Viewing and changing UNIX permissions using the NT security dialogs in Samba
2.0.4
在samba中用NT的安全对话框来观察和改变UNIX权限。
Jeremy Allison, Samba Team
12th April 1999
Table of Contents
------------------------------------------------------------------------------
--
Viewing and changing UNIX permissions using the NT security dialogs
用NT的安全对话框来观察和改变UNIX权限
-------------------------------------------------------------------
New in the Samba 2.0.4 release is the ability for Windows NT clients to use
their native security settings dialog box to view and modify the underlying
UNIX permissions.
这项smba 2.0.4版本提出的新功能可以使NT客户用他们本地的安全设定对话框来观察和修
改根本的UNIX权限。
Note that this ability is careful not to compromise the security of the UNIX
host Samba is running on, and still obeys all the file permission rules that
a Samba administrator can set.
注意小心使用这项功能不会危及正在运行samba的UNIX主机安全,它仍然服从所有的samba
管理员设定的文件权限规则。
In Samba 2.0.4 and above the default value of the parameter "nt acl support"
has been changed from "false" to "true", so manipulation of permissions is
turned on by default.
samba 2.0.4及以上版本已经把"nt acl support"参数的默认值从“false”改成了“true
”,所以说默认情况下权限操作已经被允许了。
How to view file security on a Samba share
如何来观察samba共享文件的安全性
------------------------------------------
From an NT 4.0 client, single-click with the right mouse button on any file
or directory in a Samba mounted drive letter or UNC path. When the menu
pops-up, click on the Properties entry at the bottom of the menu. This brings
up the normal file properties dialog box, but with Samba 2.0.4 this will have
a new tab along the top marked Security. Click on this tab and you will see
three buttons, Permissions, Auditing, and Ownership. The Auditing button will
cause either an error message "A requested privilege is not held by the
client" to appear if the user is not the NT Administrator, or a dialog which
is intended to allow an Administrator to add auditing requirements to a file
if the user is logged on as the NT Administrator. This dialog is
non-functional with a Samba share at this time, as the only useful button,
the Add button will not currently allow a list of users to be seen.
方法是:NT客户用鼠标右键单击任何位于samba共享设备符或UNC路径上的文件或目录,在
弹出的菜单底部点击“属性”项,这时会出现普通文件属性对话框,而samba 2.0.4会在
安全性标记的顶部给出一个新的表项。单击这个表项可以看到三个按钮,Permissions,
Auditing, 和 Ownership。点击Auditing按钮,如果用户并不是NT管理员的话将会出现一
个错误信息:“客户没有足够权限”;如果用户以管理员身份登录的话会出现一个对话框
允许管理员对文件加入审核信息。此时,对话框中关于samba共享资源的部分将无效,因
为仅有的可用按钮“Add”会不允许查看一份用户列表。
Viewing file ownership
查看文件属主
----------------------
Clicking on the "Ownership" button brings up a dialog box telling you who
owns the given file. The owner name will be of the form :
点击“Ownership”按钮你可以查看给出文件的属主。属主名称以下面的形式列出:
"SERVERuser (Long name)"
Where SERVER is the NetBIOS name of the Samba server, user is the user name
of the UNIX user who owns the file, and (Long name) is the discriptive string
identifying the user (normally found in the GECOS field of the UNIX password
database). Click on the Close button to remove this dialog.
此处的SERVER是samba服务器的NetBIOS名,user是拥有这个文件的UNIX用户名,而(Long
name)是用来识别用户的描述字串(通常这部分内容可以在UNIX口令数据库的GECOS字段找
到)。这时在Close按钮上点击可以关闭这个对话框。
If the parameter "nt acl support" is set to "false" then the file owner will
be shown as the NT user "Everyone".
如果把"nt acl support"参数设为“false”则文件属主将以NT用户“Everyone”来显示
。
The Take Ownership button will not allow you to change the ownership of this
file to yourself (clicking on it will display a dialog box complaining that
the user you are currently logged onto the NT client cannot be found). The
reason for this is that changing the ownership of a file is a privilaged
operation in UNIX, available only to the root user. As clicking on this
button causes NT to attempt to change the ownership of a file to the current
user logged into the NT client this will not work with Samba at this time.
Take Ownership按钮并不能把文件的属主改变成你自己(在这个按钮上点击的话将显示一
个对话框通知你当前登录的身份并没有找到,也就是和文件属主身份不匹配)。原因是在
UNIX中只有root有权进行改变文件属主的操作。点击这个按钮将使NT尝试把文件的属主改
成当前登录的用户身份,此时samba并不会进行这样的操作。
There is an NT chown command that will work with Samba and allow a user with
Administrator privillage connected to a Samba 2.0.4 server as root to change
the ownership of files on both a local NTFS filesystem or remote mounted NTFS
or Samba drive. This is available as part of the Seclib NT security library
written by Jeremy Allison of the Samba Team, available from the main Samba
ftp site.
