Samba set of user authentication and file access rights
This series is compatible with Linux certification exam LPIC. A typical Linux user-level topics omitted, I am picked up the contents of the system management and server management. In addition, not only LPIC measures, we have questions problem asking a systematic understanding of related topics. Characteristics of series is that it is stated as possible version of the program of interest, relatively new coherent commentary still small topic is important but it is taken in favor of topics elusive. To solve the problem, you wear a force that can take advantage of Linux in practice by reading the commentary.
This distribution: CentOS 5.2
■ The key to solving the problem [1] [2]
When solving the setting and testing issues related to this topic, the following items will be to the point.
[1] set the Samba user authentication and file access rights
Samba server by the Windows SMB (Server Message Block) protocol, is a server that provides file sharing, printer sharing services. Functions and primary / backup domain controller, there is also a function of the WINS server to provide the corresponding information for the NetBIOS name and IP address, you have to Samba package includes client software.
By using the Samba server, in a network UNIX / Linux and Windows are mixed, you will be able to share the resources of a file or printer.
The following two server processes to provide services in the Samba server.
smbd
File sharing, and provide SMB services such as printer sharing. Listening port number is 139 / tcp and 445 / tcp
nmbd
Provides NetBIOS name service. Listening port number is 137 / udp and 138 / udp
(Note 1), CentOS 5.2 server processes smbd and nmbd start / stop / restart, the / etc / init.d / smb script, start each, stop, and run it with the argument of restart
# /etc/init.d/smb Start
(Example) start of the Samba server
Also, as in the recent Fedora distributions, but some smb and nmb is in a separate script. Samba server configuration file is smb.conf.
(Note 2) path name of the smb.conf of CentOS 5.2 is /etc/samba/smb.conf
This file is made up of several sections. Section I will describe as [section name]. [Global], [homes], has been reserved section name of [printers].
[Global]
This is the section that sets the parameters for the entire server. You can also set the default values for each section
[Homes]
This is the section that sets the parameters relating to share the user's home directory
[Printers]
This is the section that sets parameters for printer sharing.
Other section name is attached to freedom, you can set a shared service. Section name is the share name. The parameters required for each section, I set in the format "parameter name = value". format of smb.conf file I can check in testparm command.
# Testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
...............................
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
[Global]
workgroup = MYGROUP
server string = Samba Server Version% v
................................
(Example)
Also, if you specify the -v option as testparm -v, also appears default values that are not specified in smb.conf.
Configuration parameters (also known as optional) I have more than 300 kinds. This article is in the range of LPIC 101,201 test, I will focus parameters for high user authentication and file access rights tend to be questions.
[2] I to know about managing Samba user account
(1) of the user accounts database
In Samba 2.2 user name, account information, such as passwords are stored in the smbpasswd file.
User accounts from Samba 3.0 I will be stored in the database that is specified in the parameter passdb backend = of the [global] section.
passdb backend = tdbsam
I use the TDB (Trivial DataBase)
passdb backend = ldapsam
I use LDAP
TDB can manage a lot of attribute information than conventional smbpasswd file.
In addition to this, there is a passdb backend = smbpasswd for backwards compatibility. You can use the smbpasswd file When this setting.
(2) user authentication method
User authentication method I specified in the parameter security = of the [global] section.
security = user
Set to perform local authentication with a user name and password
security = share
Set to perform the authentication only with a password
security = domain
Set to perform the authentication by domain controller
security = server
Set to perform the authentication by other SMB server
security = ads
AD settings you authenticate with the domain controller (active directory) domain
In addition, security = domain, security = server, in the case of any of the settings of the security = ads I will specify the server to authenticate with the password server =.
(3) user registration
Samba user registration in the smbpasswd command in Samba2.2, I done in the pdbedit command from Samba3.0.
User to be registered does not already must be a user that exists as a UNIX account of the system.
# Smbpasswd -a user01
I register the user01 in (Example 1) smbpasswd
# Pdbedit -a user01
I register the user01 in (Example 2) pdbedit
(4) Change Password
I done in the smbpasswd command if the user to change their password.
$ Smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user user01
(Example) user user01 to change their password
Also from Windows, after you have logged Press Ctrl + Alt + Del, you can change from the password change screen.
(5) Password Synchronization
And password for the UNIX account of system, password and is separately set the Samba user account, it will be managed.
However, unix password sync, passwd program, by properly setting the three parameters of the passwd chat, in synchronization with the change of the Samba password, you can set as UNIX account password is also changed.
as unix password sync = yes, and then to synchronize setting of password.
the passwd program = value of I is specified in the password setting command (passwd command). This command root runs.
