  About the Samba authentication process and permissions
  Add Date : 2017-08-31      
  First, a review
Samba provides file services to the local area network through two programs: smbd and nmbd. nmbd is the NetBIOS name resolution program; usually only one nmbd process runs on a system. smbd is the program that actually provides file services; usually the Samba server starts one smbd process for each client that makes a request.
nmbd and smbd share one configuration file: smb.conf. In Debian Etch, this file is located in the /etc/samba directory. Samba automatically rereads the contents of this file every 60s. So each time you modify the file, you can wait 60s for the new configuration options to take effect, or you can use the /etc/init.d/samba restart script to restart the processes manually. Before putting the modified file into use, you can run testparm to check that its syntax is correct.

Second, authentication and permissions
As I understand it, the Samba authentication process is divided into two steps.
1. First, Samba compares the user name and password provided by the client with the records in its local database; if they match, the client is given access to the shared resources. This is like needing the proper key before you can enter a house.
2. But entering the house does not mean you are free to use everything inside it. Samba determines by certain rules whether the client can access a particular file or use other resources (such as printers). Some of these rules are defined in the smb.conf file; more importantly, they are based on the Linux file permission system. The smbd process accesses files with the permissions of the user authenticated in step one (which means that the user name passed to Samba for authentication in step one must have a corresponding entry in the server's /etc/passwd file).

Third, the authentication process
1. Samba has four methods for authenticating a client's identity: share-level, user-level, server-level and domain-level. The latter three are essentially very similar; they differ only in where verification takes place. Under user-level, it takes place on the Samba server; under server-level, it takes place on another server; under domain-level, authentication is performed by the PDC or BDC.
2. share-level and user-level are the two most common authentication methods; user-level is Samba's default configuration.
On the client side, the difference between the two modes is this: in share-level mode the client does not need to enter a user name, only a password; in user-level mode the client must enter both a user name and a password.
On the server side, there is very little difference between the two modes: Samba must always use a user name and password combination for authentication. Under user-level, Samba checks the user name and password sent by the client against the records in the local database. Under share-level, because the client does not pass a user name, Samba takes the user names provided in the resource's section of the smb.conf file and the default user name compiled into Samba, combines each of them with the password, and compares each combination with the records in the local database. As soon as one combination passes verification, the client is given access to the shared resource with the permissions of the user that the user name corresponds to. If no combination passes, the client is refused access.
There is an exceptional case in share-level. If a shared resource sets
guest ok = yes
guest only = yes
guest account = a user account
then when a client connects, Samba automatically gives the client access to the shared resource with the permissions of the account designated by guest account, and the client does not even need a password.

Fourth, password transmission
In both share-level and user-level, the smb.conf file can specify how the Samba server interprets the password sent by the client: the password may be in plain text or in encrypted form. Which form the client sends is determined by the client operating system. For example, Windows 95 can only send passwords in clear text; Windows XP sends passwords in encrypted form by default, but this can be changed in the registry so that it sends clear-text passwords. So, if there are clients of several different versions, both a plain-text password database and an encrypted password database need to be maintained on the Samba server.
Use encrypt passwords = yes / no in the smb.conf file to configure how Samba interprets the received password.
When Samba is configured to interpret passwords as clear text, it uses /etc/passwd as the basis for verification; when Samba is configured to interpret passwords as encrypted, it uses smbpasswd as the basis for verification (in Debian Etch this file is located by default in the /etc/samba directory, but you can specify its location in the smb.conf file).
(My thoughts: the Linux user passwords stored in the /etc/passwd or /etc/shadow file are encrypted, but Windows clients do not support that encryption algorithm, so the client cannot encrypt the password locally with the same algorithm before sending it over the network. It can only send the password to the Samba server in plain text, after which the Samba server converts it with the algorithm that /etc/passwd supports and compares the result with the records in /etc/passwd.
The danger of transmitting passwords in the clear is obvious, so later versions of Windows encrypt the password first and then send it to the server. The problem is that the password encryption algorithm Windows uses differs from the one /etc/passwd uses, so Samba cannot compare what it receives with /etc/passwd directly, as it can with a plaintext password. And Windows uses a one-way algorithm. This means that Samba cannot recover the plaintext password from the encrypted password the client sends and then convert it for comparison with /etc/passwd. In short, when passwords are encrypted, the /etc/passwd or /etc/shadow file cannot be used as the basis for verification.)
Because the smbpasswd file is independent of the /etc/passwd file, a user's password for Samba shared resources can differ from the login password. But each user in the smbpasswd file must have a corresponding record in the /etc/passwd file, because once verification succeeds, Samba uses the corresponding user's permissions to access the resources on the client's behalf.
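An added example, not part of the original article: a small audit script that reads an smb.conf and reports the settings discussed in the two sections above (share-level authentication, clear-text password handling, and shares that admit clients without a password through the guest options). The sample configuration and share names are constructed, and the defaults used for unset options (security = user, encrypt passwords = yes, guest account = nobody) are assumptions.

```python
import re
# Constructed sample smb.conf (share names are made up).
SAMPLE = """\
[global]
   security = share
   encrypt passwords = no
   guest account = nobody
[public]
   guest ok = yes
   guest only = yes
[projects]
   ; guest ok = yes
"""
YES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {option: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Flag the settings the article describes as relaxing authentication."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    # Assumed defaults when unset: security = user, encrypt passwords = yes.
    if glob.get("security", "user").lower() == "share":
        findings.append(("global", "share-level: client sends no user name"))
    if glob.get("encrypt passwords", "yes").lower() not in YES:
        findings.append(("global", "passwords interpreted as clear text"))
    for name, opts in conf.items():
        if name == "global":
            continue
        get = lambda o, d: opts.get(o, glob.get(o, d))  # share overrides global
        if get("guest ok", "no").lower() in YES:
            mode = "always guest" if get("guest only", "no").lower() in YES else "guest allowed"
            account = get("guest account", "nobody")  # assumed default account
            findings.append((name, f"{mode}, no password, runs as {account}"))
    return findings
```

Calling audit(SAMPLE) returns one (section, message) pair per finding; testparm remains the tool for checking that the file's syntax is valid.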

Fifth, permissions
Once the client passes authentication, it can use the various resources provided by Samba. Two smb.conf options, browsable and writable, control whether users can browse and write to a resource.
At the same time, the client's read and write operations are controlled by the Linux system's permissions. For example, suppose there is a file whose permissions, owner and group are as follows:
rwxr-x--- user_a group_1 somefile
There are three users, with the following user names and groups:
User name   Group name
user_a      group_1
user_b      group_1
user_c      group_2
1. When a client connects as user_a and is verified, it can both read the file and write to it;
2. When a client connects as user_b and is verified, it can only read the file and cannot write to it;
3. When a client connects as user_c and is verified, it can neither read the file nor write to it.
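An added example, not part of the original article: the permission check above worked through in code, combining the share's writable option with the file's Linux mode. It assumes the client is already authenticated and mapped to a Linux user, and it ignores directory traversal permissions; the function names are hypothetical.

```python
# Constructed from the article's example: listing line and user/group table.
LISTING = "rwxr-x--- user_a group_1 somefile"
USERS = {"user_a": {"group_1"}, "user_b": {"group_1"}, "user_c": {"group_2"}}

def parse_listing(line):
    """Split 'rwxr-x--- owner group name' into its four fields."""
    mode, owner, group, name = line.split()
    if len(mode) != 9 or any(c not in "rwx-" for c in mode):
        raise ValueError(f"bad permission string: {mode!r}")
    return mode, owner, group, name

def effective_access(line, user, groups, writable=True):
    """Return (can_read, can_write) for a client authenticated as `user`.

    `writable` models the share's smb.conf option; the result is the
    intersection of what the share allows and what the file mode allows.
    """
    mode, owner, group, _ = parse_listing(line)
    # Linux picks exactly one permission class: owner, else group, else other.
    if user == owner:
        bits = mode[0:3]
    elif group in groups:
        bits = mode[3:6]
    else:
        bits = mode[6:9]
    return bits[0] == "r", bits[1] == "w" and writable

def access_matrix(line, users, writable=True):
    """Map each user name to its (can_read, can_write) pair."""
    return {u: effective_access(line, u, g, writable) for u, g in users.items()}
```

With writable=False even user_a loses write access, and an owner whose own permission bits lack w is denied writes even when the file's group has them.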