This series is compatible with Linux certification exam LPIC. A typical Linux user-level topics omitted, I am picked up the contents of the system management and server management. In addition, not only LPIC measures, we have questions problem asking a systematic understanding of related topics. Characteristics of series is that it is stated as possible version of the program of interest, relatively new coherent commentary still small topic is important but it is taken in favor of topics elusive. To solve the problem, you wear a force that can take advantage of Linux in practice by reading the commentary.

 

This distribution: CentOS 5.2

■ The key to solving the problem [1] [2]

When solving the setting and testing issues related to this topic, the following items will be to the point.

[1] set the Samba user authentication and file access rights

Samba server by the Windows SMB (Server Message Block) protocol, is a server that provides file sharing, printer sharing services. Functions and primary / backup domain controller, there is also a function of the WINS server to provide the corresponding information for the NetBIOS name and IP address, you have to Samba package includes client software.

By using the Samba server, in a network UNIX / Linux and Windows are mixed, you will be able to share the resources of a file or printer.

The following two server processes to provide services in the Samba server.

smbd
File sharing, and provide SMB services such as printer sharing. Listening port number is 139 / tcp and 445 / tcp

nmbd
Provides NetBIOS name service. Listening port number is 137 / udp and 138 / udp

(Note 1), CentOS 5.2 server processes smbd and nmbd start / stop / restart, the / etc / init.d / smb script, start each, stop, and run it with the argument of restart

# /etc/init.d/smb Start

(Example) start of the Samba server

Also, as in the recent Fedora distributions, but some smb and nmb is in a separate script. Samba server configuration file is smb.conf.

(Note 2) path name of the smb.conf of CentOS 5.2 is /etc/samba/smb.conf

This file is made up of several sections. Section I will describe as [section name]. [Global], [homes], has been reserved section name of [printers].

[Global]
This is the section that sets the parameters for the entire server. You can also set the default values ​​for each section

[Homes]
This is the section that sets the parameters relating to share the user's home directory

[Printers]
This is the section that sets parameters for printer sharing.

Other section name is attached to freedom, you can set a shared service. Section name is the share name. The parameters required for each section, I set in the format "parameter name = value". format of smb.conf file I can check in testparm command.

# Testparm

Load smb config files from /etc/samba/smb.conf

Processing section "[homes]"

Processing section "[printers]"

...............................

Loaded services file OK.

Server role: ROLE_DOMAIN_PDC

Press enter to see a dump of your service definitions

[Global]

workgroup = MYGROUP

server string = Samba Server Version% v

................................

(Example)

Also, if you specify the -v option as testparm -v, also appears default values ​​that are not specified in smb.conf.

Configuration parameters (also known as optional) I have more than 300 kinds. This article is in the range of LPIC 101,201 test, I will focus parameters for high user authentication and file access rights tend to be questions.

[2] I to know about managing Samba user account

(1) of the user accounts database

In Samba 2.2 user name, account information, such as passwords are stored in the smbpasswd file.

User accounts from Samba 3.0 I will be stored in the database that is specified in the parameter passdb backend = of the [global] section.

passdb backend = tdbsam
I use the TDB (Trivial DataBase)

passdb backend = ldapsam
I use LDAP

TDB can manage a lot of attribute information than conventional smbpasswd file.

In addition to this, there is a passdb backend = smbpasswd for backwards compatibility. You can use the smbpasswd file When this setting.

(2) user authentication method

User authentication method I specified in the parameter security = of the [global] section.

security = user
Set to perform local authentication with a user name and password

security = share
Set to perform the authentication only with a password

security = domain
Set to perform the authentication by domain controller

security = server
Set to perform the authentication by other SMB server

security = ads
AD settings you authenticate with the domain controller (active directory) domain

In addition, security = domain, security = server, in the case of any of the settings of the security = ads I will specify the server to authenticate with the password server =.