The passwd chat = a, and then specify the string of conversation (chat) with the passwd command and the system.
unix password sync = yes
passwd program = / usr / bin / passwd% u
passwd chat = *% n \ n *% n \ n *
(Setting Example)
(6) Set the guest account
If the user that the Samba server does not have the account has access, you can set that by mapping it to a specific UNIX account (guest account) to allow access.
This, guest ok, guest account, and is performed by appropriately setting the values of the three parameters of the map to guest.
I will allow access on the guest account as guest ok = yes. The same is true as public = yes.
the value of the guest account = I specified for a particular UNIX account.
the map to guest = value, and then to set dealing if the user does not exist as a Samba user has access as a guest account.
guest ok = yes
guest account = nobody
map to guest = Bad User
(Setting Example)
(Note 4) as the set value of the map to guest, include the following:
Never
Reject the user's login request with an incorrect password
Bad User
Deny the user's login request with an incorrect password, it is treated as a guest login if the specified user did not exist. In this case, I will be with the user specified in the guest account
Bad Password
User login requests with an incorrect password is I treat as a guest user. In this case, I will be with the user specified in the guest account
This distribution: CentOS 5.2
■ key [3] to solve the problem
[3] and to know the configuration of Samba file permissions
(1) access to the shared
valid users =
Specifies the user to allow access
invalid users =
Specify deny user access
valid users = user01 user02
The user to allow (for example) access I set to user01 and user02
(2) read and write permissions to the file / directory
the value of the writable =, I set to yes (the write permission) or no (write-protected). Or is the same with the following settings.
a read only = value of, I set to yes (the write-protected) or no (write enabled).
writable = yes
(Example) I want to allow the writing
to read list = value, specify the user name that gives the read permission.
to write list = value, specify the user name that gives the write permission.
write list = user01 user02
I give write permission to (for example) user01 and user02
valid users, invalid users, read list, you can also specify a group name to the value of the write list.
@ Group name
Specified in the order of the group is set NIS group, the system
& Group name
Specifying the NIS group
+ Group name
Specified group that is set on the system
valid users = + staff
Allow access to users that belong to (for example) staff group
(3) Show / Hide sharing and file
I set the value of the browseable = to yes (the display) or no (hidden).
[Section $] are hidden when the last section name with a $ (share name).
When vito files = value to / file name / the specified, its file name can no longer be hidden and access.
When hide files = specified value to / file name / a, the file name will be hidden. However, access I can be.
(4) setting of file / directory when creating permissions
Create the permissions that are set when the file is created in the file mask, I can be specified by the value of the parameters of the force create mask.
Permission is set to the directory during directory create directory mask, I can be specified by the value of the parameters of the force directory mode.
(Note 5) in Samba 2.2 force directory mode can also be set as a force directory mask
Permission of the file that is created is as follows.
(DOS set to UNIX from the value being) AND (create value of mask) OR (the value of the force create mask)
Permission of the directory that is created is as follows.
(DOS set to UNIX from the value being) AND (directory value of mask) OR (the value of the force directory mode)
When you create a directory, if the value is set to UNIX from DOS is 777, directory mask = 755, force directory mode = 0, the permission of the directory that is created is 755
(Example)
(1) smb.conf of online manual (man smb.conf):
For information about the options described in smb.conf, you Yes and description wrote that becomes much pages about 100.
(Note) In CentOS 5.2, it has been included in the samba-common package.
(2) is in the appendix of using samba Samba Configuration Option Quick Reference:
List of options describing the smb.conf has briefly summarized.
(Note) In CentOS 5.2 and has been included in both the samba package and samba-swat package.
[Reference]
Exercises
After holding the point, let's challenge to the exercises. Each problem, I have described the importance of in LPIC test. Please refer to when exam.
Question 1
when the user has changed the password by the operation on the smbpasswd command or MS Windows,, taking the change and synchronization of the Samba SMB password, UNIX password is also set to smb.conf to be changed at the same time. Already, passwd program = and passwd chat = parameters are already set to the appropriate value. What is the other one to be set description of "parameter = value" is? and (select one)
Severity of test measures: (level1) -, (level2) ***]
a. sync always = no
b. sync always = yes
c. unix password sync = no
d. unix password sync = yes
e. password level = 0
f. password level = 1
Correct answer
d
Commentary
sync always is a write the data on the memory to disk (synchronize) parameters, because it is not in the synchronization parameters for the password, choices a and b choice is a mistake.
Choice c is a mistake because the settings that do not take the synchronization of passwords.
Choice d is the correct answer because it is synchronized set of passwords.
password level is a parameter that specifies a combination of uppercase and lowercase letters of the password, because it is not in the synchronization parameters for the password, choice e and f choice is a mistake.
Problem 2
MS Windows unspecified users to Samba server do not have an account you wrote many people. When this user has access to the Samba server, without requiring a user name and password, you can access by using a specific one of UNIX account, we would like to set the guest account in smb.conf.
