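SMB File Sharing
The Common Internet File System (CIFS), also known as Server Message Block (SMB), is the standard file and printer sharing system for Microsoft Windows servers and clients.
The Samba service can share Linux file systems as CIFS/SMB network file shares, and Linux printers as CIFS/SMB printer shares.
Components of the Samba service
1. Packages:
samba-common – support files for Samba
samba-client – client applications
samba – server applications
2. Service names: smb nmb
3. Service ports: TCP/445 is normally used for all connections. UDP/137, UDP/138 and TCP/139 are also used for backward compatibility.
4. Main configuration file: /etc/samba/smb.conf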
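/etc/samba/smb.conf: the [global] section
workgroup
Specifies the Windows workgroup or network domain name.
hosts allow
A comma-, space- or tab-separated set of hosts that are allowed to access the service. If it is specified in the [global] section, it applies to all services, regardless of whether an individual service has a different setting. Hosts can be specified by name or by IP number. For example, allow hosts = 192.168.0. allows one whole network.
security
This option affects how clients respond to Samba and is one of the most important settings in the smb.conf file.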
security = user
Clients must log in with a valid username and password.
security = domain
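Works properly only if the machine has been added to an NT domain. It requires the encrypt passwords parameter to be set to yes. In this mode, Samba validates the username/password by passing it to a Windows NT primary domain controller or backup domain controller, in exactly the same way a Windows NT Server would. Note that a valid UNIX user must still exist in addition to the account on the domain controller, so that Samba has a valid UNIX account to which it can map file access. You must set the password server parameter to give Samba a server to validate passwords against.
security = server
Samba tries to validate the username/password by passing it to another SMB server. You must set the password server parameter to give Samba a server to validate passwords against.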
security = ads
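Samba acts as a domain member in an ADS realm. To operate in this mode, the machine running Samba needs Kerberos installed and configured, and Samba must be joined to the ADS realm with the net utility.
/etc/samba/smb.conf: other sections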
[homes]
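This share (enabled by default) is a special share that makes users' home directories available over CIFS. It includes browseable = no, so it does not show up as an available share until the user has authenticated. The share name can be given as homes (in which case the Samba server converts it to the path of the user's home directory) or as the username.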
[printers]
Also available by default; it shares the printers that are currently available.
[share]
To set up additional shares, put the share name in brackets as shown above. A share needs at least a path parameter.
SMB users
useradd
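security = user requires both UNIX and Samba account information. Add the user (preferably with the same name as the Samba account), or place an entry in /etc/samba/smbusers (the file contains some examples). If you create a Samba-only user, set the UNIX login shell to /sbin/nologin.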
[root@serverX ~]# useradd -s /sbin/nologin wxh
smbpasswd
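If you do not have a Samba password server, the authentication data must be created on the local machine. Use smbpasswd to create Samba accounts and passwords.
If smbpasswd is given only a username and no options, it tries to change that account's password. Passing the -a option adds the account and sets its password.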
[root@serverX ~]# smbpasswd -a wxh
New SMB password: westos
Retype new SMB password: westos
Added user wxh.
www.westos.org
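Securing SMB
The samba_enable_home_dirs and use_samba_home_dirs SELinux booleans
The samba_enable_home_dirs boolean allows local Linux home directories to be exported to other systems as CIFS file shares. The use_samba_home_dirs boolean, on the other hand, allows remote CIFS file shares to be mounted and used as local Linux home directories.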
# setsebool -P samba_enable_home_dirs on
samba_share_t
The SELinux type used to label directories for user-defined Samba shares.
# chcon -R -t samba_share_t /smbshare
or # semanage fcontext -a -t samba_share_t '/smbshare(/.*)?'
# restorecon -vvFR /smbshare
samba_export_all_ro and samba_export_all_rw
Used for sharing system directories.
# setsebool -P samba_export_all_ro on
# setsebool -P samba_export_all_rw on
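Accessing CIFS shares
Four basic ways to connect to a CIFS file share:
1. Graphical access to a CIFS share
Go to "Network" --> "Connect to Server". Fill in the following fields: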
Server Address : 172.25.0.11
Username: wxh
Password: westos
2. FTP-style command-line access to a CIFS share:
[root@server0 ~]# smbclient -L server0.example.com -U wxh
Enter wxh's password: westos
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
smbshare Disk test
wxh Disk Home Directories
[root@server0 ~]# smbclient //server0.example.com/smbshare -U wxh
Enter wxh's password: westos
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Thu Dec 18 17:27:27 2014
.. D 0 Thu Dec 18 11:37:20 2014
testfile N 12 Thu Dec 18 11:38:03 2014
3. Manually mounting a CIFS share
[root@server0 ~]# mount -o username=wxh //server0.example.com/smbshare /mnt/wxh
4. Persistently mounting a CIFS share
Add the following line to /etc/fstab:
//server0.example.com/smbshare /mnt/wxh cifs credentials=/root/userpasswd 0 0
Create /root/userpasswd:
user=wxh
pass=westos
SMB multiuser mounts
Demo: (desktopX)
Install the cifs-utils package, which provides the cifscreds command:
# yum install -y cifs-utils
Create the mount point for the SMB multiuser mount:
# mkdir /mnt/multiuser
Create the SMB credentials file:
# echo 'username=brian' > /root/smb-multiuser.txt
# echo 'password=redhat' >> /root/smb-multiuser.txt
Edit /etc/fstab to mount the SMB share persistently:
//server0/smbshare /mnt/multiuser cifs credentials=/root/smb-multiuser.txt,multiuser,sec=ntlmssp 0 0
# mount -a
# su - brian
$ touch /mnt/multiuser/brian.txt
touch: cannot touch ‘/mnt/multiuser/brian.txt’: Permission denied
$ cifscreds add server0
Password: redhat
$ echo "multiuser" > /mnt/multiuser/brian.txt
$ cat /mnt/multiuser/brian.txt
multiuser
$ exit
# su - rob
$ cifscreds add server0
Password: redhat
$ echo "multiuser" > /mnt/multiuser/rob.txt
-bash: /mnt/multiuser/rob.txt: Permission denied
$ cat /mnt/multiuser/brian.txt
multiuser
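An added example (not part of the original page) for the credentials files used by the two /etc/fstab entries above: it writes such a file so that only its owner can read it, and checks every cifs entry in an fstab for credentials files that are missing or readable by group or others. The function names write_cifs_creds and check_cifs_creds are hypothetical, and the demo works on constructed files in a temporary directory.

```bash
# Added example. Function names are hypothetical; demo paths are constructed.

# write_cifs_creds FILE USER PASS: create a mount.cifs credentials file that only
# its owner can read. Both lines are written in one step, so the second value
# cannot overwrite the first.
write_cifs_creds() {
  ( umask 077; printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1" )
  chmod 600 "$1"   # also tightens a file that already existed with a looser mode
}

# check_cifs_creds FSTAB: for each cifs entry that names a credentials file,
# print "MISSING <file>" or "LOOSE <file>" (accessible by group or others).
check_cifs_creds() {
  awk '$1 !~ /^#/ && $3 == "cifs" {
         n = split($4, opt, ",")
         for (i = 1; i <= n; i++)
           if (opt[i] ~ /^cred(entials)?=/) { sub(/^[^=]*=/, "", opt[i]); print opt[i] }
       }' "$1" |
  while IFS= read -r f; do
    if [ ! -f "$f" ]; then echo "MISSING $f"; continue; fi
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || echo "LOOSE $f"
  done
}

# Demo on constructed files: one file written safely, one left at mode 644.
demo() {
  d=$(mktemp -d)
  write_cifs_creds "$d/smb-multiuser.txt" brian redhat
  printf 'user=wxh\npass=westos\n' > "$d/userpasswd"; chmod 644 "$d/userpasswd"
  printf '%s\n' \
    "//server0/smbshare /mnt/multiuser cifs credentials=$d/smb-multiuser.txt,multiuser,sec=ntlmssp 0 0" \
    "//server0.example.com/smbshare /mnt/wxh cifs credentials=$d/userpasswd 0 0" > "$d/fstab"
  check_cifs_creds "$d/fstab"
  rm -rf "$d"
}
demo
```

In the demo only the userpasswd file is reported, because it was left world-readable.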
Worked examples
(1) Installing Samba and adding Samba users
[root@localhost ~]# yum search samba
Loaded plugins: langpacks
rhel_dvd | 4.1 kB 00:00
(1/2): rhel_dvd/primary_db | 3.4 MB 00:00
(2/2): rhel_dvd/group_gz | 134 kB 00:00
================= N/S matched: samba =================
samba-client.x86_64 : Samba client programs
samba-common.x86_64 : Files used by both Samba servers
: and clients
samba-libs.i686 : Samba libraries
samba-libs.x86_64 : Samba libraries
samba-python.x86_64 : Samba Python libraries
samba-winbind.x86_64 : Samba winbind
samba-winbind-modules.i686 : Samba winbind modules
samba-winbind-modules.x86_64 : Samba winbind modules
samba.x86_64 : Server and Client software to
: interoperate with Windows machines
Name and summary matches only, use "search all" for everything.
[root@localhost ~]# yum install samba-client.x86_64 samba-common.x86_64 samba.x86_64
Loaded plugins: langpacks
Package samba-common-4.1.1-31.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package samba.x86_64 0:4.1.1-31.el7 will be installed
---> Package samba-client.x86_64 0:4.1.1-31.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================
Package Arch Version Repository Size
======================================================
Installing:
samba x86_64 4.1.1-31.el7 rhel_dvd 527 k
samba-client x86_64 4.1.1-31.el7 rhel_dvd 513 k
Transaction Summary
======================================================
Install 2 Packages
Total download size: 1.0 M
Installed size: 2.9 M
Is this ok [y/d/N]: y
Downloading packages:
(1/2): samba-4.1.1-31.el7.x86_64 | 527 kB 00:00
(2/2): samba-client-4.1.1-31.el7 | 513 kB 00:00
------------------------------------------------------
Total 8.2 MB/s | 1.0 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : samba-4.1.1-31.el7.x86_64 1/2
Installing : samba-client-4.1.1-31.el7.x86_64 2/2
Verifying : samba-client-4.1.1-31.el7.x86_64 1/2
Verifying : samba-4.1.1-31.el7.x86_64 2/2
Installed:
samba.x86_64 0:4.1.1-31.el7
samba-client.x86_64 0:4.1.1-31.el7
Complete!
[root@localhost ~]# systemctl start smb
[root@localhost ~]# firewall-cmd --add-service=samba --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# smbclient -L //172.25.254.137
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost ~]# smbpasswd -a student
New SMB password:
Retype new SMB password:
Added user student.
[root@localhost ~]# useradd westos
[root@localhost ~]# passwd westos
Changing password for user westos.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]# smbpasswd -a westos
New SMB password:
Retype new SMB password:
Added user westos.
[root@localhost ~]# pdbedit -L
student:1000:Student User
westos:1001:
[root@localhost ~]# touch /home/westos/file
[root@localhost ~]# smbclient -L //172.25.254.137/westos -U student
Enter student's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
student Disk Home Directories
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost ~]# smbclient -L //172.25.254.137/westos -U westos
Enter westos's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
westos Disk Home Directories
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost ~]# setsebool -P samba_enable_home_dirs 1
[root@localhost ~]# smbclient //172.25.254.137/westos -U westos
Enter westos's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Mon May 1 21:22:41 2017
.. D 0 Mon May 1 21:18:58 2017
.bash_logout H 18 Wed Jan 29 07:45:18 2014
.bash_profile H 193 Wed Jan 29 07:45:18 2014
.bashrc H 231 Wed Jan 29 07:45:18 2014
.mozilla DH 0 Thu Jul 10 18:29:32 2014
.config DH 0 Thu Jul 10 19:06:52 2014
file N 0 Mon May 1 21:22:41 2017
40913 blocks of size 262144. 28594 blocks available
smb: \> quit
(2) Sharing a directory as test
[root@localhost ~]# mkdir /westos
[root@localhost ~]# vim /etc/samba/smb.conf
[test]
comment = westos directory
path = /westos
[root@localhost ~]# semanage fcontext -a -t samba_share_t '/westos(/.*)?'
[root@localhost ~]# restorecon -RvvF /westos/
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
[root@localhost ~]# smbclient //172.25.254.137/test -U westos
Enter westos's password:
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Mon May 1 21:57:11 2017
.. D 0 Mon May 1 21:57:11 2017
40913 blocks of size 262144. 28594 blocks available
smb: \> quit
[root@localhost ~]#
(3) Samba allow list and deny list for anonymous users
[root@localhost ~]# vim /etc/samba/smb.conf
[root@localhost ~]# systemctl restart smb
[root@localhost ~]# smbclient -L //172.25.254.137
Enter root's password:
Anonymous login successful
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
TEST Disk westos directory
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
Anonymous login successful
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost ~]# vim /etc/samba/smb.conf
[root@localhost ~]# smbclient -L //172.25.254.137
Enter root's password:
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
[root@localhost ~]# vim /etc/samba/smb.conf
[root@localhost ~]# systemctl restart smb
[root@localhost ~]# smbclient -L //172.25.254.137
Enter root's password:
Anonymous login successful
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
TEST Disk westos directory
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
Anonymous login successful
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost ~]# vim /etc/samba/smb.conf
[root@localhost ~]# systemctl restart smb
[root@localhost ~]# smbclient -L //172.25.254.137
Enter root's password:
Anonymous login successful
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
TEST Disk westos directory
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
Anonymous login successful
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost ~]# vim /etc/samba/smb.conf
[root@localhost ~]# smbclient -L //172.25.254.137
Enter root's password:
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
[root@localhost ~]# vim /etc/samba/smb.conf
(4) Write permission for anonymous users
1.[root@localhost ~]# vim /etc/samba/smb.conf
[TEST]
comment = westos directory
path = /westos
writable = yes
write list = student
[root@localhost ~]# mount //172.25.254.100/TEST /mnt/ -o username=student,password=student
mount: mount //172.25.254.100/TEST on /mnt failed: No route to host
[root@localhost ~]# mount //172.25.254.137/TEST /mnt/ -o username=student,password=student
[root@localhost ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3157536 7316364 31% /
devtmpfs 927072 0 927072 0% /dev
tmpfs 942660 140 942520 1% /dev/shm
tmpfs 942660 17048 925612 2% /run
tmpfs 942660 0 942660 0% /sys/fs/cgroup
//172.25.254.137/TEST 10473900 3157536 7316364 31% /mnt
[root@localhost ~]# cd /mnt
[root@localhost mnt]# systemctl restart smb
[root@localhost mnt]# chmod 777 /westos
[root@localhost mnt]# touch file
[root@localhost mnt]#
2.[root@localhost mnt]# vim /etc/samba/smb.conf
[TEST]
comment = westos directory
path = /westos
writable = yes
write list = @student (everyone in the student group can write)
[root@localhost mnt]# usermod -G student westos
[root@localhost mnt]# id westos
uid=1001(westos) gid=1001(westos) groups=1001(westos),1000(student)
[root@localhost mnt]# cd
[root@localhost ~]# umount /mnt
[root@localhost ~]# mount //172.25.254.137/TEST /mnt/ -o username=westos,password=student
[root@localhost ~]# cd /mnt
[root@localhost mnt]# touch file1
[root@localhost mnt]# rm -fr file
[root@localhost mnt]#
[root@localhost mnt]# vim /etc/samba/smb.conf
[TEST]
comment = westos directory
path = /westos
writable = yes
write list = @student
valid users = student
valid users = @student
browseable = yes
[root@localhost mnt]# systemctl restart smb
[root@localhost mnt]# smbclient -L //172.25.254.137 -U student
Enter student's password:
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
TEST Disk westos directory
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
student Disk Home Directories
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost mnt]# usermod -G student westos
[root@localhost mnt]# smbclient -L //172.25.254.137 -U westos
Enter westos's password:
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
TEST Disk westos directory
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
westos Disk Home Directories
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost mnt]# vim /etc/samba/smb.conf
[TEST]
comment = westos directory
path = /westos
writable = yes
write list = @student
valid users = student
valid users = @student
browseable = no (hidden)
[root@localhost mnt]# smbclient -L //172.25.254.137 -U westos
Enter westos's password:
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
westos Disk Home Directories
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@localhost mnt]#
[root@localhost mnt]# vim /etc/samba/smb.conf
[TEST]
comment = westos directory
path = /westos
writable = yes
write list = @student
valid users = student
valid users = @student
browseable = no
admin users = westos (superuser)
(5) Anonymous user access
[root@localhost mnt]# vim /etc/samba/smb.conf
[TEST] ## first change
comment = westos directory
path = /westos
writable = yes
write list = @student
; valid users = student
; valid users = @student
browseable = no
admin users = westos
guest ok = yes
security = user ## second change
map to guest = bad user
passdb backend = tdbsam
[root@localhost mnt]# systemctl restart smb
[root@localhost mnt]# smbclient //172.25.254.137/TEST
Enter root's password:
Domain=[CRB] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Mon May 1 22:57:03 2017
.. D 0 Mon May 1 21:57:11 2017
file1 N 0 Mon May 1 22:56:55 2017
40913 blocks of size 262144. 28578 blocks available
smb: \>
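An added example (not part of the original page) that reviews an smb.conf for the settings examples (3) to (5) turn on: no hosts allow restriction in [global], map to guest, guest ok on a share, and admin users. audit_smb_conf is a hypothetical helper, and SAMPLE_CONF is constructed from the final [TEST] share and [global] edits shown in example (5).

```bash
# Added example. audit_smb_conf is a hypothetical helper; SAMPLE_CONF is
# constructed from the final [TEST] share and [global] edits of example (5).
SAMPLE_CONF='[global]
security = user
map to guest = bad user
passdb backend = tdbsam
[TEST]
path = /westos
writable = yes
browseable = no
admin users = westos
guest ok = yes'

# audit_smb_conf: read smb.conf text on stdin and print one finding per line.
audit_smb_conf() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function on(v) { return v == "yes" || v == "true" || v == "1" }
    /^[ \t]*([#;]|$)/ { next }                       # comment or blank line
    /^[ \t]*\[/ {                                    # section header
      sec = tolower(trim($0)); gsub(/^\[|\].*$/, "", sec); order[++n] = sec; next
    }
    (eq = index($0, "=")) {
      # Parameter names are case- and whitespace-insensitive in smb.conf.
      key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
      val[sec, key] = tolower(trim(substr($0, eq + 1)))
    }
    END {
      if (!(("global", "hostsallow") in val) && !(("global", "allowhosts") in val))
        print "global: no hosts allow restriction"
      m = val["global", "maptoguest"]
      if (m != "" && m != "never") print "global: map to guest = " m
      for (i = 1; i <= n; i++) {
        s = order[i]; if (s == "global") continue
        guest = on(val[s, "guestok"]) || on(val[s, "public"])
        wr = on(val[s, "writable"]) || on(val[s, "writeable"]) || val[s, "readonly"] == "no"
        if (guest) print s ": guest access" (wr ? " on a writable share" : "")
        if (val[s, "adminusers"] != "") print s ": admin users = " val[s, "adminusers"]
      }
    }'
}

printf '%s\n' "$SAMPLE_CONF" | audit_smb_conf
```

On a real server, pipe /etc/samba/smb.conf into audit_smb_conf; section names are reported in lower case.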