[Samba] File server questions

Rowland penny rpenny at samba.org
Thu Jun 4 13:43:20 UTC 2020 

On 04/06/2020 14:13, mathias dufresne via samba wrote:
> Hi everyone,
>
> I'm back working on Samba subjects and rather than writing stupidities, I
> decided to come and use your knowledge : )
>
> nmbd: in modern configurations running nmbd is not necessary and could
> perhaps even be seen as security issue: it seems to allow NetBIOS
> authentication which is not secure.
> Is that true or not?
As far as I am aware 'nmbd' is used for network browsing etc and it 
requires SMBv1, If you are not using SMBv1, you can remove 'nmbd'
> winbindd: is responsible to grab information from AD to produce system
> users (through NSS) and possibly provides a way for these generated system
> users to authenticate against AD (through PAM)
> Is that true or not?
Define 'system users', if you mean users like 'www-data' etc, then these 
have nothing to do with AD. If you mean the users in AD, then, yes, 
winbind is used to authenticate them, amongst other things.
>
> smbd: the file server, at least for modern usage. It can also grab user
> information from AD but not for system users, only for Samba users (the
> applicative users, used to authenticate when accessing Samba and later, to
> shares)
> Is that true or not?

Not any more, smbd used to be able to fallback to AD, but this was 
removed at 4.8.0

'smbd' is the fileserver component of Samba and requires winbind when 
running with 'security = ADS'

>
> smb.conf -> username map: when adding "root = administrator" in the file
> referenced by "username map", the Samba user named administrator will be
> granted access to files that root system user can access. If some system
> user is named administrator too, remote/Samba user named administrator will
> not have access to files owned by system's administrator user.
> Is that true or not?

Probably not, though I have never tried it ;-)

If you have a user called 'administrator' in /etc/passwd , this user 
would be used first on the computer because it is 'passwd files winbind' 
in /etc/nsswitch.conf , but I would still expect winbind to map 
'Administrator' to 'root' when connecting via Samba.

Rowland

More information about the samba mailing list