Linux-Samba Behavior control

Source: Internet
Author: User
Tags: microsoft website ntfs permissions

Behavioral Control (1)

With the user authentication source configured in section 6.3.2, the Samba server knows where its users come from. The natural next step is to take the user information from that source and configure, per user, what each one may do with a shared resource.

Shared folders in Windows can be controlled per user or per group, and the Samba server offers the same kind of control; Samba also has several controls that Windows does not implement by default.

Note: When the Samba user mapping feature is in use, every parameter that names a user must use the system (Unix) user name, not the Windows name. For example, when the system user tonyzhang is mapped to the Windows name tony through /etc/samba/smbusers, rights must still be granted to tonyzhang.

1. User Browse Permission Control

The browseable parameter controls whether a share is listed. With browseable = yes (the default) the share appears when the server is browsed; with browseable = no it is hidden. Hiding only affects the listing and says nothing about who may access the share. In the example below, smbtest is configured as a hidden share: it is not shown to a Windows client or to `smbclient -L` (Figure 6-28), but it can still be opened by entering the share name directly (Figure 6-29). This is the same behaviour as a Windows share whose name ends in $. Treat browseable = no as cosmetic, not as an access control: a share that must be restricted still needs valid users or the read/write parameters described below.

[smbtest]
    comment = This is smb test
    path = /test
    browseable = no


[Figure 6-28]


[Figure 6-29]


2. User access Rights control

Whether a user can access a shared resource is determined by the following parameters.

(1) public: sets whether anonymous (guest) users may access the share. public = yes allows it, public = no (the default) forbids it. guest ok is a synonym of public, so the two names refer to one setting; if both appear in a share definition, the later line is the one that takes effect. In the following example anonymous users are therefore not allowed to access smbtest, because public = no comes after guest ok = yes. Note that guest ok only permits guest access to the share; whether an unauthenticated or failed login is actually mapped to the guest account is decided by the global map to guest parameter.

[smbtest]
    comment = This is smb test
    path = /test
    guest ok = yes
    public = no

(2) valid users / invalid users: valid users sets the users or groups allowed to access the share (prefix a group name with @). Once it is set, every user not listed is refused. invalid users is the opposite list: users or groups that are refused even if they would otherwise be allowed. A user who appears in both lists is denied, because invalid users is the stronger check. Examples:

[smbtest]
    comment = This is smb test
    path = /test
    # Allow the user tonyzhang to access the share.
    valid users = tonyzhang
    # Or: allow all members of the sales group to access the share.
    # (Use one valid users line; a later line replaces an earlier one.)
    valid users = @sales

[smbtest1]
    comment = This is smb test1
    path = /test1
    # Do not allow the user tonyzhang to access the share.
    invalid users = tonyzhang
    # Or: do not allow any member of the sales group to access the share.
    invalid users = @sales

(3) wide links: sets whether symbolic links inside the share that point outside the share's path are followed. With wide links = yes such a link is followed; with wide links = no (the default in current Samba) the client gets an error instead. Leave this at no: with wide links = yes, any user who can create a symlink inside the share, or who finds one there, can reach any file the smbd process is permitted to read on the server. Current Samba also forces wide links = no while unix extensions = yes (the default), because the SMB1 Unix extensions let clients create symlinks themselves.


Behavioral Control (2)

3. User Read and Write permission control

Besides deciding who may access a share, Samba can control whether those users may read or write it. In Windows, the rights a user has on a shared folder that sits on an NTFS partition are the more restrictive of the NTFS permissions and the share permissions: if the user has Full Control in NTFS but the share permission is Read, access over the network is read-only. Samba works the same way: whether a user can read or write a resource over the network is determined both by the file or directory's own permissions on the file system and by the share's configuration in the Samba server. If a user should be able to read or write a share, first make sure that user has the corresponding permission on the file or directory itself. In the example in Figure 6-30, the Samba configuration alone suggests that a client authenticating as tonyzhang should be able to access the smbtest share, but the test directory grants no read permission to "other" users on the file system. Testing shows that tonyzhang cannot access the share.

[Figure 6-30]

You can bring the directory's own permissions in line with the Samba read/write settings either with chmod or with an ACL (setfacl) that grants specific users or groups their permissions. chmod is convenient but coarse: every client that reaches the directory through Samba and is neither its owner nor in its group falls into the "other" class, so mode bits cannot distinguish one Samba user from another. ACLs take more effort to configure but give per-user and per-group control, so ACLs are recommended.

Whether a user can write to a share is determined by the parameters below (for the SELinux context a writable share needs, see section 6.3.1).

(1) read only: whether the share is read-only. read only = yes (the default) makes the share read-only; read only = no makes it writable. Samba ignores case and whitespace in parameter names, so readonly and read only are the same parameter.

(2) read list: users or groups (prefix a group name with @) that get read-only access regardless of the read only setting.

[smbtest]
    comment = This is smb test
    path = /test
    # The users tonyzhang and tomyang get read-only access to the share.
    read list = tonyzhang tomyang
    # Or: all members of the sales group get read-only access to the share.
    read list = @sales

(3) writeable (also spelled writable): the inverted synonym of read only. writeable = yes means writable (the same as read only = no); writeable = no means not writable (the same as read only = yes).

(4) write list: users or groups (prefix a group name with @) that are granted write access regardless of the read only setting.

[smbtest]
    comment = This is smb test
    path = /test
    # The users tonyzhang and tomyang get write access to the share.
    write list = tonyzhang tomyang
    # Or: all members of the sales group get write access to the share.
    write list = @sales

(5) force user: a Unix user name that every connection to the share is treated as when it touches the file system. In the example below, whichever user writes to the share, the files and directories created are owned by tonyzhang (and by tonyzhang's primary group, unless force group is also set). Because every authenticated user then acts as that Unix account on the file system, pick an unprivileged account for it and never force user = root.

[smbtest]
    comment = This is smb test
    path = /test
    force user = tonyzhang

(6) force group (group is a synonym): the Unix group that every connection to the share is treated as belonging to. In the example below, files and directories created through the share by any user with write access get the group sales. The same result can also be achieved with the setgid bit on the directory.

[smbtest]
    comment = This is smb test
    path = /test
    read only = no
    group = sales

When read only, read list, writeable and write list are combined in one share, the following rules apply. They follow from smb.conf(5): read only and writeable are one setting, write list grants write access no matter what read only says, read list denies write access no matter what read only says, and a user in both lists gets write access.

(1) read only and writeable are inverted synonyms of one setting, so they cannot really conflict: the later line in the share replaces the earlier one. In the example below both lines say the same thing, and no user can write to smbtest.

[smbtest]
    comment = This is smb test
    path = /test
    read only = yes
    writeable = no

(2) read only = yes together with a write list: the users in the write list can write, everyone else is read-only. In the example below tonyzhang can write and all other users are read-only.

[smbtest]
    comment = This is smb test
    path = /test
    read only = yes
    write list = tonyzhang

(3) writeable = yes together with a read list: the users in the read list are read-only, everyone else can write. In the example below tonyzhang is read-only and all other users can write.

[smbtest]
    comment = This is smb test
    path = /test
    writeable = yes
    read list = tonyzhang

(4) A user who is in both the read list and the write list: the write list takes precedence. In the example below tonyzhang can write.

[smbtest]
    comment = This is smb test
    path = /test
    write list = tonyzhang
    read list = tonyzhang

(5) writeable = no together with a write list: writeable = no is the same setting as read only = yes, so the write list still applies. In the example below tonyzhang and tomyang can write and all other users are read-only.

[smbtest]
    comment = This is smb test
    path = /test
    writeable = no
    write list = tonyzhang tomyang

(6) writeable = yes together with a write list: the share is already writable for everyone, so the write list adds nothing. In the example below every user can write, not only tonyzhang and tomyang. To limit writing to those two users, use read only = yes with the write list, as in rule (2).

[smbtest]
    comment = This is smb test
    path = /test
    writeable = yes
    write list = tonyzhang tomyang

When writeable, write list and read only all appear in one share, apply the rules above in order: first resolve read only and writeable to a single value (the later line wins), then apply the write list and read list. The following is a combined example; it assumes that /test and /test1 have mode 777 on the file system.

[smbtest]
    comment = This is smb test
    path = /test
    writeable = yes
    read only = yes
    write list = tonyzhang tomyang

[smbtest1]
    comment = This is smb test1
    path = /test1
    read only = yes
    writeable = yes
    write list = @sales

In smbtest, read only = yes is the later line, so the share is read-only except for tonyzhang and tomyang, who are on the write list. In smbtest1, writeable = yes is the later line, so the share is writable for every user and the write list makes no difference; for only the sales group to be writable, remove the writeable = yes line. Because the outcome depends on line order, check what Samba actually loaded with `testparm -s` before relying on a share written this way.
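The rules above can be checked without a running server. The following Python script is an added example written for this page, not Samba's own code: it parses a small smb.conf fragment the way Samba does for these parameters (parameter names with case and whitespace ignored, later lines replacing earlier ones, writeable/writable folded onto read only, public folded onto guest ok) and then applies the documented precedence of guest ok, invalid users, valid users, write list, read list and read only. The configuration text is constructed for the example; `@name` is treated as a Unix group only (Samba also tries NIS netgroups and accepts `+` and `&` prefixes), and file-system permissions are left out of the model, as if every path were mode 777.

```python
"""Model of Samba's share-level access decisions (added example, not Samba code).

Follows smb.conf(5) for browseable, guest ok/public, valid users/invalid users,
read only/writeable, read list and write list.  Simplifications: '@name' is a
Unix group only, and file-system permissions are ignored (paths assumed 777).
"""
import re

# Constructed smb.conf fragment covering the conflict cases discussed above.
SAMPLE_CONF = """
[global]
    workgroup = WORKGROUP

[smbtest]
    comment = This is smb test
    path = /test
    # public is a synonym of guest ok; the later line wins, so no guest access
    guest ok = yes
    public = no
    # tomyang is in both lists; invalid users wins
    valid users = tonyzhang tomyang @sales
    invalid users = tomyang
    read only = yes
    write list = tonyzhang

[smbtest1]
    path = /test1
    # readonly and writeable are one setting; the later line wins: writable for all
    readonly = yes
    writeable = yes
    write list = @sales

[smbtest2]
    path = /test2
    # writeable = no is identical to read only = yes, so the write list still applies;
    # tomyang is in both read list and write list: write list wins
    writeable = no
    write list = tonyzhang tomyang
    read list = tomyang
    browseable = no
"""

def _norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()

def _bool(value):
    return value.strip().lower() in ("yes", "true", "1")

def parse_smb_conf(text):
    """Return {section: {canonical_param: value}}; a later line replaces an earlier one."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf only has whole-line comments
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            continue
        key, value = _norm(key), value.strip()
        if key in ("writeable", "writable", "writeok"):   # inverted synonyms of read only
            key, value = "readonly", ("no" if _bool(value) else "yes")
        elif key == "public":                              # synonym of guest ok
            key = "guestok"
        elif key == "browsable":
            key = "browseable"
        sections[current][key] = value
    return sections

def in_list(user, groups, value):
    """True if user, or one of the user's groups via '@group', is in the list."""
    groups = {g.lower() for g in groups}
    for entry in re.split(r"[\s,]+", value.strip()):
        if entry and entry[0] in "@+&":
            if entry[1:].lower() in groups:
                return True
        elif entry and entry.lower() == user.lower():
            return True
    return False

def can_browse(share):
    return _bool(share.get("browseable", "yes"))

def can_connect(share, user, groups, guest=False):
    """Guest connections need guest ok; invalid users beats valid users."""
    if guest:
        return _bool(share.get("guestok", "no"))
    if in_list(user, groups, share.get("invalidusers", "")):
        return False
    valid = share.get("validusers", "").strip()
    return not valid or in_list(user, groups, valid)

def can_write(share, user, groups):
    """write list beats read list, which beats the read only setting."""
    if in_list(user, groups, share.get("writelist", "")):
        return True
    if in_list(user, groups, share.get("readlist", "")):
        return False
    return not _bool(share.get("readonly", "yes"))     # read only = yes is the default

def decide(conf, share_name, user, groups=(), guest=False):
    """Return (listed, may_connect, may_write) for one user on one share."""
    share = conf[share_name.lower()]
    connect = can_connect(share, user, groups, guest)
    return can_browse(share), connect, connect and can_write(share, user, groups)

if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_CONF)
    for share in ("smbtest", "smbtest1", "smbtest2"):
        for user, groups in (("tonyzhang", ()), ("tomyang", ("sales",)), ("tom", ("hr",))):
            print(f"{share:9} {user:10} listed/connect/write = {decide(conf, share, user, groups)}")
```

Running it shows the two results that are easy to get wrong by reading the configuration top to bottom: smbtest1 is writable for every user because writeable = yes is the later line, and in smbtest2 the write list still grants write access although the share says writeable = no. The model deliberately stops at the share level; on a real server the file-system permissions of the path are checked afterwards and can still deny what the share allows.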



Behavioral Control (3)

4. Working with sub-configuration files

As described earlier, browseable gives something like a Windows hidden share, but with browseable = no the share is hidden from every user. What if a share should be visible only to specific users and neither visible nor accessible to everyone else? Windows sharing does not offer this by default (for Windows Server 2003 it can be added with the free Access-based Enumeration tool from the Microsoft website), while Samba can do it by referencing a sub-configuration file. Current Samba versions can also do this directly with the share parameter access based share enum = yes, which lists a share only to users who have read or write access to it.

Let's look at two examples that reference a sub-configuration file.

(1) The Samba server has a share smbtest (/test has mode 777) that should be visible, readable and writable to the user tomyang, and another share smbtest1 (/test1 also has mode 777) that should be visible, readable and writable to the user tonyzhang. With sub-configuration files this is done as follows.

①: Create a text file named tomyang.smb.conf under /etc/samba with the following content.

[smbtest]
    comment = This is smb test
    path = /test
    write list = tomyang

②: Create a text file named tonyzhang.smb.conf under /etc/samba with the following content.

[smbtest1]
    comment = This is smb test1
    path = /test1
    write list = tonyzhang

③: Reference the sub-configuration file. There are two ways to do this:

config file: add the following parameter to the [global] section.

[global]
    config file = /etc/samba/%u.smb.conf

include: add the following parameter to the [global] section.

[global]
    include = /etc/samba/%u.smb.conf

The difference between config file and include: with config file, the named file replaces the whole configuration when it exists, so a user connecting as tomyang sees only smbtest and none of the other shares defined in smb.conf, and a user connecting as tonyzhang sees only smbtest1. Because the replacement file is loaded on its own, it must also carry any [global] settings the server needs. With include, the named file is inserted into smb.conf at that point, so tomyang sees smbtest in addition to every other share defined in smb.conf, and tonyzhang sees smbtest1 in addition to them. In both cases %u expands to the Unix user name after authentication, and with config file a user for whom no such file exists simply gets the ordinary smb.conf. Keep these per-user files owned by root and not writable by the users they apply to, since whatever they contain becomes server configuration.

(2) The Samba server has a share smbtest (/test has mode 777) that should be visible, readable and writable to users whose primary group is sales, and another share smbtest1 (/test1 also has mode 777) that should be visible, readable and writable to users whose primary group is hr. With sub-configuration files this is done as follows. Note that %g expands to the primary group of the connecting user only; a user who belongs to sales merely as a supplementary group gets no file, and for such users the @group syntax inside one shared file is the better choice.

①: Create a text file named sales.smb.conf under /etc/samba with the following content.

[smbtest]
    comment = This is smb test
    path = /test
    write list = @sales

②: Create a text file named hr.smb.conf under /etc/samba with the following content.

[smbtest1]
    comment = This is smb test1
    path = /test1
    write list = @hr

③: Reference the sub-configuration file. There are two ways to do this:

config file: add the following parameter to the [global] section.

[global]
    config file = /etc/samba/%g.smb.conf

include: add the following parameter to the [global] section.

[global]
    include = /etc/samba/%g.smb.conf

5. Upload file Type control

Before Windows Server 2003 R2, Windows had no way to stop specific kinds of files from being stored on a file server. Samba can refuse files and directories whose names match given patterns with the veto files parameter. The value is a list of patterns delimited by / (for example /*.exe/*.bmp/), so / is the separator and a pattern can never contain a path; * and ? are wildcards within a pattern. Matching is done on the name of each path component, not on file content, so a vetoed file that is renamed is no longer vetoed. Placed in the [global] section the parameter applies to every share; placed inside a share definition it applies to that share only, and a share-level value replaces the global one rather than adding to it. In the following example, names containing root are vetoed in smbtest (through the global setting), while in smbtest1 the share-level value applies instead, so names ending in .exe and names containing .bmp are vetoed there and names containing root are not.

[global]
    veto files = /*root*/

[smbtest]
    comment = This is smb test
    path = /test
    writable = yes

[smbtest1]
    comment = This is smb test1
    path = /test1
    writable = yes
    veto files = /*.exe/*.bmp*/

veto files makes matching names both invisible and inaccessible: a client can neither list nor open such a file, and cannot create one, so uploads of vetoed names fail. The same applies to files that already matched the pattern before the parameter was configured; they are not deleted, they simply disappear from the client's view. hide files uses the same syntax but only marks matching names as hidden; they can still be opened by name. The related delete veto files parameter controls what happens when a client deletes a directory that still contains vetoed entries: with delete veto files = no (the default) the delete fails because, from the server's point of view, the directory is not empty; with delete veto files = yes Samba removes the vetoed entries and then the directory, provided no non-vetoed entry remains, in which case the delete still fails. Keep in mind that veto files is a name filter, not a content filter: it does not stop a client from uploading an executable under a permitted name.
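The following Python script is an added example for the two parameters above; it is not Samba's code but a model of the rules in smb.conf(5): the /-delimited list syntax, per-component name matching with * and ? wildcards, the share-level value replacing the global one, and the directory-delete behaviour of delete veto files. It assumes case-insensitive matching, as on a share with the default case sensitive = no, and the directory listing it runs over is constructed for the example.

```python
"""Model of Samba's veto files / delete veto files handling (added example, not Samba code)."""
import fnmatch

def parse_veto_list(value):
    """Split a veto files / hide files value such as '/*.exe/*.bmp*/' into its patterns.

    '/' is the delimiter, so a pattern can never contain a path; the empty
    pieces produced by the leading and trailing '/' are dropped.
    """
    return [p for p in value.split("/") if p]

def is_vetoed(name, patterns):
    """Match one path component against the patterns.

    Assumption: the comparison is case-insensitive, as on a share with the
    default 'case sensitive = no'.
    """
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)

def path_is_vetoed(path, patterns):
    """Every component is checked, so a vetoed directory hides its whole subtree."""
    return any(is_vetoed(part, patterns) for part in path.split("/") if part)

def effective_patterns(global_value, share_value=None):
    """A share-level veto files value replaces the global one; they are not merged."""
    return parse_veto_list(share_value if share_value is not None else global_value)

def client_view(entries, patterns):
    """The directory listing as the client sees it: vetoed names are simply absent."""
    return [e for e in entries if not is_vetoed(e, patterns)]

def rmdir_allowed(entries, patterns, delete_veto_files=False):
    """Server decision when a client deletes a directory that contains `entries`.

    Any non-vetoed entry blocks the delete.  If only vetoed entries remain,
    delete veto files = no (the default) still fails with 'directory not
    empty'; delete veto files = yes removes them and lets the delete proceed.
    """
    if client_view(entries, patterns):
        return False
    if not entries:
        return True
    return delete_veto_files

if __name__ == "__main__":
    # Constructed sample: the page's two settings applied to one directory listing.
    smbtest = effective_patterns("/*root*/")
    smbtest1 = effective_patterns("/*root*/", "/*.exe/*.bmp*/")
    listing = ["report.docx", "Setup.EXE", "rootkit-notes.txt", "logo.bmp.bak", "README"]
    print("smbtest sees: ", client_view(listing, smbtest))
    print("smbtest1 sees:", client_view(listing, smbtest1))
    print("rmdir, only vetoed files left, default:", rmdir_allowed(["a.exe"], smbtest1))
    print("rmdir, only vetoed files left, delete veto files = yes:",
          rmdir_allowed(["a.exe"], smbtest1, True))
```

The listing makes the replace-not-merge rule visible: rootkit-notes.txt is hidden in smbtest but shown in smbtest1, whose own veto files line has dropped the global *root* pattern. To veto both sets of names in smbtest1, the share-level value must repeat the global pattern, for example /*root*/*.exe/*.bmp*/.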


Reference: http://book.51cto.com/art/201108/282444.htm

This article is from the "--" blog; please keep this source: http://57388.blog.51cto.com/47388/1552802
