Linux--Samba access control

Source: Internet
Author: User

Access Control (1)

Section 6.3.3 focused on controlling which users may use a shared resource; there the administrative principal is the user. If you need to control access by host, there are several methods: you can use iptables (see Chapter 17), or you can use the access control built into the Samba service itself. In fact, the access control features provided by Samba are already very powerful. Host-based access control in Samba is implemented by two parameters: hosts allow (configures the clients permitted to access) and hosts deny (configures the clients that are denied access).

The hosts allow and hosts deny parameters can appear in the [global] configuration section (Figure 6-31), where they allow or deny clients connecting to the Samba server, or in the configuration section of a specific share (Figure 6-32), where they allow or deny clients accessing that share. What happens if hosts allow and hosts deny appear both in the [global] section and in a specific share's section? A client must first be able to connect to the Samba server before it can access any of its shares, so the global settings are evaluated first; when the hosts allow and hosts deny settings in the [global] section conflict with those of a specific share, the following rules apply.

(1) If the global hosts deny lists a client, that client cannot access any shared resource on the Samba server.

(2) If the global hosts allow lists a client, the following cases apply.

①: If only hosts deny is specified in a specific share and it does not conflict with the global configuration, the client can access that share.

[Figure 6-31: sam31.png]

[Figure 6-32: sam32.png]


②: If only hosts allow is specified in a specific share and its clients are a subset of those in the global configuration, only the clients listed in that share's hosts allow can access it.

③: If both hosts allow and hosts deny are specified in a specific share, first determine which clients the share allows or denies according to its own hosts allow and hosts deny rules, and then combine that result with the two rules above to obtain the final result.

If hosts allow conflicts with hosts deny within the [global] configuration or within a specific share, the following rules apply.

(1) If a client matches both hosts deny and hosts allow, hosts allow takes priority.

(2) If only hosts allow is set, all clients other than those listed in hosts allow are denied access.

(3) If only hosts deny is set, all clients except those listed in hosts deny can access.

1. Using IP Address Control

When using hosts allow and hosts deny, you can use IP addresses to precisely permit or deny specific clients access to the Samba server; see the examples below.

(1) The client with IP address 192.168.0.20 is not allowed to access the Smbtest share on the Samba server.

    [Smbtest]
        comment = This is SMB test
        path = /test
        hosts deny = 192.168.0.20

(2) Only the client with IP address 192.168.0.25 is allowed to access the Smbtest share on the Samba server.

    [Smbtest]
        comment = This is the SMB test
        path = /test
        hosts allow = 192.168.0.25

(3) In the following example, can the client with IP address 192.168.0.99 access the Smbtest share on the Samba server? Yes, it is allowed. Why? Because in Samba, hosts allow takes priority over hosts deny.

    [Smbtest]
        comment = This is the SMB test
        path = /test
        hosts allow = 192.168.0.99
        hosts deny = 192.168.0.99

2. Using Network Segment control

When using hosts allow and hosts deny, you can also allow or deny specific clients access to the Samba server by subnet. A subnet can be written as 192.168.0. (a network prefix ending in a dot), 192.168.0.0/24, or 192.168.0.0/255.255.255.0; each of these represents the 192.168.0.0 network with a 24-bit subnet mask. Let's look at a few examples.

(1) No client in 192.168.0.0/24 is allowed to access the Smbtest share on the Samba server.

    [Smbtest]
        comment = This is SMB test
        path = /test
        hosts deny = 192.168.0.

(2) Only clients in 192.168.0.0/24 are allowed to access the Smbtest share on the Samba server.

    [Smbtest]
        comment = This is the SMB test
        path = /test
        hosts allow = 192.168.0.

(3) Clients in 192.168.0.0/24 are not allowed to access the Smbtest share on the Samba server, except 192.168.0.99.

    [Smbtest]
        comment = This is SMB test
        path = /test
        hosts deny = 192.168.0.
        hosts allow = 192.168.0.99

(4) Only clients in 192.168.0.0/24, excluding 192.168.0.99, are allowed to access the Smbtest share on the Samba server.

    [Smbtest]
        comment = This is SMB test
        path = /test
        # the EXCEPT keyword means "not including"
        hosts allow = 192.168.0. EXCEPT 192.168.0.99


Access Control (2)

3. Using domain name control

When using hosts allow and hosts deny, you can use domain names to permit or deny specific clients access to the Samba server: an FQDN represents a specific client, and a domain name written with a leading dot represents all clients in that domain. Let's look at a few examples.

(1) The client whose FQDN is client1.example.com is not allowed to access the Smbtest share on the Samba server.

    [Smbtest]
        comment = This is SMB test
        path = /test
        hosts deny = client1.example.com

(2) Only clients in the example.com domain are allowed to access the Smbtest share on the Samba server.

    [Smbtest]
        comment = This is SMB test
        path = /test
        hosts allow = .example.com

(3) Clients in the example.com domain are not allowed to access the Smbtest share on the Samba server, except 192.168.0.99.

    [Smbtest]
        comment = This is the SMB test
        path = /test
        hosts deny = .example.com
        hosts allow = 192.168.0.99

(4) Only clients in the example.com domain, excluding the IP address 192.168.0.99, are allowed to access the Smbtest share on the Samba server.

    [Smbtest]
        comment = This is the SMB test
        path = /test
        hosts allow = .example.com EXCEPT 192.168.0.99

4. Using wildcard controls

When using hosts allow and hosts deny, you can also represent a set of clients with wildcard keywords: ALL for all clients, * for any string of characters, ? for a single character, and LOCAL for local hosts. Let's look at a few examples.

(1) Deny all clients except 192.168.0.99 and 192.168.0.100 access to the Smbtest share on the Samba server.

    [Smbtest]
        comment = This is the SMB test
        path = /test
        hosts deny = ALL
        # multiple entries are separated by spaces
        hosts allow = 192.168.0.99 192.168.0.100

(2) Deny all clients access to the Smbtest share on the Samba server except clients in the 192.168.0.0/24 segment (excluding 192.168.0.99).

    [Smbtest]
        comment = This is the SMB test
        path = /test
        hosts deny = ALL
        hosts allow = 192.168.0. EXCEPT 192.168.0.99

Here is a comprehensive example that combines the forms of hosts allow and hosts deny shown above: only 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24 may connect to the Samba server; only clients in the .example.com domain, excluding 192.168.0.99, may access the share named Smbtest; and only clients in 192.168.1.0/24 may access the share named Smbtest1.

(1) Add the following parameters to the [global] section.

    [global]
        hosts allow = Lo 192.168.0. 192.168.1. 192.168.2.

(2) Add the following parameters to the specific shares.

    [Smbtest]
        comment = This is the SMB test
        path = /test
        hosts allow = .example.com EXCEPT 192.168.0.99

    [Smbtest1]
        comment = This is the SMB test1
        path = /test1
        hosts allow = 192.168.1.
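To check a planned hosts allow / hosts deny configuration before deploying it, the following Python script (added here; it is not from the original article or from Samba) re-implements the precedence rules stated above and the entry forms used in sections 1 to 4: exact IP, network prefix with a trailing dot, CIDR or netmask, .domain, FQDN, ALL and EXCEPT. It does not model the wildcard or LOCAL keywords, and client host names are passed in as constructed values rather than resolved by DNS.

```python
import ipaddress
import re

def match_token(tok, ip, fqdn):
    """One hosts allow / hosts deny entry in the forms the article shows:
    ALL, a.b.c.d, a.b.c. (network prefix), CIDR or netmask, .domain, FQDN."""
    if tok.upper() == "ALL":
        return True
    if tok.startswith("."):                      # ".example.com" -> whole domain
        return fqdn.lower().endswith(tok.lower())
    if "/" in tok:                                # 192.168.0.0/24 or 192.168.0.0/255.255.255.0
        return ip in ipaddress.ip_network(tok, strict=False)
    if tok.endswith("."):                         # "192.168.0." -> whole /24 prefix
        return str(ip).startswith(tok)
    try:
        return ip == ipaddress.ip_address(tok)    # exact address
    except ValueError:
        return fqdn.lower() == tok.lower()        # exact host name

def list_match(spec, ip, fqdn):
    """True if the client matches an entry before EXCEPT and none after it."""
    parts = re.split(r"\s+except\s+", spec.strip(), maxsplit=1, flags=re.I)
    listed = parts[0].split()
    excepted = parts[1].split() if len(parts) > 1 else []
    return (any(match_token(t, ip, fqdn) for t in listed)
            and not any(match_token(t, ip, fqdn) for t in excepted))

def allow_access(hosts_allow, hosts_deny, client_ip, client_fqdn=""):
    """Precedence rules from the article: no lists -> allow; allow only -> must be
    listed; deny only -> must not be listed; both -> allow wins, then deny, else allow."""
    ip = ipaddress.ip_address(client_ip)
    has_allow, has_deny = bool(hosts_allow.strip()), bool(hosts_deny.strip())
    if not has_allow and not has_deny:
        return True
    if has_allow and not has_deny:
        return list_match(hosts_allow, ip, client_fqdn)
    if has_deny and not has_allow:
        return not list_match(hosts_deny, ip, client_fqdn)
    if list_match(hosts_allow, ip, client_fqdn):
        return True
    return not list_match(hosts_deny, ip, client_fqdn)

def share_access(global_allow, global_deny, share_allow, share_deny, ip, fqdn=""):
    """[global] lists gate the connection; the share's lists are checked only after."""
    return (allow_access(global_allow, global_deny, ip, fqdn)
            and allow_access(share_allow, share_deny, ip, fqdn))
```

For the comprehensive example above, share_access("Lo 192.168.0. 192.168.1. 192.168.2.", "", ".example.com EXCEPT 192.168.0.99", "", "192.168.0.5", "pc1.example.com") returns True, while the same call for 192.168.0.99 returns False.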



Reference: http://book.51cto.com/art/201108/282445.htm

This article is from the "--" blog, please be sure to keep this source http://57388.blog.51cto.com/47388/1552803
