Jump to content


Photo

Samba Authentication?


  • Please log in to reply
3 replies to this topic

#1 Ivanhoe

Ivanhoe

    purposeful grimace

  • Members
  • PipPipPipPipPipPipPipPipPipPip
  • 32,085 posts
  • Gender:Male
  • Location:deep in the heart of ... darkness, USA
  • Interests:military technology, military history, weapon systems, management/organizational design, early American history

Posted 29 June 2019 - 1117 AM

I am thinking about finally getting around to building a home backup server. So many questions. Since my client systems will be a mix of Windows and Linux (and possibly ESXi is/when I get around to building a lab server), and desktop and laptop will be dialoguing with the backup server via Wi-Fi, the authentication and network encryption thing is bugging me.

 

SMB3 and sshfs seem to have sufficient security, and I have read that Samba performing SMB3 has better throughput.

 

But I can't seem to find the handle on authentication. AFAICT, a Windows machine accessing a Samba server is going to do the NTLM thing, which is heartburn city even for NTLMv2.

 

What can be done to improve security for Windows clients? I ain't gonna run AD on my home network, so Kerberos is right out.

 

Linux appears to use smbclient to access a Samba server, with username/password being sent encrypted (hopefully!) by SMB3, and compared against the Samba user database. That doesn't bother me as much, assuming SMB3 is decently implemented.


  • 0

#2 Murph

Murph

    Hierophant Lord

  • Members
  • PipPipPipPipPipPipPipPipPipPip
  • 18,764 posts
  • Gender:Male

Posted 29 June 2019 - 1244 PM

Whatever you say.  I'll agree... :)


  • 0

#3 TTK Ciar

TTK Ciar

    Member

  • Members
  • PipPip
  • 2,005 posts
  • Gender:Male
  • Location:Sebastopol, CA, USA
  • Interests:material engineering, composite armor, GPC, battletank technology

Posted 29 June 2019 - 1531 PM

I think you have a good handle on the issues.  If there is a better alternative for Windows authentication, I've not heard of it.

One point to consider: If your Windows users install any third-party binaries or browse websites with javascript enabled, they are far more likely to become compromised via those vectors.  I wouldn't worry too much about the security of your Samba setup.  Once their desktops are compromised, so are (potentially) their fileserver accounts.


Edited by TTK Ciar, 29 June 2019 - 1535 PM.

  • 0

#4 Ivanhoe

Ivanhoe

    purposeful grimace

  • Members
  • PipPipPipPipPipPipPipPipPipPip
  • 32,085 posts
  • Gender:Male
  • Location:deep in the heart of ... darkness, USA
  • Interests:military technology, military history, weapon systems, management/organizational design, early American history

Posted 29 June 2019 - 1817 PM

One point to consider: If your Windows users install any third-party binaries or browse websites with javascript enabled, they are far more likely to become compromised via those vectors.  I wouldn't worry too much about the security of your Samba setup.  Once their desktops are compromised, so are (potentially) their fileserver accounts.

 

Good point, I am just being anal. It just irks me that MS hasn't tightened up network authentication for workgroups.


  • 0




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users