如何根据域组将域用户映射到特定的 UID/GID?

如何根据域组将域用户映射到特定的 UID/GID?

我有一个 samba 4.4.3 文件服务器设置为 AD 域成员。

我当前的 smb.conf 文件是:

[global]
  workgroup = MYDOMAIN
  realm = MYDOMAIN.ROOT
  security = ADS 
  encrypt passwords = yes 
  idmap config *:backend =tdb
  idmap config *:range = 70001-80000
  idmap config MYDOMAIN:backend = rid 
  idmap config MYDOMAIN:range = 80000 - 1234567890123456
  winbind trusted domains only =no 
  winbind enum users = yes 
  winbind enum groups = yes 
  domain master = no
  local master = no
  map untrusted to domain = Yes 
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab
  winbind refresh tickets = yes 
  dns proxy = no
  log level = 10
  max log size = 1000
  syslog = 0 
  panic action = /usr/share/samba/panic-action %d
  server role = member server
  obey pam restrictions = yes 
  unix password sync = yes 
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  pam password change = yes 
  map to guest = bad user
  template shell = /bin/bash
  template homedir = /home/%D/%U
  client use spnego = yes 
  read only = yes 
  create mask = 0700
  directory mask = 0700
[rw]
  path = /srv/rw
  writable = yes 
  guest ok = no
  force user = share
  force group = share
  valid users=
  allow hosts =
  deny hosts =

如您所见,我使用了“强制用户”和“强制组”选项,以便域中的每个用户都映射到共享:共享。

现在安全模型已经改变,我想将域用户映射到共享:共享除非域用户位于“shareWriteAccess”(域)组中,如果不在,则位于 ro:ro 中。这可能吗?

目标是使某些域用户能够对共享具有写访问权限,而其他用户只能具有读访问权限。我更有信心使用 Linux 文件权限检查来实现这一点,所以我想到映射到 2 个不同的 Linux 用户。/srv/rw 具有权限 755 share:share,因此映射为 ro:ro 的域用户实际上是“只读”的。不过,我愿意接受另一种解决方案

相关内容