Today I will talk about some basic samba configuration. The content covers installing samba and configuring user permissions. First, the project background.
Project Background
A company needs to build an intranet storage server that employees in different departments access for their work. The current requirements are as follows:
There are four folders: [Finance Department], [Art Department], [Planning Department] and [Shared Software]. Requirements:
1. The employee accounts of the Finance Department, Art Department and Planning Department are independent of each other; each can only access its own department folder, where it can read, write and execute;
2. All employees can access the shared software folder soft, but can only read and execute, not write;
3. Under the Planning Department folder there are three project group folders, g1, g2 and g3; within the Planning Department, only members of a project group can access that group's folder, while the head of the Planning Department can access all project group folders;
4. All folders use a recycle bin, so that files users delete by mistake are kept and can be recovered;
5. The administrator can read, write and execute in the soft folder.
User division
Obviously, according to the requirements, employees in different departments have different permissions, and employees in the same department also have different permissions, so we list them in a table:
username     | Identity                    | Belongs to groups   | Authorized directories
-------------|-----------------------------|---------------------|---------------------------
caiwu1       | Finance Department staff    | caiwu1, caiwu       | caiwubu, soft
meishu1      | Art Department staff        | meishu1, meishu     | meishubu, soft
cehua1       | Planning Department group 1 | cehua1, cehua       | cehuabu, g1, soft
cehua2       | Planning Department group 2 | cehua2, cehua       | cehuabu, g2, soft
cehua3       | Planning Department group 3 | cehua3, cehua       | cehuabu, g3, soft
cehuazhuguan | Head of Planning Department | cehuazhuguan, cehua | cehuabu, g1, g2, g3, soft
admin        | administrator               | admin               | soft
After clarifying each user's permissions on the different directories, we can begin configuring samba.
Configure the server
The server is a freshly installed CentOS 7 (1810) system with nothing else configured yet.
Install the samba service
Install vim at the same time, to make editing the configuration file later easier.
yum -y install samba samba-client vim
Disable SELinux
vim /etc/selinux/config
Set SELINUX=disabled, save and exit, then reboot so the change takes effect. (A stricter alternative is to keep SELinux enforcing and label the share directories with the samba_share_t context; the rest of this walkthrough assumes it is disabled.)
Create the required directories
We create a data directory under the root, and then create all the department directories under data
mkdir /data
cd /data
mkdir caiwubu cehuabu meishubu soft
cd cehuabu
mkdir g1 g2 g3
Create a data_trash directory under the root; samba's recycle bin will store files that users delete by mistake here
mkdir /data_trash
chmod 777 /data_trash
Create the required users and groups
To prevent the samba users from logging in to the server itself, give each account a nologin shell with -s /sbin/nologin
useradd -s /sbin/nologin caiwu1
useradd -s /sbin/nologin meishu1
useradd -s /sbin/nologin cehua1
useradd -s /sbin/nologin cehua2
useradd -s /sbin/nologin cehua3
useradd -s /sbin/nologin cehuazhuguan
useradd -s /sbin/nologin admin
groupadd caiwu
groupadd meishu
groupadd cehua
groupadd g1
groupadd g2
groupadd g3
Create the corresponding samba users
Set the passwords according to your own policy; the weak password 123456 is used here only for testing.
smbpasswd -a caiwu1
smbpasswd -a meishu1
smbpasswd -a cehua1
smbpasswd -a cehua2
smbpasswd -a cehua3
smbpasswd -a cehuazhuguan
smbpasswd -a admin
Change the group owner of each directory
cd /data
chown root.caiwu caiwubu
chown root.cehua cehuabu
chown root.meishu meishubu
cd cehuabu
chown root.g1 g1
chown root.g2 g2
chown root.g3 g3
Modify directory permissions
chmod 777 /data/soft
chmod 770 /data/cehuabu/g1
chmod 770 /data/cehuabu/g2
chmod 770 /data/cehuabu/g3
Configure the main samba configuration file
Before editing, back up the main configuration file so that a mistake can be undone
cd /etc/samba
cp smb.conf smb.conf.bak
vim smb.conf
Configure [Finance Department] folder
Configure [Art Department] folder
Configure [Planning Department] folder
Configure [soft] folder
Enable the recycle bin globally
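The share definitions and the global recycle-bin setting edited in the steps above were not captured on this page; the following smb.conf is an added example that implements the five requirements, not the author's own file. It assumes the three department directories caiwubu, meishubu and cehuabu are group-writable (mode 770, owned by root and the department group; the chmod steps above only set soft and g1-g3), and it leaves the workgroup name at the samba default.

```ini
[global]
    ; every client must authenticate as a samba user, no guest access
    security = user
    map to guest = never
    ; Requirement 4: deletes go to the recycle bin instead of unlinking the file
    vfs objects = recycle
    ; one sub-directory per user under the /data_trash created earlier
    recycle:repository = /data_trash/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes

[caiwubu]
    comment = Finance Department
    path = /data/caiwubu
    ; only members of the caiwu group can connect to this share
    valid users = @caiwu
    read only = no
    ; new files get the department group so colleagues can read and write them
    force group = caiwu
    create mask = 0660
    directory mask = 0770

[meishubu]
    comment = Art Department
    path = /data/meishubu
    valid users = @meishu
    read only = no
    force group = meishu
    create mask = 0660
    directory mask = 0770

[cehuabu]
    comment = Planning Department
    path = /data/cehuabu
    ; samba gates the share; g1/g2/g3 are gated by their Linux mode 770 and group gN
    valid users = @cehua
    read only = no
    force group = cehua
    create mask = 0660
    directory mask = 0770

[soft]
    comment = Shared software
    path = /data/soft
    valid users = @caiwu, @meishu, @cehua, admin
    ; Requirement 2: everyone reads and executes; Requirement 5: only admin writes
    read only = yes
    write list = admin
```

Because admin is not in the valid users of the department shares, it is refused there at the samba level regardless of the Linux mode, which is what Goal 1 below checks.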
Save and exit
Start samba and enable it at boot
systemctl start smb.service
systemctl enable smb.service
Allow the samba service through the firewall
firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload
Verify that the directory effectively restricts permissions
Goal 1: the admin user can only enter the soft directory and can write files into it; the other directories cannot be accessed
Access to the Art Department share is denied, and likewise for the Finance Department and Planning Department shares
soft can be entered, and files can be stored there and deleted
The deleted file has been placed in the recycle bin
Goal 2: cehua1 can enter g1 of the Planning Department and can read and write there, but cannot enter g2 or g3; it can execute the programs in the soft directory but cannot delete files in the soft directory
Authorize cehua1 to enter g1
usermod -a -G cehua cehua1
usermod -a -G g1 cehua1
systemctl restart smb
Goal 3: cehuazhuguan can access the files of all project groups in the planning department and manage the files of all project groups
Authorize cehuazhuguan
usermod -a -G cehua cehuazhuguan
usermod -a -G g1 cehuazhuguan
usermod -a -G g2 cehuazhuguan
usermod -a -G g3 cehuazhuguan
systemctl restart smb
g1 can be entered normally
Files in g1 can be deleted
A file can be created in g2
Similarly, the planning department head can also execute the software installation packages in soft
Summary
1. To configure samba, first clarify the requirements and determine the directory structure and user permissions;
2. When configuring directory permissions, first open up all permissions and test that access works normally, then restrict permissions one by one according to the requirements;
3. When samba cannot be accessed, check the Linux configuration. In many cases it is not a samba restriction but a permission of Linux itself: for example, whether SELinux is disabled, whether the firewall is running, and whether the corresponding policies and ports are allowed.