1.samba作用
Samba服務可用於將Linux文件系統作爲CIFS/SMB網絡文件共享進行共享。
.軟件包:
Samba-common ##Samba的支持文件
Samba-client ##客戶端應用程序
Samba ##服務器應用程序
.服務名稱:smb nmb
.服務端口:通常使用TCP/445進行所有連接。還使用UDP137、UDP138和TCP/139進行向後兼容
.主配置文件:/etc/samba/smb.conf
2.samba的安裝
服務器端(ip爲172.25.254.104):
yum install samba-client.x86_64 samba-common.x86_64 samba.x86_64 -y
systemctl stop firewalld ##僅爲測試臨時關閉防火牆;後面第3節會重新開啓firewalld並放行samba服務
systemctl start smb.service
setsebool -P samba_enable_home_dirs on
smbpasswd -a student ##student必須是本機用戶
pdbedit -L ##查看
pdbedit -x student ##刪除samba上的student用戶
測試:
smbclient -L //172.25.254.104 -U student
smbclient //172.25.254.104/student -U student
3.samba共享目錄
vim /etc/samba/smb.conf
[共享名稱]
comment = 共享說明
path = 共享目錄路徑
:wq
[root@localhost ~]# mkdir /westos
[root@localhost ~]# vim /etc/samba/smb.conf ##samba共享目錄的配置文件
在最後面寫:
[TEST]
comment = westos directory
path = /westos
server string = hello
writable = yes
write list = @student
valid users = +student
browseable = no
admin users = westos ##admin users中的用戶在該共享上以root身份操作文件,只應授予可信的管理帳號
:wq
[root@localhost ~]# systemctl restart smb.service
[root@localhost ~]# smbclient -L //172.25.254.104
[root@localhost ~]# smbclient //172.25.254.104/westos -U westos
[root@localhost ~]# semanage fcontext -a -t samba_share_t '/westos(/.*)?'
[root@localhost ~]# restorecon -RvvF /westos/
[root@localhost ~]# chmod +777 /westos/ ##所有用戶都可讀寫執行,僅用於測試;正式環境應按屬主/屬組授予最小權限
[root@localhost ~]# touch /westos/testfile
[root@localhost ~]# smbclient //172.25.254.104/westos -U westos
[root@localhost ~]# vim /etc/samba/smb.conf
Vim:
hosts allow = 127. 172.25.254. ##白名單 127.代表允許本機訪問 172.25.254.代表允許ip是172.25.254網段的主機訪問
hosts deny = 127. 172.25.254. ##黑名單 127.代表拒絕本機訪問 172.25.254.代表拒絕ip是172.25.254網段的主機訪問
workgroup ##用於指定Windows工作組或網絡域名
:wq
[root@localhost ~]# semanage fcontext -a -t samba_share_t '/westos(/.*)?' ##更改上下文
[root@localhost ~]# restorecon -RvvF /westos/
[root@localhost ~]# systemctl restart smb.service
[root@localhost ~]# smbclient -L //172.25.254.104
[root@localhost ~]# smbclient //172.25.254.104/westos -U westos
[root@localhost ~]# systemctl start firewalld
[root@localhost ~]# firewall-cmd --add-service=samba --permanent
[root@localhost ~]# firewall-cmd --reload
4.samba的保護
samba_enable_home_dirs和use_samba_home_dirs SELinux布爾值
samba_enable_home_dirs布爾值允許本地Linux主目錄作爲CIFS文件共享導出至其他
系統。另一方面 use_samba_home_dirs布爾值允許掛載遠程CIFS文件共享並將其用作本地Linux主目錄。
setsebool -P samba_enable_home_dirs on
samba_share_t
用於共享用戶自定義samba共享
chcon -R -t samba_share_t /smbshare 或 semanage fcontext -a -t samba_share_t '/smbshare(/.*)?'
restorecon -vvFR /smbshare
samba_export_all_ro 和 samba_export_all_rw
用於共享系統目錄
setsebool -P samba_export_all_ro on
setsebool -P samba_export_all_rw on
5.訪問CIFS共享
連接到CIFS文件共享的四個基本方法:
(1)圖形訪問CIFS共享
轉至 “網絡” --> “連接服務器”。填寫以下字段:
Server Address : 172.25.0.11
Username: wxh
Password: westos
(2)命令行FTP方式訪問CIFS共享:
[root@localhost ~]# smbclient -L server0.example.com -U wxh
[root@localhost ~]# smbclient //server0.example.com/smbshare -U wxh
(3)手動掛載CIFS共享
[root@localhost ~]# mount -o username=wxh //server0.example.com/smbshare /mnt/wxh
(4)永久掛載CIFS共享
[root@localhost ~]# vim /etc/fstab
vim:
//server0.example.com/smbshare /mnt/wxh cifs credentials=/root/userpasswd 0 0
:wq
[root@localhost ~]# vim /root/userpasswd ##新建文件userpasswd;其中有明文密碼,建議chmod 600使其僅root可讀
vim:
username=samba用戶名
password=samba用戶密碼
:wq
6.samba多用戶掛載
[root@localhost ~]# yum install cifs-utils -y ##安裝cifs-utils軟件包,它包含了cifscreds命令
[root@localhost ~]# vim /root/passfile
vim:
username=samba用戶
password=samba用戶密碼
:wq
[root@localhost ~]# mount //172.25.254.104/westos /mnt -o credentials=/root/passfile,multiuser,sec=ntlmssp
測試:
su - westos ##前提是westos屬於samba用戶
ls /mnt ##不能查看
cifscreds add 172.25.254.104
ls /mnt ##可以查看
su - student ##student不是samba用戶
ls /mnt ##不能查看
cifscreds add 172.25.254.104
ls /mnt ##依然不能查看
7.nfs
(1)
[root@localhost ~]# yum install nfs-utils -y
[root@localhost ~]# systemctl start nfs ##打開nfs
[root@localhost ~]# firewall-cmd --permanent --add-service=nfs
[root@localhost ~]# firewall-cmd --permanent --add-service=rpc-bind
[root@localhost ~]# firewall-cmd --permanent --add-service=mountd
[root@localhost ~]# firewall-cmd --reload
[root@localhost ~]# vim /etc/exports
vim:
/westos 172.25.254.0/24(rw) ##rw是可讀可寫 ro是可讀
:wq
[root@localhost ~]# exportfs -rv
在真機上測試:
[root@foundation4 ~]# showmount -e 172.25.254.104
Export list for 172.25.254.104:
/westos 172.25.254.0/24
[root@foundation4 ~]# mount 172.25.254.104:/westos /mnt/
[root@foundation4 ~]# ls /mnt/
westosfile
[root@foundation4 ~]# touch /mnt/file
[root@foundation4 ~]# ll /mnt/
-rw-r--r-- 1 nfsnobody nfsnobody 0 May 2 13:34 file
(2)
[root@localhost ~]# vim /etc/exports
vim:
/westos 172.25.254.0/24(rw,no_root_squash) ##no_root_squash表示不把客戶端的root用戶映射爲nfsnobody,客戶端root以root身份寫入文件(相當於把共享目錄的root權限交給該網段的主機,只應對可信客戶端開啓)
:wq
[root@localhost ~]# exportfs -rv
在真機上測試:
[root@foundation4 ~]# touch /mnt/file1
[root@foundation4 ~]# ll /mnt/
-rw-r--r-- 1 nfsnobody nfsnobody 0 May 2 13:34 file
-rw-r--r-- 1 root nfsnobody 0 May 2 13:37 file1
8.加密
[root@server0 mnt]# yum install sssd krb5-workstation -y
[root@server0 mnt]# vim auth-config.sh
vim:
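#!/bin/bash
# Installs sssd and krb5-workstation, then runs authconfig to enable LDAP for
# user information (with TLS), enable Kerberos, and disable LDAP authentication.
# Exits non-zero if the package install or authconfig fails.
#
# NOTE(review): the CA certificate passed to --ldaploadcacert is fetched over
# plain HTTP, so nothing protects it from modification in transit, yet it is
# the trust anchor for the LDAP TLS connection. Compare its fingerprint with a
# value obtained out of band, or serve it over an already-trusted channel.

echo install packages...
# Package output stays hidden, but a failed install now stops the script
# instead of letting authconfig run without sssd / krb5-workstation.
if ! yum install sssd krb5-workstation -y &> /dev/null; then
  echo "package installation failed" >&2
  exit 1
fi

echo configure...
if authconfig \
  --enableldap \
  --enablekrb5 \
  --disableldapauth \
  --enableldaptls \
  --ldaploadcacert="http://172.25.254.254/pub/example-ca.crt" \
  --ldapserver="classroom.example.com" \
  --ldapbasedn="dc=example,dc=com" \
  --krb5realm="EXAMPLE.COM" \
  --krb5adminserver="classroom.example.com" \
  --krb5kdc="classroom.example.com" \
  --update; then
  echo success !
else
  # Report the failure on stderr and hand authconfig's own status to the caller.
  status=$?
  echo "authconfig failed" >&2
  exit "$status"
fi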
:wq
[root@server0 mnt]# sh auth-config.sh
[root@server0 mnt]# id ldapuser1 ##測試
[root@server0 mnt]# yum install nfs-utils -y
[root@server0 mnt]# systemctl stop firewalld
[root@server0 mnt]# mkdir /westos
[root@server0 mnt]# systemctl start nfs
[root@server0 mnt]# vim /etc/exports
[root@server0 mnt]# exportfs -rv
exporting 172.25.4.0/24:/westos
[root@server0 mnt]# vim /etc/sysconfig/nfs
vim:
RPCNFSDARGS="-V 4.2"
:wq
[root@server0 mnt]# systemctl restart nfs
[root@server0 mnt]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.key ##keytab內含主機的Kerberos密鑰,經HTTP明文下載僅適用於實驗環境;正式環境應通過受保護的通道分發,並限制爲僅root可讀
[root@server0 mnt]# systemctl start nfs-secure-server
[root@server0 mnt]# vim /etc/exports
vim:
/westos 172.25.254.0/24(rw,sec=krb5p)
:wq
[root@server0 mnt]# exportfs -rv
[root@desktop0 ~]# systemctl restart nfs-secure.service
[root@desktop0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.key
[root@desktop0 ~]# systemctl restart nfs-secure.service
[root@desktop0 ~]# mount -o vers=4.2,sec=krb5p 172.25.4.11:/westos /mnt/
[root@desktop0 ~]# reboot
[root@desktop0 ~]# df
[root@desktop0 ~]# umount /mnt/
[root@desktop0 ~]# mount -o vers=4.2,sec=krb5p 172.25.4.11:/westos /mnt/
[root@desktop0 ~]# df