Linux network file-sharing services: Samba


I. Introduction to the SAMBA service

  Samba was developed in 1991 by Andrew Tridgell and is mainly used for file sharing between Windows and Unix. Samba implements file and printer sharing and online editing, authenticates users who log in to SAMBA, and can perform NetBIOS name resolution and peripheral sharing. The related packages are: samba, which provides the smb service itself (smb stands for Server Message Block, a protocol published by IBM that began as a DOS network file-sharing protocol); samba-client, the client package; samba-common, the shared common package; cifs-utils, also an smb client tool; and samba-winbind, which mainly contains the components related to Windows AD domains. The samba service has two processes: smbd provides the smb (cifs) service and listens on TCP ports 139 and 445; the other, nmbd, handles NetBIOS name resolution and by default works on UDP ports 137 and 138. If the samba server we access does not need name resolution, nmbd can be left off. Samba's main configuration file is /etc/samba/smb.conf, and its documentation can be read with man smb.conf. Like apache, samba has a tool for checking the syntax of the configuration file: testparm [-v] [/etc/samba/smb.conf]; by default it does not need the path to the configuration file. Besides the server-side tools, samba also provides client tools such as smbclient and mount.cifs; cifs stands for Common Internet File System, which can be understood as an upgraded version of SMB, implemented by Microsoft.

II. The SAMBA configuration file

  /etc/samba/smb.conf follows the .ini file format and is divided into sections with [ ]. Global settings go under the [global] section, which mainly holds the server's common or global configuration. Besides the global configuration there are settings for specific shared directories: [homes] shares users' home directories, [printers] defines printer resources and services, and [sharename] is a custom share definition. The name in the brackets of a custom share is the name under which the directory is shared; it may differ from the directory's own name, since it is just a label given to that directory. In /etc/samba/smb.conf, lines beginning with a hash or a semicolon are comments, and the names in brackets are case-insensitive.

  Configuration-file macros

  %m: NetBIOS name of the client host

  %H: home directory path of the current user

  %g: primary group of the current user

  %L: NetBIOS name of the samba server

  %T: current date and time

  %M: FQDN of the client host

  %U: user name of the current user

  %h: host name of the samba server

  %I (upper-case i): IP address of the client host

  %S: the user name that can log in (the name of the current service, which in [homes] is the user's name)

  2.1 SAMBA server global configuration directives

    workgroup: specifies the workgroup name

    server string: the server's description (comment)

    netbios name: specifies the NetBIOS name

    interfaces: specifies the interfaces and IP addresses the service listens on

    hosts allow: entries may be separated by ",", spaces or tabs; by default all hosts are allowed. It can also be set independently in each share; if it is set in [global], it applies to and overrides the setting of every share.

      IPv4 network/prefix: 172.25.0.0/24

      IPv4 prefix: 172.25.0.

      IPv4 network/netmask: 172.25.0.0/255.255.255.0

      Host name: desktop.example.com

      Any host name with the suffix example.com: .example.com

      Examples:

        hosts allow = 172.25.

        hosts allow = 172.25. .example.com

    hosts deny: denies access to the listed hosts

    config file=/etc/samba/conf.d/%U: a separate configuration file per user

    log file=/var/log/samba/log.%m: a separate log per client machine

    log level = 2: log level; the default is 0, which records no log

    max log size=50: when the log file reaches 50 KB it is rotated; the unit is KB

    security: the three authentication modes:

      share: anonymous (no longer supported on CentOS 7)

      user: samba user (a Linux user with a separate samba password)

      domain: authenticate against a DC (domain controller)

    passdb backend = tdbsam: password database format; samba users must be Linux users, and for safety it is recommended to give them the /sbin/nologin shell
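  As an added example that is not part of the original article, the following Python models how the hosts allow and hosts deny entry forms listed above combine. It is not Samba's own implementation (which is C code inside Samba) but follows the documented rules: an allow list alone admits only the listed hosts, a deny list alone blocks only the listed hosts, and when both are set a host matching the allow list wins, then the deny list is checked, and everything else is admitted. The client addresses and names in the demo are constructed.

```python
"""Model Samba's 'hosts allow' / 'hosts deny' matching.

Added illustration, not Samba's own code.  Entry forms are the ones listed
in section 2.1: an IPv4 network as prefix length or dotted netmask, an IPv4
prefix ending in '.', an exact host name, and a '.domain' suffix.
"""
import ipaddress


def split_list(value):
    """Samba accepts commas, spaces or tabs between entries."""
    return value.replace(",", " ").split()


def entry_matches(entry, client_ip, client_fqdn):
    """Does one list entry match this client?"""
    addr = ipaddress.ip_address(client_ip)
    fqdn = client_fqdn.lower()
    if entry.upper() == "ALL":
        return True
    if "/" in entry:
        # ip_network understands both 172.25.0.0/24 and 172.25.0.0/255.255.255.0
        return addr in ipaddress.ip_network(entry, strict=False)
    if entry.endswith(".") and entry.replace(".", "").isdigit():
        # '172.25.' is a plain string prefix: it matches 172.25.x.y, not 172.250.x.y
        return client_ip.startswith(entry)
    if entry.startswith("."):
        return fqdn.endswith(entry.lower())
    try:
        return addr == ipaddress.ip_address(entry)
    except ValueError:
        return fqdn == entry.lower()


def host_allowed(hosts_allow, hosts_deny, client_ip, client_fqdn=""):
    """Apply the allow/deny combination rules to one client."""
    allow = split_list(hosts_allow)
    deny = split_list(hosts_deny)
    in_allow = any(entry_matches(e, client_ip, client_fqdn) for e in allow)
    in_deny = any(entry_matches(e, client_ip, client_fqdn) for e in deny)
    if not allow and not deny:
        return True             # neither list set: every host is permitted
    if not deny:
        return in_allow         # allow list only: listed hosts and nobody else
    if not allow:
        return not in_deny      # deny list only: everyone except listed hosts
    return in_allow or not in_deny  # both: allow wins, then deny, rest permitted


if __name__ == "__main__":
    # The second example line from section 2.1, applied to constructed clients.
    rule = "172.25. .example.com"
    for ip, name in (("172.25.3.9", "pc1.corp.lan"),
                     ("172.250.3.9", "pc2.corp.lan"),
                     ("10.0.0.5", "desktop.example.com"),
                     ("10.0.0.6", "desktop.example.org")):
        print(f"{ip:<14} {name:<22} allowed={host_allowed(rule, '', ip, name)}")
```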

III. Installing, configuring and using the SAMBA service

  1. Installation

[root@test ~]# yum install samba -y
……part of the output omitted
Installed:
  samba.x86_64 0:4.6.2-8.el7                                                                                                    

Dependency Installed:
  avahi-libs.x86_64 0:0.6.31-17.el7     cups-libs.x86_64 1:1.6.3-29.el7            libldb.x86_64 0:1.1.29-1.el7               
  libtalloc.x86_64 0:2.1.9-1.el7        libtdb.x86_64 0:1.3.12-2.el7               libtevent.x86_64 0:0.9.31-1.el7            
  libwbclient.x86_64 0:4.6.2-8.el7      pytalloc.x86_64 0:2.1.9-1.el7              samba-client-libs.x86_64 0:4.6.2-8.el7     
  samba-common.noarch 0:4.6.2-8.el7     samba-common-libs.x86_64 0:4.6.2-8.el7     samba-common-tools.x86_64 0:4.6.2-8.el7    
  samba-libs.x86_64 0:4.6.2-8.el7      

Complete!
[root@test ~]# rpm -qf /etc/samba/smb.conf
samba-common-4.6.2-8.el7.noarch
[root@test ~]# 

  Note: installing samba pulls in a number of dependency packages by default, as shown above; the configuration file /etc/samba/smb.conf comes from the samba-common package.

  2. Configuring a directory share

[root@test ~]# cat /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = SAMBA
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = root
        create mask = 0664
        directory mask = 0775
[share]
        comment = this is test share
        path = /data/smb_dir

[root@test ~]# 

  Note: the configuration above adds a new [share] block to the existing configuration file; it shares the directory /data/smb_dir under the share name share.

[root@test ~]# testparm 
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = SAMBA
        printcap name = cups
        security = USER
        idmap config * : backend = tdb
        cups options = raw


[homes]
        comment = Home Directories
        browseable = No
        inherit acls = Yes
        read only = No
        valid users = %S %D%w%S


[printers]
        comment = All Printers
        path = /var/tmp
        browseable = No
        printable = Yes
        create mask = 0600


[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        create mask = 0664
        directory mask = 0775
        write list = root


[share]
        comment = this is test share
        path = /data/smb_dir
[root@test ~]# 

  Note: once the syntax check passes, create the directory and then restart the service

[root@test ~]# mkdir /data/smb_dir -p
[root@test ~]# systemctl restart smb
[root@test ~]# 

  Note: at this point we have shared a directory; next we use the smbclient tool to look at the shares

[root@test ~]# smbclient -L 192.168.0.10
Enter SAMBA\root's password: 
Anonymous login successful
OS=[Windows 6.1] Server=[Samba 4.6.2]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        share           Disk      this is test share
        IPC$            IPC       IPC Service (Samba 4.6.2)
Anonymous login successful
OS=[Windows 6.1] Server=[Samba 4.6.2]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
[root@test ~]#

  Note: the -L option lists the shares on the given host. Normally no user or password follows it, which means an anonymous user; -U can also be used to give a user name, followed by % and the password, as shown below

[root@test ~]# smbclient -L 192.168.0.232 -U qiuhom%...
Domain=[QIUHOM] OS=[Windows 7 Ultimate 7601 Service Pack 1] Server=[Windows 7 Ultimate 6.1]

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      遠程管理
        C$              Disk      默認共享
        D$              Disk      默認共享
        IPC$            IPC       遠程 IPC
        print$          Disk      打印機驅動程序
        Share           Disk      
Connection to 192.168.0.232 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available
[root@test ~]#

  3. Managing SAMBA users

  Adding samba users

[root@test ~]# useradd  -s /sbin/nologin sambauser1
[root@test ~]# useradd  -s /sbin/nologin sambauser2
[root@test ~]# smbpasswd -a sambauser1
New SMB password:
Retype new SMB password:
Added user sambauser1.
[root@test ~]# smbpasswd -a sambauser2
New SMB password:
Retype new SMB password:
Added user sambauser2.
[root@test ~]#

  Note: samba users must be users of the Linux system; if the user does not exist on the Linux system, smbpasswd cannot add it. For the safety of the Linux system, since these two accounts are only used to log in to the samba service, it is safer to set their shell to /sbin/nologin. Users can also be added with the pdbedit command, as shown below

[root@test ~]# useradd -s /sbin/nologin sambauser3
[root@test ~]# pdbedit -a -u sambauser3
new password:
retype new password:
Unix username:        sambauser3
NT username:          
Account Flags:        [U          ]
User SID:             S-1-5-21-1369552498-1030126791-3625437691-1002
Primary Group SID:    S-1-5-21-1369552498-1030126791-3625437691-513
Full Name:            
Home Directory:       \\test\sambauser3
HomeDir Drive:        
Logon Script:         
Profile Path:         \\test\sambauser3\profile
Domain:               TEST
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 23:06:39 CST
Kickoff time:         Wed, 06 Feb 2036 23:06:39 CST
Password last set:    Wed, 29 Jan 2020 02:15:48 CST
Password can change:  Wed, 29 Jan 2020 02:15:48 CST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[root@test ~]# 

  Note: when a user is added with pdbedit, the account's details are displayed

  Changing a user's password

[root@test ~]# smbpasswd sambauser1
New SMB password:
Retype new SMB password:
[root@test ~]# 

  Note: to change a user's password, just give the user name; no option is needed

  Listing samba users

[root@test ~]# pdbedit -L 
sambauser1:1002:
sambauser3:1004:
sambauser2:1003:
[root@test ~]# pdbedit -L -v
---------------
Unix username:        sambauser1
NT username:          
Account Flags:        [U          ]
User SID:             S-1-5-21-1369552498-1030126791-3625437691-1000
Primary Group SID:    S-1-5-21-1369552498-1030126791-3625437691-513
Full Name:            
Home Directory:       \\test\sambauser1
HomeDir Drive:        
Logon Script:         
Profile Path:         \\test\sambauser1\profile
Domain:               TEST
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 23:06:39 CST
Kickoff time:         Wed, 06 Feb 2036 23:06:39 CST
Password last set:    Wed, 29 Jan 2020 02:17:38 CST
Password can change:  Wed, 29 Jan 2020 02:17:38 CST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:        sambauser3
NT username:          
Account Flags:        [U          ]
User SID:             S-1-5-21-1369552498-1030126791-3625437691-1002
Primary Group SID:    S-1-5-21-1369552498-1030126791-3625437691-513
Full Name:            
Home Directory:       \\test\sambauser3
HomeDir Drive:        
Logon Script:         
Profile Path:         \\test\sambauser3\profile
Domain:               TEST
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 23:06:39 CST
Kickoff time:         Wed, 06 Feb 2036 23:06:39 CST
Password last set:    Wed, 29 Jan 2020 02:15:48 CST
Password can change:  Wed, 29 Jan 2020 02:15:48 CST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:        sambauser2
NT username:          
Account Flags:        [U          ]
User SID:             S-1-5-21-1369552498-1030126791-3625437691-1001
Primary Group SID:    S-1-5-21-1369552498-1030126791-3625437691-513
Full Name:            
Home Directory:       \\test\sambauser2
HomeDir Drive:        
Logon Script:         
Profile Path:         \\test\sambauser2\profile
Domain:               TEST
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 23:06:39 CST
Kickoff time:         Wed, 06 Feb 2036 23:06:39 CST
Password last set:    Wed, 29 Jan 2020 02:08:54 CST
Password can change:  Wed, 29 Jan 2020 02:08:54 CST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[root@test ~]# 

  Note: -L lists the accounts, and -v shows the details of each account

  Deleting users and their passwords

[root@test ~]# smbpasswd -x sambauser3
Deleted user sambauser3.
[root@test ~]# pdbedit -L
sambauser1:1002:
sambauser2:1003:
[root@test ~]# pdbedit -x -u sambauser2
[root@test ~]# pdbedit -L
sambauser1:1002:
[root@test ~]# 

  Note: both smbpasswd and pdbedit can delete users; the difference is that smbpasswd prints a message after deleting the user, while pdbedit does not

  Connecting to the samba service with a newly created user

[root@test ~]# smbclient //192.168.0.10/share -U sambauser1%admin
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> ls
  .                                   D        0  Wed Jan 29 01:52:43 2020
  ..                                  D        0  Wed Jan 29 01:52:43 2020

                48209924 blocks of size 1024. 45019976 blocks available
smb: \> 

  Note: the smbclient command-line tool is similar to the FTP command-line client and is used in much the same way. On Windows you use a UNC path, in the form \\sambaserver\sharename.

  Testing the permissions of the new user sambauser1

[root@test ~]# ls
[root@test ~]# cp /etc/fstab  ./f1
[root@test ~]# ls
f1
[root@test ~]# smbclient //192.168.0.10/share -U sambauser1%admin
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> ls
  .                                   D        0  Wed Jan 29 01:52:43 2020
  ..                                  D        0  Wed Jan 29 01:52:43 2020

                48209924 blocks of size 1024. 45019800 blocks available
smb: \> !ls
f1
smb: \> put f1
NT_STATUS_ACCESS_DENIED opening remote file \f1
smb: \> ls
  .                                   D        0  Wed Jan 29 01:52:43 2020
  ..                                  D        0  Wed Jan 29 01:52:43 2020

                48209924 blocks of size 1024. 45019800 blocks available
smb: \> q
[root@test ~]# 

  Note: when we upload f1 to the shared directory, we get access denied. Why? Are the account's permissions wrong, or the filesystem permissions? Let's change the shared directory's permissions to 777 and try the upload again; that will tell us whether the account lacks permission or the share directory's permissions are too strict

[root@test ~]# ll -d /data/smb_dir/
drwxr-xr-x 2 root root 16 Jan 29 03:26 /data/smb_dir/
[root@test ~]# chmod 777 /data/smb_dir/
[root@test ~]# ll -d /data/smb_dir/
drwxrwxrwx 2 root root 16 Jan 29 03:26 /data/smb_dir/
[root@test ~]# smbclient //192.168.0.10/share -U sambauser1%admin
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> ls
  .                                   D        0  Wed Jan 29 03:28:39 2020
  ..                                  D        0  Wed Jan 29 01:52:43 2020

                48209924 blocks of size 1024. 45019872 blocks available
smb: \> !ls
f1
smb: \> put f1
NT_STATUS_ACCESS_DENIED opening remote file \f1
smb: \> q
[root@test ~]# 

  Note: after changing the shared directory to 777 the upload still fails. Why? When we log in to the samba server as sambauser1, by default it accesses the shared directory with the permissions of the Linux user sambauser1, so we do not need to give the shared directory 777; giving sambauser1 read, write and execute permission is enough. The fact that it still cannot upload shows the problem is not the filesystem permissions: samba shares are read-only by default, so we have to tell samba explicitly in the configuration file that the shared directory may be written. Next we change the shared directory's permissions back to 755, give sambauser1 read, write and execute permission, and explicitly mark the share as writable in the configuration file

[root@test ~]# ll -d /data/smb_dir/  
drwxrwxrwx 2 root root 6 Jan 29 03:28 /data/smb_dir/
[root@test ~]# chmod 755 /data/smb_dir/
[root@test ~]# ll -d /data/smb_dir/
drwxr-xr-x 2 root root 6 Jan 29 03:28 /data/smb_dir/
[root@test ~]# setfacl -m u:sambauser1:rwx /data/smb_dir/
[root@test ~]# getfacl /data/smb_dir/
getfacl: Removing leading '/' from absolute path names
# file: data/smb_dir/
# owner: root
# group: root
user::rwx
user:sambauser1:rwx
group::r-x
mask::rwx
other::r-x

[root@test ~]# tail /etc/samba/smb.conf
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = root
        create mask = 0664
        directory mask = 0775
[share]
        comment = this is test share
        path = /data/smb_dir
        read only=No
[root@test ~]# systemctl restart smb
[root@test ~]# 

  Note: we gave sambauser1 read, write and execute permission on the shared directory and explicitly set read only=No for the share in the samba configuration file. This option means the same as writable=yes; either one marks the share writable. Next we test again whether files can be uploaded

[root@test ~]# smbclient //192.168.0.10/share -U sambauser1%admin
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> ls
  .                                   D        0  Wed Jan 29 03:28:39 2020
  ..                                  D        0  Wed Jan 29 01:52:43 2020

                48209924 blocks of size 1024. 45019860 blocks available
smb: \> !ls
f1
smb: \> put f1 
putting file f1 as \f1 (97.8 kb/s) (average 97.9 kb/s)
smb: \> ls
  .                                   D        0  Wed Jan 29 03:42:51 2020
  ..                                  D        0  Wed Jan 29 01:52:43 2020
  f1                                  A      501  Wed Jan 29 03:42:51 2020

                48209924 blocks of size 1024. 45019724 blocks available
smb: \> q
[root@test ~]# ls /data/smb_dir/
f1
[root@test ~]# ll /data/smb_dir/
total 4
-rwxr--r-- 1 sambauser1 sambauser1 501 Jan 29 03:42 f1
[root@test ~]#

  Note: f1 was uploaded successfully and appears in the real shared directory, but its permissions are not quite right: we do not want files uploaded to the server to have execute permission. To restrict the permissions of uploaded and newly created files and directories, the configuration file must also specify the permissions for new files and new directories

[root@test ~]# tail -6 /etc/samba/smb.conf
[share]
        comment = this is test share
        path = /data/smb_dir
        read only=No
        create mask=0644
        directory mask=0755
[root@test ~]# systemctl restart smb
[root@test ~]# smbclient //192.168.0.10/share -U sambauser1%admin
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> ls 
  .                                   D        0  Wed Jan 29 04:03:19 2020
  ..                                  D        0  Wed Jan 29 03:58:37 2020

                48209924 blocks of size 1024. 45019496 blocks available
smb: \> !ls
f1  passwd
smb: \> mput f1 passwd 
Put file f1? y
putting file f1 as \f1 (122.3 kb/s) (average 122.3 kb/s)
Put file passwd? y
putting file passwd as \passwd (645.0 kb/s) (average 296.5 kb/s)
smb: \> mkdir newdir
smb: \> ls
  .                                   D        0  Wed Jan 29 04:04:10 2020
  ..                                  D        0  Wed Jan 29 03:58:37 2020
  f1                                  N      501  Wed Jan 29 04:04:02 2020
  passwd                              N     1321  Wed Jan 29 04:04:03 2020
  newdir                              D        0  Wed Jan 29 04:04:10 2020

                48209924 blocks of size 1024. 45019436 blocks available
smb: \> q
[root@test ~]# ll /data/smb_dir/     
total 8
-rw-r--r-- 1 sambauser1 sambauser1  501 Jan 29 04:04 f1
drwxr-xr-x 2 sambauser1 sambauser1    6 Jan 29 04:04 newdir
-rw-r--r-- 1 sambauser1 sambauser1 1321 Jan 29 04:04 passwd
[root@test ~]# 

  Note: after explicitly specifying the permissions for new files and directories in the share's configuration, the permissions of uploaded files and newly created directories are correct
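  Why the first upload came back as -rwxr--r-- and the second as -rw-r--r-- follows from how Samba turns DOS attributes into Unix modes. The Python below is an added worked example, not Samba's own code and not part of the article: it models the rule documented in smb.conf(5) (base mode, DOS attribute bits mapped onto execute bits, AND with create mask / directory mask, OR with force create mode / force directory mode) and reproduces the three modes seen above; the force parameters go beyond what this page configures.

```python
"""Model how Samba derives the Unix mode of a file or directory a client creates.

Added worked example, not Samba's own code.  Rule as documented in
smb.conf(5): files start from 0666 and directories from 0777; DOS
attributes Samba cannot store otherwise are mapped onto execute bits
('map archive' -> owner x, 'map system' -> group x, 'map hidden' -> other x,
with only 'map archive' on by default); the result is ANDed with
'create mask' (default 0744) or 'directory mask' (default 0755) and then
ORed with 'force create mode' / 'force directory mode' (default 0000).
"""
import stat


def unix_mode(is_dir, dos_attrs="", create_mask=0o744, directory_mask=0o755,
              force_create_mode=0o000, force_directory_mode=0o000,
              map_archive=True, map_system=False, map_hidden=False):
    """dos_attrs uses smbclient's letters: A archive, S system, H hidden, D directory."""
    if is_dir:
        return (0o777 & directory_mask) | force_directory_mode
    mode = 0o666
    if "A" in dos_attrs and map_archive:
        mode |= stat.S_IXUSR      # the archive bit becomes owner execute
    if "S" in dos_attrs and map_system:
        mode |= stat.S_IXGRP
    if "H" in dos_attrs and map_hidden:
        mode |= stat.S_IXOTH
    return (mode & create_mask) | force_create_mode


def rwx(mode, is_dir=False):
    """Render a mode the way ls -l does, e.g. 'rwxr--r--'."""
    kind = stat.S_IFDIR if is_dir else stat.S_IFREG
    return stat.filemode(kind | mode)[1:]


if __name__ == "__main__":
    # f1 uploaded by smbclient carries the archive attribute ('A' in its ls output).
    print("default masks, file with A :", rwx(unix_mode(False, "A")))
    print("create mask=0644, file A   :", rwx(unix_mode(False, "A", create_mask=0o644)))
    print("directory mask=0755, dir   :", rwx(unix_mode(True, "D", directory_mask=0o755), True))
    # Beyond the page: a drop directory where new files must be group-writable
    # but never executable, whatever attributes the client asked for.
    m = unix_mode(False, "A", create_mask=0o660, force_create_mode=0o660)
    print("create mask=force=0660     :", rwx(m))
```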

  Shares restricted to specific users and groups

[root@test ~]# tail -6 /etc/samba/smb.conf
[share2]
        path=/data/smb_dir2
        writeable=no
        valid users=sambauser2,sambauser3
        browseable=no
        write list=sambauser2
[root@test ~]# mkdir /data/smb_dir2
[root@test ~]# getent passwd sambauser2
sambauser2:x:1003:1003::/home/sambauser2:/sbin/nologin
[root@test ~]# getent passwd sambauser3
sambauser3:x:1004:1004::/home/sambauser3:/sbin/nologin
[root@test ~]# pdbedit -a -u sambauser2
new password:
retype new password:
Unix username:        sambauser2
NT username:          
Account Flags:        [U          ]
User SID:             S-1-5-21-1369552498-1030126791-3625437691-1004
Primary Group SID:    S-1-5-21-1369552498-1030126791-3625437691-513
Full Name:            
Home Directory:       \\test\sambauser2
HomeDir Drive:        
Logon Script:         
Profile Path:         \\test\sambauser2\profile
Domain:               TEST
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 23:06:39 CST
Kickoff time:         Wed, 06 Feb 2036 23:06:39 CST
Password last set:    Wed, 29 Jan 2020 04:19:09 CST
Password can change:  Wed, 29 Jan 2020 04:19:09 CST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[root@test ~]# pdbedit -a -u sambauser3
new password:
retype new password:
Unix username:        sambauser3
NT username:          
Account Flags:        [U          ]
User SID:             S-1-5-21-1369552498-1030126791-3625437691-1005
Primary Group SID:    S-1-5-21-1369552498-1030126791-3625437691-513
Full Name:            
Home Directory:       \\test\sambauser3
HomeDir Drive:        
Logon Script:         
Profile Path:         \\test\sambauser3\profile
Domain:               TEST
Account desc:         
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 23:06:39 CST
Kickoff time:         Wed, 06 Feb 2036 23:06:39 CST
Password last set:    Wed, 29 Jan 2020 04:19:19 CST
Password can change:  Wed, 29 Jan 2020 04:19:19 CST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[root@test ~]# pdbedit -L
sambauser2:1003:
sambauser1:1002:
sambauser3:1004:
[root@test ~]# setfacl -m u:sambauser2:rwx /data/smb_dir2
[root@test ~]# setfacl -m u:sambauser3:rwx /data/smb_dir2 
[root@test ~]# getfacl /data/smb_dir2
getfacl: Removing leading '/' from absolute path names
# file: data/smb_dir2
# owner: root
# group: root
user::rwx
user:sambauser2:rwx
user:sambauser3:rwx
group::r-x
mask::rwx
other::r-x

[root@test ~]# systemctl restart smb
[root@test ~]# 

  Note: above we shared another directory on the samba server as share2. Only the users sambauser2 and sambauser3 can access this share; other users cannot. sambauser2 can write to it and sambauser3 cannot. Next we test whether that is really the case

[root@test ~]# smbclient -L 192.168.0.10 -U sambauser1%admin
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        share           Disk      this is test share
        IPC$            IPC       IPC Service (Samba 4.6.2)
        sambauser1      Disk      Home Directories
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
[root@test ~]# smbclient -L 192.168.0.10 -U sambauser2%admin
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        share           Disk      this is test share
        IPC$            IPC       IPC Service (Samba 4.6.2)
        sambauser2      Disk      Home Directories
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
[root@test ~]# 

  Note: from the output above, neither sambauser1 nor sambauser2 can see the share2 share, because we set browseable=no in the configuration file, which means no user can see this share: the share is hidden

[root@test ~]# smbclient  //192.168.0.10/share2 -U sambauser1%admin  
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@test ~]# smbclient  //192.168.0.10/share2 -U sambauser2%admin 
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> ls
  .                                   D        0  Wed Jan 29 04:17:15 2020
  ..                                  D        0  Wed Jan 29 04:17:15 2020

                48209924 blocks of size 1024. 45019880 blocks available
smb: \> q
[root@test ~]#

  Note: sambauser1 is denied access to share2 while sambauser2 can access it normally, so restricting a specific directory to specific users works. For groups, write the group name in the configuration file prefixed with @ or +, which marks it as a group name; otherwise samba treats what you wrote as a user name

[root@test ~]# smbclient  //192.168.0.10/share2 -U sambauser2%admin
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> ls
  .                                   D        0  Wed Jan 29 04:17:15 2020
  ..                                  D        0  Wed Jan 29 04:17:15 2020

                48209924 blocks of size 1024. 45019880 blocks available
smb: \> !ls
f1  passwd
smb: \> put f1 
putting file f1 as \f1 (61.2 kb/s) (average 61.2 kb/s)
smb: \> ls
  .                                   D        0  Wed Jan 29 04:34:20 2020
  ..                                  D        0  Wed Jan 29 04:17:15 2020
  f1                                  A      501  Wed Jan 29 04:34:20 2020

                48209924 blocks of size 1024. 45019788 blocks available
smb: \> q
[root@test ~]# smbclient  //192.168.0.10/share2 -U sambauser3%admin
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> ls
  .                                   D        0  Wed Jan 29 04:34:20 2020
  ..                                  D        0  Wed Jan 29 04:17:15 2020
  f1                                  A      501  Wed Jan 29 04:34:20 2020

                48209924 blocks of size 1024. 45019788 blocks available
smb: \> put passwd 
NT_STATUS_ACCESS_DENIED opening remote file \passwd
smb: \> ls
  .                                   D        0  Wed Jan 29 04:34:20 2020
  ..                                  D        0  Wed Jan 29 04:17:15 2020
  f1                                  A      501  Wed Jan 29 04:34:20 2020

                48209924 blocks of size 1024. 45019868 blocks available
smb: \> q
[root@test ~]# 

  Note: logged in to share2 as sambauser2 we can upload files normally, but sambauser3's upload is denied, so giving specific permissions to specific users works as well.
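  The share and share2 experiments above (valid users, write list, browseable, read only) can be predicted from the configuration alone. The Python below is an added example, not Samba's own code and not part of the article: it reads a constructed copy of the page's [share] and [share2] definitions with configparser and answers, for one user, whether the share is listed by smbclient -L, whether the user can connect, and whether they can write; @group and +group entries are resolved against a constructed group table.

```python
"""Predict a user's access to a Samba share from its smb.conf parameters.

Added illustration, not Samba's own code.  smb.conf is .ini-like, so
configparser can read it once '%' interpolation is turned off (macros such
as %U would otherwise break parsing) and parameter names are normalised the
way Samba does it: case and embedded spaces are ignored.
"""
import configparser

# Constructed copy of the page's [share] and [share2] definitions.
SMB_CONF = """\
[global]
        workgroup = SAMBA
        security = user

[share]
        comment = this is test share
        path = /data/smb_dir
        read only=No

[share2]
        path=/data/smb_dir2
        writeable=no
        valid users=sambauser2,sambauser3
        browseable=no
        write list=sambauser2
"""

# Constructed unix group table for '@group' / '+group' entries.
GROUPS = {"smbadmins": {"sambauser2"}}

YES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section name: {normalised parameter: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   empty_lines_in_values=False,
                                   comment_prefixes=("#", ";"))
    cp.optionxform = lambda name: "".join(name.split()).lower()
    cp.read_string(text)
    return {name.lower(): dict(cp.items(name)) for name in cp.sections()}


def in_list(value, user, groups=GROUPS):
    """User lists name users or, prefixed with '@' or '+', unix groups."""
    for entry in value.replace(",", " ").split():
        if entry[0] in "@+" and user in groups.get(entry[1:], ()):
            return True
        if entry == user:
            return True
    return False


def is_read_only(share):
    """'read only', 'writable' and 'writeable' are one switch with inverted
    sense.  Samba's default is read only = yes, which is why the first upload
    to [share] failed even after chmod 777 on the directory."""
    if "readonly" in share:
        return share["readonly"].lower() in YES
    for key in ("writable", "writeable"):
        if key in share:
            return share[key].lower() not in YES
    return True


def share_access(conf, name, user):
    """Return (browseable, can_connect, can_write) for user on share name."""
    share = conf[name.lower()]
    browseable = share.get("browseable", share.get("browsable", "yes")).lower() in YES
    valid = share.get("validusers", "").strip()
    can_connect = (not valid or in_list(valid, user)) \
        and not in_list(share.get("invalidusers", ""), user)
    # write list grants write even on a read-only share; read list takes it away
    can_write = in_list(share.get("writelist", ""), user) or (
        not is_read_only(share) and not in_list(share.get("readlist", ""), user))
    return browseable, can_connect, can_connect and can_write


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for share_name in ("share", "share2"):
        for user in ("sambauser1", "sambauser2", "sambauser3"):
            listed, connect, write = share_access(conf, share_name, user)
            print(f"{share_name:<7} {user:<11} listed={listed!s:<5} "
                  f"connect={connect!s:<5} write={write}")
```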

  Letting different users who access the same share name enter different directories with different permissions

[root@test ~]# vim /etc/samba/smb.conf
  
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        workgroup = SAMBA
        security = user
        config file=/etc/samba/conf.d/%U
        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = root
        create mask = 0664
        directory mask = 0775
[share]
"/etc/samba/smb.conf" 48L, 930C written                                                                       
[root@test ~]# mkdir -p /etc/samba/conf.d/
[root@test ~]# cat >/etc/samba/conf.d/sambauser2
[share2]      
path=/smb/sambauser2/
read only=no
^C
[root@test ~]# cat /etc/samba/conf.d/sambauser2
[share2]
path=/smb/sambauser2/
read only=no
[root@test ~]# mkdir -pv /smb/sambauser2
mkdir: created directory ‘/smb’
mkdir: created directory ‘/smb/sambauser2’
[root@test ~]# setfacl -m u:sambauser2:rwx /smb/sambauser2
[root@test ~]# getfacl /smb/sambauser2
getfacl: Removing leading '/' from absolute path names
# file: smb/sambauser2
# owner: root
# group: root
user::rwx
user:sambauser2:rwx
group::r-x
mask::rwx
other::r-x

[root@test ~]# touch /smb/sambauser2/smb_user2.txt
[root@test ~]# systemctl restart smb
[root@test ~]# 

  Note: the configuration above means that when sambauser2 accesses the share2 share, it does not get the same directory that sambauser3 gets when accessing share2. In the global section of the main configuration file we added config file=/etc/samba/conf.d/%U, which means that when a user accesses a share, the configuration file used is the file in /etc/samba/conf.d/ with the same name as the user. This is somewhat like the FTP setup where each user accessing the server has a different configuration file read; in this way each user has their own configuration file. If that directory contains no configuration file for the current user, the configuration in the main file applies. Next we test whether sambauser2, on accessing share2, lands in the directory we specified; if so, we will see the file smb_user2.txt

[root@test ~]# smbclient //192.168.0.10/share2 -U sambauser2%admin
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> ls
  .                                   D        0  Wed Jan 29 04:54:52 2020
  ..                                  D        0  Wed Jan 29 04:53:38 2020
  smb_user2.txt                       N        0  Wed Jan 29 04:54:52 2020

                48209924 blocks of size 1024. 45019672 blocks available
smb: \> !ls
f1  passwd
smb: \> mkdir user2
smb: \> ls
  .                                   D        0  Wed Jan 29 05:05:25 2020
  ..                                  D        0  Wed Jan 29 04:53:38 2020
  smb_user2.txt                       N        0  Wed Jan 29 04:54:52 2020
  user2                               D        0  Wed Jan 29 05:05:25 2020

                48209924 blocks of size 1024. 45019600 blocks available
smb: \> q
[root@test ~]# smbclient //192.168.0.10/share2 -U sambauser3%admin
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> ls
  .                                   D        0  Wed Jan 29 04:34:20 2020
  ..                                  D        0  Wed Jan 29 04:17:15 2020
  f1                                  A      501  Wed Jan 29 04:34:20 2020

                48209924 blocks of size 1024. 45019792 blocks available
smb: \> q
[root@test ~]# 

  Note: sambauser2, accessing share2, sees smb_user2.txt, so the directory accessed is /smb/sambauser2; and since it can also create a directory there, the write permission is in effect. sambauser3, accessing share2, gets the files in the directory defined in the main configuration file

  Using a separate log for each client machine

[root@test ~]# grep -v ^"#" /etc/samba/smb.conf|head

[global]
        workgroup = SAMBA
        security = user
        config file=/etc/samba/conf.d/%U

        log file=/var/log/samba/log.%m
        log level=2

        passdb backend = tdbsam
[root@test ~]# 

  Note: the configuration above means that each client host's accesses are logged to a file under /var/log/samba/ named log. followed by the client host name

[root@test ~]# systemctl restart smb
[root@test ~]# ll /var/log/samba/
total 4
drwx------ 3 root root   18 Jan 29 01:43 cores
-rw-r--r-- 1 root root 3670 Jan 29 05:17 log.smbd
drwx------ 2 root root    6 Aug  7  2017 old
[root@test ~]# smbclient //192.168.0.10/share2 -U sambauser2%admin
Domain=[TEST] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> ls
  .                                   D        0  Wed Jan 29 05:05:25 2020
  ..                                  D        0  Wed Jan 29 04:53:38 2020
  smb_user2.txt                       N        0  Wed Jan 29 04:54:52 2020
  user2                               D        0  Wed Jan 29 05:05:25 2020

                48209924 blocks of size 1024. 45019916 blocks available
smb: \> q
[root@test ~]# ll /var/log/samba/
total 12
drwx------ 3 root root   18 Jan 29 01:43 cores
-rw-r--r-- 1 root root  754 Jan 29 05:18 log.192.168.0.10
-rw-r--r-- 1 root root 3670 Jan 29 05:17 log.smbd
-rw-r--r-- 1 root root  625 Jan 29 05:18 log.test
drwx------ 2 root root    6 Aug  7  2017 old
[root@test ~]# cat /var/log/samba/log.test 
[2020/01/29 05:18:28.232515,  2] ../source3/param/loadparm.c:2769(lp_do_section)
  Processing section "[share2]"
[2020/01/29 05:18:28.232705,  2] ../source3/lib/interface.c:345(add_interface)
  added interface ens33 ip=192.168.0.10 bcast=192.168.0.255 netmask=255.255.255.0
[2020/01/29 05:18:28.234784,  2] ../source3/smbd/service.c:822(make_connection_snum)
  test (ipv4:192.168.0.10:33624) connect to service share2 initially as user sambauser2 (uid=1003, gid=1003) (pid 10105)
[2020/01/29 05:18:33.956451,  2] ../source3/smbd/service.c:1098(close_cnum)
  test (ipv4:192.168.0.10:33624) closed connection to service share2
[root@test ~]#

  Note: after modifying the configuration file and restarting the service, no log file had appeared in the directory; then, after accessing a samba share, log files ending in the host name and in the IP address were created there. They record the client's host name, IP address and port, which share was accessed and as which user

IV. Mounting a CIFS filesystem

  Above we demonstrated managing and configuring samba shares, but always interacting with samba through the smbclient tool. Next we show how to mount a cifs filesystem

  Manual mounting

[root@test ~]# df
文件系統                   1K-塊     已用     可用 已用% 掛載點
/dev/mapper/centos-root 27560808 13929596 13631212   51% /
devtmpfs                  923148        0   923148    0% /dev
tmpfs                     935012        0   935012    0% /dev/shm
tmpfs                     935012    17204   917808    2% /run
tmpfs                     935012        0   935012    0% /sys/fs/cgroup
/dev/sda2                1038336   221032   817304   22% /boot
/dev/sda1                 204580    11364   193216    6% /boot/efi
tmpfs                     187004        0   187004    0% /run/user/1000
[root@test ~]# mount -t cifs -o username=sambauser2,password=admin //192.168.0.10/share2 /mnt
[root@test ~]# df
文件系統                   1K-塊     已用     可用 已用% 掛載點
/dev/mapper/centos-root 27560808 13930088 13630720   51% /
devtmpfs                  923148        0   923148    0% /dev
tmpfs                     935012        0   935012    0% /dev/shm
tmpfs                     935012    17204   917808    2% /run
tmpfs                     935012        0   935012    0% /sys/fs/cgroup
/dev/sda2                1038336   221032   817304   22% /boot
/dev/sda1                 204580    11364   193216    6% /boot/efi
tmpfs                     187004        0   187004    0% /run/user/1000
//192.168.0.10/share2   48209924  3190212 45019712    7% /mnt
[root@test ~]# cd /mnt
[root@test mnt]# ls
smb_user2.txt  user2
[root@test mnt]# 

  Note: a manual mount requires the filesystem type and, as mount options, the user name and password. This is a security risk: anyone who logs in to the Linux system and views the command history gets our user name and password, so manual mounting is not recommended

  Mounting automatically at boot

[root@test ~]# df
文件系統                   1K-塊     已用     可用 已用% 掛載點
/dev/mapper/centos-root 27560808 13929600 13631208   51% /
devtmpfs                  923148        0   923148    0% /dev
tmpfs                     935012        0   935012    0% /dev/shm
tmpfs                     935012    17204   917808    2% /run
tmpfs                     935012        0   935012    0% /sys/fs/cgroup
/dev/sda2                1038336   221032   817304   22% /boot
/dev/sda1                 204580    11364   193216    6% /boot/efi
tmpfs                     187004        0   187004    0% /run/user/1000
//192.168.0.10/share2   48209924  3190116 45019808    7% /mnt
[root@test ~]# umount /mnt
[root@test ~]# df
文件系統                   1K-塊     已用     可用 已用% 掛載點
/dev/mapper/centos-root 27560808 13929600 13631208   51% /
devtmpfs                  923148        0   923148    0% /dev
tmpfs                     935012        0   935012    0% /dev/shm
tmpfs                     935012    17204   917808    2% /run
tmpfs                     935012        0   935012    0% /sys/fs/cgroup
/dev/sda2                1038336   221032   817304   22% /boot
/dev/sda1                 204580    11364   193216    6% /boot/efi
tmpfs                     187004        0   187004    0% /run/user/1000
[root@test ~]# echo '//192.168.0.10/share2 /mnt cifs credentials=/etc/samba/smb.txt 0 0' >> /etc/fstab 
[root@test ~]# tail -1 /etc/fstab
//192.168.0.10/share2 /mnt cifs credentials=/etc/samba/smb.txt 0 0
[root@test ~]# cat >/etc/samba/smb.txt
username=sambauser2
password=admin
^C
[root@test ~]# cat /etc/samba/smb.txt
username=sambauser2
password=admin
[root@test ~]# ll /etc/samba/smb.txt
-rw-r--r-- 1 root root 35 1月  31 02:01 /etc/samba/smb.txt
[root@test ~]# chmod 600 /etc/samba/smb.txt
[root@test ~]# ll /etc/samba/smb.txt
-rw------- 1 root root 35 1月  31 02:01 /etc/samba/smb.txt
[root@test ~]# mount -a
mount: 文件系統類型錯誤、選項錯誤、//192.168.0.10/share2 上有壞超級塊、
       缺少代碼頁或助手程序,或其他錯誤
       (對某些文件系統(如 nfs、cifs) 您可能需要
       一款 /sbin/mount.<類型> 助手程序)

       有些情況下在 syslog 中可以找到一些有用信息- 請嘗試
       dmesg | tail  這樣的命令看看。
[root@test ~]#

  Note: the mount policy has to be written into /etc/fstab. After the configuration files above were written, the test mount failed; let us use dmesg | tail to look at the error messages.

[root@test ~]# dmesg | tail
[2046006.177249] CIFS VFS: No username specified
[2046044.418403] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.

  Note: after searching online for most of the day, the cause turned out to be that the cifs-utils package was not installed on the client; once it is installed, the test mount works without problems.

[root@test ~]# yum install cifs-utils
已加載插件:fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
正在解決依賴關系
--> 正在檢查事務
---> 軟件包 cifs-utils.x86_64.0.6.2-10.el7 將被 安裝
--> 解決依賴關系完成

依賴關系解決

===========================================================================================================================================================================
 Package                                    架構                                   版本                                         源                                    大小
===========================================================================================================================================================================
正在安裝:
 cifs-utils                                 x86_64                                 6.2-10.el7                                   base                                  85 k

事務概要
===========================================================================================================================================================================
安裝  1 軟件包

總下載量:85 k
安裝大小:175 k
Is this ok [y/d/N]: y
Downloading packages:
cifs-utils-6.2-10.el7.x86_64.rpm                                                                                                                    |  85 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安裝    : cifs-utils-6.2-10.el7.x86_64                                                                                                                           1/1 
  驗證中      : cifs-utils-6.2-10.el7.x86_64                                                                                                                           1/1 

已安裝:
  cifs-utils.x86_64 0:6.2-10.el7                                                                                                                                           

完畢!
[root@test ~]# mount -a
[root@test ~]# df
文件系統                   1K-塊     已用     可用 已用% 掛載點
/dev/mapper/centos-root 27560808 13931160 13629648   51% /
devtmpfs                  923148        0   923148    0% /dev
tmpfs                     935012        0   935012    0% /dev/shm
tmpfs                     935012    17204   917808    2% /run
tmpfs                     935012        0   935012    0% /sys/fs/cgroup
/dev/sda2                1038336   221032   817304   22% /boot
/dev/sda1                 204580    11364   193216    6% /boot/efi
tmpfs                     187004        0   187004    0% /run/user/1000
//192.168.0.10/share2   48209924  3190200 45019724    7% /mnt
[root@test ~]# ls /mnt
smb_user2.txt  user2  xxx
[root@test ~]# 

  Note: writing the username and password into a configuration file is somewhat safer than putting them on the command line. That covers all the steps for mounting a CIFS filesystem on a Linux system. On Windows we usually map the shared directory to a drive letter and then use it as if it were a local disk; the steps are as follows
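The fstab walkthrough above hinges on two details: the credentials file must not be readable by other users (it was created as 0644 first and only then tightened to 0600, which leaves a window where any local user could read it), and the mount.cifs helper from cifs-utils must be present for credentials= to be honoured (the "No username specified" kernel message is what you see when it is not). The POSIX shell functions below are an added example, not code from the original post: write_cifs_credentials creates the file under a restrictive umask so it is 0600 from the moment it exists, check_cifs_credentials verifies the mode is still safe, and check_fstab_cifs_line inspects a fstab line for an inline password, a missing credentials= option and a missing vers= option (pinning the SMB dialect explicitly is a recommendation derived from the dmesg message above, not something the original line did). The share path, mount point and account name are the constructed values from the walkthrough; demo() exercises everything in a temporary directory, so no root and no server are needed.

```sh
#!/bin/sh
# Added example (not from the original post): safe CIFS credentials file
# handling plus a sanity check of the fstab line. Share, mount point and
# user name are constructed placeholders taken from the walkthrough.

# Create a credentials file that is never group/world readable, even for an
# instant: umask 077 makes the new file 0600 at creation time; the final chmod
# only matters if the path already existed with looser permissions.
write_cifs_credentials() {
    path=$1 user=$2 pass=$3
    old_umask=$(umask)
    umask 077
    rm -f "$path"
    printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$path"
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] && chmod 600 "$path"
}

# Return 0 only when the file exists and its mode is 0600 or 0400 (GNU stat).
check_cifs_credentials() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Inspect one fstab line for a cifs mount. Return codes:
#   0 looks good        1 not a cifs line        2 inline password= option
#   3 no credentials=   4 no vers= (kernel picks the dialect; pin it, e.g. vers=3.0)
check_fstab_cifs_line() {
    set -- $1                        # split the line into its fstab fields
    fstype=$3 opts=",$4,"
    [ "$fstype" = "cifs" ] || return 1
    case "$opts" in *,password=*)    return 2 ;; esac
    case "$opts" in *,credentials=*) ;; *) return 3 ;; esac
    case "$opts" in *,vers=*)        return 0 ;; *) return 4 ;; esac
}

# Stand-alone demo in a temporary directory (no root needed).
demo() {
    d=$(mktemp -d)
    write_cifs_credentials "$d/smb.txt" sambauser2 'example-password'
    check_cifs_credentials "$d/smb.txt" && echo "credentials file mode ok"
    check_fstab_cifs_line '//192.168.0.10/share2 /mnt cifs credentials=/etc/samba/smb.txt,vers=3.0 0 0' \
        && echo "fstab line ok"
    rm -rf "$d"
}

demo
```

Usage: run the script as root with the real path (/etc/samba/smb.txt) in place of the temporary directory, then feed each cifs line of /etc/fstab to check_fstab_cifs_line before running mount -a; a non-zero code names the mistake.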

  Right-click Computer -------> select Map network drive

   After clicking OK, the Samba share is mapped to a network drive on Windows. From then on, accessing the shared directory is just like accessing a local disk.
