1.samba作用
Samba服务可用于将Linux文件系统作为CIFS/SMB网络文件共享进行共享。
.软件包:
Samba-common ##Samba的支持文件
Samba-client ##客户端应用程序
Samba ##服务器应用程序
.服务名称:smb nmb
.服务端口:通常使用TCP/445进行所有连接。还使用UDP137、UDP138和TCP/139进行向后兼容
.主配置文件:/etc/samba/smb.conf
2.samba的安装
服务器端(ip为172.25.254.104):
yum install samba-client.x86_64 samba-common.x86_64 samba.x86_64 -y
systemctl stop firewalld
systemctl start smb.service
setsebool -P samba_enable_home_dirs on
smbpasswd -a student ##student必须是本机用户
pdbedit -L ##查看
pdbedit -x student ##删除samba上的student用户
测试:
smbclient -L //172.25.254.104 -U student
smbclient //172.25.254.104/student -U student
3.samba共享目录
vim /etc/samba/smb.conf
[共享名称]
comment = 共享说明
path = 共享目录路径
:wq
[root@localhost ~]# mkdir /westos
[root@localhost ~]# vim /etc/samba/smb.conf ##samba共享目录的配置文件
在最后面写:
[TEST]
comment = westos directory
path = /westos
server string = hello
writable = yes
write list = @student
valid users = +student
browseable = no
admin users = westos
:wq
[root@localhost ~]# systemctl restart smb.service
[root@localhost ~]# smbclient -L //172.25.254.104
[root@localhost ~]# smbclient //172.25.254.104/westos -U westos
[root@localhost ~]# semanage fcontext -a -t samba_share_t '/westos(/.*)?'
[root@localhost ~]# restorecon -RvvF /westos/
[root@localhost ~]# chmod 777 /westos/ ##777 使所有本地用户均可写,实际部署时应按共享用户/组收紧
[root@localhost ~]# touch /westos/testfile
[root@localhost ~]# smbclient //172.25.254.104/westos -U westos
[root@localhost ~]# vim /etc/samba/smb.conf
Vim:
hosts allow = 127. 172.25.254. ##白名单 127.代表允许本机访问 172.25.254.代表允许ip是172.25.254网段的主机访问
hosts deny = 127. 172.25.254. ##黑名单 127.代表拒绝本机访问 172.25.254.代表拒绝ip是172.25.254网段的主机访问
workgroup ##用于指定Windows工作组或网络域名
:wq
[root@localhost ~]# semanage fcontext -a -t samba_share_t '/westos(/.*)?' ##更改上下文
[root@localhost ~]# restorecon -RvvF /westos/
[root@localhost ~]# systemctl restart smb.service
[root@localhost ~]# smbclient -L //172.25.254.104
[root@localhost ~]# smbclient //172.25.254.104/westos -U westos
[root@localhost ~]# systemctl start firewalld
[root@localhost ~]# firewall-cmd --add-service=samba --permanent
[root@localhost ~]# firewall-cmd --reload
4.samba的保护
samba_enable_home_dirs和use_samba_home_dirs SELinux布尔值
samba_enable_home_dirs布尔值允许本地Linux主目录作为CIFS文件共享导出至其他
系统。另一方面 use_samba_home_dirs布尔值允许挂载远程CIFS文件共享并将其用作本地Linux主目录。
setsebool -P samba_enable_home_dirs on
samba_share_t
用于共享用户自定义samba共享
chcon -R -t samba_share_t /smbshare 或 semanage fcontext -a -t samba_share_t '/smbshare(/.*)?'
restorecon -vvFR /smbshare
samba_export_all_ro 和 samba_export_all_rw
用于共享系统目录
setsebool -P samba_export_all_ro on
setsebool -P samba_export_all_rw on
5.访问CIFS共享
连接到CIFS文件共享的四个基本方法:
(1)图形访问CIFS共享
转至 “网络” --> “连接服务器”。填写以下字段:
Server Address : 172.25.0.11
Username: wxh
Password: westos
(2)命令行FTP方式访问CIFS共享:
[root@localhost ~]# smbclient -L server0.example.com -U wxh
[root@localhost ~]# smbclient //server0.example.com/smbshare -U wxh
(3)手动挂载CIFS共享
[root@localhost ~]# mount -o username=wxh //server0.example.com/smbshare /mnt/wxh
(4)永久挂载CIFS共享
[root@localhost ~]# vim /etc/fstab
vim:
//server0.example.com/smbshare /mnt/wxh cifs credentials=/root/userpasswd 0 0
:wq
[root@localhost ~]# vim /root/userpasswd ##新建文件userpasswd
vim:
username=samba用户名
password=samba用户密码
:wq
6.samba多用户挂载
[root@localhost ~]# yum install cifs-utils -y ##安装cifs-utils软件包,它包含了cifscreds命令
[root@localhost ~]# vim /root/passfile
vim:
username=samba用户
password=samba用户密码
:wq
[root@localhost ~]# mount //172.25.254.104/westos /mnt -o credentials=/root/passfile,multiuser,sec=ntlmssp
测试:
su - westos ##前提是westos属于samba用户
ls /mnt ##不能查看
cifscreds add 172.25.254.104
ls /mnt ##可以查看
su - student ##student不是samba用户
ls /mnt ##不能查看
cifscreds add 172.25.254.104
ls /mnt ##依然不能查看
7.nfs
(1)
[root@localhost ~]# yum install nfs-utils -y
[root@localhost ~]# systemctl start nfs ##打开nfs
[root@localhost ~]# firewall-cmd --permanent --add-service=nfs
[root@localhost ~]# firewall-cmd --permanent --add-service=rpc-bind
[root@localhost ~]# firewall-cmd --permanent --add-service=mountd
[root@localhost ~]# firewall-cmd --reload
[root@localhost ~]# vim /etc/exports
vim:
/westos 172.25.254.0/24(rw) ##rw是可读可写 ro是可读
:wq
[root@localhost ~]# exportfs -rv
在真机上测试:
[root@foundation4 ~]# showmount -e 172.25.254.104
Export list for 172.25.254.104:
/westos 172.25.254.0/24
[root@foundation4 ~]# mount 172.25.254.104:/westos /mnt/
[root@foundation4 ~]# ls /mnt/
westosfile
[root@foundation4 ~]# touch /mnt/file
[root@foundation4 ~]# ll /mnt/
-rw-r--r-- 1 nfsnobody nfsnobody 0 May 2 13:34 file
(2)
[root@localhost ~]# vim /etc/exports
vim:
/westos 172.25.254.0/24(rw,no_root_squash) ##no_root_squash是指westos用户以root身份上传文件
:wq
[root@localhost ~]# exportfs -rv
在真机上测试:
[root@foundation4 ~]# touch /mnt/file1
[root@foundation4 ~]# ll /mnt/
-rw-r--r-- 1 nfsnobody nfsnobody 0 May 2 13:34 file
-rw-r--r-- 1 root nfsnobody 0 May 2 13:37 file1
8.加密
[root@server0 mnt]# yum install sssd krb5-workstation -y
[root@server0 mnt]# vim auth-config.sh
vim:
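#!/bin/bash
# Join this host to the classroom LDAP + Kerberos identity service via authconfig.
# Every step is checked: the script stops at the first failure instead of
# silently continuing and printing nothing.
set -euo pipefail

echo 'install packages...'
# stdout stays quiet as before, but stderr is no longer discarded so a failed
# install is diagnosable; under set -e a non-zero yum exit aborts the script.
yum install sssd krb5-workstation -y >/dev/null

echo 'configure...'
# NOTE(review): the CA certificate that anchors LDAP TLS trust is fetched over
# plain HTTP; confirm its fingerprint out-of-band (or serve it over a trusted
# channel) before relying on it.
authconfig \
  --enableldap \
  --enablekrb5 \
  --disableldapauth \
  --enableldaptls \
  --ldaploadcacert="http://172.25.254.254/pub/example-ca.crt" \
  --ldapserver="classroom.example.com" \
  --ldapbasedn="dc=example,dc=com" \
  --krb5realm="EXAMPLE.COM" \
  --krb5adminserver="classroom.example.com" \
  --krb5kdc="classroom.example.com" \
  --update
# Reached only if authconfig succeeded (set -e exits otherwise).
echo 'success !'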
:wq
[root@server0 mnt]# sh auth-config.sh
[root@server0 mnt]# id ldapuser1 ##测试
[root@server0 mnt]# yum install nfs-utils -y
[root@server0 mnt]# systemctl stop firewalld
[root@server0 mnt]# mkdir /westos
[root@server0 mnt]# systemctl start nfs
[root@server0 mnt]# vim /etc/exports
[root@server0 mnt]# exportfs -rv
exporting 172.25.4.0/24:/westos
[root@server0 mnt]# vim /etc/sysconfig/nfs
vim:
RPCNFSDARGS="-V 4.2"
:wq
[root@server0 mnt]# systemctl restart nfs
[root@server0 mnt]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.key ##keytab 是主机密钥文件,下载后应确认仅 root 可读(600)
[root@server0 mnt]# systemctl start nfs-secure-server
[root@server0 mnt]# vim /etc/exports
vim:
/westos 172.25.254.0/24(rw,sec=krb5p)
:wq
[root@server0 mnt]# exportfs -rv
[root@desktop0 ~]# systemctl restart nfs-secure.service
[root@desktop0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.key
[root@desktop0 ~]# systemctl restart nfs-secure.service
[root@desktop0 ~]# mount -o vers=4.2,sec=krb5p 172.25.4.11:/westos /mnt/
[root@desktop0 ~]# reboot
[root@desktop0 ~]# df
[root@desktop0 ~]# umount /mnt/
[root@desktop0 ~]# mount -o vers=4.2,sec=krb5p 172.25.4.11:/westos /mnt/
[root@desktop0 ~]# df