(3) user registration

Samba user registration in the smbpasswd command in Samba2.2, I done in the pdbedit command from Samba3.0.

User to be registered does not already must be a user that exists as a UNIX account of the system.

# Smbpasswd -a user01

I register the user01 in (Example 1) smbpasswd

# Pdbedit -a user01

I register the user01 in (Example 2) pdbedit

(4) Change Password

I done in the smbpasswd command if the user to change their password.

$ Smbpasswd

Old SMB password:

New SMB password:

Retype new SMB password:

Password changed for user user01

(Example) user user01 to change their password

Also from Windows, after you have logged Press Ctrl + Alt + Del, you can change from the password change screen.

(5) Password Synchronization

And password for the UNIX account of system, password and is separately set the Samba user account, it will be managed.

However, unix password sync, passwd program, by properly setting the three parameters of the passwd chat, in synchronization with the change of the Samba password, you can set as UNIX account password is also changed.

as unix password sync = yes, and then to synchronize setting of password.

the passwd program = value of I is specified in the password setting command (passwd command). This command root runs.

The passwd chat = a, and then specify the string of conversation (chat) with the passwd command and the system.

unix password sync = yes

passwd program = / usr / bin / passwd% u

passwd chat = *% n \ n *% n \ n *

(Setting Example)

(6) Set the guest account

If the user that the Samba server does not have the account has access, you can set that by mapping it to a specific UNIX account (guest account) to allow access.

This, guest ok, guest account, and is performed by appropriately setting the values ​​of the three parameters of the map to guest.

I will allow access on the guest account as guest ok = yes. The same is true as public = yes.

the value of the guest account = I specified for a particular UNIX account.

the map to guest = value, and then to set dealing if the user does not exist as a Samba user has access as a guest account.

guest ok = yes

guest account = nobody

map to guest = Bad User

(Setting Example)

(Note 4) as the set value of the map to guest, include the following:

Never
Reject the user's login request with an incorrect password

Bad User
Deny the user's login request with an incorrect password, it is treated as a guest login if the specified user did not exist. In this case, I will be with the user specified in the guest account

Bad Password
User login requests with an incorrect password is I treat as a guest user. In this case, I will be with the user specified in the guest account

 

This distribution: CentOS 5.2

■ key [3] to solve the problem

[3] and to know the configuration of Samba file permissions

(1) access to the shared

valid users =
Specifies the user to allow access

invalid users =
Specify deny user access

valid users = user01 user02

The user to allow (for example) access I set to user01 and user02

(2) read and write permissions to the file / directory

the value of the writable =, I set to yes (the write permission) or no (write-protected). Or is the same with the following settings.

a read only = value of, I set to yes (the write-protected) or no (write enabled).

writable = yes

(Example) I want to allow the writing

to read list = value, specify the user name that gives the read permission.

to write list = value, specify the user name that gives the write permission.

write list = user01 user02

I give write permission to (for example) user01 and user02

valid users, invalid users, read list, you can also specify a group name to the value of the write list.

@ Group name
Specified in the order of the group is set NIS group, the system

& Group name
Specifying the NIS group

+ Group name
Specified group that is set on the system

valid users = + staff

Allow access to users that belong to (for example) staff group

(3) Show / Hide sharing and file

I set the value of the browseable = to yes (the display) or no (hidden).

[Section $] are hidden when the last section name with a $ (share name).

When vito files = value to / file name / the specified, its file name can no longer be hidden and access.

When hide files = specified value to / file name / a, the file name will be hidden. However, access I can be.

(4) setting of file / directory when creating permissions

Create the permissions that are set when the file is created in the file mask, I can be specified by the value of the parameters of the force create mask.

Permission is set to the directory during directory create directory mask, I can be specified by the value of the parameters of the force directory mode.

(Note 5) in Samba 2.2 force directory mode can also be set as a force directory mask

Permission of the file that is created is as follows.