有一个chown命令可以和samba一起使用使用户可以管理员权限联接到samba 2.0.4并用
root身份改变位于本地NTFS文件系统或可映射的远程NTFS及samba资源设备上的文件属主
。当然这个由samba开发组成员Jeremy Allison写的Seclib NT安全库部件可以从samba的
主FTP站点获得。
Viewing file or directory permissions
查看文件或目录的权限
-------------------------------------
The third button is the "Permissions" button. Clicking on this brings up a
dialog box that shows both the permissions and the UNIX owner of the file or
directory. The owner is displayed in the form :
对话框中第三个按钮是“Permissions”按钮。点击它可以显示文件或目录的权限及UNIX
属主。属主的显示形式象下面这样:
"SERVERuser (Long name)"
Where SERVER is the NetBIOS name of the Samba server, user is the user name
of the UNIX user who owns the file, and (Long name) is the discriptive string
identifying the user (normally found in the GECOS field of the UNIX password
database).
此处的SERVER是samba服务器的NetBIOS名,user是拥有这个文件的UNIX用户名,而(Long
name)是用来识别用户的描述字串(通常这部分内容可以在UNIX口令数据库的GECOS字段找
到)。
If the parameter "nt acl support" is set to "false" then the file owner will
be shown as the NT user "Everyone" and the permissions will be shown as NT
"Full Control".
如果把"nt acl support"参数设为“false”则文件属主将以NT用户“Everyone”来显示
,同时权限将显示NT的“Full Control”。
The permissions field is displayed differently for files and directories, so
I'll describe the way file permissions are displayed first.
文件和目录显示的权限字段有些区别。所以我先介绍一下文件权限的情况。
File Permissions
文件权限
----------------
The standard UNIX user/group/world triple and the correspinding "read",
"write", "execute" permissions triples are mapped by Samba into a three
element NT ACL with the 'r', 'w', and 'x' bits mapped into the corresponding
NT permissions. The UNIX world permissions are mapped into the global NT
group Everyone, followed by the list of permissions allowed for UNIX world.
The UNIX owner and group permissions are displayed as an NT user icon and an
NT local group icon respectively followed by the list of permissions allowed
for the UNIX user and group.
UNIX标准的user/group/world三项和“read”,“write”,“execute”三个权限可以由
samba映射到NT存取控制表ACL中相应的“r”,“w”“x”位以对应NT的标准权限项。
UNIX的world权限被映射到NT全局组Everyone以跟接UNIX的world对应的权限列表。UNIX的
owner和group权限在NT中分别以用户图标及本地组图标来显示并跟接UNIX中user和group
对应的权限列表。
As many UNIX permission sets don't map into common NT names such as "read",
"change" or "full control" then usually the permissions will be prefixed by
the words "Special Access" in the NT display list.
由于很多UNIX权限设置不能映射到NT中称为“read”“change”“full control”的常用
属性,所以通常情况下这些权限将在NT显示列表中被加上关键字“Special Access”。
But what happens if the file has no permissions allowed for a particular UNIX
user group or world component ? In order to allow "no permissions" to be seen
and modified then Samba overloads the NT "Take Ownership" ACL attribute
(which has no meaning in UNIX) and reports a component with no permissions as
having the NT "O" bit set. This was chosen of course to make it look like a
zero, meaning zero permissions. More details on the decision behind this will
be given below.
但是在文件对于一些特殊的属于user,group或者world的UNIX成员来说并没有访问权限的
情形下将发生什么样的状况呢?为了允许查看和修改“no permissions”权限的文件,
samba越过NT的“Take Ownership”ACL属性(在UNIX中此属性无意义)报告与NT中设置位“
O”权限类似的无权限成分。之所以做出这样的选择,是为了使它看上去和零一样。零,
即意味着零权限。你可以在后面看到关于讨论这个问题的更多细节。
Directory Permissions
目录权限
---------------------
Directories on an NT NTFS file system have two different sets of permissions.
The first set of permissions is the ACL set on the directory itself, this is
usually displayed in the first set of parentheses in the normal "RW" NT
style. This first set of permissions is created by Samba in exactly the same
way as normal file permissions are, described above, and is displayed in the
same way.
NTFS文件系统中的目录有两种不同的权限设定。第一种是目录本身的存取控制列有,它通
常在第一个设定括号中以普通NT的“RW”风格来显示。第一组权限设定由samba以和普通
文件权限一样的方法来建立、描述和显示。
The second set of directory permissions has no real meaning in the UNIX
permissions world and represents the "inherited" permissions that any file
created within this directory would inherit.
目录权限的第二种设定方法在UNIX权限world中没有实际意义,并且表现为和目录一起建
立的任何文件应该继承的“继承”权限。
Samba synthesises these inherited permissions for NT by returning as an NT
ACL the UNIX permission mode that a new file created by Samba on this share
would receive.
Samba 通过建立一个可以在共享资源上得到的新文件来返回类似于NT ACL一样的UNIX权限
模式,为NT合并从UNIX继承而来的许可权限。
Modifying file or directory permissions