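Samba recently needed to be upgraded because of security issues. This requires downloading the source code and the security patch, then recompiling and installing.
The steps are as follows.
1. Download the source code. The version I chose is 4.7.5: https://download.samba.org/pub/samba/stable/samba-4.7.5.tar.gz
Download the patch: https://www.samba.org/samba/ftp/patches/security/samba-4.7.5-security-2018-03-13.patch
Extract the source locally and apply the patch: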
~/code/samba/samba-4.7.5$ patch -p 1 < ../samba-4.7.5-security-2018-03-13.patch
patching file source3/rpc_server/spoolss/srv_spoolss_nt.c
patching file selftest/knownfail.d/samba4.ldap.passwords.python
patching file source4/dsdb/tests/python/passwords.py
patching file source4/dsdb/samdb/ldb_modules/password_hash.c
patching file source4/dsdb/samdb/ldb_modules/password_hash.c
patching file source4/dsdb/samdb/ldb_modules/acl.c
patching file source4/dsdb/samdb/ldb_modules/acl.c
patching file source4/dsdb/samdb/ldb_modules/acl.c
patching file source4/dsdb/samdb/ldb_modules/acl.c
patching file source4/dsdb/samdb/ldb_modules/acl.c
patching file selftest/knownfail.d/samba4.ldap.passwords.python
patching file source4/dsdb/samdb/ldb_modules/acl.c
patching file source4/dsdb/samdb/ldb_modules/acl.c
patching file source4/dsdb/samdb/samdb.h
patching file source4/libcli/ldap/ldap_controls.c
patching file source4/setup/schema_samba4.ldif
patching file source4/dsdb/samdb/ldb_modules/acl.c
patching file source4/dsdb/samdb/ldb_modules/password_hash.c
patching file source4/dsdb/samdb/ldb_modules/acl.c
2. Configure and compile
$ ./configure --with-systemd
$ make -i -j4
$ sudo make install
3. Export the Samba environment variables
sudo vi /etc/ld.so.conf.d/samba.conf
Add:
/usr/local/samba/lib
Then run ldconfig.
sudo vi /etc/profile.d/samba.sh
Add:
export PATH=$PATH:/usr/local/samba/bin:/usr/local/samba/sbin
sudo vi /etc/sudoers
Change:
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
to
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/samba/bin:/usr/local/samba/sbin"
4. Configure Samba
Copy the configuration file:
~/code/samba/samba-4.7.5$ sudo cp packaging/RHEL/setup/smb.conf /usr/local/samba/etc/
Change workgroup to:
workgroup = WORKGROUP
Add a new user:
~/code/samba/samba-4.7.5$ sudo /usr/local/samba/bin/smbpasswd -a charles
New SMB password:
Retype new SMB password:
Added user charles.
5. systemd configuration
Copy the service files:
~/code/samba/samba-4.7.5$ sudo cp packaging/systemd/*.service /lib/systemd/system/
Note that because Samba is not installed in the standard directories, the service files above need a small modification. For example:
$ cat smb.service
[Unit]
Description=Samba SMB Daemon
After=syslog.target network.target nmb.service winbind.service
[Service]
Type=notify
NotifyAccess=all
PIDFile=/run/smbd.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/sysconfig/samba
ExecStart=/usr/local/samba/sbin/smbd --foreground --no-process-group $SMBDOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
LimitCORE=infinity
[Install]
WantedBy=multi-user.target
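One way to make the modification described above, as an added example that is not part of the original post or of the Samba packaging: the functions below rewrite ExecStart= for the Samba daemons to the /usr/local/samba/sbin prefix used here and check that every ExecStart= binary exists. It assumes the packaged units reference the daemons under /usr/sbin; the function names and the sample unit are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Samba tree. Function names are hypothetical.
# Assumption: the packaged units start the daemons from /usr/sbin.
SAMBA_SBIN="${SAMBA_SBIN:-/usr/local/samba/sbin}"

# Print the unit with ExecStart= retargeted for the Samba daemons only;
# other directives such as ExecReload=/usr/bin/kill stay untouched.
retarget_unit() {
    sed -E "s#^(ExecStart=-?)/usr/sbin/(smbd|nmbd|winbindd|samba)( |\$)#\1${SAMBA_SBIN}/\2\3#" "$1"
}

# Print the binary that each ExecStart= line would run.
unit_binaries() {
    sed -n -E 's#^ExecStart=-?([^ ]+).*#\1#p' "$1"
}

# Return non-zero if any ExecStart= binary is missing or not executable,
# so a stale path is caught before systemctl start fails.
check_unit() {
    rc=0
    for bin in $(unit_binaries "$1"); do
        if [ ! -x "$bin" ]; then
            echo "missing or not executable: $bin" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample unit for the demonstration below.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[Service]
Type=notify
ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
EOF

retarget_unit "$SAMPLE"
```

Write the retargeted output to a new file and compare it with the original before copying it into /lib/systemd/system/, then run check_unit on the installed copy.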
The following command can be used to test:
/lib/systemd/system$ sudo systemctl start samba.service
If it needs to start at boot, run the enable command.
The problem I have run into so far is that samba.service fails to start:
$ journalctl -xe
Mar 20 02:53:22 china samba[26988]: Copyright Andrew Tridgell and the Samba Team 1992-2017
Mar 20 02:53:23 china samba[26988]: [2018/03/20 02:53:23.022836, 0] ../source4/smbd/server.c:600(binary_smbd_main)
Mar 20 02:53:23 china samba[26988]: At this time the 'samba' binary should only be used for either:
Mar 20 02:53:23 china samba[26988]: 'server role = active directory domain controller' or to access the ntvfs file server
Mar 20 02:53:23 china samba[26988]: You should start smbd/nmbd/winbindd instead for domain member and standalone file ser
Mar 20 02:53:23 china samba[26988]: [2018/03/20 02:53:23.022972, 0] ../lib/util/become_daemon.c:111(exit_daemon)
Mar 20 02:53:23 china samba[26988]: STATUS=daemon failed to start: Samba detected misconfigured 'server role' and exited.
Mar 20 02:53:23 china systemd[1]: samba.service: Main process exited, code=exited, status=1/FAILURE
Mar 20 02:53:23 china systemd[1]: Failed to start Samba AD Daemon.
-- Subject: Unit samba.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit samba.service has failed.
--
-- The result is failed.
1. https://www.samba.org/samba/history/security.html