1 安裝
安裝
yum install samba -y
卸載
yum remove samba* -y
配置文件
安裝完成后可以查看到配置文件
ls /etc/samba
會自動產生三個文件 smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
workgroup = SAMBA #設置主機工作組
security = user #以user或share驗證方式訪問
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
lmhosts
127.0.0.1 localhost
smb.conf.example 和smb.conf 類似
# This is the main Samba configuration file. For detailed information about the # options listed here, refer to the smb.conf(5) manual page. Samba has a huge # number of configurable options, most of which are not shown in this example. # # The Samba Wiki contains a lot of step-by-step guides installing, configuring, # and using Samba: # https://wiki.samba.org/index.php/User_Documentation # # In this file, lines starting with a semicolon (;) or a hash (#) are # comments and are ignored. This file uses hashes to denote commentary and # semicolons for parts of the file you may wish to configure. # # NOTE: Run the "testparm" command after modifying this file to check for basic # syntax errors. # #--------------- # Security-Enhanced Linux (SELinux) Notes: # # Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the # useradd and groupadd family of binaries. Run the following command as the # root user to turn this Boolean on: # setsebool -P samba_domain_controller on # # Turn the samba_enable_home_dirs Boolean on if you want to share home # directories via Samba. Run the following command as the root user to turn this # Boolean on: # setsebool -P samba_enable_home_dirs on # # If you create a new directory, such as a new top-level directory, label it # with samba_share_t so that SELinux allows Samba to read and write to it. Do # not label system directories, such as /etc/ and /home/, with samba_share_t, as # such directories should already have an SELinux label. # # Run the "ls -ldZ /path/to/directory" command to view the current SELinux # label for a given directory. # # Set SELinux labels only on files and directories you have created. Use the # chcon command to temporarily change a label: # chcon -t samba_share_t /path/to/directory # # Changes made via chcon are lost when the file system is relabeled or commands # such as restorecon are run. # # Use the samba_export_all_ro or samba_export_all_rw Boolean to share system # directories. To share such directories and only allow read-only permissions: # setsebool -P samba_export_all_ro on # To share such directories and allow read and write permissions: # setsebool -P samba_export_all_rw on # # To run scripts (preexec/root prexec/print command/...), copy them to the # /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them. # Note that if you move the scripts to /var/lib/samba/scripts/, they retain # their existing SELinux labels, which may be labels that SELinux does not allow # smbd to run. Copying the scripts will result in the correct SELinux labels. # Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to # apply the correct SELinux labels to these files. # #-------------- # #======================= Global Settings ===================================== [global] # ----------------------- Network-Related Options ------------------------- # # workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP. # # server string = the equivalent of the Windows NT Description field. # # netbios name = used to specify a server name that is not tied to the hostname, # maximum is 15 characters. # # interfaces = used to configure Samba to listen on multiple network interfaces. # If you have multiple interfaces, you can use the "interfaces =" option to # configure which of those interfaces Samba listens on. Never omit the localhost # interface (lo). # # hosts allow = the hosts allowed to connect. This option can also be used on a # per-share basis. # # hosts deny = the hosts not allowed to connect. This option can also be used on # a per-share basis. # workgroup = MYGROUP server string = Samba Server Version %v ; netbios name = MYSERVER ; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 ; hosts allow = 127. 192.168.12. 192.168.13. # --------------------------- Logging Options ----------------------------- # # log file = specify where log files are written to and how they are split. # # max log size = specify the maximum size log files are allowed to reach. Log # files are rotated when they reach the size specified with "max log size". # # log files split per-machine: log file = /var/log/samba/log.