Samba is free software that implements the SMB protocol on Linux and UNIX systems; it consists of server and client programs. SMB (Server Message Block) is a communication protocol for sharing files and printers over a local area network: it lets the different computers on the LAN share files, printers and similar resources. SMB is a client/server protocol; through it a client can access the shared file systems, printers and other resources on a server.
I. Configuring SMB shares
- Protocols: SMB (TCP 139), CIFS (TCP 445)
- Configuration files: /etc/samba/smb.conf; /etc/fstab
- Packages:
  - samba: the server-side software; provides the Samba server daemons, shared documents, log rotation and the boot-time defaults
  - samba-common: provides the Samba server configuration file and testparm, the configuration-syntax checker
  - smbclient: the client-side software; the command-line tools a Linux host needs when it acts as an SMB client
Server side:
1. Install samba
[root@localhost doc]# yum install samba-client samba-common samba -y
2. User management
Create a Samba account and give it a Samba password that is independent of the Linux login password.
About the pdbedit command
The pdbedit command manages the Samba service's account database; its syntax is "pdbedit [options] account".
The -a parameter is needed only the first time a user's information is written to the database; later operations such as changing the user's password or deleting the user no longer need it.
pdbedit -L: list Samba users
pdbedit -a -u user: add a Samba user
pdbedit -x -u user: delete a Samba user
[root@localhost ~]# pdbedit -a vincent
new password:
retype new password:
Unix username: vincent
NT username:
Account Flags: [U ]
User SID: S-1-5-21-779336089-3447107930-3279685289-1000
Primary Group SID: S-1-5-21-779336089-3447107930-3279685289-513
Full Name:
Home Directory: \\localhost\vincent
HomeDir Drive:
Logon Script:
Profile Path: \\localhost\vincent\profile
Domain: LOCALHOST
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 10:06:39 EST
Kickoff time: Wed, 06 Feb 2036 10:06:39 EST
Password last set: Tue, 05 Jun 2018 07:03:42 EDT
Password can change: Tue, 05 Jun 2018 07:03:42 EDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[root@localhost /]# pdbedit -L
vincent:1001:
[root@localhost /]# pdbedit -x -u vincent
Change a user's password
[root@localhost /]# smbpasswd -a vincent
New SMB password:
Retype new SMB password:
Check a user's ID
[root@localhost /]# id jzx
uid=1002(jzx) gid=1005(jzx) groups=1005(jzx)
Check which ports the Samba service is listening on:
[root@server test]# netstat -antlupe | grep smb
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 0 56252 4627/smbd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 0 56253 4627/smbd
tcp6 0 0 :::445 :::* LISTEN 0 56250 4627/smbd
tcp6 0 0 :::139 :::* LISTEN 0 56251 4627/smbd
Client side:
[root@server test]# rpm -qc samba-common
/etc/logrotate.d/samba
/etc/samba/lmhosts
/etc/samba/smb.conf
/etc/sysconfig/samba
1. List the shares offered by the Samba server
[root@server test]# smbclient -L //172.25.254.141
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
public Disk Public Stuff
movies Disk MOVIEEEEE
work Disk work
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
2. Check users
[root@server ~]# yum install samba-client -y
Check the configuration file
[root@localhost /]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[public]"
Processing section "[movies]"
Unknown parameter encountered: "valid user"
Ignoring unknown parameter "valid user"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
workgroup = MYGROUP
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
idmap config * : backend = tdb
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No
[public]
comment = Public Stuff
path = /share
guest ok = Yes
[movies]
comment = MOVIEEEEE
path = /movie
write list = vincent
read only = No
Restart the service
[root@localhost /]# service smb restart
Redirecting to /bin/systemctl restart smb.service
2. Log in to the Samba server as a specific user
Usage:
smbclient -L //<Samba server IP address> -U <Samba user name>
When the share allows access without a password, just press Enter at the password: prompt.
For example:
# smbclient //10.0.0.163/public -U david
smb: \> ?    # type ? here to list every command available at the smb prompt
[root@server test]# smbclient //172.25.254.141/jzx -U jzx
Enter jzx's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Wed Jun 6 06:50:57 2018
.. D 0 Wed Jun 6 06:54:00 2018
.bash_profile H 193 Wed Jan 29 07:45:18 2014
.mozilla DH 0 Thu Jul 10 18:29:32 2014
.config DH 0 Thu Jul 10 19:06:52 2014
.bashrc H 231 Wed Jan 29 07:45:18 2014
.bash_logout H 18 Wed Jan 29 07:45:18 2014
60458 blocks of size 8192. 56095 blocks available
smb: \> quit
Once logged in to the Samba server you can upload and download files, and, given sufficient permissions, modify them.
For example, uploading a file:
[root@server test]# smbclient //172.25.254.141/jzx -U jzx
Enter jzx's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> put /root/test/test.dat
NT_STATUS_OBJECT_PATH_NOT_FOUND opening remote file \/root/test/test.dat
smb: \> quit
[root@server test]# cd /root/test/
[root@server test]# smbclient //172.25.254.141/jzx -U jzx
Enter jzx's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> put test.dat
putting file test.dat as \test.dat (164456.7 kb/s) (average 164456.7 kb/s)
Note: the upload fails when the file is given by its full local path, because smbclient uses the local name as the remote name unless told otherwise, so it tries to open \/root/test/test.dat on the share. Change into the file's directory first, as above, or give the remote name explicitly: put /root/test/test.dat test.dat
On the server side:
[root@localhost ~]# ls /home/jzx/
test.dat ## written successfully (the /home/jzx directory was created automatically when the user was created)
Mounting on the client
1. Temporary mount
A share exported by the Samba server can also be mounted on a Linux client with the mount command, as shown below:
[root@server test]# mount //172.25.254.141/jzx /mnt -o username=jzx,password=jzx
[root@server test]# df | grep jzx
//172.25.254.141/jzx 483670 136487 317692 31% /mnt
2. Permanent mount
(1) Edit the static mount table
[root@server test]# echo "//172.25.254.141/jzx /mnt cifs defaults,username=jzx,password=jzx 0 0" >> /etc/fstab
Check the mount after a reboot:
[root@server test]# reboot
[root@server test]# df | grep jzx
//172.25.254.141/jzx 483670 136487 317692 31% /mnt
(2) Add the mount to the boot-time script
[root@server test]# echo "mount //172.25.254.141/jzx /mnt -o username=jzx,password=jzx" >> /etc/rc.d/rc.local
[root@server test]# chmod +x /etc/rc.d/rc.local
[root@server test]# reboot
[root@server test]# df | grep jzx
//172.25.254.141/jzx 483670 136487 317692 31% /mnt
Changing the workgroup
Server side:
[root@localhost ~]# vim /etc/samba/smb.conf
workgroup = JZX ## restart the service after changing the workgroup name
[root@localhost ~]# systemctl restart smb
Check from the client:
[root@server test]# smbclient -L //172.25.254.141
Enter root's password:
Anonymous login successful
Domain=[JZX] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
public Disk Public Stuff
movies Disk MOVIEEEEE
work Disk work
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
Anonymous login successful
Domain=[JZX] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
Adding Samba allow and deny lists
smb.conf is divided into:
Global settings:
#================ Global Settings ================
Share definitions:
#============= Share Definitions ===============
Add the allow and deny lists in the Global Settings section (once "hosts allow" is set, only the hosts it lists may connect; every other host is refused):
[root@localhost ~]# vim /etc/samba/smb.conf
hosts allow = 172.25.254.141
hosts deny = 172.25.254.241   # the parameter is "hosts deny"; "host deny" is unknown to Samba and silently ignored, as the testparm warning in the .141 test below shows
[root@localhost ~]# systemctl restart smb
Test from the .241 client:
[root@server test]# smbclient -L //172.25.254.141
Enter root's password:
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Test from the .141 client:
[root@localhost ~]# smbclient -L //172.25.254.141
Unknown parameter encountered: "host deny"
Ignoring unknown parameter "host deny"
Enter root's password:
Anonymous login successful
Domain=[JZX] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
public Disk Public Stuff
movies Disk MOVIEEEEE
work Disk work
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
Anonymous login successful
Domain=[JZX] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
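The two testparm warnings earlier on this page ("valid user", "host deny") and the allow/deny section above share one failure mode: a misspelled parameter is not an error, Samba simply drops it, so a deny rule can be missing without anyone noticing. The lint below is an added example (not code from this page or from the Samba project; it assumes only POSIX sh and awk) that scans an smb.conf for those known misspellings and for guest shares that no "hosts allow" line restricts:

```shell
# smbconf_lint: flag smb.conf settings that do not do what they appear to do.
# Added example, not code from this page or the Samba project; assumes POSIX sh and awk.
# Finding 1: parameter names Samba does not know and silently ignores (testparm only warns).
# Finding 2: a share with "guest ok = yes" while no "hosts allow" limits who can reach it.
smbconf_lint() {
    # $1 = path to an smb.conf-style file; prints one finding per line, exit 1 if any found
    awk '
    BEGIN {
        # misspellings seen in practice, mapped to the real parameter names
        fix["host allow"] = "hosts allow"
        fix["host deny"]  = "hosts deny"
        fix["valid user"] = "valid users"
        section = "(none)"; findings = 0
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    /^[ \t]*\[/ {                              # a new [section] header
        s = $0; sub(/^[ \t]*\[/, "", s); sub(/][ \t]*$/, "", s); section = s; next
    }
    /=/ {
        key = $0; sub(/=.*/, "", key)          # text left of the first "="
        val = $0; sub(/^[^=]*=/, "", val)      # text right of it
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        k = tolower(key)
        if (k in fix) {
            printf "[%s] \"%s\" is not a Samba parameter and is ignored; use \"%s\"\n", section, key, fix[k]
            findings++
        }
        if (k == "hosts allow") allow[section] = 1
        if (k == "guest ok" && tolower(val) == "yes") guest[section] = 1
    }
    END {
        # a guest share is reachable by anyone unless global or per-share hosts allow limits it
        for (s in guest)
            if (!(s in allow) && !("global" in allow)) {
                printf "[%s] guest access enabled and no \"hosts allow\" restricts it\n", s
                findings++
            }
        exit (findings > 0 ? 1 : 0)
    }
    ' "$1"
}
```

Run it as `smbconf_lint /etc/samba/smb.conf` before `testparm`; a non-zero exit means at least one finding was printed.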
III. SELinux policy for smb
Booleans and types used by the SELinux policy rules

| Purpose | SELinux boolean / type |
|---|---|
| Allow local Linux home directories to be exported as CIFS file shares to other systems | samba_enable_home_dirs |
| Allow remote CIFS file shares to be mounted and used as local Linux home directories | use_samba_home_dirs |
| SELinux security context for an smb shared directory | samba_share_t |
| Share system directories | samba_export_all_ro and samba_export_all_rw |

Check the SELinux booleans for CIFS file shares:
[root@server test]# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_sandbox_use_samba --> off
virt_use_samba --> off
Enable a particular Samba SELinux boolean:
[root@server test]# setsebool -P samba_create_home_dirs on
[root@server test]# getsebool -a | grep samba_create
samba_create_home_dirs --> on
Custom share directory
Server side:
[root@localhost ~]# vim /etc/samba/smb.conf
[movies]
comment = MOVIEEEEE
browseable=yes
path=/movie
# writable=yes                # whether the share is writable
# valid users = vincent       # users allowed to connect (the parameter is "valid users"; "valid user" is ignored, as testparm warned above)
# write list =vincent         # users allowed to write
# public =yes
# hosts allow=172.25.24.241   # allow list (the parameter is "hosts allow", not "host allow")
Set the security context (semanage only records the rule; run restorecon -Rv on the directory afterwards to apply the label to files that already exist)
[root@server test]# semanage fcontext -a -t samba_share_t '/share_dir(/.*)?'
[root@server test]# semanage fcontext -l | grep /share_dir   # check that the context rule for /share_dir was added
/share_dir(/.*)? all files system_u:object_r:samba_share_t:s0
[root@localhost ~]# systemctl restart smb   # restart the service
Client side:
[root@server test]# smbclient -L //172.25.254.141/movie -U vincent
Enter vincent's password:
Domain=[JZX] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
public Disk Public Stuff
movies Disk MOVIEEEEE
work Disk work
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
vincent Disk Home Directories
Domain=[JZX] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
Multi-user mount
Client side:
[root@server ~]# yum install cifs-utils -y
[root@server ~]# cat <<EOF > /root/smbpass
> username=vincent
> password=vincent
> EOF
Mount:
[root@foundation79 Desktop]# mount -o credentials=/root/smbpass,sec=ntlmssp,multiuser //172.25.254.141/movies /mnt
[root@foundation79 Desktop]# df | grep mnt
//172.25.254.141/movies 10473900 3518336 6955564 34% /mnt
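Both the /etc/fstab entry in the permanent-mount section and the /root/smbpass file above put the Samba password on disk, and the fstab variant leaves it in a world-readable file. The function below is an added example (not from this page or from cifs-utils) that writes the credentials file with mode 600 and appends a credentials= fstab entry instead; the credentials and fstab paths are parameters so it can be tried against scratch files first.

```shell
# add_cifs_mount: create a 0600 credentials file and an fstab entry that references it,
# so the password never sits in the world-readable /etc/fstab.
# Added example, not code from this page or from cifs-utils; assumes POSIX sh.
add_cifs_mount() {
    # $1 share (//server/share)  $2 mount point  $3 user  $4 password
    # $5 credentials file to create  $6 fstab file to append to
    share=$1; mnt=$2; user=$3; pass=$4; cred=$5; fstab=$6
    # refuse to add a duplicate entry for the same share
    if grep -q "^$share[[:space:]]" "$fstab" 2>/dev/null; then
        echo "entry for $share already present in $fstab" >&2; return 1
    fi
    # write the credentials file under a restrictive umask so it is never world-readable,
    # then pin the mode to 0600 explicitly
    old_umask=$(umask); umask 077
    printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$cred"
    umask "$old_umask"
    chmod 600 "$cred"
    # credentials= keeps the secret out of fstab, sec=ntlmssp requests NTLMv2 inside NTLMSSP
    # (the same option the multiuser mount above uses), _netdev waits for the network
    printf '%s %s cifs credentials=%s,sec=ntlmssp,_netdev 0 0\n' "$share" "$mnt" "$cred" >> "$fstab"
}

# perm_of: octal permission bits of a file (GNU stat first, BSD stat as fallback)
perm_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
```

Called as `add_cifs_mount //172.25.254.141/movies /mnt vincent vincent /root/smbpass /etc/fstab`, it produces the same mount as the page's entry but with the password readable by root only.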
Anonymous access
Server side:
[root@localhost home]# vim /etc/samba/smb.conf
map to guest=bad user   # map logins with an unknown user name to the guest account
[movies]
comment = MOVIEEEEE
path=/movie
guest ok=yes            # allow anonymous (guest) logins
Client side:
[root@foundation79 Desktop]# mount //172.25.254.141/movies /mnt -o username=guest,password=""
[root@foundation79 Desktop]# df | grep mnt
//172.25.254.141/movies 10473900 3518288 6955612 34% /mnt
[root@localhost home]# systemctl restart smb
Note: find and kill the process holding the mount point busy
[root@server ~]# fuser /mnt/
/mnt: 10496c
[root@server ~]# kill -9 10496
[root@server ~]# Killed (core dumped)