(DOS set to UNIX from the value being) AND (create value of mask) OR (the value of the force create mask)

Permission of the directory that is created is as follows.

(DOS set to UNIX from the value being) AND (directory value of mask) OR (the value of the force directory mode)

When you create a directory, if the value is set to UNIX from DOS is 777, directory mask = 755, force directory mode = 0, the permission of the directory that is created is 755

(Example)

(1) smb.conf of online manual (man smb.conf):

For information about the options described in smb.conf, you Yes and description wrote that becomes much pages about 100.

(Note) In CentOS 5.2, it has been included in the samba-common package.

(2) is in the appendix of using samba Samba Configuration Option Quick Reference:

List of options describing the smb.conf has briefly summarized.

(Note) In CentOS 5.2 and has been included in both the samba package and samba-swat package.

[Reference]

Exercises

After holding the point, let's challenge to the exercises. Each problem, I have described the importance of in LPIC test. Please refer to when exam.

Question 1

when the user has changed the password by the operation on the smbpasswd command or MS Windows,, taking the change and synchronization of the Samba SMB password, UNIX password is also set to smb.conf to be changed at the same time. Already, passwd program = and passwd chat = parameters are already set to the appropriate value. What is the other one to be set description of "parameter = value" is? and (select one)

Severity of test measures: (level1) -, (level2) ***]

a. sync always = no

b. sync always = yes

c. unix password sync = no

d. unix password sync = yes

e. password level = 0

f. password level = 1

Correct answer

d

Commentary

sync always is a write the data on the memory to disk (synchronize) parameters, because it is not in the synchronization parameters for the password, choices a and b choice is a mistake.

Choice c is a mistake because the settings that do not take the synchronization of passwords.

Choice d is the correct answer because it is synchronized set of passwords.

password level is a parameter that specifies a combination of uppercase and lowercase letters of the password, because it is not in the synchronization parameters for the password, choice e and f choice is a mistake.

Problem 2

MS Windows unspecified users to Samba server do not have an account you wrote many people. When this user has access to the Samba server, without requiring a user name and password, you can access by using a specific one of UNIX account, we would like to set the guest account in smb.conf.

In addition, it is assumed to be set as the security = user, also nobody account that is registered in the system, pcuser to the account is not registered in the system. What is the correct settings? and (select one)

Severity of test measures: (level1) ***, (level2) *]

a. public = yes
map to guest = Never
guest account = nobody

b. guest ok = yes
map to guest = Bad User
guest account = nobody

c. public = no
map to guest = Never
guest account = pcuser

d. guest ok = yes
map to guest = Bad User
guest account = pcuser

Correct answer

b

Commentary

Choices a, in the wrong password map to guest = Never refuse, mapping to the guest account is because setting a mistake that does not.

Choice b is allowed to use the guest account in the guest ok = yes, then allowed to log in the guest account if there is no map to guest = Bad User login name, guest account = nobody in the guest account the system of and because it is mapped to the account nobody, it is correct.

Choice c is to prohibit the use of guest account in public = no, in the wrong password map to guest = Never refuse, mapping to the guest account is a setting that does not, the guest account in the guest account = pcuser and because it is mapped to the account that does not exist in the system, all of the settings are wrong.

Choice d is a guest account = pcuser, it is a mistake because it is mapped to the account that does not exist a guest account on the system.

 

Problem 3

Please answer the following questions about how to set to hide the sharing and file.

