
Samba server configuration and lab walkthrough

Posted: 2016-01-10 01:47:08      Reads: 1336      Comments: 0      Favourites: 0

Tags: samba   linux   server   security

Samba server

    Also known as the "operating-system integration tool"
    It can restrict access by IP subnet and can also verify user identity
    Considerably more secure than NFS
    
SMB:tcp/139和tcp/445
NetBIOS: udp/137和udp/138

Functions Samba currently provides ----> usually only the first two are used, mainly the first
    File sharing
    Host name resolution
    Windows Active Directory support (version 3.0 and later) ----> joining Linux to a domain, even acting as a domain controller; rarely done
        (LDAP protocol)
        
The three functions live in three separate init scripts; start each one as needed:

    File sharing ----> smb
    Host name resolution ----> nmb
    Active Directory (LDAP) ---> winbind

Samba is strongly affected by SELinux; the simplest course is to set SELinux to permissive or disable it. (SELinux also ships Samba-specific booleans and file contexts, which is the safer alternative to switching it off.)

Two kinds of access control are implemented:
    1. Access control by IP address
        hosts deny
        hosts allow
    2. Access control by user name and password
        Authentication uses something like virtual users --> they are not real system users, but not true virtual users either: virtual users redefined on top of system users
        The account must first exist as a system user (a user in /etc/passwd)
        A second password is then set for that system user and stored, encrypted, in a separate file ----> hence "similar to" virtual users, also called semi-virtual users

Main configuration file
/etc/samba/smb.conf
/var/lib/samba    Samba's private state files

[root@localhost ~]# rpm -q samba-common
samba-common-3.5.4-68.el6.i686
[root@localhost ~]# rpm -q samba-client
samba-client-3.5.4-68.el6.i686
[root@localhost ~]# rpm -q samba
package samba is not installed
[root@localhost ~]# rpm -q libtalloc
libtalloc-2.0.1-1.1.el6.i686
[root@localhost ~]# rpm -q libtdb
libtdb-1.2.1-2.el6.i686
[root@localhost ~]# rpm -q libtevent
libtevent-0.9.8-8.el6.i686

Remove them with yum so that dependencies are resolved
[root@localhost ~]# yum -y erase samba-common samba-client libtalloc libtdb libtevent

[root@localhost ~]# rpm -q xinetd
package xinetd is not installed
[root@localhost ~]# cp /mnt/cdrom/Packages/xinetd-2.3.14-29.el6.i686.rpm ./

[root@localhost ~]# ls
anaconda-ks.cfg
install.log
install.log.syslog
libtalloc-2.0.7-2.el6.i686.rpm
libtdb-1.2.10-1.el6.i686.rpm
libtevent-0.9.18-3.el6.i686.rpm
samba-3.6.23-20.el6.i686.rpm
samba-client-3.6.23-20.el6.i686.rpm
samba-common-3.6.23-20.el6.i686.rpm
samba-doc-3.6.23-20.el6.i686.rpm
samba-swat-3.6.23-20.el6.i686.rpm
samba-winbind-3.6.23-20.el6.i686.rpm
samba-winbind-clients-3.6.23-20.el6.i686.rpm
samba-winbind-devel-3.6.23-20.el6.i686.rpm
xinetd-2.3.14-29.el6.i686.rpm

[root@localhost ~]# rpm -ivh *.rpm            install all of them
warning: libtalloc-2.0.7-2.el6.i686.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
warning: xinetd-2.3.14-29.el6.i686.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing...                ########################################### [100%]
   1:libtalloc              ########################################### [  8%]
   2:libtevent              ########################################### [ 17%]
   3:libtdb                 ########################################### [ 25%]
   4:samba-common           ########################################### [ 33%]
   5:samba-winbind          ########################################### [ 42%]
   6:samba-winbind-clients  ########################################### [ 50%]
   7:samba                  ########################################### [ 58%]
   8:xinetd                 ########################################### [ 67%]
   9:samba-winbind-devel    ########################################### [ 75%]
  10:samba-doc              ########################################### [ 83%]
  11:samba-swat             ########################################### [ 92%]
  12:samba-client           ########################################### [100%]


Name resolution order:
hosts --> DNS cache --> DNS server --> lmhosts
   
[root@localhost ~]# ls /etc/samba/
lmhosts (the local NetBIOS hosts file)  smb.conf    smbusers (user name mapping)

[root@localhost ~]# cat /etc/samba/smbusers
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest

[root@localhost ~]# cat /etc/samba/lmhosts        same format as the hosts file
127.0.0.1 localhost

[root@localhost ~]# ls /var/lib/samba/        private state
private  scripts  winbindd_privileged (privileged winbind socket directory)

[root@localhost ~]# vim /etc/samba/smb.conf

Every statement below a section header (in square brackets) applies to that section, up to the next header
[global]
        workgroup = MYGROUP    change to WORKGROUP    the Windows workgroup
        server string = Samba Server Version %v        the name shown to clients; %v is a macro that expands to the version number

;       netbios name = MYSERVER        NetBIOS name, i.e. the Windows host name

;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24     separate multiple entries with spaces
;       hosts allow = 127. 192.168.12. 192.168.13.        whitelist; a partial network address: write the network part and omit the host part
When this is commented out, every host and every IP may connect
# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

        # logs split per machine
        log file = /var/log/samba/log.%m    %m expands to the client machine's name
        # max 50KB per log file, then rotate
        max log size = 50        the implicit unit is KB: rotate once the log reaches 50 KB; for 5 MB write 5120 (or 5000)
# ----------------------- Standalone Server Options ------------------------
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

        security = user            security level
        passdb backend = tdbsam    where user accounts are stored; by default under /var/lib/samba
                                (alternative backend: /etc/samba/smbpasswd)
Security levels (security)
    1. share    only anonymous users (guest users: guest on Windows, nobody on Linux) may access
    2. user     Samba users and passwords are kept in a local tdb database file ----> users stored in the tdb database are authenticated against it
    3. server   a dedicated server performs user authentication, a Windows server ---> the password server must be Windows-based
    4. domain   an Active Directory domain controller performs user authentication

# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads    (ads = Active Directory)
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *


;       security = domain
;       passdb backend = tdbsam
;       realm = MY_REALM

;       password server = <NT-Server-Name>

# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;       local master = no        local administrator; if commented out, the local administrator is root
;       os level = 33            the OS level determines the election priority
;       preferred master = yes    the preferred master

#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable its WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
#   behalf of a non WINS capable client, for this to work there must be
#   at least one        WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.

;       wins support = yes
;       wins server = w.x.y.z
;       wins proxy = yes

;       dns proxy = yes

# --------------------------- Printing Options -----------------------------
# Sharing a printer; rarely used
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option

        load printers = yes
        cups options = raw    CUPS, the common UNIX printing system

;       printcap name = /etc/printcap
        #obtain list of printers automatically on SystemV
;       printcap name = lpstat
;       printing = cups

# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports    if the filesystem supports these extended attributes and they are enabled, the options can be uncommented
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). These options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

;       map archive = no
;       map hidden = no
;       map read only = no
;       map system = no
;       store dos attributes = yes    store the DOS attributes

#============================ Share Definitions ==============================

[homes]
        comment = Home Directories    description / comment = home directories (every user's home)
        browseable = no            browsable = no: cannot be browsed freely; a logged-in user sees only their own home
        writable = yes            writable: whether write permission is granted, the share-level write permission
;       valid users = %S        valid users ---> whitelist; %S is the user of the login session ---> the current user
;       valid users = MYDOMAIN\%S

comment = Home Directories    comment / description
browseable = no
writable = yes
valid users = username1 username2 @groupname1 @groupname2    separated by spaces
User whitelist ---> if commented out, everyone may access
invalid users = username1 username2 @groupname1 @groupname2
User blacklist
valid users = MYDOMAIN\%S


[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no    browsable
        guest ok = no
        writable = no
        printable = yes    printable

path = /PATH/TO/SHARED_DIR
    path of the shared directory; an absolute path
guest ok = no
    whether guest access is allowed; equivalent to public = no
write list = +staff
    which users or groups may access and write; more powerful than writable
    equivalent to
        valid users = +staff
        writable = yes
create mode = 0644    default 744 if not set
    the Linux permission of files that users create
dir[ectory] mode = 0755    default 775 if not set
    the Linux permission of directories that users create


Layout of the main configuration file:

[global]

[homes]

[printers]

[public]

There are two comment characters:
    # is used for explanatory comments
    ; is used to comment out configuration statements

statement = value (best to leave a space on each side of the equals sign)

xxx = yes | Yes | no | No    all-uppercase has not been tried; worth testing


[share names are best made of plain letters]

Server side

[root@localhost ~]# vim /etc/samba/smb.conf
[myshare]
        comment = my share dir
        path = /var/shared
        public = no
        writable = yes

[root@localhost ~]# ls /var/shared/ -ld
drwxr-xr-x. 3 root root 4096 May 29 03:51 /var/shared/
[root@localhost ~]# chmod 1777 /var/shared

[root@localhost ~]# service smb start
Starting SMB services:                                        [  OK  ]
[root@localhost ~]# service nmb start
Starting NMB services:                                     [  OK  ]


[root@localhost ~]# echo test > /var/shared/test.file

Client side
smbclient
    -L : list the server's shares
    -U USERNAME : authenticate as USERNAME ---> a user the server has authorised to access it

A special command prompt; the commands are almost the same as FTP's
smb: \>

Add Samba users on the server
smbpasswd
    -a: add a user
    -d: disable a user
    -e: enable a user
    -x: delete a user

[root@localhost ~]# useradd hadoop
[root@localhost ~]# useradd hive
[root@localhost ~]# smbpasswd -a hadoop
New SMB password:
Retype new SMB password:
Added user hadoop.
[root@localhost ~]# ls /var/lib/samba/private/
passdb.tdb (user names)  secrets.tdb (encrypted passwords)
[root@localhost ~]#
[root@localhost ~]# ls -l /var/lib/samba/private/
total 832
-rw-------. 1 root root 421888 May 29 08:35 passdb.tdb
-rw-------. 1 root root 430080 May 29 08:28 secrets.tdb

This user can access the Samba server but cannot log in to the system (no system password was ever set)


Client side
[root@localhost ~]# smbclient -L //192.168.100.1 -U hadoop
Enter hadoop's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-20.el6]

    Sharename       Type      Comment
    ---------       ----      -------
    myshare         Disk      my share dir
    IPC$            IPC       IPC Service (Samba Server Version 3.6.23-20.el6)    (IPC$ is hidden; IPC = inter-process communication)
    hadoop          Disk      Home Directories    the user's home
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-20.el6]

    Server               Comment
    ---------            -------
    LOCALHOST            Samba Server Version 3.6.23-20.el6

    Workgroup            Master
    ---------            -------
    MYGROUP              LOCALHOST
    WORKGROUP            LYJ


Client side

[root@localhost ~]# smbclient  //192.168.100.1/myshare -U hadoop
Enter hadoop's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-20.el6]
smb: \>
smb: \>
smb: \> !pwd        the exclamation mark runs a local command
/root
smb: \> pwd
Current directory is \\192.168.100.1\myshare\
smb: \> lcd /tmp
smb: \> !pwd
/tmp
smb: \> ls
  .                                   D        0  Fri May 29 08:30:17 2015
  ..                                  D        0  Fri May 29 08:28:13 2015
  test.file                                    5  Fri May 29 08:30:17 2015
  cdrom                              DR        0  Thu Sep 23 06:24:55 2010

        39109 blocks of size 524288. 34441 blocks available
smb: \> get test.file
getting file \test.file of size 5 as test.file (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> dir
  .                                   D        0  Fri May 29 08:30:17 2015
  ..                                  D        0  Fri May 29 08:28:13 2015
  test.file                                    5  Fri May 29 08:30:17 2015
  cdrom                              DR        0  Thu Sep 23 06:24:55 2010

        39109 blocks of size 524288. 34441 blocks available
smb: \> lcd /etc
smb: \> put fstab
putting file fstab as \fstab (14.8 kb/s) (average 14.8 kb/s)
smb: \> ls
  .                                   D        0  Fri May 29 08:43:10 2015
  ..                                  D        0  Fri May 29 08:28:13 2015
  fstab                               A      861  Fri May 29 08:43:10 2015
  test.file                                    5  Fri May 29 08:30:17 2015
  cdrom                              DR        0  Thu Sep 23 06:24:55 2010

        39109 blocks of size 524288. 34441 blocks available
smb: \>
smb: \> quit
[root@localhost ~]# ls /tmp/
test.file  yum.log        just downloaded

Server
[root@localhost ~]# ls /var/shared/
cdrom  fstab (has execute permission)  test.file
[root@localhost ~]# ls /var/shared/ -l
total 14
dr-xr-xr-x. 9 root   root   6144 Sep 23  2010 cdrom
-rwxr--r--. 1 hadoop hadoop  861 May 29 08:43 fstab            744 permissions
-rw-r--r--. 1 root   root      5 May 29 08:30 test.file

Client side

[root@localhost ~]# smbclient  //192.168.100.1/myshare -U hadoop
Enter hadoop's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-20.el6]
smb: \> mkdir abc
smb: \> ls
  .                                   D        0  Fri May 29 08:45:21 2015
  ..                                  D        0  Fri May 29 08:28:13 2015
  abc                                 D        0  Fri May 29 08:45:21 2015
  fstab                               A      861  Fri May 29 08:43:10 2015
  test.file                                    5  Fri May 29 08:30:17 2015
  cdrom                              DR        0  Thu Sep 23 06:24:55 2010

        39109 blocks of size 524288. 34441 blocks available
smb: \>

Server
[root@localhost ~]# ls /var/shared/ -l
total 18
drwxr-xr-x. 2 hadoop hadoop 4096 May 29 08:45 abc
dr-xr-xr-x. 9 root   root   6144 Sep 23  2010 cdrom
-rwxr--r--. 1 hadoop hadoop  861 May 29 08:43 fstab
-rw-r--r--. 1 root   root      5 May 29 08:30 test.file


[root@localhost ~]# !vim
vim /etc/samba/smb.conf
[myshare]
        comment = my share dir
        path = /var/shared
        public = no
        writable = yes
        create mode = 0644
        dir mode =0755

[root@localhost ~]# service smb restart
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                     [  OK  ]


Client side
[root@localhost ~]# smbclient  //192.168.100.1/myshare -U hadoop
Enter hadoop's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-20.el6]
smb: \> lcd /etc/
smb: \> put mtab
putting file mtab as \mtab (15.2 kb/s) (average 15.2 kb/s)


Server
[root@localhost ~]# ls /var/shared/ -l
total 22
drwxr-xr-x. 2 hadoop hadoop 4096 May 29 08:45 abc
dr-xr-xr-x. 9 root   root   6144 Sep 23  2010 cdrom
-rwxr--r--. 1 hadoop hadoop  861 May 29 08:43 fstab
-rw-r--r--. 1 hadoop hadoop  357 May 29 08:47 mtab
-rw-r--r--. 1 root   root      5 May 29 08:30 test.file
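The two uploads above show the point of create mode: fstab arrived as 744 (with the "A" archive attribute) under the default mask, while mtab, uploaded after `create mode = 0644` was set, arrived as 644. The following added example is my own model of how that happens, not code from the original post or from Samba: a new file starts as rw for everyone, the DOS archive bit is mapped onto the owner execute bit when `map archive` is on (Samba's default), the result is ANDed with `create mask` (which `create mode` is an alias for) and ORed with `force create mode`; directories start as rwx and are ANDed with `directory mask` (alias `directory mode`, default 0755, which is what the abc directory received). `shares_creating_executables` is a hypothetical audit helper over a constructed share table.

```python
import stat


def unix_mode_for_new_file(dos_attrs="A", create_mask=0o744, force_create_mode=0o000,
                           map_archive=True, map_system=False, map_hidden=False):
    """Model smbd's derivation of the Unix mode for a file a client creates.

    dos_attrs uses the letters smbclient prints in `ls` (A archive, R read-only,
    S system, H hidden). Defaults are Samba's: create mask 0744, map archive yes,
    map system no, map hidden no. When 'store dos attributes = yes' is in
    effect the attributes go into an xattr instead and this mapping is off.
    """
    mode = 0o666                         # rw for owner, group and other
    if "R" in dos_attrs:
        mode &= ~0o222                   # DOS read-only drops every write bit
    if map_archive and "A" in dos_attrs:
        mode |= stat.S_IXUSR             # archive bit -> owner execute
    if map_system and "S" in dos_attrs:
        mode |= stat.S_IXGRP             # system bit -> group execute
    if map_hidden and "H" in dos_attrs:
        mode |= stat.S_IXOTH             # hidden bit -> other execute
    return (mode & create_mask) | force_create_mode


def unix_mode_for_new_dir(directory_mask=0o755, force_directory_mode=0o000):
    """Directories start as rwx for everyone; 'directory mask' is ANDed and
    'force directory mode' ORed in."""
    return (0o777 & directory_mask) | force_directory_mode


def shares_creating_executables(conf):
    """Names of shares whose create mask still lets the archive bit become
    owner-execute, i.e. where every file a Windows or smbclient user uploads
    lands as 0744. `conf` is {section: {key: value}} with masks given in octal."""
    names = []
    for section, params in conf.items():
        if section in ("global", "printers"):
            continue
        mask = int(params.get("create mask", params.get("create mode", "0744")), 8)
        if unix_mode_for_new_file("A", create_mask=mask) & stat.S_IXUSR:
            names.append(section)
    return names


# Constructed share table mirroring the walkthrough (not read from a real smb.conf).
SAMPLE_SHARES = {
    "global": {"workgroup": "MYGROUP"},
    "before": {"path": "/var/shared", "writable": "yes"},
    "after": {"path": "/var/shared", "writable": "yes",
              "create mode": "0644", "directory mode": "0755"},
}

if __name__ == "__main__":
    print("fstab under defaults:      %04o" % unix_mode_for_new_file("A"))
    print("mtab with create mode 0644: %04o" % unix_mode_for_new_file("A", create_mask=0o644))
    print("abc directory:             %04o" % unix_mode_for_new_dir())
    print("shares still producing executables:", shares_creating_executables(SAMPLE_SHARES))
```

The security-relevant consequence is that, under the default mask, anything a client uploads is executable by its owner simply because Windows sets the archive bit on every new file; a mask of 0644 strips that bit, and `force create mode` can only ever add bits, so it deserves the same scrutiny.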

[root@localhost ~]# useradd alice
[root@localhost ~]# useradd bob
[root@localhost ~]# useradd cobe
[root@localhost ~]# useradd david

[root@localhost ~]# smbpasswd -a hive
New SMB password:
Retype new SMB password:
Added user hive.
[root@localhost ~]# smbpasswd -a alice
New SMB password:
Retype new SMB password:
Added user alice.
[root@localhost ~]# smbpasswd -a bob
New SMB password:
Retype new SMB password:
Added user bob.
[root@localhost ~]# smbpasswd -a cobe
New SMB password:
Retype new SMB password:
Added user cobe.
[root@localhost ~]# smbpasswd -a david
New SMB password:
Retype new SMB password:
Mismatch - password unchanged.
Unable to get new password.
[root@localhost ~]# smbpasswd -a david
New SMB password:
Retype new SMB password:
Added user david.

[root@localhost ~]# smbclient  //192.168.100.1/myshare -U david
Enter david's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-20.el6]
smb: \> ls
  .                                   D        0  Fri May 29 08:47:28 2015
  ..                                  D        0  Fri May 29 08:28:13 2015
  mtab                                       357  Fri May 29 08:47:28 2015
  abc                                 D        0  Fri May 29 08:45:21 2015
  fstab                               A      861  Fri May 29 08:43:10 2015
  test.file                                    5  Fri May 29 08:30:17 2015
  cdrom                              DR        0  Thu Sep 23 06:24:55 2010

        39109 blocks of size 524288. 34441 blocks available
smb: \> rm fstab
NT_STATUS_ACCESS_DENIED deleting remote file \fstab
smb: \> lcd /etc/
smb: \> put issue
putting file issue as \issue (9.2 kb/s) (average 9.2 kb/s)
smb: \> ls
  .                                   D        0  Fri May 29 08:50:45 2015
  ..                                  D        0  Fri May 29 08:28:13 2015
  mtab                                       357  Fri May 29 08:47:28 2015
  abc                                 D        0  Fri May 29 08:45:21 2015
  fstab                               A      861  Fri May 29 08:43:10 2015
  test.file                                    5  Fri May 29 08:30:17 2015
  cdrom                              DR        0  Thu Sep 23 06:24:55 2010
  issue                                       75  Fri May 29 08:50:45 2015

        39109 blocks of size 524288. 34441 blocks available
smb: \> rm issue
smb: \> ls
  .                                   D        0  Fri May 29 08:50:51 2015
  ..                                  D        0  Fri May 29 08:28:13 2015
  mtab                                       357  Fri May 29 08:47:28 2015
  abc                                 D        0  Fri May 29 08:45:21 2015
  fstab                               A      861  Fri May 29 08:43:10 2015
  test.file                                    5  Fri May 29 08:30:17 2015
  cdrom                              DR        0  Thu Sep 23 06:24:55 2010

        39109 blocks of size 524288. 34441 blocks available
smb: \>



[myshare]
        comment = my share dir
        path = /var/shared
        public = no
        writable = yes
        create mode = 0644
        dir mode =0755
        invalid users = hadoop david cobe    blacklist

[root@localhost ~]# smbclient  //192.168.100.1/myshare -U david
Enter david's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-20.el6]
tree connect failed: NT_STATUS_ACCESS_DENIED    blacklisted
[root@localhost ~]# smbclient  //192.168.100.1/myshare -U hive
Enter hive's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-20.el6]
smb: \>

[myshare]
        comment = my share dir
        path = /var/shared
        public = no
        writable = yes
        create mode = 0644
        dir mode =0755
        valid users = hadoop david cobe    whitelist; other users are refused

[root@localhost ~]# smbclient  //192.168.100.1/myshare -U hive
Enter hive's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-20.el6]
tree connect failed: NT_STATUS_ACCESS_DENIED

Server
[root@localhost ~]# groupadd mygroup
[root@localhost ~]# usermod -g mygroup alice
[root@localhost ~]# usermod -g mygroup bob
[root@localhost ~]# usermod -g mygroup david

[myshare]
        comment = my share dir
        path = /var/shared
        public = no
        writable = yes
        create mode = 0644
        dir mode =0755
        valid users = @mygroup    or +mygroup

Client
[root@localhost ~]# smbclient  //192.168.100.1/myshare -U alice
Enter alice's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-20.el6]
smb: \>

[root@localhost ~]# smbclient  //192.168.100.1/myshare -U hadoop
Enter hadoop's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-20.el6]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@localhost ~]#


Server
[myshare]
        comment = my share dir
        path = /var/shared
        public = no
        writable = yes
        create mode = 0644
        dir mode =0755
        valid users = @mygroup
        hosts allow = 192.168.100.254    the physical host; restrict by IP

Client
[root@localhost ~]# smbclient  //192.168.100.1/myshare -U alice
Enter alice's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-20.el6]
tree connect failed: NT_STATUS_ACCESS_DENIED


Access from Windows XP via Start > Run:
\\192.168.100.1

Server
[myshare]
        comment = my share dir
        path = /var/shared
        public = no
        writable = yes
        create mode = 0644
        dir mode =0755
        valid users = @mygroup
        hosts deny = 192.168.10.
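The experiments above exercise the two access-control layers introduced at the start (IP-based `hosts allow` / `hosts deny`, user-based `valid users` / `invalid users` with `@group`) on top of the configuration syntax described earlier (`#` and `;` comments, `[section]` headers, `key = value`). The following is an added example of my own, not code from the original post or from Samba, that parses a constructed smb.conf fragment in that format and reproduces the tree-connect decisions seen above. The ordering follows the documented semantics: share parameters override `[global]`; host lists are evaluated tcpd-style (no lists allow everyone, an allow list alone admits only its members, a deny list alone excludes only its members, and with both an allow match wins, otherwise a deny match refuses); `invalid users` is checked before `valid users`; an empty `valid users` admits every authenticated user. The `%S`/`%U` substitutions and `DOMAIN\user` forms are not modelled.

```python
def parse_smb_conf(text):
    """Parse smb.conf-style text into {section: {key: value}} (keys lower-cased)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # both comment styles
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf


def _names(value):
    """Split a user or host list; Samba accepts spaces and commas."""
    return value.replace(",", " ").split()


def _user_matches(entry, user, groups):
    """'@name', '+name', '&name' denote groups (simplified: all Unix groups)."""
    if entry[0] in "@+&":
        return entry[1:] in groups
    return entry == user


def _host_matches(pattern, ip):
    """'ALL', an exact IP, or a trailing-dot network prefix such as '192.168.100.'."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def _host_allowed(params, ip):
    """hosts allow / hosts deny as documented for smb.conf."""
    allow = _names(params.get("hosts allow", ""))
    deny = _names(params.get("hosts deny", ""))
    in_allow = any(_host_matches(p, ip) for p in allow)
    in_deny = any(_host_matches(p, ip) for p in deny)
    if not allow and not deny:
        return True
    if allow and not deny:
        return in_allow
    if deny and not allow:
        return not in_deny
    return in_allow or not in_deny


def can_connect(conf, share, user, groups, client_ip):
    """(allowed, reason) for an already-authenticated user connecting to a share."""
    if share.lower() not in conf:
        return False, "no such share"
    params = dict(conf.get("global", {}))
    params.update(conf[share.lower()])            # share-level settings win
    if not _host_allowed(params, client_ip):
        return False, "host denied by hosts allow / hosts deny"
    if any(_user_matches(e, user, groups) for e in _names(params.get("invalid users", ""))):
        return False, "user listed in invalid users"
    valid = _names(params.get("valid users", ""))
    if valid and not any(_user_matches(e, user, groups) for e in valid):
        return False, "user not listed in valid users"
    return True, "access granted"


# Constructed smb.conf fragment mirroring the experiments (not a real server's file).
SAMPLE_CONF = """\
[global]
        workgroup = MYGROUP
;       hosts allow = 127. 192.168.12.

[myshare]
        path = /var/shared
        writable = yes
        valid users = @mygroup hive
        hosts deny = 192.168.10.

[restricted]
        path = /var/restricted
        invalid users = hadoop david cobe
        hosts allow = 192.168.100.254
"""

if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_CONF)
    for share, user, groups, ip in [
        ("myshare", "alice", {"mygroup"}, "192.168.100.254"),
        ("myshare", "hadoop", {"hadoop"}, "192.168.100.254"),
        ("myshare", "alice", {"mygroup"}, "192.168.10.7"),
        ("restricted", "david", {"mygroup"}, "192.168.100.254"),
        ("restricted", "hive", set(), "192.168.100.2"),
    ]:
        print(share, user, ip, can_connect(conf, share, user, groups, ip))
```

`testparm` remains the authoritative check for a real smb.conf (it also reports unknown parameter names); this model is for reasoning about which list wins before touching the server.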

Managing Samba through the web interface (SWAT): back up smb.conf first, because edits made on the web page replace the file outright, keeping only the effective settings and dropping every comment
        

[root@localhost ~]# cd /etc/samba/
[root@localhost samba]# ls
lmhosts  smb.conf  smbusers
[root@localhost samba]# cp smb.conf smb.conf.bak
[root@localhost samba]# rpm -q samba-swat
samba-swat-3.6.23-20.el6.i686

[root@localhost samba]# service xinetd start
Starting xinetd:                                           [  OK  ]
[root@localhost samba]# chkconfig --list

xinetd based services:
    chargen-dgram:     off
    chargen-stream:    off
    cvs:               off
    daytime-dgram:     off
    daytime-stream:    off
    discard-dgram:     off
    discard-stream:    off
    echo-dgram:        off
    echo-stream:       off
    rsync:             off
    swat:              off            ----> off; not enabled by default
    tcpmux-server:     off
    time-dgram:        off
    time-stream:       off


SWAT socket: tcp/901, managed by xinetd
    +-------------+
    |   xinetd    |
    +-------------+

[root@localhost samba]# chkconfig swat on
[root@localhost samba]# chkconfig --list

xinetd based services:
    chargen-dgram:     off
    chargen-stream:    off
    cvs:               off
    daytime-dgram:     off
    daytime-stream:    off
    discard-dgram:     off
    discard-stream:    off
    echo-dgram:        off
    echo-stream:       off
    rsync:             off
    swat:              on
    tcpmux-server:     off
    time-dgram:        off
    time-stream:       off

Another way to enable it
[root@localhost samba]# ls /etc/xinetd.d/
chargen-dgram   daytime-dgram   discard-stream  rsync          time-dgram
chargen-stream  daytime-stream  echo-dgram      swat           time-stream
cvs             discard-dgram   echo-stream     tcpmux-server

[root@localhost samba]# vim /etc/xinetd.d/swat
service swat
{
        disable = no        change yes to no
        port            = 901
        socket_type     = stream    TCP; the UDP equivalent is dgram (datagram)
        wait            = no        do not wait: several requests may be handled in parallel
        only_from       = 127.0.0.1        who may connect; add the IP address of any host that should be allowed in
        user            = root
        server          = /usr/sbin/swat    the program that serves the requests
        log_on_failure  += USERID            on a failed login, also record the user ID
}

Access from a host
http://192.168.100.1:901

Creating a share through the web page
[temprate]
        comment = tmp share dir
        path = /tmp
        valid users = alice, bob, hadoop
        write list = alice
        read only = No
        available = Yes

[root@localhost ~]# smbclient -L //192.168.100.1/myshare -U alice
Enter alice's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-20.el6]

    Sharename       Type      Comment
    ---------       ----      -------
    myshare         Disk      my share dir
    temprate        Disk      tmp share dir
    IPC$            IPC       IPC Service (Samba Server Version 3.6.23-20.el6)
    alice           Disk      Home Directories
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.23-20.el6]

    Server               Comment
    ---------            -------
    LOCALHOST            Samba Server Version 3.6.23-20.el6

    Workgroup            Master
    ---------            -------
    MYGROUP              LOCALHOST
    WORKGROUP            LYJ


cifs
    Common Internet File System
    
    
[root@localhost ~]# rpm -ivh /mnt/cdrom/Packages/cifs-utils-4.4-5.el6.i686.rpm
warning: /mnt/cdrom/Packages/cifs-utils-4.4-5.el6.i686.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing...                ########################################### [100%]
   1:cifs-utils             ########################################### [100%]    
    
mount -t cifs -o username=alice //192.168.100.1/myshare /mnt/samba     
    
[root@localhost ~]# mount -t cifs -o username=alice //192.168.100.1/myshare /mnt/samba
Password:
[root@localhost ~]# df -hTP | column -t
Filesystem                Type   Size  Used  Avail  Use%  Mounted     on
/dev/sda3                 ext4   20G   1.3G  17G    7%    /
/dev/sda1                 ext4   97M   24M   69M    26%   /boot
tmpfs                     tmpfs  504M  0     504M   0%    /dev/shm
//192.168.100.1/myshare/  cifs   20G   1.4G  17G    8%    /mnt/samba    
    
    
    

[temprate]
        comment = tmp share dir
        path = /tmp
        valid users = alice, bob, hadoop
        write list = alice
        writable = Yes
    
[root@localhost ~]# mount -t cifs -o username=david //192.168.100.1/temprate /mnt/samba
Password:
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)    
    
Apply configuration changes without restarting
 smbcontrol - send messages to smbd, nmbd or winbindd processes
 
[root@localhost samba]# smbcontrol
[root@localhost samba]# smbcontrol smbd reload-config

Mounting automatically at boot via /etc/fstab, with the user name and password written inline:
    //192.168.100.1/myshare /mnt/samba              cifs    _netdev,username=alice,password=123     0 0

Writing the user name and password into a separate credentials file instead:
[root@localhost ~]# vim /etc/samba/abc

username=alice
password=123

[root@localhost ~]# vim /etc/fstab
add one line
//192.168.100.1/myshare /mnt/samba              cifs    _netdev,credentials=/etc/samba/abc     0 0
[root@localhost ~]# chmod 600 /etc/samba/abc         for security, restrict the permissions to 600
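The reason for moving the password out of /etc/fstab is that fstab is world-readable, so `password=123` on the mount line is visible to every local user; the credentials file fixes that only if it is created with mode 600 and stays that way. The following added example is my own, not code from the original post or from cifs-utils: it writes a credentials file in the documented mount.cifs format (`username=`, `password=`, optional `domain=`) with the restrictive mode applied at creation rather than afterwards, and audits fstab text for cifs entries that still embed a password or point at a credentials file readable by others. The `demo` function builds a constructed fstab in a temporary directory using the share names from this walkthrough.

```python
import os
import stat
import tempfile


def write_credentials_file(path, username, password, domain=None):
    """Create a mount.cifs credentials file that only its owner can read.

    O_EXCL plus an explicit 0600 mode means the file never exists with wider
    permissions; the final chmod is the step the walkthrough performs by hand.
    """
    lines = [f"username={username}", f"password={password}"]
    if domain:
        lines.append(f"domain={domain}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, 0o600)
    return path


def credentials_file_is_private(path):
    """True when group and other hold no permission bits at all."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def audit_fstab_cifs(fstab_text):
    """Scan fstab text for cifs entries that expose the share password.

    Flags password= / pass= given inline (fstab is world-readable) and a
    credentials= / cred= file that is missing or readable by group/other.
    Returns a list of (device, finding) tuples in file order.
    """
    findings = []
    for raw in fstab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cifs":
            continue
        device = fields[0]
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        if "password" in opts or "pass" in opts:
            findings.append((device, "password written inline in fstab"))
        cred = opts.get("credentials") or opts.get("cred")
        if cred:
            if not os.path.isfile(cred):
                findings.append((device, f"credentials file {cred} does not exist"))
            elif not credentials_file_is_private(cred):
                findings.append((device, f"credentials file {cred} is readable by group/other"))
    return findings


def demo():
    """Constructed scenario: one inline password, one properly protected
    credentials file, and one that was later loosened to 0644."""
    tmp = tempfile.mkdtemp()
    good = write_credentials_file(os.path.join(tmp, "abc"), "alice", "123")
    leaky = write_credentials_file(os.path.join(tmp, "abc-open"), "alice", "123")
    os.chmod(leaky, 0o644)
    fstab = (
        "/dev/sda3 / ext4 defaults 1 1\n"
        "//192.168.100.1/myshare /mnt/samba cifs _netdev,username=alice,password=123 0 0\n"
        f"//192.168.100.1/myshare /mnt/samba cifs _netdev,credentials={good} 0 0\n"
        f"//192.168.100.1/temprate /mnt/tmp cifs _netdev,credentials={leaky} 0 0\n"
    )
    return audit_fstab_cifs(fstab)


if __name__ == "__main__":
    for device, finding in demo():
        print(device, "->", finding)
```

Run against the real file with `audit_fstab_cifs(open("/etc/fstab").read())`; only the entry with the private credentials file should come back clean.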


This article is from the blog "小运维的逆袭"; please keep this attribution: http://liyongjian5179.blog.51cto.com/10134786/1733360
