在 Windows Server 世界中的 Active Directory (AD) ,有一個名為 Logon Hours 的功能,它允許設定使用者在特定時段內能夠進行登入。然而,長遠而言,投資一台 Windows Server 可能並不划算。需要考慮購買 Windows Server 授權、使用者 CALs 授權,以及維護成本等,並非僅僅購買一台伺服器的簡單事務。
當前,許多人選擇將 NAS 用作文件伺服器,但是基於時間的存取權限 (Logon Hours) 的功能在這些操作系統中並未廣泛實施。但值得庆幸的是,這些 NAS 都有一個共通點,它們都是基於 Linux,這意味著如果能夠通過 SSH 登入伺服器的終端,便可以使用指令來設定 ACL(存取控制清單)。
本次示範將以 Synology DSM 為例。Synology 配備了自家的套件 synoacltool。以下是使用 synoacltool 檢視文件夾原始 ACL 的範例:
synoacltool -get /volume1/backups/Test_Folder
隨後,您可以使用 -del 來移除 grp_it_staff 的權限:
synoacltool -del /volume1/backups/Test_Folder 1
然後,使用 -add 來重新添加 grp_it_staff 的權限:
synoacltool -add /volume1/backups/Test_Folder group:grp_it_staff:allow:rwxpdDaARWc--:fd--
或者, 使用 -replace 來修改 grp_it_staff 的權限:
deny:
synoacltool -replace /volume1/backups/Test_Folder 0 group:grp_it_staff:deny:rwxpdDaARWc--:fd--
allow:
synoacltool -replace /volume1/backups/Test_Folder 0 group:grp_it_staff:allow:rwxpdDaARWc--:fd--
此外,結合 Synology DSM 的工作排程器(Task Scheduler),例如每日晚上 9 時執行移除權限的指令,然後在每日早上 8 時執行添加權限的指令,可實現更多自動化功能。
Eng
In the world of Windows Server’s Active Directory (AD), there is a feature called Logon Hours, which allows the configuration of user login times within specific periods. However, in the long run, investing in a Windows Server might not be cost-effective. Considerations involve acquiring Windows Server licenses, user CALs, and maintenance costs, beyond just acquiring a server.
Currently, many individuals opt to use NAS as file servers. Nevertheless, the feature of time-based access permissions (Logon Hours) is not extensively implemented in these operating systems. Fortunately, these NAS systems share a common trait—they are all Linux-based. This signifies that if you can access the server’s terminal via SSH, you can use commands to configure ACLs (Access Control Lists).
This demonstration will use Synology DSM as an example. Synology includes its own package called synoacltool. Below is an example of using synoacltool to examine the original ACL of a folder:
synoacltool -get /volume1/backups/Test_Folder
Subsequently, you can use -del
to remove the permissions of grp_it_staff
:
synoacltool -del /volume1/backups/Test_Folder 1
Then, use -add
to re-add the permissions for grp_it_staff
:
synoacltool -add /volume1/backups/Test_Folder group:grp_it_staff:allow:rwxpdDaARWc--:fd--
Alternatively, use -replace
to modify the permissions for grp_it_staff
:
set permission to deny:
synoacltool -replace /volume1/backups/Test_Folder 0 group:grp_it_staff:deny:rwxpdDaARWc--:fd--
set permission to allow:
synoacltool -replace /volume1/backups/Test_Folder 0 group:grp_it_staff:allow:rwxpdDaARWc--:fd--
Furthermore, by integrating Synology DSM’s Task Scheduler, you can automate more functions. For instance, executing the command to remove permissions every night at 9 PM and adding permissions every morning at 8 AM enhances automation capabilities.