Severity of test measures: (level1) -, (level2) ***]

I want to make a setting to share (question 1) / home / private directory. However, so as not to access only those who know the share name, so that you become a non-display a share on the client side. What is the correct settings? (2 one selection)

a. [Private]
path = / home / private
browseable = no

b. [Private]
path = / home / private
browseable = yes

c. [Private $]
path = / home / private

d. [.private]
path = / home / private

Do the (question 2) / home / samba settings that shared directory on a shared name public a. However only Trash Folder directory that have been placed in this below is to be available only when a user who has an account on the Samba server you log in to the server, so that you can not hide and access to client users, such as Windows. What is the correct settings? and (select one)

a. [Public]
path = / home / samba
browseable = yes
hide files = / home / samba / Trash \ Folder

b. [Public]
path = / home / samba
browseable = yes
hide files = / Trash Folder /

c. [Public]
path = / home / samba
browseable = yes
veto files = / home / samba / Trash \ Folder

d. [Public]
path = / home / samba
browseable = yes
veto files = / Trash Folder /

Correct answer

(Question 1) a, c

(Question 2) d

Commentary

(Question 1)

Choice A is a correct answer because it is a non-display settings in the browseable = no.

Choice b is a mistake because it become the setting display in browseable = yes.

Choice c is the shared name have been the last to $ addition of (section name), because the share name private $ is not displayed correct.

Choice d is a mistake because the share name (section name) ,. private is displayed as it is.

(Question 2)

It will be hidden by setting hide files parameters, but the access is possible, choices a and b choice is a mistake.

Choice c but is hidden and inaccessible set by the veto files parameter represents the directory path to the file name that you specify / is a mistake because it does not work.

Choice d is hidden and inaccessible set by the veto files parameter, it is correct because Aru enclose the file name to be specified correctly / at.

Problem 4

Please answer the following questions about the access rights of the shared file / directory.

Severity of test measures: (level1) -, (level2) **]

As (question 1) there has been decided to set up a shared directory, owner permissions of the file to be created there is a user who belongs to write and read, the group is read only, can not be other access, Also other than the owner permissions of the directory in which you want to create is you want to set it so that it can not be written. What is the appropriate setting? However, the value of the force create mask and force directory mode is assumed to be set to 0 both is the default value. and (select one)

a. file mode = 640
directory mode = 755

b. file mode = 137
directory mode = 022

c. create mask = 640
directory mask = 755

d. create mask = 137
directory mask = 022

(Question 2) it has been decided to set up a shared directory that is, the users who can access user01 and user01, and you want to limit only to users who belong to the staff group of systems. What is the appropriate setting? and (select one)

a. valid users = user01 user02 + staff

b. valid users = user01 user02 staff

c. invalid users = user01 user02 + staff

d. force user = user01 user02
force group = staff

Correct answer

(Question 1) c

(Question 2) a

Commentary

(Question 1)

Since the parameter does not exist that file mode, choice a choice and b is a mistake.

Choice c, the permissions of the file to be created with the create mask, because it set the permissions on the directory in which to create correctly in directory mask, it is correct.

Choice d is the value of the create mask and directory mask, it is a mistake because the 1 and 0 of each bit is set to reverse.

(Question 2)

Choices a, specify the user in the parameter valid users to specify the user to allow access, in front of the group name, is the correct answer because it is specified by adding the + representing the group.

Choice b, there is no specified characters that represent the group in front of the group staff, staff is a mistake because it treated as a user name.

Choice c is a mistake because it specifies the user to prohibit access by invalid users parameter.

Choice d is, force by user parameters, and the access of the user who specifies the user that access the site, by force group parameters, is because it is setting mistake to access and in the specified group.

Was cheers for good work. Next time I will question about "server management (DNS)"

 

参考:http://www.atmarkit.co.jp/ait/articles/0901/28/news153.html

http://www.knowd.co.jp/

Samba set of user authentication and file access rights的更多相关文章

  1. PostgreSQL Client Authentication Configuration File

    PostgreSQL: Documentation: 10: 16.4. Installation Procedure https://www.postgresql.org/docs/10/stati ...

  2. Method and system for implementing mandatory file access control in native discretionary access control environments

    A method is provided for implementing a mandatory access control model in operating systems which na ...

