What does "enable" mean when adding samba share users?

In this question, the asker mentions adding and editing samba user accounts.

Like this:

$ sudo useradd --system --no-create-home --group=smb-group -s /bin/false smb-user1
$ sudo smbpasswd -a smb-user1
$ sudo smbpasswd -e smb-user1

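This article also describes it as an often-overlooked step.

However, I don't know where the problem lies: I can log in from my ubuntu18 client to the ubuntu22 server without enabling any user. I can read files, edit files, create directories, and copy and paste files into them.

For those wondering whether it affects this, my adjustments to /etc/samba/smb.conf are as follows: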

[shared]
   comment = Bla
   path = /srv/shared
   force user = smb-user1
   force group = smb-group
   create mask = 0664
   force create mode = 0664
   directory mask = 0775
   force directory mode = 0775
   guest ok = no
   read only = no

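The smbpasswd man page describes its behavior: it enables the user if disabled, and does nothing if already enabled. But it doesn't explain what it does or what it means. It also doesn't say whether users created with -a are automatically enabled.

Listing all users with sudo pdbedit -L -v doesn't show which users are enabled or not. I just created a second user, test-user1, so that I could enable one and compare them in that list. There is no difference.

What does it do, or what does it mean? Is it something that became obsolete years ago?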

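Answer 1

By default, when a user is added to the local smbpasswd file, that user is enabled. And the output of sudo pdbedit -L -v does not specifically indicate that the user is enabled. So when you enable a user that is already enabled, nothing happens.

According to the smbpasswd(8) man page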

-e

    This option specifies that the username following should be enabled in the local smbpasswd file, if the account was previously disabled. If the account was not disabled this option has no effect. Once the account is enabled then the user will be able to authenticate via SMB once again. 

However, after you disable a user, the account flags will show that the user is disabled with the D flag.

According to the smbpasswd(8) man page

-d

    This option specifies that the username following should be disabled in the local smbpasswd file. This is done by writing a 'D' flag into the account control space in the smbpasswd file. Once this is done all attempts to authenticate via SMB using this username will fail. 

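Here's an example...

Before disabling the user, look at the output of sudo pdbedit -L -v. Notice that the account flags show only U. This means the user is an ordinary user.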

$ sudo pdbedit -L -v
---------------
Unix username:        smb-user1
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-546278022-4217200412-1778477751-1001
Primary Group SID:    S-1-5-21-546278022-4217200412-1778477751-513
Full Name:
Home Directory:       \\TESTSERVER\smb-user1
HomeDir Drive:
Logon Script:
Profile Path:         \\TESTSERVER\smb-user1\profile
Domain:               TESTSERVER
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 15:06:39 UTC
Kickoff time:         Wed, 06 Feb 2036 15:06:39 UTC
Password last set:    Sun, 30 Jul 2023 20:45:45 UTC
Password can change:  Sun, 30 Jul 2023 20:45:45 UTC
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Next, disable the user:

$ sudo smbpasswd -d smb-user1
Disabled user smb-user1.

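Then look at the output of sudo pdbedit -L -v, and you will notice that a D has been added to the account flags, which indicates that the user is now disabled.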

$ sudo pdbedit -L -v
---------------
Unix username:        smb-user1
NT username:
Account Flags:        [DU         ]
User SID:             S-1-5-21-546278022-4217200412-1778477751-1001
Primary Group SID:    S-1-5-21-546278022-4217200412-1778477751-513
Full Name:
Home Directory:       \\TESTSERVER\smb-user1
HomeDir Drive:
Logon Script:
Profile Path:         \\TESTSERVER\smb-user1\profile
Domain:               TESTSERVER
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 15:06:39 UTC
Kickoff time:         Wed, 06 Feb 2036 15:06:39 UTC
Password last set:    Sun, 30 Jul 2023 20:45:45 UTC
Password can change:  Sun, 30 Jul 2023 20:45:45 UTC
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Finally, you can enable the user:

$ sudo smbpasswd -e smb-user1
Enabled user smb-user1.

Then run sudo pdbedit -L -v and you will see that the D flag has been removed.

$ sudo pdbedit -L -v
---------------
Unix username:        smb-user1
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-546278022-4217200412-1778477751-1001
Primary Group SID:    S-1-5-21-546278022-4217200412-1778477751-513
Full Name:
Home Directory:       \\TESTSERVER\smb-user1
HomeDir Drive:
Logon Script:
Profile Path:         \\TESTSERVER\smb-user1\profile
Domain:               TESTSERVER
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 15:06:39 UTC
Kickoff time:         Wed, 06 Feb 2036 15:06:39 UTC
Password last set:    Sun, 30 Jul 2023 20:45:45 UTC
Password can change:  Sun, 30 Jul 2023 20:45:45 UTC
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

For a list of account flags and their meanings, see the smbpasswd(5) man page

Account Flags

    This section contains flags that describe the attributes of the users account. This field is bracketed by '[' and ']' characters and is always 13 characters in length (including the '[' and ']' characters). The contents of this field may be any of the following characters:

        U - This means this is a "User" account, i.e. an ordinary user.

        N - This means the account has no password (the passwords in the fields LANMAN Password Hash and NT Password Hash are ignored). Note that this will only allow users to log on with no password if the null passwords parameter is set in the smb.conf(5) config file.

        D - This means the account is disabled and no SMB/CIFS logins will be allowed for this user.

        X - This means the password does not expire.

        W - This means this account is a "Workstation Trust" account. This kind of account is used in the Samba PDC code stream to allow Windows NT Workstations and Servers to join a Domain hosted by a Samba PDC. 

    Other flags may be added as the code is extended in future. The rest of this field space is filled in with spaces. For further information regarding the flags that are supported please refer to the man page for the pdbedit command.

Or, for a more complete list, see the pdbedit(8) man page

-c|--account-control account-control

    This option can be used while adding or modifying a user account. It will specify the users' account control property. Possible flags are listed below.

        N: No password required

        D: Account disabled

        H: Home directory required

        T: Temporary duplicate of other account

        U: Regular user account

        M: MNS logon user account

        W: Workstation Trust Account

        S: Server Trust Account

        L: Automatic Locking

        X: Password does not expire

        I: Domain Trust Account

    Example: -c "[X ]"
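
Added example, not part of the original answer: a small shell helper that reads sudo pdbedit -L -v output and reports, per account, the flags field and whether the D (disabled) or N (no password) flag is set. The function names and the trimmed sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Read `pdbedit -L -v` output on stdin; print "user flags state" per account.
smb_account_states() {
    awk '
        /^Unix username:/ { user = $3 }
        /^Account Flags:/ {
            # Flags sit between "[" and "]"; the padding spaces are not flags.
            lb = index($0, "["); rb = index($0, "]")
            flags = substr($0, lb + 1, rb - lb - 1)
            gsub(/ /, "", flags)
            state = (flags ~ /D/) ? "disabled" : "enabled"
            if (flags ~ /N/) state = state ",no-password"
            print user, flags, state
        }
    '
}

# Print only the accounts that carry the D flag.
smb_disabled_users() {
    smb_account_states | awk '$3 ~ /^disabled/ { print $1 }'
}

# Constructed sample: trimmed pdbedit -L -v records for the two users on this page.
sample_pdbedit_output() {
    cat <<'EOF'
---------------
Unix username:        smb-user1
NT username:
Account Flags:        [U          ]
---------------
Unix username:        test-user1
NT username:
Account Flags:        [DU         ]
EOF
}

# Demo on the sample; on a server use: sudo pdbedit -L -v | smb_account_states
sample_pdbedit_output | smb_account_states
```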
