搭建samba服务过程记录

cat /etc/samba/smb.conf 示例

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

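[global]

# Workgroup / NT domain name this Samba server is part of
   workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
   server string = Samba Server

# Force the use of ACLs: acl_xattr stores Windows (NT) ACLs in extended
# attributes of the shared files
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes

   printcap name = /etc/printcap
   load printers = yes

#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/%m.log
   log level = 3
   debug timestamp = yes

# Cap the size of the individual log files (in KiB).
   max log size = 50

# Every client must authenticate with a Samba user name and password
   security = user

   name resolve order = lmhosts bcast wins host

   dns proxy = no

# NOTE(review): wide links = yes lets the server follow symlinks whose target
# lies outside the share path (Samba only honours it while unix extensions
# are off, hence the third line). Any account able to create symlinks inside
# a shared directory can then expose files that were never meant to be shared.
# Keep these three lines only if a share depends on such links; otherwise set
# "wide links = no".
   wide links = yes
   follow symlinks = yes
   unix extensions = no

# Accept NTLMv2 only. "ntlm auth = yes" also admits the much weaker NTLMv1
# responses; ntlmv2-only is the default in current Samba releases.
   ntlm auth = ntlmv2-only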

#======================= Share Definitions =======================

[printers]
# Spool directory used for print jobs
   path = /var/spool/samba
   comment = All Printers
   printable = yes
# Not listed when browsing the server, and no guest access
   browseable = no
   guest ok = no

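# The share name (shared_dir) is arbitrary; it does not have to match the last
# component of "path". It is the name clients see after logging in to Samba.
[shared_dir]
    comment = Share Folder require password
    path = /home/sa/shared_dir
# Only these Samba accounts may connect to the share
    valid users = stftp_user public_user
    available = yes
    browseable = yes
# The share is meant to require a password, so guest logins stay disabled
    guest ok = no
# "writable" is just the inverted synonym of "read only"; one line is enough
    read only = no
# New files: read/write for owner and group, no execute bit, nothing for others.
# New directories: full access for owner and group only.
    create mask = 0660
    directory mask = 0770
    inherit acls = yes
# With inherit permissions = yes new entries take their permission bits from
# the parent directory, which overrides the masks above; set the mode of the
# share root to what new files should end up with.
    inherit permissions = yes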

权限控制

添加用户

samba服务器上创建一个新用户(adduser创建)或者现有用户,确保这个用户拥有你想要共享的目录的访问权限

samba创建一个用户,并设置密码。将新建的用户添加到samba用户数据库,并设置一个samba密码

# Add the existing system account to Samba's user database; the command
# prompts for the Samba password to set for it
sudo smbpasswd -a username

创建共享目录并赋予权限

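# Create the directory with its final owner and mode in a single step, so it
# never exists with looser permissions and no separate chown/chmod is needed.
# Runs under sudo because the invoking account may not be able to write to
# /home/username.
sudo install -d -m 0700 -o username -g username /home/username/shared_dir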

配置samba共享

sudo vim /etc/samba/smb.conf
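[shared_dir]
    comment = Share Folder require password
    path = /home/username/shared_dir
# The directory is owned by "username" with mode 0700, so that is the only
# account that can use the share; list the same account here
    valid users = username
    available = yes
    browseable = yes
# The share is meant to require a password, so guest logins stay disabled
    guest ok = no
# "writable" is just the inverted synonym of "read only"; one line is enough
    read only = no
# New files: read/write for owner and group, no execute bit, nothing for others.
# New directories: full access for owner and group only.
    create mask = 0660
    directory mask = 0770
    inherit acls = yes
# With inherit permissions = yes new entries take their permission bits from
# the parent directory, which overrides the masks above.
    inherit permissions = yes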

重启samba服务

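# Check smb.conf for syntax errors first (testparm); restart only if it passes
testparm -s && sudo service smbd restart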

不同用户不同目录对应不同的访问权限

为每个用户创建一个共享文件夹,重复上面步骤

例:

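# One private directory per user, created directly with its final owner and
# mode (0700) so it never exists with looser permissions
sudo install -d -m 0700 -o user1 -g user1 /home/user1/shared_dir1
sudo install -d -m 0700 -o user2 -g user2 /home/user2/shared_dir2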

# sudo vim /etc/samba/smb.conf
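[shared_dir1]
    comment = Share Folder require password
    path = /home/user1/shared_dir1
# Only user1 may connect; without this line every authenticated Samba account
# can open the share and only the 0700 directory mode stands in the way
    valid users = user1
# Shares are read-only unless this is set
    read only = no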

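[shared_dir2]
    comment = Share Folder require password
    path = /home/user2/shared_dir2
# Only user2 may connect; without this line every authenticated Samba account
# can open the share and only the 0700 directory mode stands in the way
    valid users = user2
# Shares are read-only unless this is set
    read only = no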
    
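# Check smb.conf for syntax errors first (testparm); restart only if it passes
testparm -s && sudo service smbd restart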

同一个共享目录不同的用户不同的访问权限

要在同一个共享目录中为不同的用户设置不同的权限,可以使用文件系统访问控制列表(FACLs)。

  1. 确保文件系统支持ACL
  2. 安装acl软件包
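# The package that provides setfacl/getfacl is "acl" (not "cal")
sudo apt install acl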
  • 创建一个共享目录
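# Created as root, matching the "# owner: root" line in the getfacl output below
sudo mkdir -p /path/to/shared_dir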
  • 为共享文件夹设置适当的所有者和组。比如创建一个名为smbgrp的组,将所需用户添加到该组中,并将该组指定为共享文件夹的组所有者
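# Group that owns the share; every Samba user of the share becomes a member
sudo groupadd smbgrp
sudo usermod -a -G smbgrp user1
sudo usermod -a -G smbgrp user2
sudo chown :smbgrp /path/to/shared_dir
# Leading 2 = setgid, so new files and directories stay in smbgrp; 770 gives
# owner and group full access and leaves nothing for other local accounts
sudo chmod 2770 /path/to/shared_dir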
  • 使用setfacl命令为共享文件夹的不同用户或组设置特定的访问权限
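# user1: read/write. -R applies the entry to everything already in the tree;
# capital X adds execute only to directories and already-executable files
sudo setfacl -R -m u:user1:rwX /path/to/shared_dir
# user2: read-only
sudo setfacl -R -m u:user2:rX /path/to/shared_dir
# The two commands above only touch what exists now. Default ACLs (-d) on the
# directories make files created later start with the same per-user entries.
sudo setfacl -R -d -m u:user1:rwX,u:user2:rX /path/to/shared_dir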
  • 检查ACL设置是否正确
getfacl /path/to/shared_dir

可以看到类似输出

# owner: root
# group: smbgrp
user::rwx
user:user1:rwx
user:user2:r-x
group::rwx
  • 添加共享配置
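[shared_dir]
    comment = Share Folder require password
    path = /path/to/shared_dir
    valid users = user1 user2
# Shares are read-only by default, which would block user1's writes as well.
# With this set, the filesystem ACL decides: user1 rwx, user2 r-x.
    read only = no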

如果按照上面配置不生效,需要让samba强制遵循ACL

注意,每次修改/etc/samba/smb.conf文件或设置了setfacl选项后都需要重启samba服务才生效

# Merge these keys into the [global] section smb.conf already has; do not add
# a second [global] header
[global]
# acl_xattr stores Windows (NT) ACLs in extended attributes of the files
   vfs objects = acl_xattr
   store dos attributes = yes
   map acl inherit = yes
   
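[shared_dir]
    comment = Share Folder require password
    path = /path/to/shared_dir
    valid users = user1 user2
# Shares are read-only by default, which would block user1's writes as well.
# With this set, the filesystem ACL decides: user1 rwx, user2 r-x.
    read only = no
# New files and directories take ACLs and permission bits from their parent
    inherit acls = yes
    inherit permissions = yes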

其它

  • Windows上来访问samba服务时可直接在win + r运行框中输入\\ip\shared_dir
  • 如果同一台电脑需要用多个用户访问同一个服务器,在电脑上win + r运行框中输入control /name Microsoft.CredentialManager打开“凭据管理器”,点击Windows 凭据进行修改
07-11 02:26