security
I have set up a Samba server with Windows domain integration. File sharing works well, but as soon as security = ads is set I cannot get a guest share to work. This is a simplified version of the configuration, containing a share open to a certain domain group and a share for unauthenticated users that does not work. I have attached smb.conf for reference.
[global]
workgroup = MYDOMAIN
dns proxy = no
netbios name = myshare
clustering = yes
security = ads
realm = mydomain.com
password server = 1.2.3.4
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
idmap uid = 100000-109999
idmap gid = 100000-109999
log file = /var/log/samba/log
log level = 3
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
unix password sync = yes
pam password change = yes
map to guest = bad user
guest account = nobody
[public]
browsable = yes
create mask = 0666
directory mask = 0777
writeable = yes
path = /share/public
guest ok = yes
[temp]
browsable = yes
valid users = root, @"share users"
create mask = 0666
directory mask = 0777
writeable = yes
path = /share/temp
guest ok = no
But guest ok = yes does not seem to have any effect (temp works fine and is writable by root and the group users). The user that nobody maps to has rwx permissions on the shared folder.
So what else is needed to grant guests access to a specific share when security = ads?
Answer 1
security = ads is not the problem; it only means that the Samba daemon accepts Kerberos tickets for authentication.
The real problem is restrict anonymous = 2. This forbids all anonymous connections to the server. Lowering the value to 1 allows anonymous access to a share by entering its path, and 0 additionally allows browsing the shares. With 0 or 1 the access permissions are still checked, and additional authentication may be required.
Source: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#RESTRICTANONYMOUS
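To make the answer's point concrete, here is an added example (it is not from the original question or answer): a small POSIX shell audit that parses an smb.conf offline and reports, for each share, whether guest ok = yes can actually take effect under the [global] restrict anonymous value. The config text embedded in it is a trimmed copy of the poster's smb.conf, constructed here as sample input, and the function names smb_get and smb_guest_verdict are this example's own.

```shell
#!/bin/sh
# Offline audit of an smb.conf: does "guest ok = yes" on a share actually
# grant anonymous access, given the [global] "restrict anonymous" value?
# Added example, not from the original post. The config text below is a
# trimmed copy of the poster's smb.conf, constructed here as sample input.
set -eu

# smb_get FILE SECTION KEY  ->  value of KEY inside [SECTION] (case-insensitive),
# empty if unset. Comment lines (# or ;) are skipped; smb.conf keys may contain
# spaces, so the key is everything left of the first "=" with whitespace trimmed.
smb_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                        sect = tolower(s); next }
        sect == tolower(want) && index($0, "=") {
            k = $0; sub(/=.*$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# smb_guest_verdict FILE SHARE  ->  one of:
#   no-guest    the share has no "guest ok = yes"
#   blocked     restrict anonymous = 2: every anonymous session is refused, so
#               the per-share flag never gets a chance to apply
#   path-only   restrict anonymous = 1: an anonymous connect works only when the
#               client names the share directly (no anonymous browse list)
#   browsable   restrict anonymous = 0 (Samba's default when unset): anonymous
#               browsing and connecting are both allowed
smb_guest_verdict() {
    file=$1; share=$2
    guest=$(smb_get "$file" "$share" "guest ok" | tr 'A-Z' 'a-z')
    case "$guest" in yes|true|on|1) ;; *) echo no-guest; return 0 ;; esac
    restrict=$(smb_get "$file" global "restrict anonymous")
    case "${restrict:-0}" in
        2) echo blocked ;;
        1) echo path-only ;;
        *) echo browsable ;;
    esac
}

# Constructed sample: the poster's [global], [public] and [temp] in trimmed form.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/broken.conf" <<'EOF'
[global]
    security = ads
    realm = mydomain.com
    restrict anonymous = 2
    map to guest = bad user
    guest account = nobody
[public]
    path = /share/public
    guest ok = yes
[temp]
    path = /share/temp
    guest ok = no
EOF
# The same config with the one-line change from the answer, in both variants.
sed 's/restrict anonymous = 2/restrict anonymous = 1/' "$TMP/broken.conf" > "$TMP/fixed.conf"
sed 's/restrict anonymous = 2/restrict anonymous = 0/' "$TMP/broken.conf" > "$TMP/open.conf"

for f in broken fixed open; do
    for s in public temp; do
        printf '%s.conf [%s]: %s\n' "$f" "$s" "$(smb_guest_verdict "$TMP/$f.conf" "$s")"
    done
done
```

On a live server the same thing can be confirmed with `testparm -s | grep -i 'restrict anonymous'` to see the effective value, then an anonymous connect such as `smbclient -N //myshare/public -c ls`. With restrict anonymous = 1, following the answer, the direct connect succeeds while an anonymous browse list (`smbclient -N -L //myshare`) is still refused; with 2 both are refused regardless of what the share section says.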