%m # maximum size of 50KB per log file, then rotate: max log size = 50 # ----------------------- Standalone Server Options ------------------------ # # security = the mode Samba runs in. This can be set to user, share # (deprecated), or server (deprecated). # # passdb backend = the backend used to store user information in. New # installations should use either tdbsam or ldapsam. No additional configuration # is required for tdbsam. The "smbpasswd" utility is available for backwards # compatibility. # security = user passdb backend = tdbsam # ----------------------- Domain Members Options ------------------------ # # security = must be set to domain or ads. # # passdb backend = the backend used to store user information in. New # installations should use either tdbsam or ldapsam. No additional configuration # is required for tdbsam. The "smbpasswd" utility is available for backwards # compatibility. # # realm = only use the realm option when the "security = ads" option is set. # The realm option specifies the Active Directory realm the host is a part of. # # password server = only use this option when the "security = server" # option is set, or if you cannot use DNS to locate a Domain Controller. The # argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]: # # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name] # # Use "password server = *" to automatically locate Domain Controllers. ; security = domain ; passdb backend = tdbsam ; realm = MY_REALM ; password server = <NT-Server-Name> # ----------------------- Domain Controller Options ------------------------ # # security = must be set to user for domain controllers. # # passdb backend = the backend used to store user information in. New # installations should use either tdbsam or ldapsam. No additional configuration # is required for tdbsam. The "smbpasswd" utility is available for backwards # compatibility. # # domain master = specifies Samba to be the Domain Master Browser, allowing # Samba to collate browse lists between subnets. Do not use the "domain master" # option if you already have a Windows NT domain controller performing this task. # # domain logons = allows Samba to provide a network logon service for Windows # workstations. # # logon script = specifies a script to run at login time on the client. These # scripts must be provided in a share named NETLOGON. # # logon path = specifies (with a UNC path) where user profiles are stored. # # ; security = user ; passdb backend = tdbsam ; domain master = yes ; domain logons = yes # the following login script name is determined by the machine name # (%m): ; logon script = %m.bat # the following login script name is determined by the UNIX user used: ; logon script = %u.bat ; logon path = \\%L\Profiles\%u # use an empty path to disable profile support: ; logon path = # various scripts can be used on a domain controller or a stand-alone # machine to add or delete corresponding UNIX accounts: ; add user script = /usr/sbin/useradd "%u" -n -g users ; add group script = /usr/sbin/groupadd "%g" ; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u" ; delete user script = /usr/sbin/userdel "%u" ; delete user from group script = /usr/sbin/userdel "%u" "%g" ; delete group script = /usr/sbin/groupdel "%g" # ----------------------- Browser Control Options ---------------------------- # # local master = when set to no, Samba does not become the master browser on # your network. When set to yes, normal election rules apply. # # os level = determines the precedence the server has in master browser # elections. The default value should be reasonable. # # preferred master = when set to yes, Samba forces a local browser election at # start up (and gives itself a slightly higher chance of winning the election). # ; local master = no ; os level = 33 ; preferred master = yes #----------------------------- Name Resolution ------------------------------- # # This section details the support for the Windows Internet Name Service (WINS). # # Note: Samba can be either a WINS server or a WINS client, but not