4. SMB Authentication
Network File Share or SMB Authentication allows a user to use their existing network password for recorder authentication.
All other user attributes (name, email, permissions, groups, etc.) are managed via the recorder’s Local Authentication configuration.
Fig. 4.1 SMB Authentication Configuration
4.1. How It Works
When a user logs in to the NexLog DX-Series recorder, the credentials entered are tested against the recorder’s local authentication database.
If the credentials do not match, they are transmitted to the configured network file share.
If the supplied credentials work against the network file share, the user is considered authenticated and the login will be processed. The user’s permissions for the file share are not considered, only their authentication to it.
If the network file share does not authenticate with the supplied credentials, the login is rejected.
4.2. Prerequisites
To set up SMB Authentication you must have:
An SMB or CIFS network file share
It must be accessible from the recorder.
Login users must be able to authenticate to this share, even if read access is denied.
The IP address of the server hosting the network file share
The domain name, if any, associated with the login users
List of users with recorder access
4.3. Create the File Share
Create a shared folder on a server or computer that is accessible from the NexLog DX-Series recorder.
If there is a firewall in place between the server and recorder, ensure that the firewall is allowing the traffic listed below between the two servers.
Microsoft SMB TCP | tcp/135 through tcp/139
Microsoft SMB UDP | udp/135 through udp/139
NetBIOS TCP | tcp/445
NetBIOS UDP | udp/445
Caution
SMB file shares can be created without encrypted communication. This means that if an insecure SMB protocol is used, a network monitor may be able to see the login credentials in plain-text. For this reason, SMB 1.0 should not be used.
Optional: Create a new text file in the shared folder called DO NOT DELETE. Edit the new text file to add a message explaining what the share is used for. This may help prevent accidental deletion by a future system administrator.
4.4. Configure SMB Authentication
Once the file share has been created and user access has been tested, you can proceed with configuring the NexLog DX-Series recorder.
Log in to the web configuration manager and navigate to . Refer to Figure 4.1 for an input example.
Select the radio button for Network File Share (SMB).
In the Service field, enter the full location of the network file share. The location must be entered in Linux Samba format, using forward slashes / instead of the Windows format using backslashes \. The full location takes the form //hostname/share name.
If the file share is accessed on a Windows PC using \\files.contoso.net\NLAuth, then you would enter //files.contoso.net/NLAuth.
In the IP field, enter the IP address of the server hosting the network file share.
In the Workgroup field, enter the NetBIOS domain or workgroup name of users logging in with SMB Authentication. If your domain name is contoso.net, this would likely be CONTOSO.
Save your changes when finished.
4.5. Create SMB Users
Creating a local user account that will be used with SMB follows the same principles as Local Authentication, with two exceptions.
4.5.1. SMB Usernames
The username on the recorder must match the username as it appears on the file share server.
If the username on the server (or Active Directory) is JohnSmith852, it must be entered on the recorder as JohnSmith852.
The following would all be invalid usernames for JohnSmith852, and may prevent the user from being able to log in:
johnsmith852
johnSmith852
Johnsmith852
JOHNSMITH852
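A pre-flight check for the Service field format from section 4.4 and the exact-match username rule above, given as an added example that is not part of the NexLog documentation or software. The function names, the idea of comparing against a username list exported from the file share server, and the sample data are assumptions.

```python
import re

def unc_to_service(location: str) -> str:
    """Return the //hostname/share form expected by the Service field."""
    path = location.strip().replace("\\", "/")
    # Assumption of this check: exactly one host and one share component.
    match = re.fullmatch(r"//([^/\s]+)/([^/]+)/?", path)
    if match is None:
        raise ValueError(f"not a //hostname/share location: {location!r}")
    return f"//{match.group(1)}/{match.group(2)}"

def audit_usernames(recorder_users, server_users):
    """Compare recorder usernames with the spellings used on the server.

    Returns {recorder_name: (status, server_spelling_or_None)} where status
    is "ok", "case_mismatch" (differs from the server only by letter case)
    or "missing" (no such account on the server).
    """
    exact = set(server_users)
    folded = {name.casefold(): name for name in server_users}
    report = {}
    for name in recorder_users:
        if name in exact:
            report[name] = ("ok", name)
        elif name.casefold() in folded:
            report[name] = ("case_mismatch", folded[name.casefold()])
        else:
            report[name] = ("missing", None)
    return report

if __name__ == "__main__":
    # Constructed sample data, not taken from a real system.
    print(unc_to_service(r"\\files.contoso.net\NLAuth"))
    server = ["JohnSmith852", "A.Rivera"]
    recorder = ["JohnSmith852", "johnsmith852", "a.rivera", "TempUser"]
    for user, (status, expected) in audit_usernames(recorder, server).items():
        print(f"{user:14} {status:14} {expected or ''}")
```

Any entry reported as case_mismatch should be re-entered on the recorder with the server's spelling before the user attempts an SMB login.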
4.5.2. SMB Passwords
When creating a new locally authenticated user, a password must be provided. SMB Authentication is no exception to this, since SMB credentials are tested after local credentials.
When creating the user, create a long, secure password. This password does not need to be provided to the user.