In addition, it is assumed to be set as the security = user, also nobody account that is registered in the system, pcuser to the account is not registered in the system. What is the correct settings? and (select one)
Severity of test measures: (level1) ***, (level2) *]
a. public = yes
map to guest = Never
guest account = nobody
b. guest ok = yes
map to guest = Bad User
guest account = nobody
c. public = no
map to guest = Never
guest account = pcuser
d. guest ok = yes
map to guest = Bad User
guest account = pcuser
Correct answer
b
Commentary
Choices a, in the wrong password map to guest = Never refuse, mapping to the guest account is because setting a mistake that does not.
Choice b is allowed to use the guest account in the guest ok = yes, then allowed to log in the guest account if there is no map to guest = Bad User login name, guest account = nobody in the guest account the system of and because it is mapped to the account nobody, it is correct.
Choice c is to prohibit the use of guest account in public = no, in the wrong password map to guest = Never refuse, mapping to the guest account is a setting that does not, the guest account in the guest account = pcuser and because it is mapped to the account that does not exist in the system, all of the settings are wrong.
Choice d is a guest account = pcuser, it is a mistake because it is mapped to the account that does not exist a guest account on the system.
Problem 3
Please answer the following questions about how to set to hide the sharing and file.
Severity of test measures: (level1) -, (level2) ***]
I want to make a setting to share (question 1) / home / private directory. However, so as not to access only those who know the share name, so that you become a non-display a share on the client side. What is the correct settings? (2 one selection)
a. [Private]
path = / home / private
browseable = no
b. [Private]
path = / home / private
browseable = yes
c. [Private $]
path = / home / private
d. [.private]
path = / home / private
Do the (question 2) / home / samba settings that shared directory on a shared name public a. However only Trash Folder directory that have been placed in this below is to be available only when a user who has an account on the Samba server you log in to the server, so that you can not hide and access to client users, such as Windows. What is the correct settings? and (select one)
a. [Public]
path = / home / samba
browseable = yes
hide files = / home / samba / Trash \ Folder
b. [Public]
path = / home / samba
browseable = yes
hide files = / Trash Folder /
c. [Public]
path = / home / samba
browseable = yes
veto files = / home / samba / Trash \ Folder
d. [Public]
path = / home / samba
browseable = yes
veto files = / Trash Folder /
Correct answer
(Question 1) a, c
(Question 2) d
Commentary
(Question 1)
Choice A is a correct answer because it is a non-display settings in the browseable = no.
Choice b is a mistake because it become the setting display in browseable = yes.
Choice c is the shared name have been the last to $ addition of (section name), because the share name private $ is not displayed correct.
Choice d is a mistake because the share name (section name) ,. private is displayed as it is.
(Question 2)
It will be hidden by setting hide files parameters, but the access is possible, choices a and b choice is a mistake.
Choice c but is hidden and inaccessible set by the veto files parameter represents the directory path to the file name that you specify / is a mistake because it does not work.
Choice d is hidden and inaccessible set by the veto files parameter, it is correct because Aru enclose the file name to be specified correctly / at.
Problem 4
Please answer the following questions about the access rights of the shared file / directory.
Severity of test measures: (level1) -, (level2) **]
As (question 1) there has been decided to set up a shared directory, owner permissions of the file to be created there is a user who belongs to write and read, the group is read only, can not be other access, Also other than the owner permissions of the directory in which you want to create is you want to set it so that it can not be written. What is the appropriate setting? However, the value of the force create mask and force directory mode is assumed to be set to 0 both is the default value. and (select one)
a. file mode = 640
directory mode = 755
b. file mode = 137
directory mode = 022
c. create mask = 640
directory mask = 755
d. create mask = 137
directory mask = 022
(Question 2) it has been decided to set up a shared directory that is, the users who can access user01 and user01, and you want to limit only to users who belong to the staff group of systems. What is the appropriate setting? and (select one)
a. valid users = user01 user02 + staff
b. valid users = user01 user02 staff
c. invalid users = user01 user02 + staff
d. force user = user01 user02
force group = staff
Correct answer
(Question 1) c
(Question 2) a
Commentary
(Question 1)
Since the parameter does not exist that file mode, choice a choice and b is a mistake.
Choice c, the permissions of the file to be created with the create mask, because it set the permissions on the directory in which to create correctly in directory mask, it is correct.
Choice d is the value of the create mask and directory mask, it is a mistake because the 1 and 0 of each bit is set to reverse.
(Question 2)
Choices a, specify the user in the parameter valid users to specify the user to allow access, in front of the group name, is the correct answer because it is specified by adding the + representing the group.
Choice b, there is no specified characters that represent the group in front of the group staff, staff is a mistake because it treated as a user name.
