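A Samba server with Windows domain integration has been set up. Sharing files works well, but a guest share cannot be set up as long as security is set to ads.
This is a shortened version of the configuration, containing a share that is open to a certain domain group and the non-working share for unauthenticated users. I have attached the smb.conf for reference.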
[global]
workgroup = MYDOMAIN
dns proxy = no
netbios name = myshare
clustering = yes
security = ads
realm = mydomain.com
password server = 1.2.3.4
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
idmap uid = 100000-109999
idmap gid = 100000-109999
log file = /var/log/samba/log
log level = 3
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
unix password sync = yes
pam password change = yes
map to guest = bad user
guest account = nobody
[public]
browsable = yes
create mask = 0666
directory mask = 0777
writeable = yes
path = /share/public
guest ok = yes
[temp]
browsable = yes
valid users = root, @"share users"
create mask = 0666
directory mask = 0777
writeable = yes
path = /share/temp
guest ok = no
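But guest ok = yes does not seem to have any effect (temp is working as expected, writable by root and by the users of the group). The user nobody, to which guests should be mapped, has rwx permissions on the shared folder.
So, what else is needed to grant guest access to a specific share when security is generally ads?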
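security = ads is not the problem; it only indicates that the Samba daemon accepts Kerberos tickets as authentication. The real problem is restrict anonymous = 2. This disallows every anonymous connection to the server. Lowering the value to 1 allows anonymous access to shares by typing the path, and 0 even allows browsing the shares. Setting 0 or 1 will still check access permissions and may require additional authentication. Source: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#RESTRICTANONYMOUS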
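The interaction described in the answer can be checked mechanically before a share is rolled out. The following is an added example, not part of the original question or answer and not Samba's own tooling: a small Python audit that reads smb.conf text and reports, for each share with guest access enabled, what the global restrict anonymous level does to it. The function names and the sample text are assumptions made for the illustration, and the effect descriptions are taken from the answer above.

```python
import configparser

# Constructed sample: trimmed from the smb.conf in the question.
SAMPLE_SMB_CONF = """
[global]
security = ads
restrict anonymous = 2
[public]
path = /share/public
guest ok = yes
[temp]
path = /share/temp
guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1", "on"}
# Effect of each "restrict anonymous" level, as described in the answer above.
EFFECT = {
    0: "reachable and browsable anonymously",
    1: "reachable anonymously by typing the path",
    2: "blocked: every anonymous connection is refused",
}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lowercased."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    # Parameter names are case-insensitive in smb.conf; also collapse space runs.
    cp.optionxform = lambda name: " ".join(name.lower().split())
    cp.read_string(text)
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}


def audit_guest_shares(text):
    """Return {share: effect} for every share that enables guest access."""
    conf = parse_smb_conf(text)
    level = int(conf.get("global", {}).get("restrict anonymous", "0"))
    findings = {}
    for share, params in conf.items():
        # "public" is a synonym for "guest ok" in smb.conf.
        guest = params.get("guest ok", params.get("public", "no"))
        if share != "global" and guest.strip().lower() in TRUE_VALUES:
            findings[share] = EFFECT[level]
    return findings


if __name__ == "__main__":
    for share, effect in audit_guest_shares(SAMPLE_SMB_CONF).items():
        print(f"[{share}] guest ok = yes, restrict anonymous -> {effect}")
```

On the sample, only [public] is reported, and it is reported as blocked, which matches the behaviour the question describes.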