Samba: configuring user authentication and file access rights


    This series is aimed at the Linux certification exam LPIC. Typical user-level Linux topics are omitted; I have picked up system management and server management topics. The questions are not only LPIC preparation: they also ask for a systematic understanding of related topics. A characteristic of the series is that, where possible, it states the version of the program in question, and that it takes up topics which are important but still have little coherent commentary because they are relatively new, or which are easy to misunderstand. By solving the problems and reading the commentary, you should acquire the ability to use Linux in practice.

    This distribution: CentOS 5.2

    ■ Key points for solving the problems [1] [2]

    When solving configuration and testing questions on this topic, the following items are the key points.

    [1] Configuring Samba user authentication and file access rights

    A Samba server provides file sharing and printer sharing services over the Windows SMB (Server Message Block) protocol. It can also act as a primary or backup domain controller and as a WINS server, which answers with the IP address corresponding to a NetBIOS name; the Samba package also includes client software.

    Using a Samba server, resources such as files and printers can be shared on a network where UNIX/Linux and Windows machines are mixed.

    The following two server processes provide the services of a Samba server.

    smbd
    Provides SMB services such as file sharing and printer sharing. Listens on ports 139/tcp and 445/tcp.

    nmbd
    Provides the NetBIOS name service. Listens on ports 137/udp and 138/udp.

    (Note 1) On CentOS 5.2 the server processes smbd and nmbd are started, stopped and restarted with the /etc/init.d/smb script, run with the argument start, stop or restart respectively.

    # /etc/init.d/smb start

    (Example) Starting the Samba server

    Also, as in recent Fedora distributions, smb and nmb are sometimes split into separate scripts. The Samba server configuration file is smb.conf.

    (Note 2) On CentOS 5.2 the path of smb.conf is /etc/samba/smb.conf

    This file is made up of several sections. A section is written as [section name]. The section names [global], [homes] and [printers] are reserved.

    [global]
    The section that sets parameters for the whole server. It also sets the default values for the other sections.

    [homes]
    The section that sets parameters for sharing users' home directories.

    [printers]
    The section that sets parameters for printer sharing.

    Other section names can be chosen freely and each defines a shared service; the section name is the share name. The parameters needed in each section are written in the format "parameter name = value". The format of the smb.conf file can be checked with the testparm command.

    # testparm

    Load smb config files from /etc/samba/smb.conf

    Processing section "[homes]"

    Processing section "[printers]"

    ...............................

    Loaded services file OK.

    Server role: ROLE_DOMAIN_PDC

    Press enter to see a dump of your service definitions

    [global]

    workgroup = MYGROUP

    server string = Samba Server Version %v

    ................................

    (Example) Checking smb.conf with testparm

    Also, if the -v option is given, as in testparm -v, the default values of parameters not specified in smb.conf are displayed as well.

    There are more than 300 configuration parameters (also called options). This article focuses on the parameters for user authentication and file access rights, which are within the scope of the LPIC 101 and 201 exams and tend to appear in questions.

    [2] Managing Samba user accounts

    (1) The user account database

    In Samba 2.2, account information such as user names and passwords is stored in the smbpasswd file.

    From Samba 3.0, user accounts are stored in the database specified by the passdb backend = parameter in the [global] section.

    passdb backend = tdbsam
    Uses TDB (Trivial DataBase)

    passdb backend = ldapsam
    Uses LDAP

    TDB can manage more attribute information than the conventional smbpasswd file.

    In addition, passdb backend = smbpasswd exists for backward compatibility; with this setting the smbpasswd file is used.

    (2) User authentication method

    The user authentication method is specified by the security = parameter in the [global] section.

    security = user
    Performs local authentication with a user name and password

    security = share
    Performs authentication with a password only

    security = domain
    Authentication is performed by a domain controller

    security = server
    Authentication is performed by another SMB server

    security = ads
    Authentication is performed by the domain controller of an AD (Active Directory) domain

    In addition, with security = domain, security = server or security = ads, the server to authenticate against is specified with password server =.

    (3) User registration

    Samba users are registered with the smbpasswd command in Samba 2.2 and with the pdbedit command from Samba 3.0.

    The user to be registered must already exist as a UNIX account on the system.

    # smbpasswd -a user01

    (Example 1) Registering user01 with smbpasswd

    # pdbedit -a user01

    (Example 2) Registering user01 with pdbedit

    (4) Changing a password

    A user changes their own password with the smbpasswd command.

    $ smbpasswd

    Old SMB password:

    New SMB password:

    Retype new SMB password:

    Password changed for user user01

    (Example) User user01 changing their own password

    From Windows, the password can also be changed from the password change screen reached by pressing Ctrl+Alt+Del after logging on.

    (5) Password synchronization

    The password of the system's UNIX account and the password of the Samba user account are set and managed separately.

    However, by setting the three parameters unix password sync, passwd program and passwd chat appropriately, the UNIX account password can be changed in step with a change of the Samba password.

    unix password sync = yes enables password synchronization.

    The value of passwd program = is the command that sets the password (the passwd command). This command is run as root.

    passwd chat = specifies the conversation (chat) string exchanged between the passwd command and the system.

    unix password sync = yes

    passwd program = /usr/bin/passwd %u

    passwd chat = *%n\n*%n\n*

    (Setting example)

    (6) Setting up a guest account

    When a user who has no account on the Samba server accesses it, access can be allowed by mapping that user to a specific UNIX account (guest account).

    This is done by setting the three parameters guest ok, guest account and map to guest appropriately.

    guest ok = yes allows access with the guest account. public = yes means the same thing.

    The value of guest account = specifies the particular UNIX account.

    The value of map to guest = specifies how a user who does not exist as a Samba user is handled when accessing as the guest account.

    guest ok = yes

    guest account = nobody

    map to guest = Bad User

    (Setting example)

    (Note 4) The values of map to guest are as follows:

    Never
    Rejects login requests with an incorrect password.

    Bad User
    Rejects login requests with an incorrect password, but treats the login as a guest login if the specified user does not exist. In that case the user specified by guest account is used.

    Bad Password
    Treats login requests with an incorrect password as guest logins. In that case the user specified by guest account is used.


    ■ Key points for solving the problems [3]

    [3] Configuring Samba file permissions

    (1) Access to a share

    valid users =
    Specifies the users allowed access

    invalid users =
    Specifies the users denied access

    valid users = user01 user02

    (Example) Allow access to user01 and user02

    (2) Read and write permissions on files / directories

    The value of writable = is set to yes (write permitted) or no (write-protected). The following setting is equivalent.

    The value of read only = is set to yes (write-protected) or no (write permitted).

    writable = yes

    (Example) Allow writing

    The value of read list = specifies the user names that are given read permission.

    The value of write list = specifies the user names that are given write permission.

    write list = user01 user02

    (Example) Give write permission to user01 and user02

    A group name can also be specified in the value of valid users, invalid users, read list and write list.

    @group name
    The group is looked up first as an NIS group, then as a group set on the system

    &group name
    Specifies an NIS group

    +group name
    Specifies a group set on the system

    valid users = +staff

    (Example) Allow access to users belonging to the staff group
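How the user lists in (1) and (2) combine is easier to see when the expansion is written out. The following is an added example, not code from the article or from Samba: it expands valid users, invalid users, read list and write list values, including the +, & and @ group prefixes described above, against two constructed group tables (SYSTEM_GROUPS and NIS_GROUPS, standing in for /etc/group and NIS), and decides whether a given user gets no access, read access or write access to a share. The precedence rules in access_for (invalid users wins over valid users; read list downgrades on a writable share, write list upgrades on a read-only share) follow the smb.conf manual.

```python
"""Evaluate Samba user/group access lists against constructed group tables."""

# Constructed group databases standing in for /etc/group and NIS.
SYSTEM_GROUPS = {"staff": {"user01", "user03"}, "sales": {"user04"}}
NIS_GROUPS = {"staff": {"user05"}, "field": {"user06"}}


def expand_entry(entry):
    """Expand one token of an smb.conf user list into the set of user names it covers.

    +name : group set on the system
    &name : NIS group
    @name : NIS group first, then the system group (the order given in the text)
    other : a plain user name
    """
    if entry.startswith("+"):
        return set(SYSTEM_GROUPS.get(entry[1:], ()))
    if entry.startswith("&"):
        return set(NIS_GROUPS.get(entry[1:], ()))
    if entry.startswith("@"):
        name = entry[1:]
        if name in NIS_GROUPS:
            return set(NIS_GROUPS[name])
        return set(SYSTEM_GROUPS.get(name, ()))
    return {entry}


def expand_list(value):
    """Expand a whole space-separated list such as 'user01 user02 +staff'."""
    users = set()
    for token in value.split():
        users |= expand_entry(token)
    return users


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(share):
    """writable = yes/no, or its inverse read only = no/yes; the default is read-only."""
    if "writable" in share:
        return is_yes(share["writable"])
    if "read only" in share:
        return not is_yes(share["read only"])
    return False


def access_for(user, share):
    """Return 'deny', 'read' or 'write' for user on a share given as {param: value}."""
    if user in expand_list(share.get("invalid users", "")):
        return "deny"                                  # invalid users takes precedence
    if "valid users" in share and user not in expand_list(share["valid users"]):
        return "deny"                                  # not on the allow list
    writable = share_is_writable(share)
    if writable and user in expand_list(share.get("read list", "")):
        return "read"                                  # read list downgrades
    if not writable and user in expand_list(share.get("write list", "")):
        return "write"                                 # write list upgrades
    return "write" if writable else "read"


def demo():
    """Worked cases: the +group syntax versus a bare group name (Problem 4, question 2)."""
    staff_share = {"valid users": "user01 user02 +staff", "write list": "user01"}
    bare_name = {"valid users": "user01 user02 staff"}   # 'staff' is read as a user name
    return {
        "user01 on staff_share": access_for("user01", staff_share),   # write (write list)
        "user03 on staff_share": access_for("user03", staff_share),   # read  (via +staff)
        "user04 on staff_share": access_for("user04", staff_share),   # deny
        "user03 on bare_name": access_for("user03", bare_name),       # deny: no + prefix
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because both tables contain a group named staff, @staff resolves to the NIS members only, while +staff resolves to the system group; on a real server the two lookups are done by Samba against NIS and /etc/group.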

    (3) Showing / hiding shares and files

    The value of browseable = is set to yes (shown) or no (hidden).

    A share whose section name (share name) ends with $, as in [section$], is hidden.

    When veto files = is set to /file name/, that file name becomes hidden and cannot be accessed.

    When hide files = is set to /file name/, that file name becomes hidden, but it can still be accessed.

    (4) Permissions set when files / directories are created

    The permissions set when a file is created are specified by the values of the create mask and force create mode parameters.

    The permissions set when a directory is created are specified by the values of the directory mask and force directory mode parameters.

    (Note 5) In Samba 2.2 force directory mode can also be set as force directory mask

    The permissions of a created file are as follows.

    (value converted from the DOS attributes to a UNIX mode) AND (value of create mask) OR (value of force create mode)

    The permissions of a created directory are as follows.

    (value converted from the DOS attributes to a UNIX mode) AND (value of directory mask) OR (value of force directory mode)

    When a directory is created, if the value converted from DOS to UNIX is 777, directory mask = 755 and force directory mode = 0, the permissions of the created directory are 755

    (Example)
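The two formulas above are bit operations on octal modes, so they can be carried through in code. The following is an added example, not code from the article or from Samba: it applies (mode AND mask) OR force to the article's 777 / 755 / 0 directory example and to the create mask and directory mask values that appear in Problem 4, taking the mode already converted from the DOS attributes as input (the DOS-to-UNIX conversion itself is not modelled).

```python
"""Compute the UNIX mode of files and directories created through a Samba share."""


def effective_mode(requested, mask, force):
    """(value converted from DOS to UNIX) AND (mask) OR (force mode)."""
    return (requested & mask) | force


def created_file_mode(requested, create_mask, force_create_mode=0):
    """Mode of a created file: create mask and force create mode."""
    return effective_mode(requested, create_mask, force_create_mode)


def created_dir_mode(requested, directory_mask, force_directory_mode=0):
    """Mode of a created directory: directory mask and force directory mode."""
    return effective_mode(requested, directory_mask, force_directory_mode)


def octal(mode):
    """Render a mode as a three-digit octal string, e.g. 0o755 -> '755'."""
    return format(mode, "03o")


def worked_examples():
    """Pair each smb.conf setting with the resulting mode (all inputs are constructed)."""
    return {
        # The article's example: 777 AND 755 OR 0 = 755
        "dir 777, directory mask 755, force 0": octal(created_dir_mode(0o777, 0o755, 0)),
        # Problem 4 choice c: owner rw, group r, others nothing = 640
        "file 777, create mask 640": octal(created_file_mode(0o777, 0o640)),
        "dir 777, directory mask 755": octal(created_dir_mode(0o777, 0o755)),
        # Problem 4 choice d: the 1 and 0 bits inverted, so the wrong bits survive
        "file 777, create mask 137": octal(created_file_mode(0o777, 0o137)),
        "dir 777, directory mask 022": octal(created_dir_mode(0o777, 0o022)),
        # force directory mode adds bits back even though the mask removed them
        "dir 777, mask 755, force directory mode 070": octal(created_dir_mode(0o777, 0o755, 0o070)),
    }


if __name__ == "__main__":
    for setting, mode in worked_examples().items():
        print(f"{setting}: {mode}")
```

The last entry shows why the force parameters deserve review on their own: a force directory mode of 070 re-grants group write even though directory mask = 755 was meant to remove it.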

    [Reference]

    (1) The smb.conf online manual (man smb.conf):

    Describes the options written in smb.conf; the description runs to about 100 pages.

    (Note) On CentOS 5.2 it is included in the samba-common package.

    (2) Samba Configuration Option Quick Reference, in the appendix of "Using Samba":

    A brief summary list of the options in smb.conf.

    (Note) On CentOS 5.2 it is included in both the samba package and the samba-swat package.

    Exercises

    Once you have grasped the points, try the exercises. For each problem I have noted its importance for the LPIC exam; refer to it when preparing.

    Problem 1

    A user changes their password with the smbpasswd command or by an operation on MS Windows, and you want smb.conf configured so that the UNIX password is changed at the same time, in synchronization with the change of the Samba SMB password. The passwd program = and passwd chat = parameters are already set to appropriate values. Which other "parameter = value" line must be set? (Select one.)

    [Importance for the exam: (level1) -, (level2) ***]

    a. sync always = no

    b. sync always = yes

    c. unix password sync = no

    d. unix password sync = yes

    e. password level = 0

    f. password level = 1

    Correct answer

    d

    Commentary

    sync always is a parameter for writing data held in memory to disk (synchronizing); it is not a password synchronization parameter, so choices a and b are wrong.

    Choice c is wrong because it is the setting that does not synchronize passwords.

    Choice d is correct because it is the setting that synchronizes passwords.

    password level is a parameter that specifies combinations of upper- and lower-case letters in the password; it is not a password synchronization parameter, so choices e and f are wrong.

    Problem 2

    Many unspecified MS Windows users who have no account on the Samba server are expected to access it. You want to configure a guest account in smb.conf so that such users can access the Samba server using one specific UNIX account, without being asked for a user name and password.

    Assume that security = user is set, that the nobody account is registered on the system, and that the pcuser account is not registered on the system. Which setting is correct? (Select one.)

    [Importance for the exam: (level1) ***, (level2) *]

    a. public = yes
    map to guest = Never
    guest account = nobody

    b. guest ok = yes
    map to guest = Bad User
    guest account = nobody

    c. public = no
    map to guest = Never
    guest account = pcuser

    d. guest ok = yes
    map to guest = Bad User
    guest account = pcuser

    Correct answer

    b

    Commentary

    Choice a is wrong because map to guest = Never rejects wrong passwords and does not map to the guest account.

    Choice b is correct: guest ok = yes allows use of the guest account, map to guest = Bad User allows a login as the guest account when the login name does not exist, and guest account = nobody maps the guest account to the system account nobody.

    Choice c is wrong in every setting: public = no prohibits use of the guest account, map to guest = Never rejects wrong passwords and does not map to the guest account, and guest account = pcuser maps the guest account to an account that does not exist on the system.

    Choice d is wrong because guest account = pcuser maps the guest account to an account that does not exist on the system.

    Problem 3

    Answer the following questions about hiding shares and files.

    [Importance for the exam: (level1) -, (level2) ***]

    (Question 1) You want to share the /home/private directory. However, so that only those who know the share name can access it, the share should not be displayed on the client side. Which settings are correct? (Select two.)

    a. [private]
    path = /home/private
    browseable = no

    b. [private]
    path = /home/private
    browseable = yes

    c. [private$]
    path = /home/private

    d. [.private]
    path = /home/private

    (Question 2) Share the /home/samba directory under the share name public. However, the Trash Folder directory placed under it should be available only to users who have an account on the Samba server and log in to the server itself, so it must be hidden from, and inaccessible to, client users such as Windows users. Which setting is correct? (Select one.)

    a. [public]
    path = /home/samba
    browseable = yes
    hide files = /home/samba/Trash Folder

    b. [public]
    path = /home/samba
    browseable = yes
    hide files = /Trash Folder/

    c. [public]
    path = /home/samba
    browseable = yes
    veto files = /home/samba/Trash Folder

    d. [public]
    path = /home/samba
    browseable = yes
    veto files = /Trash Folder/

    Correct answer

    (Question 1) a, c

    (Question 2) d

    Commentary

    (Question 1)

    Choice a is correct because browseable = no makes the share hidden.

    Choice b is wrong because browseable = yes makes the share displayed.

    Choice c is correct because the share name (section name) ends with $, so the share private$ is not displayed.

    Choice d is wrong because the share name (section name) .private is displayed as it is.

    (Question 2)

    The hide files parameter hides the files, but they can still be accessed, so choices a and b are wrong.

    Choice c uses the veto files parameter, which hides and blocks access, but it is wrong because the file name is specified as a directory path, which does not work.

    Choice d is correct because veto files hides and blocks access, and the file name to be specified is correctly enclosed in / characters.

    Problem 4

    Answer the following questions about access rights on shared files / directories.

    [Importance for the exam: (level1) -, (level2) **]

    (Question 1) You are setting up a shared directory. Files created there should be readable and writable by the owner, read-only for the group and inaccessible to others; directories created there should not be writable by anyone other than the owner. Which setting is appropriate? Assume that force create mode and force directory mode are both left at their default value of 0. (Select one.)

    a. file mode = 640
    directory mode = 755

    b. file mode = 137
    directory mode = 022

    c. create mask = 640
    directory mask = 755

    d. create mask = 137
    directory mask = 022

    (Question 2) You are setting up a shared directory and want to limit the users who can access it to user01, user02 and the users belonging to the system's staff group. Which setting is appropriate? (Select one.)

    a. valid users = user01 user02 + staff

    b. valid users = user01 user02 staff

    c. invalid users = user01 user02 + staff

    d. force user = user01 user02
    force group = staff

    Correct answer

    (Question 1) c

    (Question 2) a

    Commentary

    (Question 1)

    Choices a and b are wrong because there is no parameter called file mode.

    Choice c is correct because create mask sets the permissions of created files and directory mask sets the permissions of created directories correctly.

    Choice d is wrong because the 1 and 0 bits of the create mask and directory mask values are inverted.

    (Question 2)

    Choice a is correct because valid users specifies the users allowed access, and the group name is prefixed with +, which denotes a group.

    Choice b is wrong because there is no character denoting a group in front of staff, so staff is treated as a user name.

    Choice c is wrong because invalid users specifies the users who are denied access.

    Choice d is wrong because force user is a setting that makes accessing users act as the specified user, and force group is a setting that makes access take place as the specified group.

    Thank you for your effort. Next time the questions will be about "server management (DNS)".

    Reference: http://www.atmarkit.co.jp/ait/articles/0901/28/news153.html

    http://www.knowd.co.jp/

    Original article: https://www.cnblogs.com/linuxbo/p/4289392.html