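Samba configuration files
1. /etc/samba/smb.conf: the main configuration file. It contains extensive explanatory comments.
2. /etc/samba/lmhosts: maps NetBIOS names to the IP addresses of hosts. It works much like /etc/hosts, but the names in this file are NetBIOS names, not FQDNs; do not confuse the two. Samba is now capable enough that it can usually detect NetBIOS names automatically at startup, so this file is no longer very important.
3. /etc/samba/smbpasswd: does not exist by default. It is Samba's default user/password table, that is, the file in which Samba users and their passwords are stored. The file is owned by root and its permissions are normally 600.
Server configuration overview
Steps to configure a Linux server as a Samba server:
(1) Configure /etc/samba/smb.conf (Samba's main configuration file).
(2) Use the smbpasswd command to make Linux system users Samba users. The command format is:
smbpasswd -a username
The same command can also be used to change a Samba user's password.
(3) To let Samba on Linux reach Windows machines by NetBIOS name from the command line, edit /etc/samba/lmhosts and map each IP address to its NetBIOS name.
General layout of the main configuration file
Lines beginning with a hash (#) or a semicolon (;) and blank lines are ignored; a line ending with a backslash (\) continues on the next line.
Section names and parameter names are case-insensitive.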
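[global] section
Parameters in this section apply globally.
workgroup
Description: this parameter specifies the workgroup Samba joins. If security = domain is set, workgroup can instead specify the domain name. For example:
workgroup = wgp1
sets the workgroup to wgp1 (normally the same workgroup as the Windows machines; otherwise lookups will be slower).
netbios name
Description: this parameter sets Samba's NetBIOS name. It may be left unset, in which case Samba uses the first component of the machine's DNS name; if the machine's DNS name is host1.domain, it uses host1. For example:
netbios name = public
sets the NetBIOS name to public.
server string
Description: this parameter sets the machine description shown in browse lists, the same as the description entered when configuring networking in MS Windows. It can be any string. It can also be left empty, in which case Samba uses the default samba %v, that is, samba followed by its version number. If you want the server to look more like NT, fill it in. For example:
server string = Master File Server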
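Security parameters
security
Description: this is an important security parameter. It has four values, share, user, server and domain, and defines Samba's basic security level. It is usually user.
security = user
This is Samba's default. Users must supply a username and password for verification before they can access shared resources.
security = share
This level provides almost no security: any user can access resources on the server without a username or password.
security = server
Similar to the user level, but the username and password are passed to another SMB server for verification, for example an NT server. If that fails, Samba falls back to the user level. From the client's point of view, server and user are indistinguishable.
security = domain
This level requires an NT PDC on the network; Samba passes the username and password to the NT PDC for verification.
From the client's point of view, the levels from user upward are essentially the same; only the way the server verifies credentials differs. All three, however, require the user to also have a system account on this Linux machine; otherwise access is denied.
Red Hat Enterprise Linux offers one further value, ads, for a machine that is joining a Windows 2000/2003 Active Directory as a member server.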
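Share parameters (these set permissions for each shared directory or device)
comment
Description: a description of the share; it can be any string.
For example:
comment = Share Stuff
path
Description: path is the path being shared. Macros such as %u and %m can stand in for the Unix user and the client's NetBIOS name in the path.
For example: if we do not want to use the homes section for user shares, and instead create a directory named after each Linux user under /home/share/ as that user's share, path can be written as
path = /home/share/%u
When a user connects to this share, the macro is replaced by the username. Note that the per-user directory must exist; otherwise the client cannot find the network path when it connects.
writeable
Description: whether the share path is writable; the value is yes or no. (This overlaps with the read only parameter: if read only is no while writeable is no, whichever appears later takes effect.)
browseable
Description: whether the share can be browsed; the default is yes.
available
Description: whether the share is available; the default is yes. Setting it to no turns the share off, and users cannot connect to it.
public
Description: whether the guest account is allowed access; the value is yes or no. guest ok is another parameter with the same meaning as public.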
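Advanced parameters
Macros
The basic configuration above mentioned that some parameters can take %u or %m. These are macros defined by Samba: a percent sign followed by one character, replaced by the actual value at run time. Commonly used macros are:
%S = the currently logged-in username, used in place of the share name
%P = the root path of the current service
%u = the currently logged-in username
%g = the primary group name of %u
%H = the home directory of %u
%v = the Samba version number
%h = the hostname of the machine running Samba (note: the HOSTNAME, i.e. the name in hosts, not the NetBIOS name, i.e. the name in lmhosts)
%m = the client's NetBIOS name
%M = the client's hostname
%L = the Samba server's NetBIOS name
%T = the current date and time
%I = the client's current IP address
Used flexibly, macros make fairly complex networks easy to manage.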
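Share resource parameters
admin users
This parameter grants users administrator rights over the share, meaning they can perform any file operation as if they were root, though only within this share. Use this option with caution, because any such user can do whatever they like with the files in the share. The default is admin users = no.
For example:
admin users = Su_27
makes the user Su_27 the administrator of this share.
valid users
Description: the valid users of the share, that is, the users allowed to access it.
For example: valid users = user1, user2
makes user1 and user2 valid users.
invalid users
Description: the opposite of valid users: the users who may not access the share.
max connections (S)
Description: the maximum number of connections to a service. If the service already has that many connections when a user connects, the new connection request is refused.
For example: max connections = 100
sets the maximum number of connections to 100.
A sample Samba server configuration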
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
# (the workgroup or domain the computer belongs to)
workgroup = Workgroup
# (the computer name shown in Network Neighborhood)
netbios name = fileserver
# server string is the equivalent of the NT Description field
# (the computer description)
server string = Samba Server
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
# (IP addresses of the computers allowed to connect)
; hosts allow = 192.168.1. 192.168.2. 127.
; hosts allow = 172.16.0. 172.16.3. 127.
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
# (path of the printer configuration to load)
; printcap name = /etc/printcap
# (whether to share the printers)
load printers = no
# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
# (a print driver mode, i.e. one of the standard printing types Linux supports: bsd, sysv, plp, lprng, aix, hpux, qnx)
; printing = cups
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = nobody
# (allows access without a username and password; any built-in system account can be named as the guest account)
guest account = guest
# this tells Samba to use a separate log file for each machine
# that connects
# (a login log for each Samba user is written under this directory)
log file = /var/log/samba/%m.log
# Put a capping on the size of the log files (in Kb).
# (log files are limited to 50 KB)
max log size = 50
# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = share
; security = user
# Use password server option only with security = server
# (if the security option above is server, Samba hands the password and username sent by the Windows machine to the password server set here for verification)
; password server =
# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
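; password level = 8
; username level = 8
# (some older Windows systems do not handle mixed-case passwords well; enabling the two parameters above makes Samba try all upper/lower-case combinations when matching usernames and passwords of 8 characters)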
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
# (send Samba passwords encrypted rather than in plaintext)
encrypt passwords = yes
# (location of the passwords used for authentication)
smb passwd file = /etc/samba/smbpasswd
# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
; unix password sync = Yes
; passwd program = /usr/bin/passwd %u
; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *pass$
# Unix users can map to different SMB User names
; username map = /etc/smbusers
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/smb.conf.%m
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# Configure remote browse list synchronisation here
# request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
; remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
; remote announce = 192.168.1.255 192.168.2.44
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes
# Use only if you have an NT server on your network that has been
# configured at install time to be a primary domain controller.
; domain controller =
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependant. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
; name resolve order = wins lmhosts bcast
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
# (configures this server as a WINS server)
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
# (alternatively, name a WINS server and make this machine a WINS client)
; wins server = 192.168.1.100
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
# (for legacy computers; no need to set)
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
# (for legacy computers; no need to set)
dns proxy = no
# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
; preserve case = no
; short preserve case = no
# Default case is normally upper case for all DOS files
; default case = lower
# Be very careful with case sensitivity - it can break things!
; case sensitive = no
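# (The whole block above deals with filename case relative to Windows file systems. Microsoft's systems are case-insensitive, so keep the defaults; changing them may cause incompatibilities with Windows.)
#============================ Share Definitions ==============================
# (lets a logged-in user access their own home directory)
[homes]
# (description of the directory)
; comment = Home Directories
# (a user's private directory does not need to be browseable by others)
; browseable = no
# (read only = no can be used instead)
; writable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
# (logon directory for domain users)
; [netlogon]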
; comment = Network Logon Service
; path = /home/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /home/profiles
; browseable = no
; guest ok = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
# (printer sharing)
[printers]
# (states that all printers are shared)
comment = All Printers
# (the print spool; this directory must be created by hand)
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
# (whether users may print)
printable = yes
# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
# (writable)
; read only = no
# (whether the directory is shared with the guest account)
; public = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
[public]
comment = Public Stuff
path = /home/soft
public = yes
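# (public = yes and guest ok = yes above both mean the guest account can access this share; guest ok also means a password is not required, and may be left out)
guest ok = yes
writable = yes
printable = no
# (this parameter means that not everyone needs access to the share: members of the staff group can access it, but the group must exist in the passwd and shadow files)
write list = @staff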
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
# (a shared printer for one person's use only)
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
# (creates a private directory that nobody else can access; only the user fred can)
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
# (this example configures a directory that only two users can access)
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
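You can add your own shared directories here and configure them following the examples above.
Once everything is set, use the testparm command to check that the configuration file is correct.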
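testparm checks the file for basic syntactic errors. As an added example (not part of the original article or of Samba), the Python code below parses a configuration using the rules given earlier (# and ; comments, backslash continuation, case-insensitive names) and reports the settings this article marks as risky: security = share, guest access to a writable share, and admin users. The function names parse_smb_conf and audit and the sample configuration are assumptions made for this illustration.

```python
SAMPLE = r"""
# constructed sample, modelled on the settings discussed in this article
[Global]
   SECURITY = share
[public]
   guest ok = yes
   read only = yes
   writable = yes
[fredsdir]
   valid users = mary \
                 fred
   admin users = fred
"""

def parse_smb_conf(text):
    """Return {section: [(param, value), ...]} with lower-cased names, in file order."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = (pending + raw.strip()).strip(), ""
        if not line or line[0] in "#;":
            continue                              # blank line or comment
        if line.endswith("\\"):                   # continued on the next line
            pending = line[:-1].rstrip() + " "
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((" ".join(key.lower().split()), value.strip()))
    return sections

def audit(sections):
    """Return (section, finding) pairs for settings the article marks as risky."""
    findings = []
    if dict(sections.get("global", [])).get("security", "user").lower() == "share":
        findings.append(("global", "security = share: no username or password needed"))
    for name, params in sections.items():
        guest = writable = False
        for key, value in params:                 # a later parameter overrides an earlier one
            on = value.lower() in ("yes", "true", "1")
            if key in ("public", "guest ok"):
                guest = on
            elif key in ("writable", "writeable", "read only"):
                writable = on != (key == "read only")   # read only is the inverse
            elif key == "admin users":
                findings.append((name, "admin users: root-like file access for " + value))
        if guest and writable:
            findings.append((name, "guest access to a writable share"))
    return findings
```

Calling audit(parse_smb_conf(open("/etc/samba/smb.conf").read())) applies the same checks to a real file; the [public] share in the sample is reported because writable = yes appears after read only = yes.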
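Accessing Windows resources from a Linux client
(1) smbclient -L <NetBIOS name or IP address> -U username%password lists the shares on the given host.
smbclient //<NetBIOS name or IP address>/<share name> -U username accesses a share as that user.
(2) Use smbmount to mount a remote share.
First create a mount point: mkdir /mnt/winshare
Mount the remote share on the local mount point: smbmount //<NetBIOS name>/<shared directory> /mnt/winshare -o username=username%password
To unmount, use umount.
(3) The smbstatus command shows how this machine's shares are being used, for example who is currently using them.
(4) Configuring Samba printer sharing
This is normally done in the graphical interface because the configuration is simple, so it is not described here. Just install the printer as an SMB printer.
After configuration, check that the printer configuration file is correct with the following command:
testprns lp0 /etc/printcap
Note: when adding a large number of users to Samba, a script such as the following can be used:
# run as root; list every account to create after "in"
for user in user1 user2
do
    # create the system account, then add it to Samba (prompts for the password)
    useradd "$user"
    smbpasswd -a "$user"
done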
Source: ITPUB Blog, link: http://blog.itpub.net/21173334/viewspace-588682/. If you repost this article, please credit the source; otherwise legal liability will be pursued.