Samba set of user authentication and file access rights

This series is compatible with Linux certification exam LPIC. A typical Linux user-level topics omitted, I am picked up the contents of the system management and server management. In addition, not only LPIC measures, we have questions problem asking a systematic understanding of related topics. Characteristics of series is that it is stated as possible version of the program of interest, relatively new coherent commentary still small topic is important but it is taken in favor of topics elusive. To solve the problem, you wear a force that can take advantage of Linux in practice by reading the commentary.

 

This distribution: CentOS 5.2

■ The key to solving the problem [1] [2]

When solving the setting and testing issues related to this topic, the following items will be to the point.

[1] set the Samba user authentication and file access rights

Samba server by the Windows SMB (Server Message Block) protocol, is a server that provides file sharing, printer sharing services. Functions and primary / backup domain controller, there is also a function of the WINS server to provide the corresponding information for the NetBIOS name and IP address, you have to Samba package includes client software.

By using the Samba server, in a network UNIX / Linux and Windows are mixed, you will be able to share the resources of a file or printer.

The following two server processes to provide services in the Samba server.

smbd
File sharing, and provide SMB services such as printer sharing. Listening port number is 139 / tcp and 445 / tcp

nmbd
Provides NetBIOS name service. Listening port number is 137 / udp and 138 / udp

(Note 1), CentOS 5.2 server processes smbd and nmbd start / stop / restart, the / etc / init.d / smb script, start each, stop, and run it with the argument of restart

# /etc/init.d/smb Start

(Example) start of the Samba server

Also, as in the recent Fedora distributions, but some smb and nmb is in a separate script. Samba server configuration file is smb.conf.

(Note 2) path name of the smb.conf of CentOS 5.2 is /etc/samba/smb.conf

This file is made up of several sections. Section I will describe as [section name]. [Global], [homes], has been reserved section name of [printers].

[Global]
This is the section that sets the parameters for the entire server. You can also set the default values ​​for each section

[Homes]
This is the section that sets the parameters relating to share the user's home directory

[Printers]
This is the section that sets parameters for printer sharing.

Other section name is attached to freedom, you can set a shared service. Section name is the share name. The parameters required for each section, I set in the format "parameter name = value". format of smb.conf file I can check in testparm command.

# Testparm

Load smb config files from /etc/samba/smb.conf

Processing section "[homes]"

Processing section "[printers]"

...............................

Loaded services file OK.

Server role: ROLE_DOMAIN_PDC

Press enter to see a dump of your service definitions

[Global]

workgroup = MYGROUP

server string = Samba Server Version% v

................................

(Example)

Also, if you specify the -v option as testparm -v, also appears default values ​​that are not specified in smb.conf.

Configuration parameters (also known as optional) I have more than 300 kinds. This article is in the range of LPIC 101,201 test, I will focus parameters for high user authentication and file access rights tend to be questions.

[2] I to know about managing Samba user account

(1) of the user accounts database

In Samba 2.2 user name, account information, such as passwords are stored in the smbpasswd file.

User accounts from Samba 3.0 I will be stored in the database that is specified in the parameter passdb backend = of the [global] section.

passdb backend = tdbsam
I use the TDB (Trivial DataBase)

passdb backend = ldapsam
I use LDAP

TDB can manage a lot of attribute information than conventional smbpasswd file.

In addition to this, there is a passdb backend = smbpasswd for backwards compatibility. You can use the smbpasswd file When this setting.

(2) user authentication method

User authentication method I specified in the parameter security = of the [global] section.

security = user
Set to perform local authentication with a user name and password

security = share
Set to perform the authentication only with a password

security = domain
Set to perform the authentication by domain controller

security = server
Set to perform the authentication by other SMB server

security = ads
AD settings you authenticate with the domain controller (active directory) domain

In addition, security = domain, security = server, in the case of any of the settings of the security = ads I will specify the server to authenticate with the password server =.

(3) user registration

Samba user registration in the smbpasswd command in Samba2.2, I done in the pdbedit command from Samba3.0.

User to be registered does not already must be a user that exists as a UNIX account of the system.

# Smbpasswd -a user01

I register the user01 in (Example 1) smbpasswd

# Pdbedit -a user01

I register the user01 in (Example 2) pdbedit

(4) Change Password

I done in the smbpasswd command if the user to change their password.

$ Smbpasswd

Old SMB password:

New SMB password:

Retype new SMB password:

Password changed for user user01

(Example) user user01 to change their password

Also from Windows, after you have logged Press Ctrl + Alt + Del, you can change from the password change screen.

(5) Password Synchronization

And password for the UNIX account of system, password and is separately set the Samba user account, it will be managed.

However, unix password sync, passwd program, by properly setting the three parameters of the passwd chat, in synchronization with the change of the Samba password, you can set as UNIX account password is also changed.

as unix password sync = yes, and then to synchronize setting of password.

the passwd program = value of I is specified in the password setting command (passwd command). This command root runs.

