Samba server configuration under LINUX (advanced version)

The configuration introduced in the previous article already lets resources inside an enterprise be shared over the network, with sharing permissions assigned to manage the shared directory. For many businesses that falls far short of what is needed, so this article introduces Samba's more advanced functions.

User account mapping

As described in the previous section, Samba user accounts are stored in the smbpasswd file, and every account used to access the Samba server must correspond to a system account of the same name. That means the login name a client presents is also a valid local system user name: once the password is cracked, the attacker holds a working system account. This increases the security risk of the server, and the user account mapping function can be used to solve this problem.

The idea behind user account mapping is simple: if the name a client logs in with is not the name of a local system account, yet still grants access to the Samba server, the problem is solved.

To do this we maintain an account mapping table that records the correspondence between Samba accounts and virtual accounts. Clients then log in with the virtual account when accessing the Samba server.

We need to make the following change in the main configuration file



This line is added to enable user account mapping.

Then we locate the mapping file and open it


The last line was added by the author: tom on the left is the Samba user name, and the names on the right are the mapped account names.

After making the change, restart the smb service


Then we go to the Win7 client and access the Samba server again



Here the mapped account name dog is entered; cat works the same way.


OK, the share is accessed successfully.
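To make the mapping rule concrete, here is an added Python example (not code from the article or from Samba) that parses a mapping file in the format of Samba's username map file and resolves the name a client sends to the Samba account it maps to. The `[global]` parameter that switches this on in Samba is `username map = <path>`; the article's screenshot of that line is not preserved, so the file path and every line of the sample other than `tom = dog cat` are constructed for this example. Group entries (`@group`) are not handled here.

```python
"""
Resolve a client login name to a Samba account using the rules of Samba's
`username map` file:
  unixname = name1 name2 ...   # left: Samba/Unix user, right: client names
  a `*` on the right matches any client name
  a line starting with `!` stops processing after it matches
  lines starting with `#` or `;` are comments; quoted names may contain spaces
Added illustration, not Samba's own code.
"""
import shlex

# Constructed sample of /etc/samba/smbusers (only `tom = dog cat` is from the article)
SAMPLE_SMBUSERS = """\
# constructed sample, not a real file
root = administrator admin
nobody = guest pcguest smbguest
tom = dog cat
!alice = "alice smith"
"""


def parse_username_map(text):
    """Return a list of (unix_user, [client_names], stop_on_match) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            continue                      # malformed line: ignore it
        left, right = line.split("=", 1)
        names = shlex.split(right)        # honours quoted names with spaces
        rules.append((left.strip(), names, stop))
    return rules


def map_username(client_name, rules):
    """Apply the rules in order. After a match the mapped name is what later
    lines are compared against, so a trailing `guest = *` line catches every
    name that was not already stopped by a `!` line. Comparison is
    case-insensitive, which is how Samba compares user names."""
    current = client_name
    for unix_user, names, stop in rules:
        if "*" in names or any(n.lower() == current.lower() for n in names):
            current = unix_user
            if stop:
                break
    return current


if __name__ == "__main__":
    rules = parse_username_map(SAMPLE_SMBUSERS)
    for login in ("dog", "CAT", "administrator", "alice smith", "bob"):
        print(f"{login!r} -> {map_username(login, rules)!r}")
```

Note that the client never learns the real system account name: `dog` and `cat` both land on `tom`, and a name with no rule (`bob`) is left unchanged, so it still has to exist in the Samba password database to log in.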

Client Access Control

We can use the valid users field to control user access, but in a large enterprise with many users this approach becomes unwieldy. It also cannot express rules such as "clients from a certain IP subnet or a certain domain may access this resource". The hosts allow and hosts deny fields are used for that.

(1) The role of hosts allow and hosts deny fields

The hosts allow field defines which clients can access. The hosts deny field defines clients that are denied access.

(2) Restriction using IP address

Suppose we want to deny the 192.168.10 network segment access to the shared directory, but allow the single host 192.168.10.254 to access it.


We edit the main configuration file and set the security level to share


Then we add the restriction under the shared directory mez. A question arises here: do the allow entry and the deny entry conflict? No. The host on that network segment is explicitly allowed, and an allow entry takes precedence, so its access is not blocked. We can verify this.

First apply the settings and restart the smb service


Then on Win7, confirm that the host has that address, and access the Samba server again



We can see that the mez folder can still be accessed normally.

If you want to deny several network segments access to the smb server at the same time (separate the network segment addresses with spaces), we only need to write this

hosts deny=192.168. 172.17.

This line means that addresses in the 192.168 network segment and the 172.17 network segment are denied access to the directory.

(3) Restriction using domain names

This works like the IP address restriction, so one example is enough.

hosts deny=.mez.com .net jack

This denies access to clients in the .mez.com and .net domains and to the host named jack. For example, www.mez.com, ftp.mez.com and www.mez.net cannot access the share.

(4) Use wildcards for access control

hosts deny=all

hosts allow=mez

The all here is not a host named all; it denies access to every client. The line added below it then allows only the host mez to access the share.

Commonly used wildcards are "*", "?", "LOCAL" and so on.

As you can see, allow has a higher priority than deny. There is another situation, shown below, in which a whole network segment is allowed but one specific IP is excluded.

hosts deny=all

hosts allow=192.168.10. EXCEPT 192.168.10.10

This allows hosts on the 192.168.10 network segment to access the share, but excludes the host 192.168.10.10, which cannot access it.

Finally, a note on

The scope of hosts deny and hosts allow

Where these two fields are placed determines their scope. Set in [global], they apply to the whole Samba server. Set under a share section, they apply only to that one share.

[global]

hosts deny=all

hosts allow=192.168.10.254

Indicates that only 192.168.10.254 can access the Samba server.

[honey]

hosts deny=all

hosts allow=192.168.10.254

Only 192.168.10.254 can access that one share.
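The following added Python example (not code from the article or from Samba) evaluates `hosts allow` / `hosts deny` lists for a connecting client so the precedence rules from sections (2) to (4) and the [global] versus per-share scope can be checked against the article's own scenarios. The precedence follows Samba's documented behaviour: with both lists set, a client matching the allow list is admitted, otherwise a client matching the deny list is refused, and a client on neither list is admitted. Token forms handled are ALL, LOCAL, `.domain` suffixes, `192.168.10.` prefixes, exact names or addresses, network/mask and `EXCEPT`; treating `*` and `?` as shell-style wildcards is an assumption of this example, as is the constructed `CONF` dictionary standing in for smb.conf sections.

```python
"""
Evaluate Samba-style `hosts allow` / `hosts deny` lists for one client.
Added illustration, not Samba's code. Hostname matching assumes the server
has already resolved the client's address to a name (pass host=None if not).
"""
import ipaddress
import re
from fnmatch import fnmatchcase


def _tokens(value):
    """Samba accepts comma, space or tab separated lists."""
    return [t for t in re.split(r"[,\s]+", value or "") if t]


def _token_matches(tok, ip, host):
    t = tok.lower()
    h = host.lower() if host else None
    if t == "all":
        return True
    if t == "local":                          # a name without a dot
        return h is not None and "." not in h
    if t.startswith("."):                     # domain suffix, e.g. .mez.com
        return h is not None and h.endswith(t)
    if t.endswith("."):                       # network prefix, e.g. 192.168.10.
        return ip.startswith(t)
    if "/" in t:                              # network/mask or CIDR
        return ipaddress.ip_address(ip) in ipaddress.ip_network(t, strict=False)
    if "*" in t or "?" in t:                  # assumption: shell-style wildcard
        return fnmatchcase(ip, t) or (h is not None and fnmatchcase(h, t))
    return t == ip.lower() or t == h           # exact address or host name


def _list_match(tokens, ip, host):
    """Match up to the first EXCEPT; a hit is cancelled if the EXCEPT list
    (evaluated recursively) also matches the client."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            return False                      # reached the exceptions with no hit
        if _token_matches(tok, ip, host):
            rest = tokens[i + 1:]
            upper = [r.upper() for r in rest]
            if "EXCEPT" in upper:
                return not _list_match(rest[upper.index("EXCEPT") + 1:], ip, host)
            return True
    return False


def host_allowed(hosts_allow, hosts_deny, ip, host=None):
    allow = _tokens(hosts_allow)
    deny = _tokens(hosts_deny)
    if not allow and not deny:
        return True                           # no lists at all: everyone is admitted
    if not deny:
        return _list_match(allow, ip, host)   # allow list only: must be on it
    if not allow:
        return not _list_match(deny, ip, host)  # deny list only: must not be on it
    if _list_match(allow, ip, host):          # both: an allow entry wins
        return True
    return not _list_match(deny, ip, host)    # otherwise fall back to the deny list


def share_access(conf, share, ip, host=None):
    """`hosts allow` / `hosts deny` are share-level settings: a value under the
    share section overrides the one under [global], else [global] applies."""
    g = conf.get("global", {})
    s = conf.get(share, {})
    allow = s.get("hosts allow", g.get("hosts allow"))
    deny = s.get("hosts deny", g.get("hosts deny"))
    return host_allowed(allow, deny, ip, host)


# Constructed stand-in for smb.conf, mirroring the article's scenarios
CONF = {
    "global": {"hosts deny": "all", "hosts allow": "192.168.10.254"},
    "mez":    {"hosts deny": "192.168.10.", "hosts allow": "192.168.10.254"},
    "honey":  {"hosts deny": "all", "hosts allow": "192.168.10. EXCEPT 192.168.10.10"},
    "public": {},                             # inherits the [global] lists
}

if __name__ == "__main__":
    for share, ip in [("mez", "192.168.10.254"), ("mez", "192.168.10.3"),
                      ("honey", "192.168.10.10"), ("honey", "192.168.10.11"),
                      ("public", "192.168.10.3"), ("mez", "10.0.0.5")]:
        print(share, ip, "allowed" if share_access(CONF, share, ip) else "denied")
```

One caveat this makes visible: the article's mez configuration (`hosts deny=192.168.10.` with `hosts allow=192.168.10.254`) blocks the rest of that segment, but a client from a different network such as 10.0.0.5 is on neither list and is therefore admitted. If the intent is "only 192.168.10.254", the deny list must be `all`, as in the [global] and [honey] examples.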


Origin http://43.154.161.224:23101/article/api/json?id=325566031&siteId=291194637