[root@rong ~]# yum -y install samba (安裝samba)
[root@rong ~]# vi /etc/samba/smb.conf (編輯配置文件)
考慮到用本機的用戶名不太安全,所以做smb帳號映射
在配置文件裏添加:username map = /etc/samba/smbusers
smbusers文件每行的格式爲「系統帳號 = 映射帳號」:等號右邊爲映射出來的帳號,客戶端用它來訪問samba;samba密碼可以設置得和系統帳號的密碼不同,以提高安全性。該文件應只允許root寫入,因爲能修改它的人可以把任意名字映射到系統帳號上。
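#======================= Global Settings =====================================
# Annotated smb.conf from the walkthrough. Explanatory notes sit on their own
# "#" lines: smb.conf only recognises a comment at the start of a line, so any
# text written after a value would become part of that value.
[global]
   # Settings for the Samba service as a whole.

   # Workgroup name.
   workgroup = workgroup

   # Descriptive string shown for the server.
   server string = rong server

   # Restricts which IP ranges may reach the service. While this stays
   # commented out every address is allowed; remove the leading ";" to enable.
;  hosts allow = 192.168.0. 127.

   # Printer configuration file.
   printcap name = /etc/printcap

   # Whether printers are shared.
   load printers = yes

   # Printer type. The standard types are:
   # bsd, sysv, plp, lprng, aix, hpux, qnx, cups
   printing = cups

   # pcguest is a user name. Remove the leading ";" to let users log in
   # anonymously as pcguest; the account must exist in /etc/passwd.
;  guest account = pcguest

   # One log file per connecting machine.
   log file = /var/log/samba/%m.log

   # Log file size limit; "0" means unlimited.
   # NOTE(review): with no limit the logs can grow until the disk fills.
   max log size = 0

   # --- Server security level ---
   # Four levels exist: share, user, server, domain.
   # NOTE(review): share is the weakest of the four (no per-user login). It was
   # deprecated in Samba 3.6 and removed in Samba 4.0; prefer "user" or
   # "domain" on anything newer.
   security = SHARE

   # Password-verification server (placeholder; fill in the real host).
;  password server = <password-verification server>

   # Password level.
;  password level = 8
;  username level = 8

   # Store user passwords encrypted. The walkthrough notes this can be turned
   # off; keep it on.
   encrypt passwords = yes

   # Path of the password file used when this Samba server verifies passwords
   # itself. Not needed when verification is delegated to a Windows server.
   # NOTE(review): the file holds password hashes; keep it readable by root only.
   smb passwd file = /etc/samba/smbpasswd

;  ssl CA certFile = /usr/share/ssl/certs/ca-bundle.crt
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
   pam password change = yes

   # Account-mapping file. Can stay unset when every Windows user already has
   # an account on the Samba server.
;  username map = /etc/samba/smbusers

;  include = /etc/samba/smb.conf.%m
   obey pam restrictions = yes

   # List every interface here when the server sits on several subnets.
;  interfaces = 192.168.12.2/24 192.168.13.2/24
;  remote announce = 192.168.1.255 192.168.2.44
;  local master = no
;  os level = 33
;  domain master = yes
;  preferred master = yes
;  domain logons = yes
;  logon script = %m.bat
;  logon script = %U.bat
;  logon path = \\%L\Profiles\%U

   # WINS server support.
;  wins support = yes
;  wins server = w.x.y.z

   # WINS proxy setting.
;  wins proxy = yes

   # DNS proxy setting.
   dns proxy = no

;  preserve case = no
;  short preserve case = no
;  default case = lower
;  case sensitive = no

#============================ Share Definitions ==============================
[homes]
   # Each user's access to their own home directory.

   # Description (the same applies to "comment" in the sections below).
   comment = Home Directories

   # Whether other users can browse the directory.
   browseable = no

   # The user may write to their own directory.
   writeable = yes
   valid users = %S
   create mode = 0664
   directory mode = 0775

# Logon directory for domain users.
; [netlogon]
;  comment = Network Logon Service
;  path = /usr/local/samba/lib/netlogon
;  guest ok = yes
;  writable = no
;  share modes = no

;[Profiles]
;  path = /usr/local/samba/profiles
;  browseable = no
;  guest ok = yes

[printers]
   # Printer settings.
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   printable = yes

# Shared resource for users. The path can be any directory; remove the
# leading ";" to enable. "read only" selects read-only or writable.
;[tmp]
;  comment = Temporary file space
;  path = /tmp
;  read only = no
;  public = yes

# Shared resource for users.
;[public]
;  comment = Public Stuff
;  path = /home/samba
;  public = yes
;  writable = yes
;  printable = no
;  write list = @staff

;[fredsprn]
;  comment = Fred's Printer
;  valid users = fred
;  path = /home/fred
;  printer = freds_printer
;  public = no
;  writable = no
;  printable = yes

;[fredsdir]
;  comment = Fred's Service
;  path = /usr/somewhere/private
;  valid users = fred
;  public = no
;  writable = yes
;  printable = no

;[pchome]
;  comment = PC Directories
;  path = /usr/local/pc/%m
;  public = no
;  writable = yes

;[public]
;  path = /usr/somewhere/else/public
;  public = yes
;  only guest = yes
;  writable = yes
;  printable = no

;[myshare]
;  comment = Mary's and Fred's stuff
;  path = /usr/somewhere/shared
;  valid users = mary fred
;  public = no
;  writable = yes
;  printable = no
;  create mask = 0765

[my work]
   comment = is me work
   # NOTE(review): this exports a directory under /root as a writable share
   # with guest access (public = yes). Prefer a dedicated directory outside
   # root's home, and confirm whether guest access is intended alongside
   # "valid users".
   path = /root/my work
   # The original line lacked the "=", so the user restriction was not a valid
   # parameter assignment.
   valid users = angel
   public = yes
   writeable = yes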
#####################################################################
瞭解smb.conf的文件就好辦了.我們開始對samba server的四個安全級別分別講解.
1、share級配置
這個在四個等級中是最低的,方法也是最簡單.我們只要對smb.conf文件修改一下就可以了.(注意:share級沒有按用戶的登錄驗證,在Samba 3.6中已被標記爲過時,並在Samba 4.0中移除,新版本請使用user級或domain級.)
workgroup = hackase
server string = angel server
hosts allow = 192.168.1. //限制只有192.168.1的IP網段可以訪問
printcap name = /etc/printcap
load printers = yes //共享打印機
printing = cups //打印機用linux標準的
guest account = angel
log file = /var/log/samba/%m.log
max log size = 20
security = share
===================================================================
其他的設置默認就可以了,也可以像我把所有的註釋刪除.[tmp]這個字段的";"去掉. 路徑可以更改.
重啓一下服務 /etc/samba/smb restart // service smb restart 也可
用testparm測試我們配置的文件是否正確:
===================================================================
[root@localhost root]# testparm //測試時[printers]註釋掉了所以這裏沒有.
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[tmp]"
Processing section "[my]"
Loaded services file OK. //如有錯誤,會在這列出錯誤的地方.
Press enter to see a dump of your service definitions
==================================================================
用smbclient命令查看網絡共享情況
===================================================================
[root@localhost etc]# smbclient -L localhost //本機名爲localhost
Password:
Domain=[HACKBASE] OS=[Unix] Server=[Samba 2.2.7a]
Sharename Type Comment
--------- ---- -------
tmp Disk Temporary file space
my Disk is me
IPC$ IPC IPC Service (angel server)
ADMIN$ Disk IPC Service (angel server)
root Printer Home Directories
Server Comment
--------- -------
Workgroup Master
--------- -------
=======================================================================
2、user級配置
user比share級安全級別高一點點,很簡單的,可以在share基礎上改一下就可以了.
把security = share字段改爲:security = user.再加上如下字段:
guest account = angel //機器上有這個用戶名,如果你沒有那就建一個吧!
encrypt passwords=yes
smb passwd file=/etc/samba/smbpasswd
(1)生成口令文件.
# cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
本命令將生成口令文件"/etc/samba/smbpasswd",這個就是我們剛加上的"smb passwd file=/etc/samba/smbpasswd".口令文件裏存放的是密碼散列,應只允許root讀寫(chmod 600 /etc/samba/smbpasswd).
(2)我們知道建賬戶是建在/etc/passwd文件裏,我們須要用smbpasswd命令爲剛纔建立的賬名設置samba server口令.
格式爲:smbpasswd angel
(3)重啓samba server服務
user級的也OK了,你可以用testparm and smbclient命令測試.windows用戶想訪問就要輸入angel and passwd.這個就不是誰都可以訪問你的共享資源了.
3、server 級配置
server級比user級也高那麼一點,只需要在user級配置上修改一下就OK了.(注意:security = server在Samba 3.6中已被標記爲過時,並在Samba 4.0中移除.)
(1)把security = user字段改爲:security = server
(2)加上password server = ****** //密碼服務器,這個可以是你的windows主域控制器,也可以是另一個samba server服務器(名字無意思)
(3)註釋smb passwd file=/etc/samba/smbpasswd
(4)重啓samba server服務,你可以用testparm and smbclient命令測試.
好了,又完事一個.現在如果一臺windows機器登錄******(password server = ******設置的)域服務器的時候,也就同登錄上了samba server,如果你已是*****主控域的計算機,那你就可以輸入你自己的賬號密碼打開samba server的文件了, 但是你要保證*****和samba server的賬號和密碼相同.
4、domain級的配置
domain級的配置是samba server中級別最高的,他主要就是把samba加入到域中去, 用域服務器作samba server的密碼服務器.
其實domain級的配置也很簡單,只需要在user級的基礎上修改:
(1)加入字段:netbios name = main //起一個NetBIOS名,放在smb.conf文件的最上邊
password server = ** //用主域控制器**來做密碼服務器
(2)把security = user字段改爲:security = domain
workgroup = ***** //*****是主域控制器的域名
#################################################################
Windows客戶端用UNC路徑訪問。
Linux客戶端訪問:
smbclient //192.168.0.2/public -U share%sharetest
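或者mount -t cifs //192.168.0.2/public /mnt/ -o username=share%sharetest
注意:上面兩條命令把密碼(% 後面的部分)直接寫在命令行裏,會留在shell歷史記錄中,也能在進程列表裏被其他用戶看到。smbclient可以省略"%密碼"讓它提示輸入,或用 -A 指定認證文件;mount -t cifs可以用 credentials=文件 選項,並把該文件的權限設爲600。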
本文出自 “Mr_Z” 博客,請務必保留此出處http://zhangrong.blog.51cto.com/2196532/933453