A short preamble
Greetings to the Habr community.
In the life of any medium or large company there comes a moment, sooner or later, when it is simply indecent to keep living without network storage. You need to build a folder structure for personal, inter-departmental and other kinds of interaction, but more on that next time. Right now I want to show a quick way to create "personal folders" for the users of a company / firm / institution / etc. (underline the appropriate one).
Introduction
So, to the point. Assume we have a domain with authentication against any LDAP-compatible directory service (hereinafter DS), and the desire to build a file server on Linux + Samba (it can live on the same machine as the DS). Why give everyone a personal folder? Mainly to store data on the server that nobody else can reach. Why a separate folder per user rather than one directory with permissions carved up inside it? Yes, that way exists too, and for me as an administrator the two are about equal in terms of implementation hassle, but for users the chosen approach is clearly more convenient.
I will not talk about configuring Samba itself for authentication against the AD / DS; there are plenty of articles on that in the Russian-speaking internet and elsewhere, so we will dwell only on a couple of parameters relevant to us. Mostly this will be about the shell script that simplifies all of our tasks enormously.
Let's hit the road
First you need to create the folders themselves. No, we will not do it by hand ... All we need is to create text files with the following logic: name a file otdelK.txt and put several lines into it, IvanovI, PetrovV, and so on. How will the script parse this? Very simply: the file name is taken as the name of the department / division, and the lines as the names of employees from the DS. Whether you compile the .txt files manually or automatically is left to your discretion.
The very logic of creating folders:
CreateFolders () {
    mkdir "$PP"
    # every department list is a <department>.txt file in $catname
    for filename in "$catname"/*.txt; do
        group=$(basename "$filename" .txt)
        mkdir "$PP/$group"
        # one user name per line of the department file
        while read -r user; do
            mkdir "$PP/$group/$user"
            CreateShare "$group" "$user"
            PermissionsAssignment "$group" "$user"
        done < "$filename"
    done
}
That, in fact, is the unsophisticated way the directory structure is created (the full version, of course, carries a lot of checks). The $catname directory is scanned for .txt files, which are then processed one by one. The $PP variable holds the path to the folder in which everything is created.
After each personal folder is created, you can see calls to two more functions with "telling names". Let's look at their contents:
CreateShare () {
    username="$2"
    ou="$1"
    # do nothing if a [username] share section already exists in $SC
    if ! grep -qi "^\[$username\]" "$SC"; then
        cat >> "$SC" <<EOF
[$username]
    path = "$PP/$ou/$username"
    valid users = "@$DN\\$AG", "$DN\\$username"
    admin users = "@$DN\\$AG"
    browseable = No
    comment = "Private Documents %U"
    public = No
    writeable = Yes
    read only = No
    create mask = 0700
    directory mask = 0700
    inherit permissions = Yes
    inherit acls = Yes
    inherit owner = Yes
    vfs objects = recycle
    recycle:repository = .Trash
    recycle:versions = Yes
    recycle:keeptree = Yes
    recycle:exclude = *.TMP *.tmp ~*
EOF
        echo "Folder for user $username is shared" | tee -a "$log"
    else
        echo "INFO: Share for user $username already exists" | tee -a "$log"
        warn=true
    fi
}
This function is called with two arguments: department and user name. It checks whether a share already exists for the user and, if not, creates one. The meaning of each parameter can be looked up in the official man pages and in Russian. I will only say that all the settings aim at giving the user full access to the folder while not letting him change any permissions inside it. You can also see that the user gets a recycle bin, i.e. everything he deletes from his network folder lands in his network recycle bin (only I have access to the recycle bins on my network). All these folders are mapped for users by my VBS script at logon.
Here a couple of lines from smb.conf are worth recalling:
    store dos attributes = Yes
    map acl inherit = Yes
    acl group control = No
    dos filemode = No
    # POSIX 'rwx' is shown as rwx, but not as Full Control
    acl map full control = No    <--- this is the very important parameter that helped us.
Next, permissions for the created directory have to be assigned on the system side.
PermissionsAssignment () {
    path="$PP/$1/$2/"
    # the admin account owns the tree, the admins group is its group
    chown -R "$AU":"$AG" "$path"
    chmod -R 0770 "$path"
    chmod -R g+s "$path"
    # drop any existing ACLs, then grant the user rwx through a named ACL entry
    setfacl -bR "$path"
    setfacl -R -m m::rwx "$path"
    setfacl -nR -m u:"$2":rwx "$path"
}
It immediately becomes clear that the xfsprogs package is required, which includes the setfacl and getfacl utilities for managing extended attributes in Linux. This whole contraption is built for the same purpose: to keep the user from being able to change permissions. Admittedly, in the case of "personal documents" this is not critical and even a bit excessive, but when organizing shared network resources you cannot do without it.
Conclusion
This article is aimed at a reader with an average level of knowledge and is not intended to turn a newbie into a guru.
The script does not support a multi-level hierarchy of departments (to be added on individual request). I tried to stuff the script with as much "fool-proofing" as possible, and kept doing so even while writing this article, but I cannot foresee everything. The script contains several parameters that should be adjusted to your environment; they are not hard to find ;-). You can also pass them as arguments to the script, with one small restriction: I don't know how to make getopts accept arguments containing spaces, so if your paths or group names contain spaces, set them inside the script.
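As an added example (not the article's script), here is how the two points above can be handled: getopts does accept arguments with spaces as long as every expansion is double-quoted, and the names read from the department .txt files are validated before they are used to build a path, so a stray "/" or "../" in a list line cannot send mkdir outside $PP. PP, catname and SC are the article's variables; ValidName, ParseArgs and PlanFolders are hypothetical names.

```shell
#!/bin/sh
# Added example, not the article's script: argument parsing with spaces in
# paths, plus validation of department and user names taken from the lists.

# Accept only names that are safe as one path component under "$PP/$group/$user":
# letters, digits, dot, underscore, hyphen; no leading dot (rejects "." and "..").
ValidName () {
    case "$1" in
        ''|.*|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# -p <root of personal folders> -c <dir with .txt files> -s <shares config>
# Sets PP, catname and SC; values may contain spaces because "$OPTARG" is quoted.
ParseArgs () {
    OPTIND=1
    PP='' ; catname='' ; SC=''
    while getopts 'p:c:s:' opt "$@"; do
        case "$opt" in
            p) PP="$OPTARG" ;;
            c) catname="$OPTARG" ;;
            s) SC="$OPTARG" ;;
            *) return 1 ;;
        esac
    done
    [ -n "$PP" ] && [ -n "$catname" ] && [ -n "$SC" ]
}

# Dry run over the .txt files: print the folder paths that would be created,
# warn about and skip any department or user name that fails validation.
PlanFolders () {
    for filename in "$catname"/*.txt; do
        [ -f "$filename" ] || continue
        group=$(basename "$filename" .txt)
        ValidName "$group" || { echo "WARN: bad department name '$group'" >&2; continue; }
        while IFS= read -r user || [ -n "$user" ]; do
            [ -z "$user" ] && continue
            ValidName "$user" || { echo "WARN: bad user name '$user' in $filename" >&2; continue; }
            printf '%s\n' "$PP/$group/$user"
        done < "$filename"
    done
}
```

Once the plan looks right, the same loop body is where the article's mkdir, CreateShare and PermissionsAssignment calls belong.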
The full text of the script and smb.conf is attached:
script,
smb.conf.
PS: smb.conf is well commented. The script itself turned out rather bulky because of all the checks and "what ifs". It also does not claim to be a complete universal solution, because it was written for a narrow task and only later somewhat generalized.