Samba server configuration
Configuration files
- /etc/samba/smb.conf
  Samba's main configuration file; holds the global parameters and the parameters of each shared directory
- /etc/samba/lmhosts
  Static NetBIOS name to IP address mapping (the NetBIOS counterpart of /etc/hosts), so a Samba server can be reached by hostname without a name-service lookup
- /etc/samba/smbusers
  The administrator and guest account names differ between Windows and Linux, so this file (referenced by the username map parameter) maps Windows names to Unix names, e.g. administrator to root. Such a mapping hands the Windows account the Unix root identity on the share, so keep it only if that is really intended
- /etc/sysconfig/samba
  Command-line options passed to smbd and nmbd when they start
- /var/lib/samba/private/{passdb.tdb, secrets.tdb}
  Database files used when managing Samba user accounts and passwords; passdb.tdb holds the password hashes, so it must stay readable by root only
Available commands
smbd, nmbd: smbd provides the file and print sharing service; nmbd provides the NetBIOS name service and browsing support that helps clients locate the server, and handles the UDP side of the protocol (ports 137 and 138)
tdbdump, tdbtool: Samba keeps its state in tdb databases; these tools dump and edit their contents
smbstatus: show the current state of the server: connected clients, open files and locks
smbpasswd, pdbedit: server-side tools for managing Samba user accounts and passwords. smbpasswd is the older tool; since the accounts moved into a tdb database, pdbedit is the recommended way to manage user data (smbpasswd still works for setting passwords)
mount.cifs: mount a share on a Linux client through the kernel cifs module
smbclient: command-line SMB client, also useful for listing a server's shares
nmblookup: look up NetBIOS names
smbtree: text-mode network browser; lists the workgroups, servers and shares it can see, much like Network Neighborhood on Windows
testparm: check that smb.conf is syntactically valid and show the effective configuration
Working modes
The security parameter selects how the Samba server authenticates clients. Samba 3 offers five modes:
- share: no per-user authentication; anonymous access is allowed, and what a client may do is governed only by the Unix permissions of the shared files. Removed in Samba 4 (use security = user together with guest ok and map to guest instead)
- user: clients authenticate with a username and password held in Samba's own password database; the normal mode for a standalone server
- server: authentication is passed through to another SMB server and this Samba server only serves files and printers. Also removed in Samba 4
- domain: the server is a member of an NT4-style domain and authenticates against its domain controllers; not commonly used
- ads: the newest mode, the server is a member of an Active Directory domain and authenticates with Kerberos; not common on a small file server
The mode is selected with the security option, for example: security = user
Configuration parameters
Global
The global parameters that should always be set are: workgroup, netbios name, server string, log file, max log size, security, passdb backend, load printers. For example:
workgroup = rhel_6.3
server string = Samba Server Version %v
netbios name = rhel
# logs split per machine
log file = /var/log/samba/log.%m
# max 500KB per log file, then rotate
max log size = 500
security = user
passdb backend = tdbsam
load printers = no
Shared directories
Share without a password
In Samba 3 this meant setting security = share in the global section. It also works in user mode: a share with guest ok = yes can be reached anonymously, and for Windows clients, which always send a username, the global parameter map to guest = Bad User is needed so that unknown usernames are treated as guest instead of being rejected. Since share mode no longer exists in Samba 4, the user-mode form is the one to use.
Minimal configuration:
[test]
comment = test
path = /tmp
read only = no
guest ok = yes
create mask = 644
Where:
read only defaults to yes (read-only access), so it has to be changed for a writable share
guest ok defaults to no, i.e. anonymous access is not allowed
create mask defaults to 0744 and is ANDed with the mode of every new file; the owner execute bit survives (Samba maps the DOS archive attribute onto it), so files created by clients come out executable, which 0644 prevents. create mask covers files only; directories use directory mask (default 0755)
Note that path = /tmp combined with guest ok and write access lets anyone on the network drop files into a world-writable system directory; use a dedicated directory for a guest share
Notes:
writable and writeable are synonyms
writeable and read only are inverted synonyms (read only = no means writeable = yes)
writeable defaults to no
read only defaults to yes
A full share definition also sets available and browseable, but both default to yes
Share with username/password
Requires security = user in the global section
[win]
comment = win
path = /home/win
read only = yes
create mask = 644
valid users = win
For this, a Unix account must first be created as root (preferably with its login shell set to /sbin/nologin, since the user only needs Samba access, not a shell), and then smbpasswd -a xxx adds a Samba password for that user to the Samba database; pdbedit -a -u xxx does the same
smbpasswd -a xxx prompts straight away for the account's Samba password; this password is independent of the Unix password in /etc/shadow
The user record is stored in the tdb database (passdb.tdb)
Changing a password: as root, smbpasswd user_name changes user_name's Samba password; a user can change their own by running smbpasswd with no argument
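The two share definitions above, and the global parameters they inherit from, are easy to misread because of the synonyms and the built-in defaults. The following added example (not code from this page or from the Samba project; testparm is the official checker) is a small auditor that parses an smb.conf, folds writable/writeable/read only into one value, resolves share parameters through [global] to the documented defaults, and reports the risky combinations discussed in this section (share mode, writable guest shares, guest ok without map to guest = Bad User, execute bits from the default create mask) as well as the wide links/unix extensions interaction covered later on this page. The WEAK and HARDENED configurations, their share names and paths are constructed for the demo; HARDENED shows the corrected settings next to the weak ones.

```python
"""Audit an smb.conf for the risky settings discussed on this page.
Added example, not Samba's own code: it parses only sections, key = value
lines, the writable/writeable/read only synonyms, share parameters
inherited from [global] and octal masks. WEAK/HARDENED are constructed."""
import re

# Built-in defaults (man 5 smb.conf) of the parameters the audit looks at.
DEFAULTS = {"security": "user", "map to guest": "Never", "guest ok": "no",
            "writeable": "no", "create mask": "0744", "wide links": "no",
            "unix extensions": "yes"}
SYNONYMS = {"writable": "writeable", "write ok": "writeable"}


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def parse_smbconf(text):
    """{section: {param: value}}; 'read only' is folded into 'writeable'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # whole-line comments only
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        key, eq, value = line.partition("=")
        if section is None or not eq:
            continue
        key = " ".join(key.lower().split())
        key = SYNONYMS.get(key, key)
        value = value.strip()
        if key == "read only":                   # inverted synonym
            key, value = "writeable", ("no" if is_yes(value) else "yes")
        conf[section][key] = value
    return conf


def effective(conf, share, param):
    """Share value, else the [global] default, else the built-in default."""
    for scope in (conf.get(share, {}), conf.get("global", {})):
        if param in scope:
            return scope[param]
    return DEFAULTS[param]


def audit(text):
    """Return (section, finding) tuples; an empty list means clean."""
    conf = parse_smbconf(text)
    findings = []
    security = effective(conf, "global", "security").lower()
    if security in ("share", "server"):
        findings.append(("global", f"security = {security} was removed in Samba 4; use security = user"))
    unix_ext = is_yes(effective(conf, "global", "unix extensions"))
    map_guest = effective(conf, "global", "map to guest").lower()
    for share in conf:
        if share == "global":
            continue
        guest = is_yes(effective(conf, share, "guest ok"))
        if guest and is_yes(effective(conf, share, "writeable")):
            findings.append((share, "anonymous clients can write to this share"))
        if guest and security == "user" and map_guest == "never":
            findings.append((share, "guest ok needs map to guest = Bad User for Windows clients"))
        mask = int(effective(conf, share, "create mask"), 8)
        if mask & 0o111:
            findings.append((share, f"create mask {mask:04o} leaves execute bits on new files"))
        if is_yes(effective(conf, share, "wide links")):
            if unix_ext:
                findings.append((share, "wide links = yes is ignored while unix extensions = yes"))
            else:
                findings.append((share, "wide links = yes: links may lead outside the share"))
    return findings


WEAK = """
[global]
security = share
[test]
path = /tmp
read only = no
guest ok = yes
[share]
path = /srv/share
writable = yes
wide links = yes
"""

HARDENED = """
[global]
security = user
map to guest = Bad User
server min protocol = SMB2
unix extensions = no
create mask = 0644
[test]
path = /srv/pub
guest ok = yes
read only = yes
[share]
path = /srv/share
writable = yes
"""
```

Running audit(WEAK) yields five findings (share mode, the writable guest share on /tmp, execute bits on both shares from the default mask, and wide links silently ignored because unix extensions is still on); audit(HARDENED) yields none. The auditor deliberately ignores what it cannot judge from the file alone, such as the Unix permissions of path or who can log in at all.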
Validating the configuration file
testparm checks that smb.conf is syntactically valid and dumps the resulting service definitions (only parameters that differ from their defaults are printed)
[RHEL@localhost ~]$ testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[test]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
workgroup = TEST
netbios name = TESTNET
server string = Samba Server Version %v
security = SHARE
log file = /var/log/samba/log.%m
max log size = 50
load printers = No
[test]
comment = test
path = /tmp
read only = No
guest ok = Yes
Checking the server's shares locally from the client side
smbclient -L //127.0.0.1
When the server runs in share mode, add -N to the command so that no password is requested (-N also lists shares anonymously against a user-mode server)
[RHEL@localhost ~]$ smbclient -L //127.0.0.1 -N
Domain=[TEST] OS=[Unix] Server=[Samba 3.5.10-125.el6]
	Sharename       Type      Comment
	---------       ----      -------
	test            Disk      test
	IPC$            IPC       IPC Service (Samba Server Version 3.5.10-125.el6)
Domain=[TEST] OS=[Unix] Server=[Samba 3.5.10-125.el6]

	Server               Comment
	---------            -------
	TESTNET              Samba Server Version 3.5.10-125.el6

	Workgroup            Master
	---------            -------
	TEST                 TESTNET
Listing the users in the Samba database
pdbedit -L (pdbedit -Lv shows the full record of each user)
Firewall and SELinux
Stopping the firewall (/etc/init.d/iptables stop) is the quick way to get a lab server working, but on anything reachable from other networks open only what Samba needs, and only to trusted source addresses: 445/tcp (SMB directly over TCP), 139/tcp (NetBIOS session service) and, if nmbd is running, 137/udp and 138/udp
Setting SELinux to permissive mode: setenforce 0. This does not survive a reboot and disables enforcement for the whole machine; the booleans and labels described in the SELinux notes further down fix Samba without doing that
Getting the SELinux state: getenforce
Troubleshooting
Four things to try:
- scan with nmap to see whether ports 139 and 445 are listening
- map a network drive from Windows; its error dialog is usually more informative than Explorer's
- use the net use command on Windows to see which connections currently exist; net use * /delete drops cached sessions and their credentials
- reboot the Windows client (very effective when you cannot log in after changing a password, because Windows keeps reusing the old session)
Common failure scenarios:
1. Windows reports that the network path cannot be found, with error code 0x80070035: the Samba server is not reachable on ports 139 and 445 (smbd is not running or the firewall blocks them; nmap shows this)
2. Typing the network path directly into Windows Explorer gives "xxxx could not be found, check the spelling and try again" with no error code;
mapping a network drive instead shows the real reason: the SMB1 protocol is insecure and SMB2 or a newer protocol is required.
This happens on Windows 10, whose recent builds no longer install the SMB1 client by default. There are two fixes: upgrade the Samba server to a release that speaks SMB2/SMB3 (Samba 4.x) and set server min protocol = SMB2 so that SMB1 is never negotiated, or re-enable SMB1 support on Windows 10 (under Programs and Features). Only the first is a real fix; re-enabling SMB1 brings a protocol with well-known weaknesses back onto the client
3. Windows reports no permission
This is usually SELinux (after ruling out the Unix permissions on the path and the valid users list)
Two ways to resolve it:
- if a home directory is shared, run setsebool -P samba_enable_home_dirs on;
if it is a directory you added, give it the samba_share_t label with chcon -t samba_share_t /path. A chcon label is lost on a filesystem relabel, so for a permanent fix register the context with semanage fcontext and apply it with restorecon
- switching SELinux off, which should be the last resort
Original text (the SELinux notes shipped in the default smb.conf on RHEL):
#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba_share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with other SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root preexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
Version
Samba 3.5.10 speaks only SMB1 (SMB2 support arrived with Samba 3.6). SMB1 is an old protocol with well-known weaknesses and is disabled by default in current Windows, so this release is not recommended; use a current Samba 4.x release and set server min protocol = SMB2.
Windows clients fail to access symbolic links
Adding the following to /etc/samba/smb.conf makes them work
[global]
unix extensions = no
[share]
follow symlinks = yes
wide links = yes
Where:
- unix extensions implements the CIFS UNIX extensions (symbolic links, hard links and so on) for UNIX Samba clients; Windows clients do not use them. It has to be turned off here not because Windows needs it off, but because while it is on Samba automatically disables wide links (a UNIX client could otherwise create a symlink on the share pointing anywhere on the server). It is enabled by default.
- follow symlinks is a per-share parameter (not a global one) that controls whether smbd follows symbolic links inside that share at all; enabled by default.
- wide links controls whether smbd follows links whose target lies outside the directory tree exported by the share (links that stay inside the share are always followed). Following links out of the share is a path-escape risk, which is why the default is no; turn it on only for shares where nobody untrusted can create links on the underlying filesystem.
The explanation from man 5 smb.conf:
unix extensions (G)
This boolean parameter controls whether Samba implements the CIFS UNIX
extensions, as defined by HP. These extensions enable Samba to better
serve UNIX CIFS clients by supporting features such as symbolic links,
hard links, etc... These extensions require a similarly enabled client,
and are of no current use to Windows clients.
Note if this parameter is turned on, the wide links parameter will
automatically be disabled.
Default: unix extensions = yes
follow symlinks (S)
This parameter allows the Samba administrator to stop smbd(8) from
following symbolic links in a particular share. Setting this parameter to
no prevents any file or directory that is a symbolic link from being
followed (the user will get an error). This option is very useful to stop
users from adding a symbolic link to /etc/passwd in their home directory
for instance. However it will slow filename lookups down slightly.
This option is enabled (i.e. smbd will follow symbolic links) by default.
Default: follow symlinks = yes
wide links (S)
This parameter controls whether or not links in the UNIX file system may
be followed by the server. Links that point to areas within the directory
tree exported by the server are always allowed; this parameter controls
access only to areas that are outside the directory tree being exported.
Note: Turning this parameter on when UNIX extensions are enabled will
allow UNIX clients to create symbolic links on the share that can point to
files or directories outside restricted path exported by the share
definition. This can cause access to areas outside of the share. Due to
this problem, this parameter will be automatically disabled (with a
message in the log file) if the unix extensions option is on.
Default: wide links = no
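To make the follow symlinks and wide links rules concrete, here is an added example (not smbd's code, and not from the original page) that implements the containment check the man page describes with os.path.realpath and exercises it against a throw-away share tree containing one link that stays inside the share and one that points outside it. The directory and link names, the client paths and the three modes compared in demo() are constructed for the demo.

```python
"""Path containment as enforced by follow symlinks / wide links.
Added example, not smbd's code: it applies the rule from man 5 smb.conf
(a link is followed only if its target resolves inside the exported tree,
unless wide links = yes; follow symlinks = no rejects any link at all)
using os.path.realpath. The share tree built in demo() is constructed."""
import os
import tempfile


def resolve(share_root, client_path, follow_symlinks=True, wide_links=False):
    """Return the real path a client request maps to, or None if denied."""
    root = os.path.realpath(share_root)
    rel = client_path.replace("\\", "/").lstrip("/")   # SMB paths use backslashes
    requested = os.path.normpath(os.path.join(root, rel))
    if os.path.commonpath([root, requested]) != root:
        return None                      # '..' escape: denied in every mode
    if not follow_symlinks:
        cur = root                       # follow symlinks = no: no link component at all
        for part in os.path.relpath(requested, root).split(os.sep):
            cur = os.path.join(cur, part)
            if os.path.islink(cur):
                return None
    real = os.path.realpath(requested)   # follows every symlink on the way
    if wide_links or os.path.commonpath([root, real]) == root:
        return real
    return None                          # link target outside the share


def demo():
    """Throw-away share with one link inside and one outside the tree;
    returns {mode: {case: allowed}} for the three configurations."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        os.makedirs(os.path.join(share, "docs"))
        open(os.path.join(share, "docs", "readme.txt"), "w").close()
        secret = os.path.join(tmp, "secret.txt")   # stands in for /etc/passwd
        open(secret, "w").close()
        os.symlink(os.path.join(share, "docs"), os.path.join(share, "docs_link"))
        os.symlink(secret, os.path.join(share, "leak"))
        cases = {"plain": "docs\\readme.txt", "inside_link": "docs_link\\readme.txt",
                 "outside_link": "leak", "dotdot": "..\\secret.txt"}
        modes = {"default": {}, "wide": {"wide_links": True},
                 "nofollow": {"follow_symlinks": False}}
        return {mode: {name: resolve(share, path, **kw) is not None
                       for name, path in cases.items()}
                for mode, kw in modes.items()}


if __name__ == "__main__":
    for mode, allowed in demo().items():
        print(mode, allowed)
```

With the defaults the inside link is followed and the outside link is refused; with wide links = yes the outside link is followed too, which is exactly the escape the page warns about; with follow symlinks = no even the inside link is refused. The ".." case is refused in every mode, because that check is independent of link handling. Real smbd applies the same idea against the share's path but additionally guards against symlink races, and newer Samba releases require allow insecure wide links = yes before they honour wide links together with unix extensions.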
How to find the default value of an smb.conf parameter
testparm prints only parameters whose value differs from the default. For example, follow symlinks defaults to yes: setting it to yes in smb.conf makes it disappear from the testparm dump, while setting it to no makes it appear. testparm -v prints every parameter, including those still at their default value.