The passwd chat = a, and then specify the string of conversation (chat) with the passwd command and the system.

unix password sync = yes

passwd program = / usr / bin / passwd% u

passwd chat = *% n \ n *% n \ n *

(Setting Example)

(6) Set the guest account

If the user that the Samba server does not have the account has access, you can set that by mapping it to a specific UNIX account (guest account) to allow access.

This, guest ok, guest account, and is performed by appropriately setting the values ​​of the three parameters of the map to guest.

I will allow access on the guest account as guest ok = yes. The same is true as public = yes.

the value of the guest account = I specified for a particular UNIX account.

the map to guest = value, and then to set dealing if the user does not exist as a Samba user has access as a guest account.

guest ok = yes

guest account = nobody

map to guest = Bad User

(Setting Example)

(Note 4) as the set value of the map to guest, include the following:

Never
Reject the user's login request with an incorrect password

Bad User
Deny the user's login request with an incorrect password, it is treated as a guest login if the specified user did not exist. In this case, I will be with the user specified in the guest account

Bad Password
User login requests with an incorrect password is I treat as a guest user. In this case, I will be with the user specified in the guest account

 

This distribution: CentOS 5.2

■ key [3] to solve the problem

[3] and to know the configuration of Samba file permissions

(1) access to the shared

valid users =
Specifies the user to allow access

invalid users =
Specify deny user access

valid users = user01 user02

The user to allow (for example) access I set to user01 and user02

(2) read and write permissions to the file / directory

the value of the writable =, I set to yes (the write permission) or no (write-protected). Or is the same with the following settings.

a read only = value of, I set to yes (the write-protected) or no (write enabled).

writable = yes

(Example) I want to allow the writing

to read list = value, specify the user name that gives the read permission.

to write list = value, specify the user name that gives the write permission.

write list = user01 user02

I give write permission to (for example) user01 and user02

valid users, invalid users, read list, you can also specify a group name to the value of the write list.

@ Group name
Specified in the order of the group is set NIS group, the system

& Group name
Specifying the NIS group

+ Group name
Specified group that is set on the system

valid users = + staff

Allow access to users that belong to (for example) staff group

(3) Show / Hide sharing and file

I set the value of the browseable = to yes (the display) or no (hidden).

[Section $] are hidden when the last section name with a $ (share name).

When vito files = value to / file name / the specified, its file name can no longer be hidden and access.

When hide files = specified value to / file name / a, the file name will be hidden. However, access I can be.

(4) setting of file / directory when creating permissions

Create the permissions that are set when the file is created in the file mask, I can be specified by the value of the parameters of the force create mask.

Permission is set to the directory during directory create directory mask, I can be specified by the value of the parameters of the force directory mode.

(Note 5) in Samba 2.2 force directory mode can also be set as a force directory mask

Permission of the file that is created is as follows.

(DOS set to UNIX from the value being) AND (create value of mask) OR (the value of the force create mask)

Permission of the directory that is created is as follows.

(DOS set to UNIX from the value being) AND (directory value of mask) OR (the value of the force directory mode)

When you create a directory, if the value is set to UNIX from DOS is 777, directory mask = 755, force directory mode = 0, the permission of the directory that is created is 755

(Example)

(1) smb.conf of online manual (man smb.conf):

For information about the options described in smb.conf, you Yes and description wrote that becomes much pages about 100.

(Note) In CentOS 5.2, it has been included in the samba-common package.

(2) is in the appendix of using samba Samba Configuration Option Quick Reference:

List of options describing the smb.conf has briefly summarized.

(Note) In CentOS 5.2 and has been included in both the samba package and samba-swat package.

[Reference]

Exercises

After holding the point, let's challenge to the exercises. Each problem, I have described the importance of in LPIC test. Please refer to when exam.

Question 1

when the user has changed the password by the operation on the smbpasswd command or MS Windows,, taking the change and synchronization of the Samba SMB password, UNIX password is also set to smb.conf to be changed at the same time. Already, passwd program = and passwd chat = parameters are already set to the appropriate value. What is the other one to be set description of "parameter = value" is? and (select one)

Severity of test measures: (level1) -, (level2) ***]

a. sync always = no

b. sync always = yes

c. unix password sync = no

d. unix password sync = yes

e. password level = 0

f. password level = 1

Correct answer

d

Commentary

sync always is a write the data on the memory to disk (synchronize) parameters, because it is not in the synchronization parameters for the password, choices a and b choice is a mistake.

Choice c is a mistake because the settings that do not take the synchronization of passwords.

Choice d is the correct answer because it is synchronized set of passwords.

password level is a parameter that specifies a combination of uppercase and lowercase letters of the password, because it is not in the synchronization parameters for the password, choice e and f choice is a mistake.

Problem 2

MS Windows unspecified users to Samba server do not have an account you wrote many people. When this user has access to the Samba server, without requiring a user name and password, you can access by using a specific one of UNIX account, we would like to set the guest account in smb.conf.

