LinuxQuestions.org
Old 02-03-2014, 04:42 PM   #1
Iamsauce4
LQ Newbie
 
Registered: Jun 2013
Posts: 4

Rep: Reputation: Disabled
Samba security = user AND ads?


TLDR; can I add "security = user, ads" to smb.conf for domain and local SMB authentication? Is domain authentication safe in a DMZ?

We've just replaced an FTP server with an SFTP server in our DMZ and it's been working great. Our developers access the upload directories with SMB to ingest into our news feeds.

Now the developers need this SMB share to authenticate to Active Directory for some of their scripts, but I don't want to break the shares I've already got working. Can I add "security = user, ads" to smb.conf? If a domain lookup fails, will it fail over to the local smb user database? Also, is it safe to have hashed domain usernames and passwords in an Ubuntu server in the DMZ?

Thanks for any insight you can provide.
 
Old 02-03-2014, 05:04 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,341

Rep: Reputation: Disabled
No, you cannot specify multiple security modes; it's either "user" (local user database) or "ads" (AD authentication).

"security = ads" means you don't store hashed passwords on the Samba server at all, as all authentication is done via Kerberos against an AD domain controller. The only account an intruder would immediately be able to access is the AD computer account for the Samba server itself.

Whether it's "safe" or not to store hashed data on a server in a DMZ would depend on a number of factors, such as:
  • the quality of the hash algorithm
  • whether the hashes are salted
  • how well the hashed passwords can withstand a dictionary attack
  • what (if anything) such a hash can be used for (some broken and deprecated MS authentication algorithms make it possible to authenticate using only the hash)
  • and of course, how difficult it is to compromise the server and how long it would take you to notice that a break-in had taken place

Last edited by Ser Olmy; 02-03-2014 at 05:05 PM.
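
A small pre-deployment check for the point made in this answer, added here as an example and not posted by anyone in the thread: it reads the `[global]` section of smb.conf text and rejects a `security` line that names more than one mode, such as the "user, ads" asked about. The sample config, the function names and the message wording are constructed for illustration; the accepted values are the ones smb.conf(5) documents for Samba 4, and `include` lines and backslash continuations are not handled.

```python
import re

# Values smb.conf(5) documents for "security" in Samba 4.
VALID_MODES = {"auto", "user", "domain", "ads"}

# Constructed sample: the setting the original poster asked about.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   ; constructed sample, not taken from the thread
   Security = user, ads
[uploads]
   path = /srv/uploads
"""

def global_params(text):
    """Return {name: value} for [global]; names lowercased, whitespace removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = re.sub(r"\s+", "", header.group(1)).lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def check_security(text):
    """Return (ok, message) for the 'security' setting in smb.conf text."""
    value = global_params(text).get("security")
    if value is None:
        return True, "security not set; Samba uses its default"
    mode = value.lower()
    if mode not in VALID_MODES:
        return False, f"invalid security value {value!r}: exactly one mode is allowed"
    if mode == "user":
        return True, "security = user: password hashes live in the local user database"
    if mode == "ads":
        return True, "security = ads: authentication goes to the AD domain controller"
    return True, f"security = {mode}"

if __name__ == "__main__":
    print(check_security(SAMPLE_CONF))
```

On a real host, `testparm` remains the authoritative validator for the installed Samba version.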
 
Old 02-04-2014, 10:25 AM   #3
Iamsauce4
LQ Newbie
 
Registered: Jun 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thank you for the insight! I'll schedule a maintenance and connect this to our active directory environment as soon as I get a chance.
 
  