both. # # wins support = when set to yes, the NMBD component of Samba enables its WINS # server. # # wins server = tells the NMBD component of Samba to be a WINS client. # # wins proxy = when set to yes, Samba answers name resolution queries on behalf # of a non WINS capable client. For this to work, there must be at least one # WINS server on the network. The default is no. # # dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS # nslookups. ; wins support = yes ; wins server = w.x.y.z ; wins proxy = yes ; dns proxy = yes # --------------------------- Printing Options ----------------------------- # # The options in this section allow you to configure a non-default printing # system. # # load printers = when set you yes, the list of printers is automatically # loaded, rather than setting them up individually. # # cups options = allows you to pass options to the CUPS library. Setting this # option to raw, for example, allows you to use drivers on your Windows clients. # # printcap name = used to specify an alternative printcap file. # load printers = yes cups options = raw ; printcap name = /etc/printcap # obtain a list of printers automatically on UNIX System V systems: ; printcap name = lpstat ; printing = cups # --------------------------- File System Options --------------------------- # # The options in this section can be un-commented if the file system supports # extended attributes, and those attributes are enabled (usually via the # "user_xattr" mount option). These options allow the administrator to specify # that DOS attributes are stored in extended attributes and also make sure that # Samba does not change the permission bits. # # Note: These options can be used on a per-share basis. Setting them globally # (in the [global] section) makes them the default for all shares. ; map archive = no ; map hidden = no ; map read only = no ; map system = no ; store dos attributes = yes #============================ Share Definitions ============================== [homes] comment = Home Directories browseable = no writable = yes ; valid users = %S ; valid users = MYDOMAIN\%S [printers] comment = All Printers path = /var/spool/samba browseable = no guest ok = no writable = no printable = yes # Un-comment the following and create the netlogon directory for Domain Logons: ; [netlogon] ; comment = Network Logon Service ; path = /var/lib/samba/netlogon ; guest ok = yes ; writable = no ; share modes = no # Un-comment the following to provide a specific roaming profile share. # The default is to use the user's home directory: ; [Profiles] ; path = /var/lib/samba/profiles ; browseable = no ; guest ok = yes # A publicly accessible directory that is read only, except for users in the # "staff" group (which have write permissions): ; [public] ; comment = Public Stuff ; path = /home/samba ; public = yes ; writable = no ; printable = no ; write list = +staff
samba 軟件目錄結構
/etc/samba/smb.conf #samba服務的主要配置文件
/etc/samba/lmhosts #samba服務的域名設定,主要設置IP地址對應的域名,類似linux系統的/etc/hosts
/etc/samba/smbusers #samba服務設置samba虛擬用戶的配置文件
/var/log/samba #samab服務存放日志文件
/var/lib/samba/private/{passdb.tdb,secrets.tdb} #存放samba的用戶賬號和密碼數據庫文檔
2 配置
2.1 找到win的工作組
轉到Windows PC並啟動命令提示符。輸入命令:
> net config workstation
從輸出中我們可以清楚地看到工作站域指向' WORKGROUP '。稍后將在Linux機器上對其進行配置。
2.2 設置smb.conf
先復制一份
cp smb.conf smb.conf.copy
編輯smb.conf
vim /etc/samba/smb.conf
[global]
workgroup = WORKGROUP
server string = Samba Server %v #samba服務注釋
netbios name = centos-8
security = user
map to guest = bad user
dns proxy = no
[ttt]
path = /myweb
browsable =yes
writable = yes
guest ok = yes
;read only = no #共享文件可讀,不能與writable共用
2.3 全局參數設置
#全局設置參數 [global] config file = /etc/samba/smb.conf.%U #可以讓你使用另一個配置文件來覆蓋缺省的配置文件。如果文件 不存在,則該項無效。 workgroup = WORKGROUP #工作組名稱 server string = Samba Server Version %v #主機的簡易說明 netbios name = MYSERVER #主機的netBIOS名稱,如果不填寫則默認服務器DNS的一部分,workgroup和netbios name名字不要設置成一樣 interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 #設置samba服務器監聽網卡,可以寫網卡名稱或IP地址,默認注釋 hosts allow = 127. 192.168.12. 192.168.13. #設置允許連接到samba服務器的客戶端,默認注釋 hosts deny =192.168.12.0/255.255.255.0 #設置不允許連接到samba服務器的客戶端,默認注釋 log level =1 #日志文件安全級別,0~10級別,默認0 log file = /var/log/samba/%m #產生日志文件的命名,默認以訪問者IP地址命名 max log size = 50 #日志文件最大容量50,默認50,單位為KB,0表示不限制
