.
> 
> What about the communication between a Windows client and the Samba
> Server ? The Windows clients are part of AD domain. When a user logs
> in a Windows client, how does the authentication work against the
> Samba linux server ? Does a Windows client send login/passwd to the
> Samba Server to mount the share ?
> If yes, is the communication between Windows client and server
> encrypted and secure ? Quid of Kerberos ?

If you are using 'winbind', then yes, it will be secure. No idea about
SSSD; it has nothing to do with Samba. You could try asking on the
sssd mailing list.

> Can we force the choice of cyphers somewhere ?

Rowland
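
The reply above says the order of sources on the 'passwd' line in /etc/nsswitch.conf decides whether winbind or sss is used; NSS consults the listed sources left to right. The script below is an added example, not part of the original message, that reports that order for the 'passwd' and 'group' databases. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: show which AD identity source (winbind or sss) each NSS
# database consults first. Function names are hypothetical.

# nss_sources FILE DB -> sources listed for DB, in lookup order, with
# comments and [STATUS=action] items stripped.
nss_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*\]//g' -e 's/:/: /' "$1" |
    awk -v db="$2:" '$1 == db {
        for (i = 2; i <= NF; i++) printf "%s%s", (i > 2 ? " " : ""), $i
        print ""; exit }'
}

# nss_ad_source FILE DB -> "winbind", "sss", "<first>,then:<second>" when
# both are listed, or "none" when neither is.
nss_ad_source() {
    first=""; second=""
    for src in $(nss_sources "$1" "$2"); do
        case "$src" in
            winbind|sss)
                if [ -z "$first" ]; then
                    first=$src
                elif [ "$src" != "$first" ] && [ -z "$second" ]; then
                    second=$src
                fi ;;
        esac
    done
    if [ -z "$first" ]; then echo none
    elif [ -z "$second" ]; then echo "$first"
    else echo "$first,then:$second"
    fi
}

# Constructed sample: both services installed, as in the question.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample nsswitch.conf
passwd:     files sss winbind
group:      files [SUCCESS=return] winbind
shadow:     files
EOF
for db in passwd group; do
    echo "$db: $(nss_sources "$sample" "$db") -> $(nss_ad_source "$sample" "$db")"
done
rm -f "$sample"
```

On a real host, pass /etc/nsswitch.conf as the file argument; a 'passwd' and 'group' result that name different services means users and groups are being resolved by different mappers.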


