The following content is reproduced from http://hi.baidu.com/jyj888/blog/item/0f95dc35b16c3a5b241f1463.html
Part 1: Control options of the Samba service
User Control
public = no    anonymous users are not allowed access
browseable = yes    do not hide the directory (anyone who knows the directory name can access it either way) (system default is yes, so it can be omitted)
valid users = a user, a list of users, or @group
writable = yes    writable (the directory itself must also be writable)
write list = a user, a list of users, or @group
read only = yes    whether the share is read-only (system default is yes, so it can be omitted)
create mask = 0744    controls the permissions of files created by clients (0744 by default)
directory mask = 0744    controls the permissions of directories created by clients (0755 by default)
Access Control
max connections = maximum number of connections
deadtime = idle time before disconnection, in minutes (0 means no limit)
Note: add these to [global].
hosts deny = .sale.com .net free    denies access to clients in the .sale.com domain, clients in the .net domain, and the host named free.
hosts deny = ALL    ALL matches all clients. Common wildcards include "*", "?", "LOCAL", etc.
hosts allow = 192.168.0. EXCEPT 192.168.0.100 192.168.0.78    allows access from the 192.168.0.0 address range, except 192.168.0.100 and 192.168.0.78.
Note: these can be set in [global] or in an individual share.
Note: hosts allow takes priority.
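A simplified model of how the hosts allow and hosts deny lists above combine, as an added example rather than Samba's own code or anything from the original page. The function names are hypothetical; only ALL, exact IP addresses, trailing-dot prefixes and EXCEPT are modeled, and the sample lists are the ones from this section.

```shell
# Simplified model of Samba host access checks (added example, not Samba code).
# Not modeled: host names, netmasks, wildcards, loopback special-casing.

# match_list IP "LIST": succeed if IP matches LIST, honouring EXCEPT.
match_list() {
    ip=$1; hit=1; in_except=0
    for tok in $2; do
        if [ "$tok" = "EXCEPT" ]; then in_except=1; continue; fi
        case "$tok" in
            ALL) m=0 ;;
            *.)  case "$ip" in "$tok"*) m=0 ;; *) m=1 ;; esac ;;  # prefix such as 192.168.0.
            *)   [ "$ip" = "$tok" ] && m=0 || m=1 ;;              # exact address
        esac
        if [ "$m" -eq 0 ]; then
            # A match after EXCEPT cancels any earlier match.
            [ "$in_except" -eq 1 ] && return 1
            hit=0
        fi
    done
    return "$hit"
}

# host_decision IP "HOSTS_ALLOW" "HOSTS_DENY": prints allow or deny.
host_decision() {
    ip=$1; allow=$2; deny=$3
    # hosts allow takes priority over hosts deny.
    if [ -n "$allow" ] && match_list "$ip" "$allow"; then echo allow; return; fi
    if [ -n "$deny" ] && match_list "$ip" "$deny"; then echo deny; return; fi
    # An allow list on its own is exclusive: every other client is refused.
    if [ -n "$allow" ] && [ -z "$deny" ]; then echo deny; return; fi
    echo allow
}

# The hosts allow line from this section, checked for one excluded address.
host_decision 192.168.0.100 "192.168.0. EXCEPT 192.168.0.100 192.168.0.78" ""
```

On a real server, testparm given a host name and IP address after the configuration file reports the decision Samba itself makes for that client.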
Part 2: Several key fields
Add these to [global] as needed. They look simple, but they are powerful, and you will come to understand them as you use them.
include = /etc/samba/%G.smb.conf
include = /etc/samba/%u.smb.conf
username map = /etc/samba/smbusers    the file that maps client user names to user accounts
Part 3: Samba-related commands
Batch-adding SMB users (something many people want)
# for user in <list of users>
> do
> useradd -G <group> -s <shell> "$user"
> smbpasswd -a "$user"
> done
Commands for editing SMB user accounts
smbpasswd
smbpasswd -a    add an account
smbpasswd -d    disable an account
smbpasswd -e    enable an account
smbpasswd -x    delete an account
smbpasswd    change a user's password
pdbedit
pdbedit -L    list SMB accounts
pdbedit -a    add an account
pdbedit -x    delete an account
Note: use whichever of the two commands suits your needs.
Access tools for Linux clients
smbtree    displays all hosts and shared directories on the LAN
smbtree -D    displays only the workgroups or domain names on the LAN. -U username%passwd can be appended to browse with that user's access rights.
nmblookup <NetBIOS host name or workgroup>    # display the corresponding IP address
smbclient command format
smbclient -L //<host name or IP address> -U <login username>    # list the shared resources of the target host
smbclient //<host name or IP address>/<share name> -U <login username>    # use a shared resource
mount command format
mount //<target IP address or host name>/<share name> <mount point> -o username=<username>    # mount the share
umount <mount point>    # unmount the share
smbtar -s server -u user -p passwd -x sharename -t output.tar    # back up remote content to the local machine
tar tvf *.tar    # view the contents of the tar archive
Part 4: Worked instances
[Instance 1] Employees can store their files on the server no matter which machine in the company they work on, but they cannot use a shell on the server. (Note: Samba has a default share for users' home directories. We only need to set user-level security, then add the users and give them an unusable shell.)
The smb.conf configuration file is changed as follows:
security = user
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
After configuration, restart the smb service.
# useradd user -s /dev/null
# smbpasswd -a user
After adding the user name and password, you can test right away. There is no need to restart the smb service.
[Instance 2] Create the shared directory student, whose local path is "/home/student". Only users in the teachers group can read and write the directory; users in the students group can only read it. (Note: the key is to give different groups different permissions on the same directory. The student directory belongs to the students group and its "other" permission is set to 7. We use this "other" permission to give the teachers group access to the student directory, and restrict user access through the Samba configuration file.)
# mkdir /home/student
# groupadd students
# groupadd teachers
# useradd -G students user
# useradd -G teachers user
# smbpasswd -a user
# chgrp students /home/student
# chmod 757 /home/student
# chmod g+s /home/student
The smb.conf configuration file is changed as follows:
security = user
[Student]
path = /home/student
comment = student
write list = @teachers
valid users = @teachers @students
Restart the smb service for testing.
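The 757 mode in Instance 2 gives write access to every local account, not only to the teachers group, so it is worth knowing which shares depend on it. The following shell function is an added example (not from the original page; the function name is hypothetical) that lists the shares in an smb.conf whose directory has the "other" write bit set.

```shell
# world_writable_shares CONF: print "share<TAB>path" for every share in CONF
# whose directory carries the "other" write bit (as chmod 757 sets it).
world_writable_shares() {
    conf=$1
    # Pair each "path = ..." line with the "[section]" header above it.
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[.*\]/ {                           # section header
            s = $0
            sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            next
        }
        tolower($0) ~ /^[ \t]*path[ \t]*=/ {        # share path
            p = $0
            sub(/^[^=]*=[ \t]*/, "", p); sub(/[ \t]+$/, "", p)
            print s "\t" p
        }
    ' "$conf" |
    while IFS="$(printf '\t')" read -r share path; do
        # find -prune looks at the directory itself; -perm -0002 matches
        # when the write bit for "other" is set.
        if [ -d "$path" ] &&
           [ -n "$(find "$path" -prune -perm -0002 2>/dev/null)" ]; then
            printf '%s\t%s\n' "$share" "$path"
        fi
    done
}
```

Run it as world_writable_shares /etc/samba/smb.conf; with the configurations on this page it reports [Student] but not the 770 directories of Instance 3.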
[Instance 3] The company has two departments (sales and market). Each department has its own shared directory, which can only be accessed by the general manager and the employees of that department; employees are prohibited from accessing the shared directory of a department that is not their own. (Note: this is similar to Instance 2, except that one of the user groups is replaced by a single user. With this extra user, you only need to make the general manager the owner of the folder and the department's group the folder's group.)
# mkdir /home/sales
# mkdir /home/market
# groupadd sales
# groupadd market
# useradd -G sales user
# useradd -g market user
# smbpasswd -a user
# chgrp sales /home/sales
# chgrp market /home/market
# chown CEO /home/sales
# chown CEO /home/market
# chmod 770 /home/sales
# chmod 770 /home/market
# chmod g+s /home/sales
# chmod g+s /home/market
The smb.conf configuration file is changed as follows:
security = user
[Sales]
path = /home/sales
comment = Sales
write list = @sales CEO
valid users = @sales CEO
create mask = 0770
directory mask = 0770
[Market]
path = /home/market
comment = Market
write list = @market CEO
valid users = @market CEO
create mask = 0770
directory mask = 0770
Restart the smb service for testing.
[Instance 4] When logging on, each user sees only the shared directories they can access, not those they have no permission for.
(Note: this is achieved mainly by loading separate configuration files. Set the appropriate permissions in each separate file and add the include lines to the main Samba configuration file; no other settings are required.)
I will not write out the steps for adding users here; they are no different from the above. (Skipped)
First, make copies of the smb.conf file named after the corresponding user or group, for example smb.conf.user and smb.conf.group.
Then configure each of these files.
For example, smb.conf.CEO
[Sales]
comment = Sales
path = /home/sales
writeable = yes
valid users = CEO
create mask = 0770
directory mask = 0770
[Markets]
comment = markets
path = /home/Markets
writeable = yes
valid users = CEO
create mask = 0770
directory mask = 0770
For example, smb.conf.sales
[Sales]
comment = Sales
path = /home/sales
writeable = yes
valid users = @sales
create mask = 0770
directory mask = 0770
For example, smb.conf.markets
[Markets]
comment = markets
path = /home/Markets
writeable = yes
valid users = @markets
create mask = 0770
directory mask = 0770
The main configuration file is as follows:
security = user
include = /etc/samba/smb.conf.%G
include = /etc/samba/smb.conf.%u
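To preview what Instance 4 exposes to a given account, the following added shell function (not from the original page; the function name is hypothetical) expands the %G and %u include lines of the main configuration file and lists the share sections they pull in. It assumes that %G is the user's primary group and that an include file that does not exist contributes nothing.

```shell
# visible_shares MAIN_CONF USER GROUP: print the share sections that the
# include lines of MAIN_CONF pull in for this user and primary group.
visible_shares() {
    main=$1; user=$2; group=$3
    # Refuse names that could change the file path or break the sed script.
    case "$user" in ""|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$group" in ""|*[!A-Za-z0-9._-]*) return 1 ;; esac
    # Take the include targets and substitute %u and %G, the two variables
    # used by the main configuration file on this page.
    sed -n 's/^[[:space:]]*[Ii]nclude[[:space:]]*=[[:space:]]*//p' "$main" |
    sed -e "s/%u/$user/g" -e "s/%G/$group/g" |
    while read -r file; do
        # Assumption: a missing include file is skipped, so an account
        # without its own file gains no shares from that line.
        [ -r "$file" ] || continue
        # Print the name inside each [section] header.
        sed -n 's/^[[:space:]]*\[\(.*\)\][[:space:]]*$/\1/p' "$file"
    done | sort -u
}
```

For example, visible_shares /etc/samba/smb.conf CEO sales prints the sections of both smb.conf.sales and smb.conf.CEO, each once.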
Finally, if SELinux is enabled:
After the Samba server is started, the shared directory is displayed but cannot be accessed, and an insufficient-permission error is reported. Run the following command:
tail /var/log/messages
'/home/lyy' does not exist or permission denied when connecting to [lyy] error was permission is insufficient
SELinux is preventing the samba daemon from reading users home directories. For complete SELinux messages. run sealert -l a0c1c154-bc37-44f5-a6eb-cfc88fed18b9
Run as prompted:
sealert -l a0c1c154-bc37-44f5-a6eb-cfc88fed18b9
You will see more detailed guidance; follow it:
Allowing Access
If you want samba to share home directories you need to turn on
the samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
The following command will allow this access:
setsebool -P samba_enable_home_dirs=1
Run:
setsebool -P samba_enable_home_dirs=1
After it runs successfully, you can access the directory normally. The -P parameter makes the setting permanent.
Note that setsebool is located in /usr/sbin. If the system reports that the setsebool command cannot be found, add that path.
In addition, http://xingxing5421.blog.163.com/blog/static/11944631920108309309395/ is also a useful reference.