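Install and configure the Samba service on this server. Create three user groups for the company's finance, engineering and management departments, named finance, engineer and manager. Each group has two users: finance01, finance02, engineer01, engineer02, manager01, manager02.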
[root@localhost ~]# groupadd finance
[root@localhost ~]# groupadd engineer
[root@localhost ~]# groupadd manager
[root@localhost ~]# useradd -g finance finance01
[root@localhost ~]# useradd -g finance finance02
[root@localhost ~]# useradd -g engineer engineer01
[root@localhost ~]# useradd -g engineer engineer02
[root@localhost ~]# useradd -g manager manager01
[root@localhost ~]# useradd -g manager manager02
[root@localhost ~]# passwd finance01
Changing password for user finance01.
New password:
BAD PASSWORD: The password is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.
# The same steps for the remaining users are not repeated here
[root@localhost ~]# pdbedit -a -v finance01 # create the Samba user
new password:
retype new password:
Unix username: finance01
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3003835886-479305898-706290558-1000
Primary Group SID: S-1-5-21-3003835886-479305898-706290558-513
Full Name:
Home Directory: \\localhost\finance01
HomeDir Drive:
Logon Script:
Profile Path: \\localhost\finance01\profile
Domain: LOCALHOST
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 14:06:39 CVT
Kickoff time: Wed, 06 Feb 2036 14:06:39 CVT
Password last set: Fri, 29 Oct 2021 08:06:50 CVT
Password can change: Fri, 29 Oct 2021 08:06:50 CVT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
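The server uses user-level authentication. Each user can access only their own home directory, with full permissions on it, and no one can see anyone else's home directory.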
[root@localhost ~]# yum -y install samba
[root@localhost ~]# vi /etc/samba/smb.conf
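[global]
# security modes: user = user authentication, domain = domain, server = remote server, share = no authentication
# (share and server were removed in Samba 4; smb.conf comments must be on their own line)
security = user
[homes]
comment = Home Directories
# hide the share from browse lists
browseable = no
writable = yes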
Create the directory finance at /opt/finance: the finance group has read and write permission; the manager group and the user engineer02 have read permission.
[root@localhost ~]# mkdir /opt/finance
[root@localhost ~]# chown -R :finance /opt/finance/
[root@localhost ~]# chmod 777 /opt/finance/
[root@localhost ~]# vi /etc/samba/smb.conf
[finance]
comment = finance
path = /opt/finance
browseable = no
# read-only for valid users; write list grants write access to @finance only
writable = no
valid users = @finance,@manager,engineer02
write list = @finance
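Create the directory manager at /opt/manager: only members of the manager group can access it with read and write permission; the user engineer02 has read permission; no one else can access the directory.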
[root@localhost ~]# mkdir /opt/manager
[root@localhost ~]# chown -R :manager /opt/manager/
[root@localhost ~]# chmod 777 /opt/manager/
[root@localhost ~]# vi /etc/samba/smb.conf
[manager]
comment = manager
path = /opt/manager
browseable = no
# read-only for valid users; write list grants write access to @manager only
writable = no
valid users = @manager,engineer02
write list = @manager
Create a file-exchange directory exchange at /opt/exchange: everyone, including guest users, can read and write, but no one can delete other people's files.
[root@localhost ~]# mkdir /opt/exchange
[root@localhost ~]# chmod 777 /opt/exchange/
[root@localhost ~]# vi /etc/samba/smb.conf
[exchange]
comment = exchange
path = /opt/exchange
browseable = no
writable = yes
public = yes
[root@localhost ~]# chmod -R 1777 /opt/exchange/ # sticky bit: users cannot delete other users' files
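Prevent clients from uploading files or directories containing specific keywords to the Samba shares: clients may not upload executable (.exe) or bitmap (.jpg) files to /opt/finance, and may not upload files or directories whose names contain the keyword root to /opt/manager.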
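[finance]
comment = finance
path = /opt/finance
browseable = no
# read-only for valid users; write list grants write access to @finance only
writable = no
valid users = @finance,@manager,engineer02
write list = @finance
# do not allow .exe or .jpg files to be uploaded to this directory
veto files = /*.exe/*.jpg*/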
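[manager]
comment = manager
path = /opt/manager
browseable = no
# read-only for valid users; write list grants write access to @manager only
writable = no
valid users = @manager,engineer02
write list = @manager
# do not allow files or directories whose names contain "root" to be uploaded
veto files = /*root*/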
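A share's restrictions only hold if smbd recognises each parameter name and `write list` sits on a read-only share. As an added example (not part of the original post), the Python code below lints a constructed smb.conf fragment for three mistakes that widen access: a misspelled key such as `vaild users` (unknown parameters are ignored), a trailing `#` note on a value line (smb.conf treats only whole lines as comments), and `write list` on a share that is already writable. The key list, rule names and sample are assumptions made for illustration.

```python
import difflib

# Real smb.conf parameter names used on this page; extend before real use.
KNOWN_KEYS = ["path", "comment", "browseable", "writable", "read only", "guest ok",
              "public", "valid users", "invalid users", "write list", "veto files"]
YES, NO = ("yes", "true", "1"), ("no", "false", "0")
# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
[finance]
browseable = no #hidden
writable = yes
vaild users = @finance,@manager,engineer02
write list = @finance
[manager]
read only = yes
valid users = @manager,engineer02
write list = @manager
"""

def parse(text):
    shares, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":  # only whole-line # or ; are comments
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = shares.setdefault(line[1:-1].lower(), {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            cur[" ".join(key.lower().split())] = value.strip()
    return shares

def lint(text):
    """Return (share, rule, key, detail) tuples for access-widening mistakes."""
    out = []
    for share, opts in parse(text).items():
        for key, value in opts.items():
            if key not in KNOWN_KEYS:  # smbd ignores it, so the limit is lost
                near = difflib.get_close_matches(key, KNOWN_KEYS, n=1)
                out.append((share, "unknown-key", key, near[0] if near else ""))
            if " #" in value or " ;" in value:  # trailing text joins the value
                out.append((share, "inline-comment", key, value))
        writable = (opts.get("writable", "no").lower() in YES
                    or opts.get("read only", "yes").lower() in NO)
        if "write list" in opts and writable:  # every valid user can write
            out.append((share, "write-list-ineffective", "write list", opts["write list"]))
    return out

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

On a live server, `testparm -s` reports unknown parameters in the real /etc/samba/smb.conf.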
Verification:
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# systemctl restart smb.service
![](https://i-blog.csdnimg.cn/blog_migrate/7df2c3b3b4247c38a6355d62fea1e490.png)
![](https://i-blog.csdnimg.cn/blog_migrate/5f798e085ffab1c6a1325e9ca762385b.png)
![](https://i-blog.csdnimg.cn/blog_migrate/7ea14e16c6b283400708a59288dd4012.png)