In addition, it is assumed to be set as the security = user, also nobody account that is registered in the system, pcuser to the account is not registered in the system. What is the correct settings? and (select one)

Severity of test measures: (level1) ***, (level2) *]

a. public = yes
map to guest = Never
guest account = nobody

b. guest ok = yes
map to guest = Bad User
guest account = nobody

c. public = no
map to guest = Never
guest account = pcuser

d. guest ok = yes
map to guest = Bad User
guest account = pcuser

Correct answer

b

Commentary

Choices a, in the wrong password map to guest = Never refuse, mapping to the guest account is because setting a mistake that does not.

Choice b is allowed to use the guest account in the guest ok = yes, then allowed to log in the guest account if there is no map to guest = Bad User login name, guest account = nobody in the guest account the system of and because it is mapped to the account nobody, it is correct.

Choice c is to prohibit the use of guest account in public = no, in the wrong password map to guest = Never refuse, mapping to the guest account is a setting that does not, the guest account in the guest account = pcuser and because it is mapped to the account that does not exist in the system, all of the settings are wrong.

Choice d is a guest account = pcuser, it is a mistake because it is mapped to the account that does not exist a guest account on the system.

 

Problem 3

Please answer the following questions about how to set to hide the sharing and file.

Severity of test measures: (level1) -, (level2) ***]

I want to make a setting to share (question 1) / home / private directory. However, so as not to access only those who know the share name, so that you become a non-display a share on the client side. What is the correct settings? (2 one selection)

a. [Private]
path = / home / private
browseable = no

b. [Private]
path = / home / private
browseable = yes

c. [Private $]
path = / home / private

d. [.private]
path = / home / private

Do the (question 2) / home / samba settings that shared directory on a shared name public a. However only Trash Folder directory that have been placed in this below is to be available only when a user who has an account on the Samba server you log in to the server, so that you can not hide and access to client users, such as Windows. What is the correct settings? and (select one)

a. [Public]
path = / home / samba
browseable = yes
hide files = / home / samba / Trash \ Folder

b. [Public]
path = / home / samba
browseable = yes
hide files = / Trash Folder /

c. [Public]
path = / home / samba
browseable = yes
veto files = / home / samba / Trash \ Folder

d. [Public]
path = / home / samba
browseable = yes
veto files = / Trash Folder /

Correct answer

(Question 1) a, c

(Question 2) d

Commentary

(Question 1)

Choice A is a correct answer because it is a non-display settings in the browseable = no.

Choice b is a mistake because it become the setting display in browseable = yes.

Choice c is the shared name have been the last to $ addition of (section name), because the share name private $ is not displayed correct.

Choice d is a mistake because the share name (section name) ,. private is displayed as it is.

(Question 2)

It will be hidden by setting hide files parameters, but the access is possible, choices a and b choice is a mistake.

Choice c but is hidden and inaccessible set by the veto files parameter represents the directory path to the file name that you specify / is a mistake because it does not work.

Choice d is hidden and inaccessible set by the veto files parameter, it is correct because Aru enclose the file name to be specified correctly / at.

Problem 4

Please answer the following questions about the access rights of the shared file / directory.

Severity of test measures: (level1) -, (level2) **]

As (question 1) there has been decided to set up a shared directory, owner permissions of the file to be created there is a user who belongs to write and read, the group is read only, can not be other access, Also other than the owner permissions of the directory in which you want to create is you want to set it so that it can not be written. What is the appropriate setting? However, the value of the force create mask and force directory mode is assumed to be set to 0 both is the default value. and (select one)

a. file mode = 640
directory mode = 755

b. file mode = 137
directory mode = 022

c. create mask = 640
directory mask = 755

d. create mask = 137
directory mask = 022

(Question 2) it has been decided to set up a shared directory that is, the users who can access user01 and user01, and you want to limit only to users who belong to the staff group of systems. What is the appropriate setting? and (select one)

a. valid users = user01 user02 + staff

b. valid users = user01 user02 staff

c. invalid users = user01 user02 + staff

d. force user = user01 user02
force group = staff

Correct answer

(Question 1) c

(Question 2) a

Commentary

(Question 1)

Since the parameter does not exist that file mode, choice a choice and b is a mistake.

Choice c, the permissions of the file to be created with the create mask, because it set the permissions on the directory in which to create correctly in directory mask, it is correct.

Choice d is the value of the create mask and directory mask, it is a mistake because the 1 and 0 of each bit is set to reverse.

(Question 2)

Choices a, specify the user in the parameter valid users to specify the user to allow access, in front of the group name, is the correct answer because it is specified by adding the + representing the group.

Choice b, there is no specified characters that represent the group in front of the group staff, staff is a mistake because it treated as a user name.

Choice c is a mistake because it specifies the user to prohibit access by invalid users parameter.

Choice d is, force by user parameters, and the access of the user who specifies the user that access the site, by force group parameters, is because it is setting mistake to access and in the specified group.

Was cheers for good work. Next time I will question about "server management (DNS)"

 

参考：http://www.atmarkit.co.jp/ait/articles/0901/28/news153.html

http://www.knowd.co.jp/