我有一个 samba 4.4.3 文件服务器设置为 AD 域成员。
我当前的 smb.conf 文件是:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.ROOT
security = ADS
encrypt passwords = yes
idmap config *:backend =tdb
idmap config *:range = 70001-80000
idmap config MYDOMAIN:backend = rid
idmap config MYDOMAIN:range = 80000 - 1234567890123456
winbind trusted domains only =no
winbind enum users = yes
winbind enum groups = yes
domain master = no
local master = no
map untrusted to domain = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
dns proxy = no
log level = 10
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = member server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
template shell = /bin/bash
template homedir = /home/%D/%U
client use spnego = yes
read only = yes
create mask = 0700
directory mask = 0700
[rw]
path = /srv/rw
writable = yes
guest ok = no
force user = share
force group = share
valid users=
allow hosts =
deny hosts =
如您所见,我使用了“强制用户”和“强制组”选项,以便域中的每个用户都映射到共享:共享。
现在安全模型已经改变,我想将域用户映射到共享:共享除非域用户位于“shareWriteAccess”(域)组中,如果不在,则位于 ro:ro 中。这可能吗?
目标是使某些域用户能够对共享具有写访问权限,而其他用户只能具有读访问权限。我更有信心使用 Linux 文件权限检查来实现这一点,所以我想到映射到 2 个不同的 Linux 用户。/srv/rw 具有权限 755 share:share,因此映射为 ro:ro 的域用户实际上是“只读”的。不过,我愿意接受另一种解决方案