2.3.1 security = share
#設置用戶訪問samba服務器的驗證方式 ,一共四種驗證方式。
1. share:用戶訪問Samba Server不需要提供用戶名和口令, 安全性能較低。
2. user:Samba Server共享目錄只能被授權的用戶訪問,由Samba Server負責檢查賬號和密碼的正確性。賬號和密碼要在本Samba Server中建立。
3. server:依靠其他Windows NT/2000或Samba Server來驗證用戶的賬號和密碼,是一種代理驗證。此種安全模式下,系統管理員可以把所有的Windows用戶
和口令集中到一個NT系統上,使用Windows NT進行Samba認證, 遠程服務器可以自動認證全部用戶和口令,如果認證失敗,Samba將使用用戶級安全模式作為替代的方式。
4. domain:域安全級別,使用主域控制器(PDC)來完成認證。
2.3.2 passdb backend = tdbsam
#定義用戶后台類型
1、smbpasswd:使用SMB服務的smbpasswd命令給系統用戶設置SMB密碼
2、tdbsam:創建數據庫文件並使用pdbedit建立SMB獨立用戶,smbpasswd –a username建立samba用戶並設置密碼,不過建立samba用戶
必須先建立系統用戶,也可以使用pdbedit命令來建立samba用戶:
pdbedit –a username:新建Samba賬戶。
pdbedit –x username:刪除Samba賬戶。
pdbedit –L:列出Samba用戶列表,讀取passdb.tdb數據庫文件。
pdbedit –Lv:列出Samba用戶列表的詳細信息。
pdbedit –c “[D]” –u username:暫停該Samba用戶的賬號。
pdbedit –c “[]” –u username:恢復該Samba用戶的賬號。
2.2.3 ldapsam:
基於LDAP服務進行賬戶驗證
username map = /etc/samba/smbusers #配合/etc/samba/smbusers文件設置虛擬用戶
2.4 共享文件設置參數
[share] #自定義共享名稱 comment = This is share software #共享描述 path = /home/testfile #共享目錄路徑 browseable = yes/no #設置共享是否可瀏覽,如果no就表示隱藏,需要通過IP+共享名稱進行訪問 writable = yes/no #設置共享是否具有可寫權限 read only = yes/no #設置共享是否具有只讀權限 admin users = root #設置共享的管理員,如果security =share 時,引項無效,多用戶中間使用逗號隔開,例如admin users = root,user1,user2 valid users = username #設置允許訪問共享的用戶,例如valid users = user1,user2,@group1,@group2(多用戶或組使用逗號隔開,@group表示group用戶組) invalid users = username #設置不允許訪問共享的用戶 write list = username #設置在共享具有寫入權限的用戶,例如例如write list = user1,user2,@group1,@group2(多用戶或組使用逗號隔開,@group表示group用戶組) public = yes/no #設置共享是否允許guest賬戶訪問 guest ok = yes/no #功能同public 一樣 create mask = 0700 #創建的文件權限為700 directory mode = 0700 #創建的文件目錄為 700
2.5 不需要賬號密碼訪問的共享(security = share )
ls -ld /home/smbuser/ #查看共享文件權限
chmod 777 /home/smbuser/ #分配共享文件最大權限
testparm #檢查smb.conf配置文件是否有語法錯誤
netstat -tlnp | grep mbd #查看samba端口,TCP端口139,445 UDP端口 137,138
vim /etc/samba/smb.conf #設置smb.conf配置文件
[global] workgroup = WORKGROUP #設置主機工作組 server string = Samba Server Version %v #samba服務注釋 log level = 1 #設置日志文件安全級別為1 log file = /var/log/samba/%m #設置日志文件名稱,%m以IP地址為名稱 max log size = 50 #設置日志文件最大容量50KB,0表示不限制 security = share #以share驗證方式訪問 passdb backend = tdbsam #定義用戶后台類型 load printers = no #關閉打印共享功能 cups options = raw #打印機選項 [usershare] comment = Home Directories #共享文件描述 path = /home/shareuser #共享路徑 browseable = yes #共享文件可以瀏覽 writable = yes #共享文件可寫 ; read only = yes #共享文件可讀,不能與writable共用 guest ok = yes #允許guest用戶訪問
在linux操作需要進行掛載
yum -y install samba-client #在線安裝samba-client才能使用smbclient命令
smbclient -L //192.168.2.234 #查看samba服務器共享目錄
mount -t cifs //192.168.2.234/usershare /mnt/share #掛載
2.6 需要輸入賬號和密碼訪問的共享(security = user)
標注:創建samba用戶之前必須先創建系統用戶,系統用戶和samba用戶名一樣,但密碼可以設置成不一樣
useradd test01 #創建系統用戶test01
useradd test02 #創建系統用戶test02
passwd test01 #設置系統用戶test01密碼
passwd test01 #設置系統用戶test02密碼
smbpasswd -a test01 #把系統用戶test01添加為samba用戶並設置samba用戶登錄密碼
smbpasswd -a test02 #把系統用戶test02添加為samba用戶並設置samba用戶登錄密碼
pdbedit –L #查看samba用戶
mkdir /home/{smbadmin01,smbuser01} #home創建兩個共享目錄
chmod 777 /home/{smbadmin01,smbuser01} #目錄分配最高權限
vim /etc/samba/smb.conf #設置smb.conf配置文件
[global] workgroup = WORKGROUP #設置主機工作組 server string = Samba Server Version %v #samba服務注釋 log level = 1 #設置日志文件安全級別為1 log file = /var/log/samba/%m #設置日志文件名稱,%m以IP地址為名稱 max log size = 50 #設置日志文件最大容量50KB,0表示不限制 security = user #以user驗證方式訪問 passdb backend = tdbsam #定義用戶后台類型 load printers = no #關閉打印共享功能 cups options = raw #打印機選項 [usershare] comment = Home Directories #共享文件描述 path = /home/smbuser01 #共享路徑 browseable = yes #共享文件可以瀏覽 read only = yes #共享文件可讀,不能與writable共用 valid users = test01,test02 #設置允許訪問共享用戶 [adminshare] comment = Home Directories #共享文件描述 path = /home/smbadmin01 #共享路徑 browseable = yes #共享文件可以瀏覽 writable = yes #共享文件可寫 create make = 0664 #設置用戶創建文件權限0664 directory make = 0775 #設置用戶創建目錄權限0775 write list = test01 #設置允許訪問共享具有寫入權限的用戶
3 使用
啟動
systemctl start smb.service
設為開機啟動
systemctl enable smb.service
重啟
systemctl restart smb.service
組成Samba運行的有兩個服務,一個是SMB,另一個是NMB;SMB是Samba 的核心啟動服務,主要負責建立 Linux Samba服務器與Samba客戶機之間的對話, 驗證用戶身份並提供對文件和打印系統的訪問,只有SMB服務啟動,才能實現文件的共享,監聽139 TCP端口;而NMB服務是負責解析用的,類似與DNS實現的功能,NMB可以把Linux系統共享的工作組名稱與其IP對應起來,如果NMB服務沒有啟動,就只能通過IP來訪問共享文件,監聽137和138 UDP端口。
systemctl start nmb
設為開機啟動
systemctl enable nmb.service
查看狀態
systemctl status smb.service
win連接
輸入密碼
參考閱讀