Guest share on a domain-integrated Samba server
A Windows domain-integrated Samba server has been set up. Sharing files works well, but as soon as security is set to ads, it is not possible to set up a guest share.

This is a shortened version of the configuration, containing a share that is open to a certain domain group and the non-working share for unauthenticated users. I attached the smb.conf for reference.

    [global]
    workgroup = MYDOMAIN
    dns proxy = no
    netbios name = myshare
    clustering = yes
    security = ads
    realm = mydomain.com
    password server = 1.2.3.4
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 10
    winbind use default domain = yes
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    restrict anonymous = 2
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    idmap uid = 100000-109999
    idmap gid = 100000-109999
    log file = /var/log/samba/log
    log level = 3
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    server role = standalone server
    passdb backend = tdbsam
    unix password sync = yes
    pam password change = yes
    map to guest = bad user
    guest account = nobody

    [public]
    browsable = yes
    create mask = 0666
    directory mask = 0777
    writeable = yes
    path = /share/public
    guest ok = yes

    [temp]
    browsable = yes
    valid users = root, @"share users"
    create mask = 0666
    directory mask = 0777
    writeable = yes
    path = /share/temp
    guest ok = no

But guest ok = yes does not seem to have any effect (temp is working as expected, writable by root and the users of the group). The user nobody, to which guests should be mapped, has rwx permissions on the shared folder. So what else is required to grant guests access to a specific share when security is generally ads?
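security = ads is not the problem; it only says that the Samba daemon accepts Kerberos tickets as authentication. The real problem is restrict anonymous = 2. This disallows every anonymous connection to the server. Lowering the value to 1 allows anonymous access to the shares by typing in the path; 0 even allows browsing the shares. Setting 0 or 1 will still check access rights and may require additional authentication.

Source: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#RESTRICTANONYMOUS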
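The conflict described in the answer can be caught before deployment. The following is an added example, not part of the original posts or of Samba itself: a small linter that reports every share with guest ok = yes and whether restrict anonymous = 2 in [global] blocks it. The function names and status strings are hypothetical, and the sample configuration is constructed from the one in the question.

```python
# Added example (not from the original posts): lint smb.conf guest shares.
SAMPLE = """\
[global]
   security = ads
   restrict anonymous = 2
   map to guest = bad user
   guest account = nobody
[public]
   path = /share/public
   writeable = yes
   guest ok = yes
[temp]
   path = /share/temp
   valid users = root, @"share users"
   guest ok = no
"""  # constructed: shortened from the configuration in the question

TRUE = {"yes", "true", "1"}  # boolean spellings documented in smb.conf(5)

def parse_smb_conf(text):
    """Return {section: {param: value}}; parameter names are lower-cased and
    stripped of whitespace because smb.conf ignores case and spacing there."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf

def audit_guest_shares(text):
    """List (share, status) for every share that sets guest ok = yes."""
    conf = parse_smb_conf(text)
    level = conf.get("global", {}).get("restrictanonymous", "0")  # default 0
    findings = []
    for name, p in conf.items():
        # "public" is the documented synonym of "guest ok"
        guest = p.get("guestok", p.get("public", "no")).lower() in TRUE
        if name == "global" or not guest:
            continue
        writable = (any(p.get(k, "no").lower() in TRUE
                        for k in ("writeable", "writable", "writeok"))
                    or p.get("readonly", "yes").lower() not in TRUE)
        if level == "2":  # per the answer: no anonymous connection is accepted
            findings.append((name, "blocked-by-restrict-anonymous"))
        else:
            findings.append((name, "guest-writable" if writable else "guest-read-only"))
    return findings
```

With restrict anonymous lowered to 0 or 1, the same report doubles as an inventory of shares that unauthenticated clients can reach, including which of them are writable.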