For how to set up a Samba server on CentOS, see "centos7安装samba" on WannaHaha's CSDN blog.
This post records the multi-user permission configuration for a CentOS Samba shared directory.
1. Requirements
The HR department has a CentOS Samba file server, and access to each directory must be restricted according to the person's role:
Leader: HR leader
Regular employee: HR staff
Intern: HR intern
Archive area (already-area)
| Subdirectory | Read/write | Read-only (browse) |
| Corporate culture (01-qiyewenhua) | HR leader | HR staff, HR intern |
| Rules and regulations (02-guizhangzhidu) | HR leader | HR staff, HR intern |
| Compensation structure | HR leader | HR staff, HR intern |
Editing area (edit-area)
| Subdirectory | Read/write | Read-only (browse) |
| Recruitment (01-zhaopin) | HR leader, HR staff, HR intern | |
| Social insurance | HR leader, HR staff | HR intern |
| Salary | HR leader, HR staff | HR intern |
2. Samba server deployment
1) Install Samba
Last login: Tue Sep 22 23:35:49 2020
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@localhost ~]# rpm -qa | grep samba
samba-client-libs-4.10.4-11.el7_8.x86_64
samba-4.10.4-11.el7_8.x86_64
samba-client-4.10.4-11.el7_8.x86_64
samba-common-libs-4.10.4-11.el7_8.x86_64
samba-libs-4.10.4-11.el7_8.x86_64
samba-common-4.10.4-11.el7_8.noarch
samba-common-tools-4.10.4-11.el7_8.x86_64
Samba is already installed; if it is not, run the following command:
[root@localhost ~]# yum install -y samba
2) From a security standpoint, add a firewall rule that allows the Samba service rather than disabling the firewall:
[root@localhost ~]# firewall-cmd --add-service samba --permanent
success
Reload the firewall rules:
[root@localhost ~]# firewall-cmd --reload
success
Check that samba is among the services the firewall allows:
[root@localhost ~]# firewall-cmd --list-all | grep samba
services: ssh dhcpv6-client samba
SELinux must be disabled, otherwise Windows clients cannot access the Samba share properly. If you prefer to keep SELinux enforcing, label the share directory with the samba_share_t context (semanage fcontext plus restorecon) instead of the steps below.
[root@localhost ~]# vim /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled    # change to disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
3) Samba service configuration
[root@localhost ~]# vim /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
workgroup = SAMBA
security = user
map to guest = Bad User
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
Add the new Samba share:
[HR Samba Server]
comment = "share limits list"
# share root; must be the directory created in step 4
path = /data/samba
public = no
valid users = leader,staff,intern,@samba
printable = no
write list = leader,staff,intern
4) Create the shared directories
[root@localhost ~]# useradd samba
[root@localhost ~]# mkdir -p /data/samba/edit-area      # editing area
[root@localhost ~]# mkdir -p /data/samba/already-area   # archive area
[root@localhost ~]# chown -R samba.samba /data/samba
[root@localhost ~]# cd /data/samba
[root@localhost samba]# ll
total 0
drwxr-xr-x. 2 root root 6 Sep 23 04:24 already-area
drwxr-xr-x. 2 root root 6 Sep 23 04:23 edit-area
5) Add the Samba accounts
[root@localhost ~]# useradd leader -d /data/samba -s /sbin/nologin
useradd: user 'leader' already exists
[root@localhost ~]# useradd staff -d /data/samba -s /sbin/nologin
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@localhost ~]# useradd -d /data/samba -s /sbin/nologin staff
useradd: user 'staff' already exists
[root@localhost ~]# useradd -d /data/samba -s /sbin/nologin intern
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
These errors can be ignored, since the users have already been added.
The -s /sbin/nologin option means the user cannot log in to the system shell but can still use services such as FTP and Samba.
View the newly added Samba accounts:
[root@localhost ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
...
...
leader:x:1006:1006::/data/samba:/sbin/nologin
staff:x:1007:1007::/data/samba:/sbin/nologin
intern:x:1008:1008::/data/samba:/sbin/nologin
Set the Samba account passwords:
[root@localhost ~]# pdbedit -a -u leader
new password:
retype new password:
Unix username: leader
NT username:
Account Flags: [U ]
User SID: S-1-5-21-2060531220-1618663364-3200767798-1001
Primary Group SID: S-1-5-21-2060531220-1618663364-3200767798-513
Full Name:
Home Directory: \\localhost\leader
HomeDir Drive:
Logon Script:
Profile Path: \\localhost\leader\profile
Domain: LOCALHOST
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 10:06:39 EST
Kickoff time: Wed, 06 Feb 2036 10:06:39 EST
Password last set: Wed, 23 Sep 2020 04:48:52 EDT
Password can change: Wed, 23 Sep 2020 04:48:52 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[root@localhost ~]# pdbedit -a -u staff
new password:
retype new password:
Unix username: staff
NT username:
Account Flags: [U ]
User SID: S-1-5-21-2060531220-1618663364-3200767798-1002
Primary Group SID: S-1-5-21-2060531220-1618663364-3200767798-513
Full Name:
Home Directory: \\localhost\staff
HomeDir Drive:
Logon Script:
Profile Path: \\localhost\staff\profile
Domain: LOCALHOST
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 10:06:39 EST
Kickoff time: Wed, 06 Feb 2036 10:06:39 EST
Password last set: Wed, 23 Sep 2020 04:50:44 EDT
Password can change: Wed, 23 Sep 2020 04:50:44 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[root@localhost ~]# pdbedit -a -u intern
new password:
retype new password:
Unix username: intern
NT username:
Account Flags: [U ]
User SID: S-1-5-21-2060531220-1618663364-3200767798-1003
Primary Group SID: S-1-5-21-2060531220-1618663364-3200767798-513
Full Name:
Home Directory: \\localhost\intern
HomeDir Drive:
Logon Script:
Profile Path: \\localhost\intern\profile
Domain: LOCALHOST
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 10:06:39 EST
Kickoff time: Wed, 06 Feb 2036 10:06:39 EST
Password last set: Wed, 23 Sep 2020 04:51:21 EDT
Password can change: Wed, 23 Sep 2020 04:51:21 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
List the Samba accounts:
[root@localhost ~]# pdbedit -L
staff:1007:
leader:1006:
intern:1008:
6) Set permissions on the shared directories
[root@localhost samba]# cd /data/samba
[root@localhost samba]# ll
total 0
drwxr-xr-x. 2 root root 6 Sep 23 04:24 already-area
drwxr-xr-x. 2 root root 6 Sep 23 04:23 edit-area
[root@localhost samba]# cd already-area
[root@localhost already-area]# mkdir 01-qiyewenhua
[root@localhost already-area]# chown -R leader.leader /data/samba/already-area/01-qiyewenhua
[root@localhost already-area]# chmod -R 744 /data/samba/already-area/01-qiyewenhua
[root@localhost already-area]# mkdir 02-guizhangzhidu
[root@localhost already-area]# chown -R staff.staff /data/samba/already-area/02-guizhangzhidu
[root@localhost already-area]# chmod -R 700 /data/samba/already-area/02-guizhangzhidu
[root@localhost already-area]# setfacl -R -m u:intern:rx /data/samba/already-area/02-guizhangzhidu
[root@localhost already-area]# setfacl -R -m g:leader:rwx /data/samba/already-area/02-guizhangzhidu
[root@localhost already-area]# ll
total 0
drwxr--r--. 2 leader leader 6 Sep 23 05:00 01-qiyewenhua
drwxrwx---+ 2 staff staff 6 Sep 23 05:03 02-guizhangzhidu
[root@localhost already-area]# cd ..
[root@localhost samba]# cd edit-area
[root@localhost edit-area]# mkdir /data/samba/edit-area/01-zhaopin
[root@localhost edit-area]# chown -R staff.staff /data/samba/edit-area/01-zhaopin
[root@localhost edit-area]# chmod -R 700 /data/samba/edit-area/01-zhaopin
[root@localhost edit-area]# setfacl -R -m g:leader:rwx /data/samba/edit-area/01-zhaopin
[root@localhost edit-area]# setfacl -R -m g:intern:rwx /data/samba/edit-area/01-zhaopin
Since leader has read/write access to the whole share, leader must also be granted read/write on every subdirectory:
[root@localhost]# setfacl -R -m u:leader:rwx /data/samba/already-area/01-qiyewenhua
[root@localhost]# setfacl -R -m u:leader:rwx /data/samba/already-area/02-guizhangzhidu
[root@localhost]# setfacl -R -m u:leader:rwx /data/samba/edit-area/01-zhaopin
Since staff has read access to already-area and read/write access to edit-area, staff must also be granted the matching permissions on every subdirectory:
[root@localhost]# setfacl -R -m u:staff:rx /data/samba/already-area/01-qiyewenhua
[root@localhost]# setfacl -R -m u:staff:rx /data/samba/already-area/02-guizhangzhidu
[root@localhost]# setfacl -R -m u:staff:rwx /data/samba/edit-area/01-zhaopin
Since intern has read access to already-area and read/write access to edit-area, intern must also be granted the matching permissions on every subdirectory:
[root@localhost]# setfacl -R -m u:intern:rx /data/samba/already-area/01-qiyewenhua
[root@localhost]# setfacl -R -m u:intern:rx /data/samba/already-area/02-guizhangzhidu
[root@localhost]# setfacl -R -m u:intern:rwx /data/samba/edit-area/01-zhaopin
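As an added example that is not part of the original post, the following POSIX sh script encodes the requirement table from section 1 and applies it with setfacl, additionally setting default ACLs so files that users later create through the share inherit the same rights, which the one-off commands above do not arrange; verify_acls reads the result back with getfacl. The /data/samba layout and the account names leader, staff and intern are the ones used above; the 02-guizhangzhidu row follows the table (leader read/write, staff and intern read-only).

```shell
#!/bin/sh
# Added example, not from the original post: apply the section-1 permission matrix as
# POSIX ACLs (access + default) and verify it with getfacl. Assumes the /data/samba
# layout and the accounts leader/staff/intern from the steps above.
# One requirement per line: DIRECTORY USER PERMS (rx = query only, rwx = read/write).
MATRIX='
/data/samba/already-area/01-qiyewenhua leader rwx
/data/samba/already-area/01-qiyewenhua staff rx
/data/samba/already-area/01-qiyewenhua intern rx
/data/samba/already-area/02-guizhangzhidu leader rwx
/data/samba/already-area/02-guizhangzhidu staff rx
/data/samba/already-area/02-guizhangzhidu intern rx
/data/samba/edit-area/01-zhaopin leader rwx
/data/samba/edit-area/01-zhaopin staff rwx
/data/samba/edit-area/01-zhaopin intern rwx
'
# acl_perm USER GETFACL_TEXT: the named user's effective permissions ("rx", "rwx", ...)
# or "none". The owner line "user::..." never matches; a "#effective:" column (mask-
# limited entry) overrides the granted bits.
acl_perm() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '
    $1 == "user" && $2 == u { p = ($3 ~ /#effective/) ? $4 : $3
                              gsub(/[^rwx]/, "", p); print p; found = 1; exit }
    END { if (!found) print "none" }'
}
# apply_acls BASE: each matrix entry (with /data/samba replaced by BASE) becomes a
# recursive access ACL plus a default ACL on the directories, so files later created
# through Samba inherit the same rights (the per-directory commands above do not).
apply_acls() {
  while read -r dir user perm; do
    [ -n "$dir" ] || continue
    setfacl -R -m "u:$user:$perm" "$1${dir#/data/samba}"
    find "$1${dir#/data/samba}" -type d -exec setfacl -d -m "u:$user:$perm" {} +
  done <<EOF
$MATRIX
EOF
}
# verify_acls BASE: print a line per mismatch against the matrix; return 1 if any.
verify_acls() {
  bad=0
  while read -r dir user perm; do
    [ -n "$dir" ] || continue
    got=$(acl_perm "$user" "$(getfacl -p "$1${dir#/data/samba}" 2>/dev/null)")
    [ "$got" = "$perm" ] || { echo "MISMATCH $dir $user want=$perm got=$got"; bad=1; }
  done <<EOF
$MATRIX
EOF
  return $bad
}
```

Run apply_acls /data/samba as root after step 6, then verify_acls /data/samba; its exit status can be checked periodically to detect drift after someone changes permissions by hand.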
3. Verify the configuration by logging in to the Samba server from a Windows client as each of the different identities