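Set up Samba shared folders on a server so that all users can connect, with different access permissions for each department.
This takes two steps:
1. Set up the Samba service
Here is the configuration file. As for installation, just install the required packages with yum or a similar package manager; if you don't know how, look it up.
The main part is the configuration file, smb.conf: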
[global]
    workgroup = grand
    server string = samba server on HPC
    netbios name = HPC
    interfaces = 127.0.0.0/8 eth0 eth1
    security = user
    username map = /etc/samba/smbusers
    encrypt passwords = true
    passdb backend = smbpasswd
    smb passwd file = /etc/samba/smbpasswd
    log file = /var/log/samba/log.%m
    max open files = 1000
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    unix charset = GB2312
    use sendfile = yes
    write raw = yes
    read raw = yes
    max xmit = 65535
    aio read size = 16384
    aio write size = 16384
    max connections = 0
    deadtime = 0
    max log size = 500
    getwd cache = yes

[1_共享文档_研究部]
    comment = 1_SharedDoc_Research
    path = /1_SharedDoc_Research
;   writable = yes
    browseable = yes
    available = yes
    valid users = @research
    write list = @research
    create mode = 0770
    force create mode = 0770
    directory mode = 0770
    force directory mode = 0770
    force group = research
    vfs object = recycle
    recycle:repository = .deleted/%U
    recycle:keeptree = Yes
    recycle:versions = Yes
    recycle:maxsize = 0

[2_流程管理]
    comment = 2_ProcessManagement
    path = /2_ProcessManagement
;   writable = yes
    browseable = yes
    available = yes
    valid users = @research,@catia,@ProcessDevelopment
    write list = @research,@catia,@ProcessDevelopment
    create mode = 0770
    force create mode = 0770
    directory mode = 0770
    force directory mode = 0770
    force group = pub
    vfs object = recycle
    recycle:repository = .deleted/%U
    recycle:keeptree = Yes
    recycle:versions = Yes
    recycle:maxsize = 0

[3_流程开发处]
    comment = 3_ProcessDevelopment
    path = /3_ProcessDevelopment
;   writable = yes
    browseable = no
    available = yes
    valid users = @ProcessDevelopment
    write list = @ProcessDevelopment
    create mode = 0770
    force create mode = 0770
    directory mode = 0770
    force directory mode = 0770
    force group = pub
    vfs object = recycle
    recycle:repository = .deleted/%G
    recycle:keeptree = Yes
    recycle:versions = Yes
    recycle:maxsize = 0
;   The included file is read literally at this point, so its parameters apply to the share above.
    include = /etc/samba/smb.conf.%G
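The third share, 3_流程开发处 (Process Development), is a folder that only members of that department may access; staff from other departments cannot see it (browseable = no). For the members of this department to see it, an additional configuration file is needed.
Configuration file name: smb.conf.xxxx, where xxxx is the SMB user name. (The include line above uses %G, which Samba expands to the primary group name of the connecting user; %U is the variable for the user name.)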
    comment = 3_ProcessDevelopment
    path = /3_ProcessDevelopment
;   writable = yes
    available = yes
    browseable = yes
    valid users = @ProcessDevelopment
    write list = @ProcessDevelopment
    create mode = 0770
    force create mode = 0770
    directory mode = 0770
    force directory mode = 0770
    force group = pub
    vfs object = recycle
    recycle:repository = .deleted/test
    recycle:keeptree = Yes
    recycle:versions = Yes
    recycle:maxsize = 0
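This way, when xxxx accesses the "Process Development" folder, this configuration file is loaded separately.
2. Set folder access permissions
The Samba service is now configured, but to control users' access rights, ACLs are used here.
Samba has some permission controls of its own, but it cannot set permissions on the subdirectories of the shares above, so it has to be combined with Linux's own permission controls.
The folder permissions are set mainly with the following commands:
-R recurses into subdirectories and files
-m means modify
-d means default: for example, if you create a file inside a folder, that new file takes on this permission setting by default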
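setfacl -R -m u:xxxx:rwx /path       # give user xxxx read/write/execute on path (file or directory) and everything below it
setfacl -d -R -m u:xxxx:rwx /path    # set the default permissions of user xxxx on path and its subdirectories to read/write/execute
setfacl -R -m g:xxxx:rwx /path       # the same for group xxxx
setfacl -d -R -m g:xxxx:rwx /path
setfacl -R -m o::rwx /path           # the same for "other"; this entry takes no name
setfacl -d -R -m o::rwx /path
getfacl /path                        # show the ACL settings of path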
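When you view folder permissions with the ll command, the + in drwxrwx---+ indicates that an ACL is in effect on that folder.
When you view the ACL settings you may see something like mask::r-x. This means the maximum permission that ACL entries can grant is r-x; an entry that sets the w permission does not actually take effect.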
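To make the mask behaviour concrete, the following added example (not part of the original post) parses getfacl output and reports which entries the mask cuts down. The sample output is constructed and abridged, and the user name alice is hypothetical; the group and path names are taken from the configuration above.

```python
# Constructed, abridged getfacl output for illustration (user "alice" is hypothetical).
SAMPLE = """\
# file: 3_ProcessDevelopment
user::rwx
user:alice:rwx
group::rwx
group:ProcessDevelopment:rwx
mask::r-x
other::---
default:group:ProcessDevelopment:rwx
default:mask::rwx
"""

def _cap(perms, mask):
    """AND two rwx strings position by position, e.g. rwx & r-x -> r-x."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def effective_acl(getfacl_text):
    """Map each ACL entry to a (granted, effective) permission pair."""
    entries, masks = [], {}
    for raw in getfacl_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop "# file:" and "#effective:" comments
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        if tag == "mask":
            masks[scope] = perms
        else:
            entries.append((scope, tag, qualifier, perms))
    result = {}
    for scope, tag, qualifier, perms in entries:
        # The mask limits named users, the owning group and named groups,
        # but never the file owner (user::) or other::.
        capped = tag == "group" or (tag == "user" and qualifier != "")
        mask = masks.get(scope)
        prefix = "default:" if scope == "default" else ""
        result[f"{prefix}{tag}:{qualifier}"] = (perms, _cap(perms, mask) if capped and mask else perms)
    return result

def masked_entries(getfacl_text):
    """Entries whose granted permissions are reduced by the mask."""
    return {k: v for k, v in effective_acl(getfacl_text).items() if v[0] != v[1]}

if __name__ == "__main__":
    for entry, (granted, effective) in masked_entries(SAMPLE).items():
        print(f"{entry:30} granted={granted} effective={effective}")
```

By default setfacl -m recalculates the mask to cover the entries it sets, while a later chmod of the group bits on a file that has an ACL rewrites the mask, which is the usual way a mask ends up narrower than the entries.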
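3. A small tip:
A Samba shared folder sometimes loads very slowly after you open it. Pinging the Samba server at that moment makes it finish loading immediately, like a clogged drain that needs something poked through it.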