  3. file access , argc, argv[ ]

    _____main函数含有 两个参数 ,argc ,argv[] 这两个参数用以指示命令行输入的参数信息. argc 的值是输入的参数的数量.argv是一个数组,每个数组元素指向一个string字符串 ...

  4. Unable to copy file, Access to the path is denied

    Unable to copy file, Access to the path is denied http://stackoverflow.com/questions/7130136/unable- ...

  5. git pull 出错 fatal: Could not read from remote repository.Please make sure you have the correct access rights.and the repository exists.

    Warning: Permanently added the RSA host key for IP address '192.30.252.131' to the list of known hos ...

  6. php curl Problem with the SSL CA cert (path? access rights?)

    公司有台老服务器,搭的php的环境,有个负载均横的服务 调用 curl_init 的时候报了 Problem with the SSL CA cert (path? access rights?) 网 ...

  7. Git push提交时报错Permission denied(publickey)...Please make sure you have the correct access rights and the repository exists.

    一.git push origin master 时出错 错误信息为: Permission denied(publickey). fatal: Could not read from remote ...

  8. 【git 报错】Could not read from remote repository.Please make sure you have the correct access rights.

    我们在使用git clone 或其他命令的时候,有时候会遇到这类问题,如图: and the repository exists. fatal: Could not read from remote ...

  9. git遇到的问题之“Please make sure you have the correct access rights and the repository exists.”

    对于git的提交一直很小心翼翼,感觉一不小心就会踩到莫名的坑. 这不, 某天commit 就遇到了On branch master nothing to commit (working directo ...

随机推荐

  1. const成员变量

    #include <iostream> using namespace std; class A { public: A(int size) : SIZE(size) {}; privat ...

  2. Hibernate三种状态:瞬时状态、持久化状态、离线状态

    三种状态及相互转化 瞬时状态(transient):刚new出来一个对象,还没有被保存到数据库中 持久化状态(persistent):已经被保存到数据库中或刚从数据库中取得 离线状态(detached ...

  3. androidstudio的安装与抓log

    公司新开发的软件是基于unity的,我们被告知unity是不允许charles抓包的,故此只能只用 Android   studio 一. Android    studio的安装与配置 在此我就不赘 ...

  4. 【ARM-Linux开发】Linux的SOCKET编程详解

    Linux的SOCKET编程详解 1. 网络中进程之间如何通信 进 程通信的概念最初来源于单机系统.由于每个进程都在自己的地址范围内运行,为保证两个相互通信的进 程之间既互不干扰又协调一致工作,操作系 ...

  5. Docker踩坑小记

    Docker是一个开放平台用于快速开发.分发和部署应用程序.   Docker是一种容器管理技术.   解决头疼问题原则:回归最简单的方式来.确保最初级的方案没有错误. 安装 docker安装很简单, ...

  6. 小记--------spark资源调度机制源码分析-----Schedule

    Master类位置所在:spark-core_2.11-2.1.0.jar的org.apache.spark.deploy.master下的Master类 /** * driver调度机制原理代码分析 ...

  7. 什么是时序时空数据库TSDB

    时序时空数据库(Time Series & Spatial Temporal Database,简称 TSDB)是一种高性能.低成本.稳定可靠的在线时序时空数据库服务,提供高效读写.高压缩比存 ...

  8. 【LOJ】#3120. 「CTS2019 | CTSC2019」珍珠

    LOJ3120 52pts \(N - D >= 2M\)或者\(M = 0\)那么就是\(D^{N}\) 只和数字的奇偶性有关,如果有k个奇数,那么必须满足\(N - k >= 2M\) ...

  9. mybatis 基础(一) xml配置

    如果文章有误,请各位楼下评论,感谢各位积极修正! 一起学习,成为大佬! mybatis: 1.轻量级 2.高级映射(实体类与数据库表字段的映射) 这样就可以后续开发中去操作实体类而不需要去关注数据库, ...

  10. Java设置时区

    TimeZone.setDefault(TimeZone.getTimeZone("GMT+8"));