1. Preparations
Disable the firewall
Disable SELinux
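# The tutorial stops the host firewall outright. A tighter alternative that
# keeps it running is to open only the Samba service:
#   firewall-cmd --permanent --add-service=samba && firewall-cmd --reload
systemctl stop firewalld.service

# Put SELinux into permissive mode for the running session and report the
# resulting mode. Note: keeping SELinux enforcing is possible if the share
# paths are labelled samba_share_t instead of turning it off.
setenforce 0
getenforce

# Make the change persistent: back up the config (\cp bypasses any "cp -i"
# alias), then rewrite the mode only if it is not already "disabled".
\cp /etc/selinux/config{,.ori}
if ! grep -q "SELINUX=disabled" /etc/selinux/config; then
  sed -i 's%SELINUX=enforcing%SELINUX=disabled%g' /etc/selinux/config
fi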
2. Install the Samba packages with yum
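yum install -y samba

# Verify what was pulled in. Example output from the tutorial host
# (CentOS 7, Samba 4.7.1):
#   [root@zon ~]# rpm -qa | grep samba
#   samba-4.7.1-9.el7_5.x86_64
#   samba-common-libs-4.7.1-9.el7_5.x86_64
#   samba-common-tools-4.7.1-9.el7_5.x86_64
#   samba-common-4.7.1-9.el7_5.noarch
#   samba-libs-4.7.1-9.el7_5.x86_64
#   samba-client-libs-4.7.1-9.el7_5.x86_64
rpm -qa | grep samba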
3. Plan the Samba users, permissions and directories
Create the planned Samba users
# One group per department (ad, op, fd, rd), each with an "_admin" and a
# "_user" account. The accounts get /sbin/nologin: they exist only for Samba
# authentication and file ownership, never for interactive login. A failed
# groupadd skips that department's users, as in the original && chains.
for dept in ad op fd rd; do
  groupadd "${dept}_gp" \
    && useradd -g "${dept}_gp" -s /sbin/nologin "${dept}_admin" \
    && useradd -g "${dept}_gp" -s /sbin/nologin "${dept}_user"
done

# Tools administrator: default user-private group, no login shell.
useradd -s /sbin/nologin tools_admin
Set the Samba user password
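# Add the system user to Samba's password database (passdb backend tdbsam);
# pdbedit prompts for the new password twice. Replace "username" with the
# account, e.g. ad_admin, and repeat for every user created above.
pdbedit -a -u username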
Create the planned directories and set their owner and group
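# Department directories, plus a per-department sub-directory under the
# common share tree.
mkdir -p /company/{ad,op,share,fd,rd} && mkdir -p /company/share/{ad,op,tools,fd,rd}

# Owner = department admin, group = department group. "user:group" is the
# documented chown separator; the legacy "user.group" spelling is ambiguous
# for user names that contain a dot.
chown ad_admin:ad_gp /company/{ad,share/ad}
chown op_admin:op_gp /company/{op,share/op}
chown tools_admin:tools_admin /company/{share,share/tools}
chown fd_admin:fd_gp /company/{fd,share/fd}
chown rd_admin:rd_gp /company/{rd,share/rd}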
Change the permissions of the directories under the share directory so that users have full permissions only on the files they create; other users cannot delete or modify those files, except administrators.
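# Sticky bit (1xxx): inside these directories a file can be deleted or
# renamed only by its owner, the directory owner, or root. For the stated
# goal ("users have full rights on the files they create") the department
# group also needs write access to the directory, i.e. 1775 rather than
# 1755 -- with 1755 only the owning *_admin account could create files at
# all, since ordinary Samba users operate with their own Unix permissions.
chmod 1775 /company/share/{ad,fd,op,rd}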
4. Modify Samba's configuration file
Back up the configuration file:
# Keep a pristine copy (with ownership and timestamps) of the stock
# configuration before editing it.
cp -a /etc/samba/smb.conf /etc/samba/smb.conf.ori
a. Public share, accessible without logging in
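# Guest-accessible share. The directory is owned by "nobody", the account
# guest sessions run as.
mkdir /public
chown -R nobody:nobody /public/

# Replace /etc/samba/smb.conf (backed up above as smb.conf.ori) with the
# configuration below -- the same content the tutorial enters with vim.
# "public = yes" is a synonym for "guest ok = yes"; combined with
# "writable = yes" anyone who can reach the host can write to /public, so
# limit the reachable network with "hosts allow" (sample value below) unless
# the host is on a trusted LAN.
cat > /etc/samba/smb.conf <<'EOF'
[global]
    workgroup = WORKGROUP
    security = user
    map to guest = Bad User
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw
    log file = /var/log/samba/log.%m
    max log size = 50000
    # hosts allow = 192.168.1.     ; constructed sample, adjust to your LAN

[public]
    comment = Public Stuff
    path = /public
    public = yes
    writable = yes
EOF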
b. Restricting access by account
# /etc/samba/smb.conf -- per-department shares restricted to authenticated
# users. Every share is "public = no", so only the accounts in "valid users"
# can connect; "map to guest = Bad User" sends unknown user names to the
# guest account, which has no share it may open here, so they are refused.
[global]
    workgroup = WORKGROUP
    security = user
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw
    log file = /var/log/samba/log.%m
    max log size = 50000
    map to guest = Bad User

# "admin users" makes Samba perform that account's file operations as root
# on the share, bypassing the Unix permissions set earlier; directory
# ownership (admin owns /company/ad) is what actually grants the admin its
# rights, so consider dropping "admin users" if root-level access is not
# needed. The 0750 masks keep files and directories group-readable and
# hidden from other departments.
[AD]
    comment = This is a directory of AD.
    path = /company/ad/
    public = no
    admin users = ad_admin
    valid users = @ad_gp
    writable = yes
    create mask = 0750
    directory mask = 0750

[FD]
    comment = This is a directory of FD.
    path = /company/fd/
    public = no
    admin users = fd_admin
    valid users = @fd_gp
    writable = yes
    create mask = 0750
    directory mask = 0750

[OP]
    comment = This is a directory of OP.
    path = /company/op/
    public = no
    admin users = op_admin
    valid users = @op_gp
    writable = yes
    create mask = 0750
    directory mask = 0750

[RD]
    comment = This is a directory of RD.
    path = /company/rd/
    public = no
    admin users = rd_admin
    valid users = @rd_gp
    writable = yes
    create mask = 0750
    directory mask = 0750

# Cross-department tree. All groups may connect; what each user may do inside
# a sub-directory is decided by the Unix owner/group/sticky bits set above.
# tools_admin acts as root on this whole share via "admin users".
[Share]
    comment = This is a share directory.
    path = /company/share/
    public = no
    admin users = tools_admin
    valid users = tools_admin,@ad_gp,@fd_gp,@op_gp,@rd_gp
    writable = yes
    create mask = 0755
    directory mask = 0755
Note: some unlicensed Windows 7 builds report "access denied" with a password error even when the user name and password are correct.
Input file for batch creation of Samba users
vim creat_sys_and_smb_users.txt ad_gp:x:Administration Department:ad_admin:Executive director: ad_gp:x:Administration Department:ad_user:Administrative staff: op_gp:x:Operation Department:ad_admin:Operation Supervisor: op_gp:x:Operation Department:ad_user:Operating staff: fd_gp:x:Treasury Department:ad_admin:Treasurer: fd_gp:x:Treasury Department:ad_user:Financial staff: rd_gp:x:R & D department:ad_admin:R & D Supervisor: rd_gp:x:R & D department:ad_user:R & D staff: tools_admin:x:Tool Administrator:tools_admin:Tool Administrator:
Script to create the groups, system users and Samba users in batches, with random 10-character passwords
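#!/bin/bash
# creat_sys_and_smb_users.sh  (saved as /root/creat_sys_and_smb_users.sh)
#
# Create the groups and system users listed in creat_sys_and_smb_users.txt
# and register each user in Samba with a random 10-character password.
#
# Input: one account per line, colon separated, trailing colon allowed:
#   group1:group2:group description:username:full name:
#   group2 is "x" when the user belongs to group1 only. A username that
#   already exists is reported and skipped, so list each user only once.
# Output: one line per created user appended to /root/smb_user_info.txt as
#   full name:username:password:group description:group1:group2:
#   That file holds clear-text passwords: it is created with mode 0600 and
#   should be removed once the passwords have been handed out.
# Must run as root. "passwd --stdin" is specific to RHEL/CentOS.

readonly IN_FILE=/root/creat_sys_and_smb_users.txt
readonly OUT_FILE=/root/smb_user_info.txt

# Print a random 10-character alphanumeric password (no trailing newline).
gen_password() {
  tr -dc 'A-Za-z0-9' </dev/urandom | head -c 10
}

# Create group $1 unless it exists. getent compares the whole name; the
# former `grep "^$group" /etc/group` also matched any group whose name
# merely started with $group.
ensure_group() {
  local group=$1
  if ! getent group "$group" >/dev/null; then
    groupadd "$group" && echo "Creat $group"
  fi
}

# Create one account: system user, system password, Samba password, record.
#   $1 user  $2 supplementary groups (comma separated)  $3 password
#   $4 full name  $5 group description  $6 group1  $7 group2
# Returns non-zero (and records nothing) when useradd fails.
create_account() {
  local user=$1 groups=$2 pw=$3 name=$4 desc=$5 group1=$6 group2=$7
  # -G (supplementary) as in the original script; the planning step used -g
  # (primary). Samba's "valid users = @group" is satisfied by either.
  useradd -s /sbin/nologin -M -G "$groups" "$user" || return 1
  printf '%s\n' "$pw" | passwd --stdin "$user" >/dev/null 2>&1
  # pdbedit -t reads the password twice from stdin.
  printf '%s\n%s\n' "$pw" "$pw" | pdbedit -t -a -u "$user" >/dev/null 2>&1
  printf '%s:%s:%s:%s:%s:%s:\n' "$name" "$user" "$pw" "$desc" "$group1" "$group2" >>"$OUT_FILE"
}

main() {
  [[ -r "$IN_FILE" ]] || { echo "cannot read $IN_FILE" >&2; exit 1; }
  # Clear-text passwords go into OUT_FILE: make it root-only before the first
  # write (under the default umask it would otherwise be world readable).
  (umask 077 && : >>"$OUT_FILE") && chmod 600 "$OUT_FILE"

  # IFS=: splits on the field separator only, so descriptions containing
  # spaces ("Administration Department") stay in one field; the old
  # `for line in $(cat file)` split every such line at the space.
  local group1 group2 group_desc user name rest groups pw
  while IFS=: read -r group1 group2 group_desc user name rest || [[ -n "$user" ]]; do
    [[ -z "$user" ]] && continue
    if id "$user" >/dev/null 2>&1; then
      echo "$user already exists"
      continue
    fi
    ensure_group "$group1"
    groups=$group1
    # Groups are ensured first and the user is then created unconditionally.
    # In the original, a new group1 combined with group2 = "x" took a branch
    # that created the group but never the user.
    if [[ "$group2" != "x" ]]; then
      ensure_group "$group2"
      groups="$group1,$group2"
    fi
    pw=$(gen_password)
    create_account "$user" "$groups" "$pw" "$name" "$group_desc" "$group1" "$group2"
  done <"$IN_FILE"
}

main "$@"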
The generated user information file
vim smb_user_info.txt name1:user1:Ldh8CDTTGa:Deputy General Office:fzb:x: name2:user2:Czg3giH793:General manager:zjb:fzb: