实验开始前:
[root@localhost ~]# systemctl stop firewalld ##仅为实验方便而整体关闭防火墙;生产环境不要这样做,应只放行 TCP/445(以及仅在需要兼容旧客户端时放行 TCP/139、UDP/137-138),例如 firewall-cmd --permanent --add-service=samba
SMB文件共享
通用Internet文件系统(CIFS)是服务器信息块(SMB)协议的一个早期方言(SMB1),如今通常把两者统称为 CIFS/SMB。它是 Microsoft Windows 服务器和客户端的标准文件与打印机共享协议。Samba 服务可以把 Linux 文件系统作为 CIFS/SMB 网络文件共享发布出去,并把 Linux 打印机作为 CIFS/SMB 打印机共享出去。
Samba服务的组成部分
1. 软件包:
samba-common – Samba 的公共支持文件(配置文件、工具)
samba-client – 客户端应用程序(smbclient 等)
samba – 服务器应用程序(smbd/nmbd)
2. 服务名称:smb nmb
3. 服务端口:smbd 通常只用 TCP/445 处理所有连接;nmbd 还使用 UDP/137、UDP/138(NetBIOS 名字服务/数据报)以及 TCP/139(NetBIOS 会话)以向后兼容旧客户端。若网络中没有依赖 NetBIOS 的老客户端,可以不启动 nmb,并在防火墙上只放行 445,减少暴露面
4. 主配置文件:/etc/samba/smb.conf
1)服务的安装:
[root@localhost ~]# yum install samba samba-client.x86_64 samba-common -y
[root@localhost ~]# systemctl start smb nmb
[root@localhost ~]# systemctl enable smb nmb
2)添加smb用户
[root@localhost ~]# id student
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel)
[root@localhost ~]# smbpasswd -a student ##添加samba用户:该用户必须已经是本机 Linux 账户(见上面的 id student)。SMB 口令单独保存在 Samba 的 passdb 中,与该用户的 Linux 登录口令相互独立,请勿与系统口令相同
New SMB password:
Retype new SMB password:
Added user student.
[root@localhost ~]# smbclient -L //172.25.254.113 ##未指定 -U 时默认以当前登录用户(root)的身份尝试
Enter root's password:
Connection to 172.25.254.113 failed (Error NT_STATUS_CONNECTION_REFUSED) ##CONNECTION_REFUSED 与口令无关,说明服务端 445 端口没有在监听(smb 未启动)或连接被拒绝;先确认 systemctl status smb 再排查
[root@localhost ~]# pdbedit -L ##查看smb用户信息
student:1000:Student User
[root@localhost ~]# setsebool -P samba_enable_home_dirs on ##在selinux中设定smb用户可以访问自己的家目录(布尔值正确名称为 samba_enable_home_dirs,与下文 getsebool 列表一致)
Boolean enable_samba_home_dirs is not defined ##此报错是因为输入了错误的布尔名 enable_samba_home_dirs;用上面正确的名称重新执行即可
[root@localhost ~]# getsebool -a | grep samba
[root@localhost ~]# smbpasswd -x student ##删除samba用户。注意:删除后下面的测试将无法以 student 登录,该命令应在实验结束后再执行(或再用 smbpasswd -a 重新添加)
测试:
[root@localhost ~]# smbclient //172.25.254.113/student -U student
Enter student's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Thu Jul 10 19:06:52 2014
.. D 0 Thu Jul 10 18:19:09 2014
.bash_logout H 18 Wed Jan 29 07:45:18 2014
.bash_profile H 193 Wed Jan 29 07:45:18 2014
.bashrc H 231 Wed Jan 29 07:45:18 2014
.ssh DH 0 Thu Jul 10 18:19:10 2014
.config DH 0 Thu Jul 10 19:06:53 2014
40913 blocks of size 262144. 28503 blocks available
smb: \> quit
[root@localhost ~]#
3)共享目录的基本设定
[root@localhost ~]# vim /etc/samba/smb.conf
321 [haha] ##共享目录
322 comment = local directory ##对共享目录的描述
323 path = /smbshare ##共享目录的绝对路径
89 workgroup = WESTOS ##组名的更改(可改可不改,如果改就在这改)
[root@localhost ~]# systemctl restart smb.service
####当共享目录为用户自建立目录时
[root@localhost ~]# mkdir /smbshare ##自己建立的文件
[root@localhost ~]# touch /smbshare/westosha
[root@localhost ~]# semanage fcontext -a -t samba_share_t '/smbshare(/.*)?' ##把共享目录及其内容的 SELinux 类型统一设为 samba_share_t。这是最小授权的做法:只放行这一个目录,而不是像后面那样用 samba_export_all_* 放行整个文件系统
[root@localhost ~]# restorecon -RvvF /smbshare ##按上一步的规则刷新现有文件的安全上下文(semanage 只登记规则,不会修改已存在的文件)
context system_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
restorecon reset /smbshare/westosha context system_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
测试:
[root@foundation13 Desktop]# smbclient //172.25.254.113/haha -U student
Enter student's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \* ##第一次列目录被拒绝:通常是目录还没有打上 samba_share_t 标签或 smb 尚未重启(可在 /var/log/audit/audit.log 中确认是否为 SELinux 拒绝);打标签并重启后再试即成功,见下
smb: \> quit
[root@foundation13 Desktop]# smbclient //172.25.254.113/haha -U student
Enter student's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Sat Jun 3 14:25:33 2017
.. D 0 Sat Jun 3 14:25:16 2017
westosha N 0 Sat Jun 3 14:25:33 2017
10473900 blocks of size 1024. 7296000 blocks available
smb: \> quit
[root@localhost ~]# setsebool -P samba_enable_home_dirs 0
[root@localhost ~]# systemctl restart smb.service
[root@localhost ~]# cd /mnt
[root@localhost mnt]# ls
[root@localhost mnt]# touch file{1..5}
[root@localhost mnt]# ls
file1 file2 file3 file4 file5
[root@localhost mnt]# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_sandbox_use_samba --> off
virt_use_samba --> off
####当共享目录为系统建立目录
[root@localhost mnt]# setsebool -P samba_export_all_ro on ##只读共享:允许 smbd 读取任意 SELinux 标签的文件。这是对整台机器放宽策略,只应在共享系统已有目录且无法重新打标签时使用;能用 samba_share_t 单独标记目录时优先用前一种方法
[root@localhost mnt]# systemctl restart smb.service
[root@localhost mnt]# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> on
samba_export_all_rw --> off ##读写共享(开启后 smbd 可读写任意标签的文件,授权范围比 samba_export_all_ro 更大,需要时再开)
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_sandbox_use_samba --> off
virt_use_samba --> off
[root@localhost smbshare]# vim /etc/samba/smb.conf
321 [haha]
322 comment = local directory
323 path = /mnt
[root@localhost smbshare]# systemctl restart smb.service
测试:
[root@foundation13 Desktop]# smbclient //172.25.254.113/haha -U student
Enter student's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Sat Jun 3 14:36:40 2017
.. D 0 Sat Jun 3 14:25:16 2017
file1 N 0 Sat Jun 3 14:36:40 2017
file2 N 0 Sat Jun 3 14:36:40 2017
file3 N 0 Sat Jun 3 14:36:40 2017
file4 N 0 Sat Jun 3 14:36:40 2017
file5 N 0 Sat Jun 3 14:36:40 2017
10473900 blocks of size 1024. 7305632 blocks available
smb: \>
4)samba的配置参数
更改完配置文件时刻重启生效:systemctl restart smb.service
vim /etc/samba/smb.conf
guest ok = yes ##允许匿名(guest)访问该共享。开启后网络上任何能连到 445 端口的主机都无需口令即可读取共享内容,只应用于确实公开的资料
map to guest = bad user ##把 Samba 口令库中不存在的用户名映射为 guest 账户。注意:存在的用户名若口令错误仍会被拒绝,因此这一选项不会绕过已有用户的认证,但会让任意不存在的用户名匿名进入
测试:
[root@foundation13 Desktop]# smbclient //172.25.254.113/haha
Enter kiosk's password: ##直接回车跳过即可,不用输密码:kiosk 不在 Samba 口令库中,被 map to guest = bad user 映射成了 guest
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Sat Jun 3 14:36:40 2017
.. D 0 Sat Jun 3 14:25:16 2017
file1 N 0 Sat Jun 3 14:36:40 2017
file2 N 0 Sat Jun 3 14:36:40 2017
file3 N 0 Sat Jun 3 14:36:40 2017
file4 N 0 Sat Jun 3 14:36:40 2017
file5 N 0 Sat Jun 3 14:36:40 2017
10473900 blocks of size 1024. 7305624 blocks available
smb: \> quit
###访问控制
1.hosts allow = ip ##仅允许列出的 IP(或网段,如 172.25.254.0/24)访问;写在 [global] 中对所有共享生效,写在某个共享段中只对该共享生效。hosts allow/deny 只根据来源 IP 判断,不能代替用户认证,应作为认证之外的附加限制
测试:
[root@foundation13 Desktop]# smbclient //172.25.254.113/haha -U student
Enter student's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Sat Jun 3 14:36:40 2017
.. D 0 Sat Jun 3 14:25:16 2017
file1 N 0 Sat Jun 3 14:36:40 2017
file2 N 0 Sat Jun 3 14:36:40 2017
file3 N 0 Sat Jun 3 14:36:40 2017
file4 N 0 Sat Jun 3 14:36:40 2017
file5 N 0 Sat Jun 3 14:36:40 2017
10473900 blocks of size 1024. 7303804 blocks available
smb: \> quit
2.hosts deny = ip ##拒绝列出的 IP 访问。若同时设置了 hosts allow 和 hosts deny,以 hosts allow 为准;Windows 客户端被拒时也会返回 NT_STATUS_ACCESS_DENIED
测试:
[root@foundation13 Desktop]# smbclient //172.25.254.113/haha -U student
Enter student's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
tree connect failed: NT_STATUS_ACCESS_DENIED
3.
valid users = 用户 ##当前共享的有效用户:只有列表中的用户可以连接,其他已认证用户也会被 tree connect failed: NT_STATUS_ACCESS_DENIED 拒绝
valid users = @westos或+westos ##当前共享的有效用户为 westos 组的成员。@组名 会先查 NIS 组再查本地组,+组名 只查本地组;只想匹配本地组时用 +westos 更明确
测试:
[root@foundation13 Desktop]# smbclient //172.25.254.113/haha -U westos
Enter westos's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Sat Jun 3 14:36:40 2017
.. D 0 Sat Jun 3 14:25:16 2017
file1 N 0 Sat Jun 3 14:36:40 2017
file2 N 0 Sat Jun 3 14:36:40 2017
file3 N 0 Sat Jun 3 14:36:40 2017
file4 N 0 Sat Jun 3 14:36:40 2017
file5 N 0 Sat Jun 3 14:36:40 2017
10473900 blocks of size 1024. 7303804 blocks available
smb: \> quit
[root@foundation13 Desktop]# smbclient //172.25.254.113/haha -U student
Enter student's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@localhost smbshare]# usermod -G westos student ##把 student 加入 westos 组后即满足 valid users = @westos。注意 -G 不带 -a 会把用户从其它附加组(例如上面的 wheel)中移除;只想追加附加组时应使用 usermod -aG westos student
[root@foundation13 Desktop]# smbclient //172.25.254.113/haha -U student
Enter student's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Sat Jun 3 14:36:40 2017
.. D 0 Sat Jun 3 14:25:16 2017
file1 N 0 Sat Jun 3 14:36:40 2017
file2 N 0 Sat Jun 3 14:36:40 2017
file3 N 0 Sat Jun 3 14:36:40 2017
file4 N 0 Sat Jun 3 14:36:40 2017
file5 N 0 Sat Jun 3 14:36:40 2017
10473900 blocks of size 1024. 7303804 blocks available
smb: \> quit
###读写控制
所有用户均可写(Samba 的写权限同时受三层控制:smb.conf 中的 writable/write list、共享目录的 Linux 文件权限、以及 SELinux 布尔值,三者都放行才能写入)
[root@localhost smbshare]# chmod o+w /mnt ##让其他人可写。这会使本机所有用户也能在 /mnt 下创建和删除文件,实验外更合适的做法是只给专门的组授权(chgrp + chmod g+w),或加上粘滞位(chmod 1777)防止互删
[root@localhost smbshare]# setsebool -P samba_export_all_rw on ##允许 smbd 读写任意 SELinux 标签的文件(全局放宽);若能给目录单独打 samba_share_t 标签,应优先用那种方式
[root@localhost smbshare]# vim /etc/samba/smb.conf
[haha]
comment = local directory
path = /mnt
writable = yes ##读写控制打开(等价于 read only = no)
admin users = westos ##参数名应为 admin users(见下文);列出的用户在该共享上的所有文件操作都以 root 身份执行,相当于授予该共享上的 root 权限,只能给完全可信的管理员,通常不应与 writable = yes 一起对普通用户开放
[root@localhost smbshare]# systemctl restart smb.service
测试:
[root@foundation13 Desktop]# mount -o username=westos,password=westos //172.25.254.113/haha /mnt/ ##口令直接写在命令行里会出现在 shell 历史和其它用户可见的 ps 输出中,仅适合实验;实际使用请像第 5 节那样改用 credentials=文件(权限 600)
[root@foundation13 Desktop]# cd /mnt
[root@foundation13 mnt]# ls
file1 file2 file3 file4 file5
[root@foundation13 mnt]# touch file6
[root@foundation13 mnt]# ls
file1 file2 file3 file4 file5 file6
设定指定用户可写
write list = student ##即使共享是只读(read only = yes),列表中的用户仍可写入
write list = +student ##可写用户组(+ 只查本地组)
write list = @student ##可写用户组(@ 先查 NIS 组再查本地组)
admin users = westos ##共享的超级用户指定:该用户在此共享上的操作均以 root 身份执行,应尽量不用或只给可信管理员
5)smb多用户挂载
在client上
[root@foundation13 mnt]# vim /root/haha ##凭据文件,用户名和口令以明文保存,因此必须放在 root 私有目录并设为 600
1 username=student
2 password=student
测试:
[root@foundation13 mnt]# chmod 600 /root/haha ##凭据文件内含明文口令,只允许 root 读写;mount.cifs 本身也不会接受其它用户可读的凭据文件
[root@foundation13 mnt]# yum install cifs-utils -y
[root@foundation13 mnt]# mount -o credentials=/root/haha,multiuser,sec=ntlmssp //172.25.254.113/haha /mnt/
#credentials=/root/haha ##指定挂载时所用的凭据文件,避免把口令写在命令行上
#multiuser ##多用户模式:挂载时用的凭据只用于建立挂载,之后每个本地用户访问时都要用自己的 SMB 凭据(通过 cifscreds 放入内核密钥环)单独认证,权限按各自的 SMB 身份判定
#sec=ntlmssp ##使用 NTLMSSP 封装的 NTLMv2 认证,这是目前的标准方式;不要降级为 sec=ntlm 或 lanman 等旧方式
[root@foundation13 mnt]# ls
file
[root@foundation13 mnt]# su - kiosk
Last login: Sat Jun 3 16:43:08 CST 2017 on pts/5
[kiosk@foundation13 ~]$ ls /mnt/
ls: cannot access /mnt/: Permission denied ##multiuser 模式下 kiosk 还没有向服务器提交自己的 SMB 凭据,所以无法访问该共享;需要先用 cifscreds 添加凭据
[kiosk@foundation13 ~]$ cifscreds add -u westos 172.25.254.113 ##以 westos 的 SMB 身份为当前本地用户(kiosk)添加凭据,凭据保存在该用户的内核密钥环中,仅当前会话有效;此后 kiosk 对 /mnt 的访问按 westos 的 SMB 权限判定
Password:
[kiosk@foundation13 ~]$ ls /mnt
file