Choice c is a mistake because it specifies the user to prohibit access by invalid users parameter.
Choice d is, force by user parameters, and the access of the user who specifies the user that access the site, by force group parameters, is because it is setting mistake to access and in the specified group.
Was cheers for good work. Next time I will question about "server management (DNS)"
参考:http://www.atmarkit.co.jp/ait/articles/0901/28/news153.html
Samba set of user authentication and file access rights的更多相关文章
- PostgreSQL Client Authentication Configuration File
PostgreSQL: Documentation: 10: 16.4. Installation Procedure https://www.postgresql.org/docs/10/stati ...
- Method and system for implementing mandatory file access control in native discretionary access control environments
A method is provided for implementing a mandatory access control model in operating systems which na ...
- file access , argc, argv[ ]
_____main函数含有 两个参数 ,argc ,argv[] 这两个参数用以指示命令行输入的参数信息. argc 的值是输入的参数的数量.argv是一个数组,每个数组元素指向一个string字符串 ...
- Unable to copy file, Access to the path is denied
Unable to copy file, Access to the path is denied http://stackoverflow.com/questions/7130136/unable- ...
- git pull 出错 fatal: Could not read from remote repository.Please make sure you have the correct access rights.and the repository exists.
Warning: Permanently added the RSA host key for IP address '192.30.252.131' to the list of known hos ...
- php curl Problem with the SSL CA cert (path? access rights?)
公司有台老服务器,搭的php的环境,有个负载均横的服务 调用 curl_init 的时候报了 Problem with the SSL CA cert (path? access rights?) 网 ...
- Git push提交时报错Permission denied(publickey)...Please make sure you have the correct access rights and the repository exists.
一.git push origin master 时出错 错误信息为: Permission denied(publickey). fatal: Could not read from remote ...
- 【git 报错】Could not read from remote repository.Please make sure you have the correct access rights.
我们在使用git clone 或其他命令的时候,有时候会遇到这类问题,如图: and the repository exists. fatal: Could not read from remote ...
- git遇到的问题之“Please make sure you have the correct access rights and the repository exists.”
对于git的提交一直很小心翼翼,感觉一不小心就会踩到莫名的坑. 这不, 某天commit 就遇到了On branch master nothing to commit (working directo ...
随机推荐
- Linux 查看CPU和内存的使用情况
Linux 查看CPU和内存的使用情况 如何查看Linux机器的CPU和内存的使用情况. 可以通过如下方式: 1.查看CPU和内存的实时使用情况 使用如下命令: top 命令执行后,效果如下(资源的使 ...
- 在Spring中配置jdbc为什么不能用${username}问题
楼主在spring中配置jdbc时,引用的是dbcp.jar包,在dataSource.properties配置文件中,有mysql用户名,楼主自然的选择了使用username,密码是root, 然后 ...
- vue cli 3.0设置指定端口号运行
在项目根目录创建vue.config.js文件 module.exports = { devServer: { port: 3000, // 端口 }, // lintOnSave: false // ...
- QTP的安装(转载)
1.WIndows10安装QTP时需注意版本的要求. 2.安装参考 下载链接:https://download.csdn.net/download/weixin_41479750/11240466 下 ...
- LeetCode.1160-找到可以由给定字符组成的字符串(Find Words That Can Be Formed by Characters)
这是小川的第411次更新,第443篇原创 看题和准备 今天介绍的是LeetCode算法题中Easy级别的第262题(顺位题号是1160).你会得到一个字符串单词数组和一个字符串chars.如果字符串可 ...
- 【POJ - 2078】Matrix(dfs)
-->Matrix Descriptions: 输入一个n×n的矩阵,可以对矩阵的每行进行任意次的循环右移操作,行的每一次右移后,计算矩阵中每一列的和的最大值,输出这些最大值中的最小值. Sam ...
- 安装glance
在控制节点上执行 controllerHost='controller' MYSQL_PASSWD='m4r!adbOP' GLANCE_PASSWD='glance1234!' 1.创建数据库 my ...
- 使用logstash迁移elasticsearch数据
支持同集群复制和跨集群复制 优点:通过简单配置即可实现.零编码. 缺点:logstash 单点运行迁移,速度一般. 以es2.2.1 logstash2.2.1 为例 以下logstash 配置功能 ...
- arm-linux的gdb移植
转载于:http://blog.chinaunix.net/uid-23381466-id-309369.html arm-linux的gdb移植分为两种情况.一种是交叉调试版.这一种模式是需要编译一 ...
- 【转帖】.NET的一点历史故事:Novell的崩溃和Xamarin的重生
.NET的一点历史故事:Novell的崩溃和Xamarin的重生 https://blog.csdn.net/sD7O95O/article/details/78096502 学习安装 mono 时了 ...