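SMB File Sharing
The Common Internet File System (CIFS), also known as Server Message Block (SMB), is the standard file and printer sharing system for Microsoft Windows servers and clients.
The Samba service can share Linux file systems as CIFS/SMB network file shares and Linux printers as CIFS/SMB printer shares.
Components of the Samba service
1. Packages:
samba-common – support files for Samba
samba-client – client applications
samba – server applications
2. Service names: smb, nmb
3. Service ports: TCP/445 is normally used for all connections. UDP/137, UDP/138 and TCP/139 are also used for backward compatibility.
4. Main configuration file: /etc/samba/smb.conf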
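/etc/samba/smb.conf: the [global] section
workgroup
Specifies the Windows workgroup or network domain name.
hosts allow
A comma-, space- or tab-separated set of hosts that are allowed to access the service. If specified in the [global] section, it applies to all services, regardless of whether individual services have different settings. You can specify hosts by name or IP number. For example, allow hosts = 192.168.0. allows one network.
security
This option affects how clients respond to Samba and is one of the most important settings in the smb.conf file.
security = user
Clients must log in with a valid username and password.
security = domain
Works correctly only if the machine has been added to an NT domain. It requires the encrypt passwords parameter to be set to yes. In this mode, Samba validates the username/password by passing it to a Windows NT primary or backup domain controller, in exactly the same way a Windows NT Server would. Note that a valid UNIX user must still exist, as well as the account on the domain controller, so that Samba has a valid UNIX account to map file access to. You must set the password server parameter to give Samba the server to validate passwords against.
security = server
Samba tries to validate the username/password by passing it to another SMB server. You must set the password server parameter to give Samba the server to validate passwords against.
security = ads
Samba acts as a domain member in an ADS realm. To operate in this mode, the machine running Samba needs Kerberos installed and configured, and Samba must be joined to the ADS realm using the net utility.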
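/etc/samba/smb.conf: other sections
[homes]
This share (enabled by default) is a special share that makes users' home directories available over CIFS. It includes browseable = no, so it does not show up as an available share until the user has authenticated. The share name can be given as homes (in which case the Samba server translates it to the path of the user's home directory) or as the username.
[printers]
Also available by default; it shares the printers that are currently available.
[share]
To set up additional shares, put the share name in brackets, as shown above. A share needs at least a path parameter.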
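SMB users
useradd
security = user requires both UNIX and Samba account information. Add the user (preferably with the same name as the Samba account), or place an entry in /etc/samba/smbusers (it contains some examples). If you create a Samba-only user, set the UNIX login shell to /sbin/nologin.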
[root@serverX ~]# useradd -s /sbin/nologin wxh
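smbpasswd
If you do not have a Samba password server, you must create the authentication data on the local machine. Use smbpasswd to create Samba accounts and passwords.
If smbpasswd is given only a username and no options, it tries to change that account's password. Passing the -a option adds the account and sets its password.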
[root@serverX ~]# smbpasswd -a wxh
New SMB password: westos
Retype new SMB password: westos
Added user wxh.
www.westos.org
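Securing SMB
The samba_enable_home_dirs and use_samba_home_dirs SELinux booleans
The samba_enable_home_dirs boolean allows local Linux home directories to be exported to other systems as CIFS file shares. The use_samba_home_dirs boolean, on the other hand, allows remote CIFS file shares to be mounted and used as local Linux home directories.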
# setsebool -P samba_enable_home_dirs on
samba_share_t
File context type used for sharing user-defined Samba shares
# chcon -R -t samba_share_t /smbshare
or # semanage fcontext -a -t samba_share_t '/smbshare(/.*)?'
# restorecon -vvFR /smbshare
samba_export_all_ro and samba_export_all_rw
Used for sharing system directories
# setsebool -P samba_export_all_ro on
# setsebool -P samba_export_all_rw on
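Accessing CIFS shares
Four basic ways to connect to a CIFS file share:
1. Accessing a CIFS share graphically
Go to "Network" --> "Connect to Server" and fill in the following fields:
Server Address : 172.25.0.11
Username: wxh
Password: westos
2. Accessing a CIFS share from the command line, FTP-style: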
[root@server0 ~]# smbclient -L server0.example.com -U wxh
Enter wxh's password: westos
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
smbshare Disk test
wxh Disk Home Directories
[root@server0 ~]# smbclient //server0.example.com/smbshare -U wxh
Enter wxh's password: westos
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Thu Dec 18 17:27:27 2014
.. D 0 Thu Dec 18 11:37:20 2014
testfile N 12 Thu Dec 18 11:38:03 2014
3. Manually mounting a CIFS share
[root@server0 ~]# mount -o username=wxh //server0.example.com/smbshare /mnt/wxh
4. Permanently mounting a CIFS share
Add the following line to /etc/fstab:
//server0.example.com/smbshare /mnt/wxh cifs credentials=/root/userpasswd 0 0
Create /root/userpasswd:
user=wxh
pass=westos
SMB multiuser mounts
Demo: (desktopX)
Install the cifs-utils package, which provides the cifscreds command:
# yum install -y cifs-utils
Create the mount point for the SMB multiuser mount:
# mkdir /mnt/multiuser
Create the SMB credentials file:
# echo 'username=brian' > /root/smb-multiuser.txt
# echo 'password=redhat' >> /root/smb-multiuser.txt
Edit /etc/fstab to mount the SMB share permanently:
//server0/smbshare /mnt/multiuser cifs credentials=/root/smb-multiuser.txt,multiuser,sec=ntlmssp 0 0
# mount -a
# su - brian
$ touch /mnt/multiuser/test.txt
touch: cannot touch ‘/mnt/multiuser/brian.txt’: Permission denied
$ cifscreds add server0
Password: redhat
$ echo "multiuser" > /mnt/multiuser/brian.txt
$ cat /mnt/multiuser/brian.txt
multiuser
$ exit
# su - rob
$ cifscreds add server0
Password: redhat
$ echo "multiuser" > /mnt/multiuser/rob.txt
-bash: /mnt/multiuser/rob.txt: Permission denied
$ cat /mnt/multiuser/brian.txt
multiuser
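Both fstab entries above (credentials=/root/userpasswd and credentials=/root/smb-multiuser.txt) depend on a file that holds a cleartext password. The shell functions below are an added example, not part of the original material: write_cifs_creds creates such a file with mode 0600, and audit_cifs_creds lists the cifs entries of an fstab whose credentials file is missing or accessible to group or other. Both function names are made up for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the original page).

# write_cifs_creds FILE USER PASSWORD: create FILE readable by its owner only.
write_cifs_creds() (
    umask 077
    : > "$1" && chmod 600 "$1" &&
        printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1"
)

# audit_cifs_creds FSTAB: print one line per problem found in FSTAB;
# the return status is the number of problems.
audit_cifs_creds() (
    problems=0
    while read -r dev mnt fstype opts rest; do
        case $dev in ''|'#'*) continue ;; esac      # blank line or comment
        [ "$fstype" = cifs ] || continue
        # mount.cifs takes credentials=<file>; cred=<file> is the short form
        cred=$(printf '%s\n' "$opts" | tr ',' '\n' |
               sed -n -e 's/^credentials=//p' -e 's/^cred=//p' | head -n 1)
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "MISSING $cred (used by $mnt)"
            problems=$((problems + 1))
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -ld "$cred" | cut -c1-10)
        if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
            echo "LOOSE $cred $mode (used by $mnt)"
            problems=$((problems + 1))
        fi
    done < "$1"
    exit "$problems"
)
```

Run it as root with audit_cifs_creds /etc/fstab; no output and a zero status mean every referenced credentials file exists and is private to its owner.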
Worked examples
(1) Installing Samba and adding Samba users
[root@localhost ~]# yum search samba
Loaded plugins: langpacks
rhel_dvd | 4.1 kB 00:00
(1/2): rhel_dvd/primary_db | 3.4 MB 00:00
(2/2): rhel_dvd/group_gz | 134 kB 00:00
================= N/S matched: samba =================
samba-client.x86_64 : Samba client programs
samba-common.x86_64 : Files used by both Samba servers
: and clients
samba-libs.i686 : Samba libraries
samba-libs.x86_64 : Samba libraries
samba-python.x86_64 : Samba Python libraries
samba-winbind.x86_64 : Samba winbind
samba-winbind-modules.i686 : Samba winbind modules
samba-winbind-modules.x86_64 : Samba winbind modules
samba.x86_64 : Server and Client software to
: interoperate with Windows machines
Name and summary matches only, use "search all" for everything.
[root@localhost ~]# yum install samba-client.x86_64 samba-common.x86_64 samba.x86_64
Loaded plugins: langpacks
Package samba-common-4.1.1-31.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package samba.x86_64 0:4.1.1-31.el7 will be installed
---> Package samba-client.x86_64 0:4.1.1-31.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================
Package Arch Version Repository Size
======================================================
Installing:
samba x86_64 4.1.1-31.el7 rhel_dvd 527 k
samba-client x86_64 4.1.1-31.el7 rhel_dvd 513 k
Transaction Summary
======================================================
Install 2 Packages
Total download size: 1.0 M
Installed size: 2.9 M
Is this ok [y/d/N]: y
Downloading packages:
(1/2): samba-4.1.1-31.el7.x86_64 | 527 kB 00:00
(2/2): samba-client-4.1.1-31.el7 | 513 kB 00:00
------------------------------------------------------
Total 8.2 MB/s | 1.0 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : samba-4.1.1-31.el7.x86_64 1/2
Installing : samba-client-4.1.1-31.el7.x86_64 2/2
Verifying : samba-client-4.1.1-31.el7.x86_64 1/2
Verifying : samba-4.1.1-31.el7.x86_64 2/2
Installed:
samba.x86_64 0:4.1.1-31.el7
samba-client.x86_64 0:4.1.1-31.el7
Complete!
[root@localhost ~]# systemctl start smb
[root@localhost ~]# firewall-cmd --add-service=samba --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# smbclient -L //172.25.254.137
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost ~]# smbpasswd -a student
New SMB password:
Retype new SMB password:
Added user student.
[root@localhost ~]# useradd westos
[root@localhost ~]# passwd westos
Changing password for user westos.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]# smbpasswd -a westos
New SMB password:
Retype new SMB password:
Added user westos.
[root@localhost ~]# pdbedit -L
student:1000:Student User
westos:1001:
[root@localhost ~]# touch /home/westos/file
[root@localhost ~]# smbclient -L //172.25.254.137/westos -U student
Enter student's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
student Disk Home Directories
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost ~]# smbclient -L //172.25.254.137/westos -U westos
Enter westos's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
westos Disk Home Directories
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost ~]# setsebool -P samba_enable_home_dirs 1
[root@localhost ~]# smbclient //172.25.254.137/westos -U westos
Enter westos's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Mon May 1 21:22:41 2017
.. D 0 Mon May 1 21:18:58 2017
.bash_logout H 18 Wed Jan 29 07:45:18 2014
.bash_profile H 193 Wed Jan 29 07:45:18 2014
.bashrc H 231 Wed Jan 29 07:45:18 2014
.mozilla DH 0 Thu Jul 10 18:29:32 2014
.config DH 0 Thu Jul 10 19:06:52 2014
file N 0 Mon May 1 21:22:41 2017
40913 blocks of size 262144. 28594 blocks available
smb: \> quit
(2) Sharing a directory as test
[root@localhost ~]# mkdir /westos
[root@localhost ~]# vim /etc/samba/smb.conf
[test]
comment = westos directory
path = /westos
[root@localhost ~]# semanage fcontext -a -t samba_share_t '/westos(/.*)?'
[root@localhost ~]# restorecon -RvvF /westos/
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
[root@localhost ~]# smbclient //172.25.254.137/test -U westos
Enter westos's password:
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Mon May 1 21:57:11 2017
.. D 0 Mon May 1 21:57:11 2017
40913 blocks of size 262144. 28594 blocks available
smb: \> quit
[root@localhost ~]#
(3) Samba allow list and deny list for anonymous users
[root@localhost ~]# vim /etc/samba/smb.conf
[root@localhost ~]# systemctl restart smb
[root@localhost ~]# smbclient -L //172.25.254.137
Enter root's password:
Anonymous login successful
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
TEST Disk westos directory
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
Anonymous login successful
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost ~]# vim /etc/samba/smb.conf
[root@localhost ~]# smbclient -L //172.25.254.137
Enter root's password:
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
[root@localhost ~]# vim /etc/samba/smb.conf
[root@localhost ~]# systemctl restart smb
[root@localhost ~]# smbclient -L //172.25.254.137
Enter root's password:
Anonymous login successful
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
TEST Disk westos directory
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
Anonymous login successful
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost ~]# vim /etc/samba/smb.conf
[root@localhost ~]# systemctl restart smb
[root@localhost ~]# smbclient -L //172.25.254.137
Enter root's password:
Anonymous login successful
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
TEST Disk westos directory
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
Anonymous login successful
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost ~]# vim /etc/samba/smb.conf
[root@localhost ~]# smbclient -L //172.25.254.137
Enter root's password:
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
[root@localhost ~]# vim /etc/samba/smb.conf
(4) Write permission for anonymous users
1.[root@localhost ~]# vim /etc/samba/smb.conf
[TEST]
comment = westos directory
path = /westos
writable = yes
write list = student
[root@localhost ~]# mount //172.25.254.100/TEST /mnt/ -o username=student,password=student
mount: mount //172.25.254.100/TEST on /mnt failed: No route to host
[root@localhost ~]# mount //172.25.254.137/TEST /mnt/ -o username=student,password=student
[root@localhost ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3157536 7316364 31% /
devtmpfs 927072 0 927072 0% /dev
tmpfs 942660 140 942520 1% /dev/shm
tmpfs 942660 17048 925612 2% /run
tmpfs 942660 0 942660 0% /sys/fs/cgroup
//172.25.254.137/TEST 10473900 3157536 7316364 31% /mnt
[root@localhost ~]# cd /mnt
[root@localhost mnt]# systemctl restart smb
[root@localhost mnt]# chmod 777 /westos
[root@localhost mnt]# touch file
[root@localhost mnt]#
2.[root@localhost mnt]# vim /etc/samba/smb.conf
[TEST]
comment = westos directory
path = /westos
writable = yes
write list = @student (everyone in the student group can write)
[root@localhost mnt]# usermod -G student westos
[root@localhost mnt]# id westos
uid=1001(westos) gid=1001(westos) groups=1001(westos),1000(student)
[root@localhost mnt]# cd
[root@localhost ~]# umount /mnt
[root@localhost ~]# mount //172.25.254.137/TEST /mnt/ -o username=westos,password=student
[root@localhost ~]# cd /mnt
[root@localhost mnt]# touch file1
[root@localhost mnt]# rm -fr file
[root@localhost mnt]#
[root@localhost mnt]# vim /etc/samba/smb.conf
[TEST]
comment = westos directory
path = /westos
writable = yes
write list = @student
valid users = student
valid users = @student
browseable = yes
[root@localhost mnt]# systemctl restart smb
[root@localhost mnt]# smbclient -L //172.25.254.137 -U student
Enter student's password:
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
TEST Disk westos directory
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
student Disk Home Directories
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost mnt]# usermod -G student westos
[root@localhost mnt]# smbclient -L //172.25.254.137 -U westos
Enter westos's password:
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
TEST Disk westos directory
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
westos Disk Home Directories
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost mnt]# vim /etc/samba/smb.conf
[TEST]
comment = westos directory
path = /westos
writable = yes
write list = @student
valid users = student
valid users = @student
browseable = no (not visible)
[root@localhost mnt]# smbclient -L //172.25.254.137 -U westos
Enter westos's password:
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
westos Disk Home Directories
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost mnt]#
[root@localhost mnt]# vim /etc/samba/smb.conf
[TEST]
comment = westos directory
path = /westos
writable = yes
write list = @student
valid users = student
valid users = @student
browseable = no
admin users = westos (superuser)
(5) Anonymous user access
[root@localhost mnt]# vim /etc/samba/smb.conf
[TEST] ## first change
comment = westos directory
path = /westos
writable = yes
write list = @student
; valid users = student
; valid users = @student
browseable = no
admin users = westos
guest ok = yes
security = user ## second change (in [global])
map to guest = bad user
passdb backend = tdbsam
[root@localhost mnt]# systemctl restart smb
[root@localhost mnt]# smbclient //172.25.254.137/TEST
Enter root's password:
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Mon May 1 22:57:03 2017
.. D 0 Mon May 1 21:57:11 2017
file1 N 0 Mon May 1 22:56:55 2017
40913 blocks of size 262144. 28578 blocks available
smb: \>
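The final [TEST] share above combines guest ok = yes with writable = yes and admin users, and the global section sets map to guest = bad user. As an added example (not part of the original walkthrough), the shell function below flags those settings in an smb.conf; audit_smb_conf and sample_smb_conf are names made up here, and the sample configuration is constructed from the settings shown in sections (4) and (5).

```shell
# Added example (hypothetical names). Usage: audit_smb_conf /etc/samba/smb.conf
# Prints one finding per line; returns 1 if anything was flagged, otherwise 0.
audit_smb_conf() {
    awk '
    function yes(v) { v = tolower(v); return v == "yes" || v == "true" || v == "on" || v == "1" }
    function report(msg) { print sec ": " msg; found = 1 }
    function flush() {                        # judge the section that just ended
        if (guest && writable) report("guest ok on a writable share")
        if (admins != "") report("admin users = " admins " (file operations run as root)")
        guest = 0; writable = 0; admins = ""
    }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }      # comment or blank line
    /^[ \t]*\[/ {                             # [section] header
        flush(); sec = $0
        sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec); next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        # smb.conf ignores case and whitespace in parameter names
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "guestok" || key == "public") guest = yes(val)
        else if (key == "writable" || key == "writeable" || key == "writeok") writable = yes(val)
        else if (key == "readonly") writable = !yes(val)
        else if (key == "adminusers") admins = val
        else if (key == "maptoguest" && tolower(val) != "never")
            report("map to guest = " val " (failed logins can fall back to a guest session)")
    }
    END { flush(); exit found + 0 }
    ' "${1:--}"
}

# Constructed sample built from the settings shown in sections (4) and (5).
sample_smb_conf() {
    cat <<'EOF'
[global]
security = user
map to guest = bad user
[TEST]
path = /westos
writable = yes
write list = @student
admin users = westos
guest ok = yes
[homes]
browseable = no
read only = yes
EOF
}
```

With no argument the function reads standard input, so sample_smb_conf | audit_smb_conf reports the three findings for the sample.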