终于搞定了samba的文件夹访问权限设置
昨天下午w老师找我,说现在实验室的文件服务器(内网IP为xx.xx.xx.16,所以简称16)上面有一个文件夹需要设置访问权限,只有指定项目组的人能访问。于是乎昨天晚上在许大牛的协助下设置了半天,查了手册,试了好多方法,均告失败。今天上午继续折腾,通过查看samba的日志文件发现了问题所在,终于搞定了。
1. 问题背景
我们实验室的文件服务器装的是Ubuntu Server,它只负责存放文件,而把用户名和密码的验证工作交给另一台装有Windows Server 2003的服务器来做。这就给这次的任务造成了好多困难,因为手册上查到的关于设置访问权限的东东都是直接说,只要在smb.conf配置文件中相应文件夹的配置行添加一行
就可以了,可是具体的用户名(或者用户组)到底是16本地的UNIX用户名呢,还是Windows NT域控上的用户名(或者用户组)呢?没人讲。
原始的samba配置文件如下
security = ads
; netbios name = SVNSERVER
realm = CGCAD.COM
password server = 192.168.100.4
workgroup = CGCAD
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
client ntlmv2 auth = yes
encrypt passwords = true
winbind use default domain = yes
restrict anonymous = 2
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = No
printable = No
use client driver = No
browseable = No
load printers = No
[Software]
comment = Share Data
path = /var/software
read only = Yes
create mask = 0775
directory mask = 0775
browsable = Yes
public = Yes
writeable = No
force create mode = 0775
force directory mode = 0775
force security mode = 0775
guest ok = no
inherit permissions = yes
; nt acl support = yes
[TestGroup]
comment = Test Group Share Data
path = /var/TestGroup
read only = No
create mask = 0775
directory mask = 0775
browsable = Yes
public = Yes
writeable = Yes
force create mode = 0775
force directory mode = 0775
force security mode = 0775
guest ok = no
inherit permissions = yes
; nt acl support = yes
[Incoming]
comment = Incoming
path = /var/incoming
read only = No
create mask = 0777
directory mask = 0777
browsable = Yes
public = Yes
writeable = Yes
force create mode = 0777
force directory mode = 0777
force security mode = 0777
guest ok = Yes
inherit permissions = Yes
; nt acl support = Yes
除了打印机,我们一共有三个文件夹:Inconming,Software,TestGroup,其中Software对一般用户只开放了读权限,没有写权限;三个文件夹都需要用户在域控服务器上验证才能访问。
2. 失败的方法们
假设我们要把test group组的用户成员加入TestGroup文件夹的合法用户列表中,其中,test group组有user1,user2两个用户,他们在NT和UNIX上的用户名一样,用户组的名字则不同,在NT上的叫"test group",而在UNIX上的用户组则叫testgroup。
2.1 直接把valid users = @testgroup加入smb.conf文件中的 [TestGroup] 字段下,结果谁也不能访问这个文件夹了。
2.2 不使用组名,改为一个一个地添加用户: valid users = user1, user2 ,结果同上。
2.3 把NT用户组映射到UNIX用户组上,用 net groupmap modify ntgroup="test group" unixgroup=testgroup 命令(需要root权限),仍然不起作用。
2.4 后来w老师建议用简单的方法来解决,就是放弃samba,改用FTP服务;或者直接把TestGroup文件夹移到域控的NT服务器上,但是被许大牛否决了,因为这样相当于饮鸩止渴,还会带来潜在的安全问题;
3. 成功的方法
后来我想到了查看一下samba的登录日志,看看到底为什么相应的用户名被拒绝登录,于是乎在 smb.conf 中的 [global] 字段下面添加两行debug配置:
; xxx
debuglevel = 100
log file = /etc/samba/long.%m
其中%m代表客户机的netbios名,你当然也可以换成%u,%I等等,这些samba变量的意义如下:
%S 当前服务名(如果有的话)
%P 当前服务的根目录(如果有的话)
%u 当前服务的用户名(如果有的话)
%U 当前对话的用户名
%H 当前服务的用户的Home目录
%v Samba服务的版本号
%h 运行Samba服务机器的主机名
%m 客户机的NETBIOS名称
%L 服务器的NETBIOS名称
%M 客户机的主机名
%I 客户机的IP
%T 当前日期和时间
接着说,当设置好了debuglevel为最高的100之后,试图登录一下,失败,然后赶紧去看日志,发现samba在匹配用户名的时候用的并不是smb.conf中的原来的名称,而是在之前加了一个“CGCAD+” (注:CGCAD是我们的域名),于是乎本来填上去的 valid users = user1 被samba认为是 CGCAD+user1 ,然后按照这个名字去NT域控的用户名列表里面找,似乎没找到。于是乎我就干脆在smb.conf中也把user1前面加上CGCAD+试试,结果竟然成了!修改后的smb.conf如下:
security = ads
; netbios name = SVNSERVER
realm = CGCAD.COM
password server = 192.168.100.4
workgroup = CGCAD
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no
client ntlmv2 auth = yes
encrypt passwords = true
winbind use default domain = yes
restrict anonymous = 2
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = No
printable = No
use client driver = No
browseable = No
load printers = No
[Software]
comment = Share Data
path = /var/software
read only = Yes
create mask = 0775
directory mask = 0775
browsable = Yes
public = Yes
writeable = No
force create mode = 0775
force directory mode = 0775
force security mode = 0775
guest ok = no
inherit permissions = yes
; nt acl support = yes
[TestGroup]
comment = Test Group Share Data
path = /var/TestGroup
read only = No
create mask = 0775
directory mask = 0775
browsable = Yes
public = Yes
writeable = Yes
force create mode = 0775
force directory mode = 0775
force security mode = 0775
guest ok = no
inherit permissions = yes
valid users = @CGCAD+"test group"
;nt acl support = yes
[Incoming]
comment = Incoming
path = /var/incoming
read only = No
create mask = 0777
directory mask = 0777
browsable = Yes
public = Yes
writeable = Yes
force create mode = 0777
force directory mode = 0777
force security mode = 0777
guest ok = Yes
inherit permissions = Yes
; nt acl support = Yes
4. 结论
log file很重要。
samba很强大,但是很难配。
2010年7月22日 19:13
请问 能实现 有共享 A,B,C,D 四个 用户joy 只有 A , C 两个的权限 在joy登录以后发现B,D也显示了 怎么能让B,D不显示的。
2019年9月23日 17:24
The majority cleaning agencies and maid services offer many different options, with a deep-down one-time maintenance to repeatedly scheduled maintenance services. Based upon how much you like (or simply hate! )#) maintenance house, how big your home is and the way in which messy details get, you’ll ordinarily find a sufficient amount of options to choose the right one in your circumstances.