This shows you the differences between two versions of the page.
cid_closed_directory [2024/09/28 10:41] team
cid_closed_directory [2024/09/28 10:51] (current) team
Line 86: | Line 86: | ||
| Use keytab file method | Configures Samba to use a dedicated keytab file as an kerberos authentication method. The krb_principal_names parameter in the cid.conf file can be used to specify principal names that you want to be added to the keytab. | | | Use keytab file method | Configures Samba to use a dedicated keytab file as an kerberos authentication method. The krb_principal_names parameter in the cid.conf file can be used to specify principal names that you want to be added to the keytab. | | ||
| Add config file to Samba | It allows adding a file containing parameters to be attached to the Global section of the samba configuration file (smb.conf). The contents of this file will be filtered so that there is no conflict with the parameters predefined by the CID. | | | Add config file to Samba | It allows adding a file containing parameters to be attached to the Global section of the samba configuration file (smb.conf). The contents of this file will be filtered so that there is no conflict with the parameters predefined by the CID. | | ||
+ | |||
+ | === Remove from domain === | ||
+ | |||
+ | This function undoes the modifications made in the system for the computer to join the domain, and by the use of the other CID functionalities after that join. | ||
+ | |||
+ | When using it, you can optionally fill in the fields with the credentials of a domain administrator for what the CID try remotely delete the computer account from the AD database. If this fails, the operation of this function will not be affected. | ||
+ | |||
+ | Note: A copy of the files modified during this process is stored in the /var/lib/cid/backups/mod directory. | ||
+ | |||
+ | === Change station behavior === | ||
+ | |||
+ | This function allows you to change the options of the Advanced mode after the system joins an AD domain. | ||
+ | |||
+ | Note: Whenever a change is made through this função, a copy of the affected files in the state before modification is stored in the /var/lib/cid/backups/mod directory. | ||
+ | |||
+ | === Block logon === | ||
+ | |||
+ | This function restricts logon in the system to a specific user or group of the domain. When selecting it you must inform the Account Type (User or Group) and the Account Name. If no type is selected, the User type is assumed by default. | ||
+ | |||
+ | === Unblock logon === | ||
+ | |||
+ | This function removes the logon restriction applied by the block logon function. | ||
+ | |||
+ | === Manage AD accounts in local groups === | ||
+ | This function allows you to associate AD user accounts with groups on the local system so that they can perform specific routines that require the administrative privileges of those groups, in addition to allowing them to run the sudo command. | ||
+ | |||
+ | Authentication for the sudo command can be enabled or disabled via the Enable authentication for "sudo" option in advanced join mode or in Change station behavior. | ||
+ | |||
+ | The CID uses the groups that the default user (usually the first user created on the system) belongs to to determine these groups. You can specify any other user using the defaultuserid parameter, and you can also add other specific groups using the localgroups parameter in the cid.conf file. | ||
+ | |||
+ | In the Add account option, you must inform the type and name of the account in the same way as when using the block logon function. | ||
+ | |||
+ | Note that on Unix systems there is no group nesting. Therefore, when a group account is added, members of that group are individually associated to the local groups as they log on to this system. If you enter an asterisk (*) at the end of the group’s name, all its members will be immediately associated. If the user is removed from the domain group, the user will be automatically removed from local groups on a next login to this computer. | ||
+ | |||
+ | The Remove account option lists domain accounts added to local groups and allows you to select them for removal. | ||
+ | |||
+ | Note: Members of the Domain Admins group are automatically associated with local groups. | ||
+ | |||
+ | === Manage shares === | ||
+ | |||
+ | This function allows you to manage Samba shares intuitively. | ||
+ | |||
+ | The Add share option displays a form where you must enter the arguments to create or update a share. | ||
+ | |||
+ | Three share modes are available: | ||
+ | |||
+ | **Common mode** | ||
+ | |||
+ | This mode allows you to share a directory on one of the local file systems via Samba (SMB protocol). | ||
+ | |||
+ | The directory path to be shared must be entered in the Path argument. If the directory path does not start with a forward slash (/) and you are using a template for the share, the parent directory of the template share is used as the parent directory for this share. If the directory does not exist, it will be created automatically. | ||
+ | |||
+ | The access permissions of the share can be managed locally through the Rule argument, or through a remote Windows system using the Microsoft Management Console (MMC). | ||
+ | |||
+ | When set locally, permissions are translated into extended POSIX ACLs and interpreted by Samba as Windows ACLs. They must be composed of 03 fields separated by colons (:) and have the format **[Type]:Account:[Permission]**, where: | ||
+ | |||
+ | * Type is u for user or g for group; | ||
+ | * Account is a domain user or group; | ||
+ | * Permission is r for read-only, f for full access or d for access denied; | ||
+ | |||
+ | Other important aspects about permissions are: | ||
+ | |||
+ | * You can specify more than one permission at the same time, separating them with a semicolon (;). | ||
+ | * Use a plus sign (+) at the beginning of the expression to append a new permission to the pre-existing permissions of the shared directory. | ||
+ | * Use a minus sign (-) at the beginning of the expression to remove pre-existing permissions on the shared directory. In this case, the expression must contain only the type and name of the account (eg -u:username). | ||
+ | * The everyone term can be used in the Account field to represent all users. | ||
+ | * If no permissions are specified when creating a share, all users will be given read-only permission. | ||
+ | |||
+ | Some examples: | ||
+ | |||
+ | **Allowing full access to the Domain Users group** | ||
+ | |||
+ | g:domain users:f | ||
+ | |||
+ | **Adding read-only permission to the Guest user account** | ||
+ | |||
+ | +u:guest:r | ||
+ | |||
+ | **Removing permissions for the Guest user account** | ||
+ | |||
+ | -u:guest | ||
+ | |||
+ | **Allowing full access to all users and denying access to the Guests group** | ||
+ | |||
+ | u:everyone:f;g:guests:d | ||
+ | |||
+ | **Userfolder mode** | ||
+ | |||
+ | This mode enables the homes section of Samba, which is a special type of file sharing that automatically provides a share with the same name as the user who accesses it. In this mode, the Path argument must contain the path of the parent directory where the diretories for each user are to be created. If this argument is omitted, the /home directory will be assumed by default. CID automatically creates user directories with appropriate permissions as users first access their respective shares. If disk quota is used, it will be automatically applied to each user directory. | ||
+ | |||
+ | |||
+ |
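Review bot: the Manage AD accounts in local groups section (the paragraph beginning "This function allows you to associate AD user accounts with groups on the local system" together with the note "Members of the Domain Admins group are automatically associated with local groups") states that membership grants the groups' administrative privileges and the ability to run sudo, but never spells out the consequence: every Domain Admin, and every user or group added through Add account, effectively holds root on the station, and with Enable authentication for "sudo" turned off (the option described two paragraphs later) that is root without a password prompt. Suggest one sentence next to that note saying so, and a reminder that the asterisk (*) form on a group name associates all of its members at once rather than as they log on. Smaller points in the same hunk: "função" in the Change station behavior note should be "function"; "diretories" in Userfolder mode should be "directories"; "for what the CID try remotely delete the computer account" in Remove from domain reads better as "so that CID can try to remotely delete the computer account"; and the Rule format is introduced as "must be composed of 03 fields" yet written as [Type]:Account:[Permission] with Type and Permission bracketed as if optional, while the only two-field form the text allows is the removal case (eg -u:username), so either state what is assumed when Type or Permission is omitted or drop the brackets.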