The scenario set up here is a company with three departments, finance, technology and leadership. Each department gets its own Unix group: caiwu, network and lingdao.
Each department has two users, so six accounts are created: caiwu01, caiwu02, network01, network02, lingdao01 and lingdao02.
Directories and access rights are then laid out to match how the company works. The point of the examples below is to show how Samba's share-level access controls can be combined with Unix permissions when building a file server.
1. The server uses user-level authentication. Each user can reach only his or her own home directory, with full rights to it; nobody else can see or enter it.
2. A caiwu folder that members of the caiwu and lingdao groups can see, as can network02, but only caiwu01 may write to.
3. A lingdao directory that only members of the leadership group can read and write; network02 may also access it, and outsiders must not even see that the directory exists.
4. A file-exchange directory, exchange, that everyone, including the guest account, can read and write, but where nobody can delete other people's files.
5. A public read-only folder, public, whose contents everyone can read but nobody can change.
Okay, let’s do the preliminary work first.
Create 3 groups:
#groupadd caiwu
#groupadd network
#groupadd lingdao
Add users and join relevant groups:
#useradd caiwu01 -g caiwu
#useradd caiwu02 -g caiwu
#useradd network01 -g network
#useradd network02 -g network
#useradd lingdao01 -g lingdao
#useradd lingdao02 -g lingdao
Then add each of the six accounts to Samba's password database with smbpasswd, for example smbpasswd -a caiwu01, and repeat for the other five. A Unix account alone is not enough: with security = user, Samba authenticates against its own password file, so a user without an smbpasswd entry cannot log in at all.
#mkdir /home/samba
#mkdir /home/samba/caiwu
#mkdir /home/samba/lingdao
#mkdir /home/samba/exchange
#mkdir /home/samba/public
To keep the Unix side out of the way, all of the directories above are given mode 777, and the five requirements are enforced with Samba's own share options. Be clear about what that means: the Unix permissions then neither grant nor deny anything, so the access control rests entirely on smb.conf, and anyone with a local shell on the server (not just Samba clients) can read and write everything under /home/samba. Where that matters, use group ownership and tighter modes instead of 777.
The following is the configuration file of my smb.conf
[global]
workgroup = bmit
# my network workgroup
server string = Frank's Samba File Server
# description shown for this server
security = user
# authenticate every connection with a username and password
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
# use encrypted password exchange; older Windows 95 and NT clients sent plain-text passwords, newer ones refuse to do so by default
The remaining global options can be left at their defaults.
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
create mode = 0664
directory mode = 0775
# %S expands to the name of the share being connected to, which for [homes] is the connecting user's own name, so only that user can open it; browseable = no keeps the home shares out of browse lists. This section satisfies requirement 1.
[caiwu]
comment = caiwu
path = /home/samba/caiwu
public = no
valid users = @caiwu,@lingdao,network02
write list = caiwu01
printable = no
# A share is read-only unless writable = yes, so everyone in valid users can only read; write list then grants caiwu01 write access on top of that. This section satisfies requirement 2.
[lingdao]
comment = lingdao
path = /home/samba/lingdao
public = no
browseable = no
valid users = @lingdao,network02
printable = no
# browseable = no hides the share from share listings, but hiding is not protection: it is valid users that refuses everyone outside the leadership group and network02. This section satisfies requirement 3.
[exchange]
comment = Exchange File Directory
path = /home/samba/exchange
public = yes
writable = yes
# This [exchange] section covers most of requirement 4, but not the rule that nobody may delete other people's files. No create mask or directory mask setting can do that, because deleting a file is a permission on the directory, not on the file. The fix is a plain Unix sticky bit on the directory:
chmod 1777 /home/samba/exchange
Note that the mode is 1777, the same as the system's /tmp. The leading 1 is the sticky bit: on a directory it means a file can be removed or renamed only by its owner, by the directory's owner, or by root, while everyone can still create files freely. The directory was just created and is empty, so there is no need for -R, and recursive 777 on existing files would let anyone overwrite them. Two caveats: the sticky bit protects the file name, not the contents, so whether others can overwrite a file depends on the mode Samba gives it at creation (create mask, default 0744, so only the owner can write); and all guest connections run as the same Unix guest account, so files created by guests are owned by that account and one guest can delete another guest's files.
[public]
comment = Read Only Public
path = /home/samba/public
public = yes
read only = yes
# read only = yes is already Samba's default for a share; it is stated explicitly here so the intent is visible. Together with public = yes this satisfies requirement 5.
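Before restarting, it is worth checking mechanically that the configuration really encodes the five requirements rather than reading it by eye. The script below is an added example and is not part of the original tutorial or of Samba itself. It parses an smb.conf with awk the way Samba reads parameter names (case-insensitively, with whitespace ignored, so readonly and read only are the same key), treats public as a synonym of guest ok and writable, writeable and write ok as the inverse of read only, checks each share against requirements 1 to 5, and confirms the sticky bit on the exchange path with the shell's -k test. The write_sample_conf function writes a constructed copy of the share definitions above with comments dropped; the path it takes for exchange is a stand-in for /home/samba/exchange so the script can run on any machine.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial: audit an smb.conf against the
# five requirements above and check the sticky bit on the exchange directory.
FAILS=0; fail() { echo "FAIL: $*"; FAILS=$((FAILS + 1)); }

# smb_get FILE SECTION PARAM -> prints the value, returns 1 if absent. Like Samba,
# compare parameter names case-insensitively with all whitespace removed.
smb_get() {
  local want; want=$(printf '%s' "$3" | tr -d ' \t' | tr 'A-Z' 'a-z')
  awk -v sec="$2" -v want="$want" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s); insec = (s == sec); next }
    insec && index($0, "=") {
      i = index($0, "="); key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)
      val = substr($0, i + 1); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
      if (key == want) { print val; found = 1; exit }
    }
    END { exit !found }' "$1"
}
to_bool() {  # Samba booleans: yes/true/1 are true, anything else is false
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in yes|true|1) echo yes ;; *) echo no ;; esac
}
smb_bool() {  # FILE SECTION PARAM DEFAULT -> yes|no
  local v; v=$(smb_get "$1" "$2" "$3") || v=$4; to_bool "$v"
}
guest_ok() {  # FILE SECTION -> yes|no; "public" is a synonym of "guest ok", default no
  local v; v=$(smb_get "$1" "$2" public) || v=$(smb_get "$1" "$2" 'guest ok') || v=no; to_bool "$v"
}
share_writable() {  # FILE SECTION -> yes|no; a share is read-only unless told otherwise
  local v p
  for p in writable writeable 'write ok'; do  # synonyms, each the inverse of "read only"
    if v=$(smb_get "$1" "$2" "$p"); then to_bool "$v"; return; fi
  done
  if v=$(smb_get "$1" "$2" 'read only'); then
    if [ "$(to_bool "$v")" = yes ]; then echo no; else echo yes; fi
  else echo no; fi
}
list_has() {  # FILE SECTION PARAM NAME -> 0 if NAME appears in the comma/space list
  local v; v=$(smb_get "$1" "$2" "$3") || return 1
  printf '%s\n' "$v" | tr ', ' '\n\n' | grep -qx -- "$4"
}
exchange_sticky() {  # FILE -> 0 if the exchange path exists and carries the sticky bit
  local p; p=$(smb_get "$1" exchange path) || return 1
  [ -d "$p" ] && [ -k "$p" ]
}

audit_conf() {  # FILE -> returns the number of failed checks (0 = all five hold)
  local f=$1 who; FAILS=0
  # 1. [homes]: %S expands to the connecting user's name; hidden from browse lists
  [ "$(smb_get "$f" homes 'valid users')" = '%S' ] || fail "homes: valid users must be %S"
  [ "$(smb_bool "$f" homes browseable yes)" = no ]  || fail "homes: must not be browseable"
  # 2. [caiwu]: caiwu and lingdao groups plus network02 read, only caiwu01 writes
  for who in @caiwu @lingdao network02; do list_has "$f" caiwu 'valid users' "$who" || fail "caiwu: $who not in valid users"; done
  [ "$(share_writable "$f" caiwu)" = no ]            || fail "caiwu: share must be read-only"
  [ "$(smb_get "$f" caiwu 'write list')" = caiwu01 ] || fail "caiwu: write list must be caiwu01 only"
  [ "$(guest_ok "$f" caiwu)" = no ]                  || fail "caiwu: guest access must be off"
  # 3. [lingdao]: leadership plus network02, hidden from everyone else
  for who in @lingdao network02; do list_has "$f" lingdao 'valid users' "$who" || fail "lingdao: $who not in valid users"; done
  [ "$(smb_bool "$f" lingdao browseable yes)" = no ] || fail "lingdao: must not be browseable"
  [ "$(guest_ok "$f" lingdao)" = no ]                || fail "lingdao: guest access must be off"
  # 4. [exchange]: everyone writes; the sticky bit stops deleting other people's files
  [ "$(guest_ok "$f" exchange)" = yes ]       || fail "exchange: must allow guests"
  [ "$(share_writable "$f" exchange)" = yes ] || fail "exchange: must be writable"
  exchange_sticky "$f"                        || fail "exchange: path needs chmod 1777"
  # 5. [public]: everyone reads, nobody writes
  [ "$(guest_ok "$f" public)" = yes ]         || fail "public: must allow guests"
  [ "$(share_writable "$f" public)" = no ]    || fail "public: must be read-only"
  return "$FAILS"
}

# Constructed copy of the share definitions above (comments dropped); $2 stands in
# for /home/samba/exchange so the sticky-bit check can run on any machine.
write_sample_conf() {
  cat > "$1" <<EOF
[homes]
browseable = no
writable = yes
valid users = %S
[caiwu]
path = /home/samba/caiwu
public = no
valid users = @caiwu,@lingdao,network02
write list = caiwu01
[lingdao]
path = /home/samba/lingdao
public = no
browseable = no
valid users = @lingdao,network02
[exchange]
path = $2
public = yes
writable = yes
[public]
path = /home/samba/public
public = yes
read only = yes
EOF
}

# Demo: audit the constructed configuration with a 1777 exchange directory.
demo_dir=$(mktemp -d); mkdir "$demo_dir/exchange"; chmod 1777 "$demo_dir/exchange"
write_sample_conf "$demo_dir/smb.conf" "$demo_dir/exchange"
audit_conf "$demo_dir/smb.conf" && echo "all five requirements satisfied"; rm -rf "$demo_dir"
```

To use it against a real server, point audit_conf at /etc/samba/smb.conf (or at the output of testparm -s, which prints the effective configuration with defaults resolved) instead of the constructed copy; the sticky-bit check then runs against the real /home/samba/exchange. Every failed check prints a FAIL line and the return value is the number of failures, so it can gate a restart from a deployment script.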
That completes the share definitions. Run testparm to check the file for syntax errors and unknown parameters, then restart the service:
#/etc/rc.d/init.d/smb restart
If you do not have a Windows machine at hand, test with Samba's own client-side commands first.
A few examples of their use follow; the man pages cover the rest.
smbclient -L <server ip> -N
-N suppresses the password prompt, so this lists the server's shares as the guest account. Use it to confirm that lingdao does not appear; it should not be visible. Being hidden is not the same as being protected, so also try to open //<server ip>/lingdao anonymously and as network01 and confirm that both are refused. You can also list the shares as a specific user:
smbclient -L <server ip> -U caiwu01
You will be prompted for a password; enter the Samba (smbpasswd) password, which need not be the same as the Unix one.
smbclient //<server ip>/caiwu -U caiwu01
# connect to the caiwu share as user caiwu01
smbmount //<server ip>/caiwu /mnt/caiwu -o username=caiwu01
# mount the server's finance share on the local /mnt/caiwu directory (smbmount belongs to the old smbfs client; on current systems the equivalent is mount -t cifs with the same share, mount point and username option)