1. Set up a Samba share with shared directory /data. Requirements (describe the full process):
1) the share name is shared and the workgroup is magedu;
2) add the group develop; add the users gentoo, centos and ubuntu, where gentoo and centos have develop as a supplementary group and ubuntu is not a member of develop; each password equals the username;
3) add the Samba users gentoo, centos and ubuntu, all with the password "mageedu";
4) on the Samba share shared, only the develop group has write permission; all other users get read-only access;
5) the Samba share service only accepts connections from hosts on the 172.16.0.0/16 network;
Lab environment:
Samba server: 172.16.10.11 (CentOS 7.2)
Samba client: 172.16.10.12 (CentOS 7.2)
1. Samba server configuration
1) Install the samba package, start the services, and check which ports are listening
[root@localhost ~]# yum install -y samba
[root@localhost ~]# systemctl start smb.service
[root@localhost ~]# systemctl start nmb.service
[root@localhost ~]# ss -tunlp | egrep 'smb|nmb'
udp UNCONN 0 0 172.16.10.255:137 *:* users:(("nmbd",pid=13450,fd=22))
udp UNCONN 0 0 172.16.10.11:137 *:* users:(("nmbd",pid=13450,fd=21))
udp UNCONN 0 0 172.16.10.255:138 *:* users:(("nmbd",pid=13450,fd=24))
udp UNCONN 0 0 172.16.10.11:138 *:* users:(("nmbd",pid=13450,fd=23))
udp UNCONN 0 0 *:137 *:* users:(("nmbd",pid=13450,fd=15))
udp UNCONN 0 0 *:138 *:* users:(("nmbd",pid=13450,fd=16))
tcp LISTEN 0 50 *:139 *:* users:(("smbd",pid=13437,fd=38))
tcp LISTEN 0 50 *:445 *:* users:(("smbd",pid=13437,fd=37))
2) Create the shared directory
[root@localhost ~]# mkdir /data
3) Create the system users and the system group, and set the supplementary group
[root@localhost ~]# useradd centos
[root@localhost ~]# useradd gentoo
[root@localhost ~]# useradd ubuntu
[root@localhost ~]# echo centos | passwd --stdin centos
Changing password for user centos.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# echo gentoo | passwd --stdin gentoo
Changing password for user gentoo.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# echo ubuntu | passwd --stdin ubuntu
Changing password for user ubuntu.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# groupadd develop
[root@localhost ~]# usermod -G develop centos
[root@localhost ~]# usermod -G develop gentoo
4) Grant the required filesystem permissions on the shared directory
[root@localhost ~]# ls -ld /data/
drwxr-xr-x. 2 root root 6 Sep 4 14:40 /data/
[root@localhost ~]# setfacl -m g:develop:rwx /data
[root@localhost ~]# getfacl /data/
getfacl: Removing leading '/' from absolute path names
# file: data/
# owner: root
# group: root
user::rwx
group::r-x
group:develop:rwx
mask::rwx
other::r-x
5) Add and verify the Samba users
[root@localhost ~]# smbpasswd -a centos
New SMB password:
Retype new SMB password:
Added user centos.
[root@localhost ~]# smbpasswd -a gentoo
New SMB password:
Retype new SMB password:
Added user gentoo.
[root@localhost ~]# smbpasswd -a ubuntu
New SMB password:
Retype new SMB password:
Added user ubuntu.
[root@localhost ~]# pdbedit -L
centos:1000:centos
ubuntu:1002:
gentoo:1001:
6) Edit the Samba configuration file /etc/samba/smb.conf, changing and adding the following
[root@localhost ~]# vim /etc/samba/smb.conf
workgroup = magedu
[shared]
comment = shared dir
path = /data
write list = @develop
hosts allow = 172.16.
7) Check the configuration file, reload the service, and verify Samba
[root@localhost ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[shared]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

# Global parameters
[global]
    workgroup = MAGEDU
    server string = Samba Server Version %v
    security = USER
    log file = /var/log/samba/log.%m
    max log size = 50
    idmap config * : backend = tdb
    cups options = raw

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    print ok = Yes
    browseable = No

[shared]
    comment = shared dir
    path = /data
    write list = @develop
    hosts allow = 172.16.
[root@localhost ~]# systemctl reload smb.service
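As an added illustration (not part of the original write-up), the Python below models how Samba decides access for the lab's [shared] stanza: hosts allow gates the connection, write list grants write access to @develop, and everyone else falls back to the read-only default. The group memberships and share values are constructed from the page; the hosts allow parser covers only the dotted-prefix, CIDR and single-address forms.

```python
import ipaddress

# Constructed to mirror the lab: supplementary groups as set with usermod -G.
GROUPS = {"gentoo": {"develop"}, "centos": {"develop"}, "ubuntu": set()}

# The [shared] stanza from the lab's smb.conf as a dict (constructed).
# 'read only' is not set, so Samba's default (yes) applies to the share.
SHARED = {"path": "/data", "write list": "@develop", "hosts allow": "172.16."}

def host_allowed(client_ip, hosts_allow):
    """Samba 'hosts allow' semantics (subset): an entry ending in '.' is a
    dotted-quad prefix, an entry with '/' is a CIDR network, anything else
    is a single address. An empty list allows every host."""
    entries = hosts_allow.split()
    if not entries:
        return True
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        if entry.endswith("."):
            if client_ip.startswith(entry):
                return True
        elif "/" in entry:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        elif client_ip == entry:
            return True
    return False

def in_write_list(user, write_list, groups=GROUPS):
    """'write list' names users, or groups with a leading '@'."""
    for entry in write_list.split():
        if entry.startswith("@") and entry[1:] in groups.get(user, set()):
            return True
        if entry == user:
            return True
    return False

def access(user, client_ip, share=SHARED):
    """Return 'deny', 'ro' or 'rw' for user connecting from client_ip.
    Samba intersects this with filesystem permissions: a write also needs
    the setfacl g:develop:rwx entry the lab puts on /data."""
    if not host_allowed(client_ip, share.get("hosts allow", "")):
        return "deny"
    if in_write_list(user, share.get("write list", "")):
        return "rw"  # write list overrides 'read only = yes'
    read_only = share.get("read only", "yes").lower() in ("yes", "true", "1")
    return "ro" if read_only else "rw"
```

In the lab the hosts allow line sits inside [shared], so it restricts that share only; placed under [global] it would restrict every share, including [homes].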
2. Samba client verification
1) Install the samba-client package
[root@localhost ~]# yum install -y samba-client
2) List the shares and verify the permissions
[root@localhost ~]# smbclient -L //172.16.10.11 -U centos
Enter centos's password:
Domain=[MAGEDU] OS=[Windows 6.1] Server=[Samba 4.2.3]

    Sharename       Type      Comment
    ---------       ----      -------
    shared          Disk      shared dir
    IPC$            IPC       IPC Service (Samba Server Version 4.2.3)
    centos          Disk      Home Directories
Domain=[MAGEDU] OS=[Windows 6.1] Server=[Samba 4.2.3]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    MYGROUP              LOCALHOST
[root@localhost ~]# smbclient //172.16.10.11/shared -U gentoo
Enter gentoo's password:
Domain=[MAGEDU] OS=[Windows 6.1] Server=[Samba 4.2.3]
smb: \> ls
  .                                   D        0  Mon Sep  4 14:40:24 2017
  ..                                 DR        0  Mon Sep  4 14:40:24 2017

        52403200 blocks of size 1024. 49105360 blocks available
smb: \> lcd /etc
smb: \> !ls
(local /etc directory listing omitted)
smb: \> put fstab
putting file fstab as \fstab (47.7 kb/s) (average 47.7 kb/s)
smb: \> ls
  .                                   D        0  Mon Sep  4 15:21:55 2017
  ..                                 DR        0  Mon Sep  4 14:40:24 2017
  fstab                               A      586  Mon Sep  4 15:21:55 2017

        52403200 blocks of size 1024. 49105092 blocks available
smb: \> exit
[root@localhost ~]# smbclient //172.16.10.11/shared -U ubuntu
Enter ubuntu's password:
Domain=[MAGEDU] OS=[Windows 6.1] Server=[Samba 4.2.3]
smb: \> ls
  .                                   D        0  Mon Sep  4 15:21:55 2017
  ..                                 DR        0  Mon Sep  4 14:40:24 2017
  fstab                               A      586  Mon Sep  4 15:21:55 2017

        52403200 blocks of size 1024. 49105048 blocks available
smb: \> lcd /etc/
smb: \> put issue
NT_STATUS_ACCESS_DENIED opening remote file \issue
smb: \> exit
2. Set up a vsftpd file-sharing service with shared directory /ftproot. Requirements (describe the full process):
1) access is through virtual users;
2) anonymous users may only download, not upload;
3) confine every user to its home directory;
4) limit the maximum number of concurrent connections to 200;
5) the maximum transfer rate for anonymous users is 512KB/s;
6) virtual user accounts are stored in a MySQL database;
7) the database is shared over NFS.
Lab environment:
192.168.10.11 (CentOS 7.2): vsftpd server, mariadb server; NFS client
192.168.10.12 (CentOS 7.2): NFS server (shares the data directory for mariadb); vsftpd client
1. NFS server configuration (192.168.10.12)
1) NFS is installed by default, so start it directly and check that port 2049 is listening
[root@localhost ~]# systemctl start nfs.service
[root@localhost ~]# ss -tnlp | grep :2049
LISTEN 0 64 *:2049 *:*
2) The mysql user ID must match on both sides of the database share, so create the mysql user by hand here with uid 27 (the mysql user ID)
[root@localhost ~]# id mysql
id: mysql: no such user
[root@localhost ~]# useradd -r -u 27 -s /sbin/nologin mysql
3) Create the database share directory /mysqldata, change its owner and group to mysql, and export it to the mariadb server (note: mariadb initialization needs root privileges, so do not squash root for now)
[root@localhost ~]# mkdir /mysqldata
[root@localhost ~]# chown -R mysql.mysql /mysqldata
[root@localhost ~]# ls -ld /mysqldata/
drwxr-xr-x. 2 mysql mysql 6 Sep 4 20:12 /mysqldata/
[root@localhost ~]# vim /etc/exports
/mysqldata 192.168.10.0/24(rw,no_root_squash)
[root@localhost ~]# exportfs -r
2. NFS client test and mariadb server installation and configuration (192.168.10.11)
1) Install the mariadb-server package, test the NFS client, create the mariadb data directory, and mount the remote NFS share locally
[root@localhost ~]# yum install -y mariadb-server
[root@localhost ~]# showmount -e 192.168.10.12
Export list for 192.168.10.12:
/mysqldata 192.168.10.0/24
[root@localhost ~]# mkdir /mysqldata
[root@localhost ~]# chown -R mysql.mysql /mysqldata/
[root@localhost ~]# mount -t nfs 192.168.10.12:/mysqldata/ /mysqldata/
[root@localhost ~]# mount | grep mysql
192.168.10.12:/mysqldata on /mysqldata type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.10.11,local_lock=none,addr=192.168.10.12)
2) Start the mariadb service, then remove the default data directory
[root@localhost ~]# systemctl start mariadb.service
[root@localhost ~]# rm -rf /var/lib/mysql/
3) Edit the configuration file /etc/my.cnf: set datadir to /mysqldata and point the socket at /mysqldata/mysql.sock
[root@localhost ~]# cp /etc/my.cnf{,.bak}
[root@localhost ~]# vim /etc/my.cnf
[mysqld]
datadir=/mysqldata
socket=/mysqldata/mysql.sock
[mysqladmin]
socket=/mysqldata/mysql.sock
4) Initialize mariadb (once initialization is complete, remove the no_root_squash option from the NFS export)
[root@localhost ~]# mysql_install_db --defaults-file=/etc/my.cnf --datadir=/mysqldata --user=mysql
Installing MariaDB/MySQL system tables in '/mysqldata' ...
170904 21:28:07 [Note] /usr/libexec/mysqld (mysqld 5.5.44-MariaDB) starting as process 4551 ...
OK
Filling help tables...
170904 21:28:07 [Note] /usr/libexec/mysqld (mysqld 5.5.44-MariaDB) starting as process 4559 ...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
To do so, start the server, then issue the following commands:

'/usr/bin/mysqladmin' -u root password 'new-password'
'/usr/bin/mysqladmin' -u root -h localhost.localdomain password 'new-password'

Alternatively you can run:
'/usr/bin/mysql_secure_installation'

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.

You can start the MariaDB daemon with:
cd '/usr' ; /usr/bin/mysqld_safe --datadir='/mysqldata'

You can test the MariaDB daemon with mysql-test-run.pl
cd '/usr/mysql-test' ; perl mysql-test-run.pl

Please report any problems at http://mariadb.org/jira

The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Support MariaDB development by buying support/new features from
MariaDB Corporation Ab. You can contact us about this at [email protected].
Alternatively consider joining our community based development effort:
http://mariadb.com/kb/en/contributing-to-the-mariadb-project/
5) Set the MySQL administrator password, add the client socket path /mysqldata/mysql.sock to the mysql client configuration, and create a socket symlink so the pam_mysql module can connect
[root@localhost ~]# mysqladmin -uroot password "123456"
[root@localhost ~]# vim /etc/my.cnf.d/mysql-clients.cnf
[mysql]
socket=/mysqldata/mysql.sock
[root@localhost ~]# mkdir -p /var/lib/mysql
[root@localhost ~]# ln -s /mysqldata/mysql.sock /var/lib/mysql/mysql.sock
6) Create the vsftpd database and the users table, insert test virtual accounts, and create a vsftpd account with SELECT privilege
[root@localhost ~]# mysql -uroot -p123456
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database vsftpd;
Query OK, 1 row affected (0.01 sec)

MariaDB [(none)]> use vsftpd;
Database changed
MariaDB [vsftpd]> create table users (
    -> id int AUTO_INCREMENT NOT NULL,
    -> name char(20) binary NOT NULL,
    -> password char(48) binary NOT NULL,
    -> primary key(id)
    -> );
Query OK, 0 rows affected (0.02 sec)

MariaDB [vsftpd]> insert into users(name,password) values('adam',password('adam'));
Query OK, 1 row affected (0.01 sec)

MariaDB [vsftpd]> insert into users(name,password) values('eve',password('eve'));
Query OK, 1 row affected (0.00 sec)

MariaDB [vsftpd]> desc users;
+----------+----------+------+-----+---------+----------------+
| Field    | Type     | Null | Key | Default | Extra          |
+----------+----------+------+-----+---------+----------------+
| id       | int(11)  | NO   | PRI | NULL    | auto_increment |
| name     | char(20) | NO   |     | NULL    |                |
| password | char(48) | NO   |     | NULL    |                |
+----------+----------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

MariaDB [vsftpd]> select * from users;
+----+------+-------------------------------------------+
| id | name | password                                  |
+----+------+-------------------------------------------+
|  1 | adam | *46D8C7BAEFF40601D8F821A601F07CD006FFB2D0 |
|  2 | eve  | *1A6EFD23741853F1DD5DF9B944BE40169F3931F1 |
+----+------+-------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [vsftpd]> grant select on vsftpd.* to vsftpd@localhost identified by 'vsftpd';
Query OK, 0 rows affected (0.00 sec)

MariaDB [vsftpd]> grant select on vsftpd.* to [email protected] identified by 'vsftpd';
Query OK, 0 rows affected (0.00 sec)

MariaDB [vsftpd]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [vsftpd]> exit
3. Compiling and configuring the pam_mysql module (192.168.10.11)
1) Download the source tarball pam_mysql-0.7RC1.tar.gz from http://pam-mysql.sourceforge.net/ and put it in /tmp on 192.168.10.11
2) Install the development tools, compile pam_mysql, and write /etc/pam.d/vsftpd.mysql so vsftpd authenticates virtual users through the pam_mysql module
[root@localhost ~]# yum groupinstall -y "Development Tools" "Server Platform Development"
[root@localhost ~]# yum install -y mariadb-devel openssl-devel pam-devel
[root@localhost ~]# cd /tmp/
[root@localhost tmp]# tar -xf pam_mysql-0.7RC1.tar.gz
[root@localhost tmp]# cd pam_mysql-0.7RC1/
[root@localhost pam_mysql-0.7RC1]# ./configure --with-mysql=/usr --with-openssl=/usr --with-pam=/usr --with-pam-mods-dir=/usr/lib64/security
[root@localhost pam_mysql-0.7RC1]# make && make install
[root@localhost pam_mysql-0.7RC1]# ls /usr/lib64/security | grep pam_mysql
pam_mysql.la
pam_mysql.so
[root@localhost ~]# vim /etc/pam.d/vsftpd.mysql
auth required pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
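As an added illustration (not part of the original write-up), this Python reproduces what crypt=2 tells pam_mysql to do: apply MySQL's PASSWORD() to the submitted password and compare the result with passwdcolumn, using the two rows inserted into the users table above. The stored hashes are copied from the page; the function names are my own.

```python
import hashlib
import hmac

def mysql_password(plaintext):
    """MySQL/MariaDB PASSWORD() (4.1+ scheme): '*' followed by the upper-case
    hex of SHA1(SHA1(password)); 41 characters, no salt."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# The users table exactly as 'select * from users' shows it on the page.
USERS = {
    "adam": "*46D8C7BAEFF40601D8F821A601F07CD006FFB2D0",
    "eve": "*1A6EFD23741853F1DD5DF9B944BE40169F3931F1",
}

def pam_mysql_crypt2_check(name, password, users=USERS):
    """What crypt=2 means in /etc/pam.d/vsftpd.mysql: pam_mysql hashes the
    submitted password with PASSWORD() and compares with the stored column.
    An unknown user fails the same way as a wrong password."""
    stored = users.get(name)
    if stored is None:
        return False
    return hmac.compare_digest(mysql_password(password), stored)

def shared_hashes(users):
    """Because the scheme is unsalted, two accounts with the same password
    store the identical hash, so a dump of the table exposes password reuse
    at a glance. Returns {hash: [names]} for hashes used more than once."""
    by_hash = {}
    for name, digest in users.items():
        by_hash.setdefault(digest, []).append(name)
    return {d: names for d, names in by_hash.items() if len(names) > 1}
```

PASSWORD() is an unsalted double SHA1, so a leaked users table is cheap to brute-force; the SELECT-only grant the lab gives the vsftpd account limits what a compromised vsftpd host can change in the table, but not what it can read.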
4. vsftpd server installation and configuration (192.168.10.11)
1) Install the vsftpd package, start the service, and check that port 21 is listening
[root@localhost ~]# yum install -y vsftpd
[root@localhost ~]# systemctl start vsftpd.service
[root@localhost ~]# ss -tnlp | grep :21
LISTEN 0 32 :::21 :::* users:(("vsftpd",pid=61302,fd=3))
2) Create the shared directory /ftproot, create the user vuser that virtual users are mapped to, grant other users read and execute (go+rx), remove write permission on the root directory, and create the public and upload directories
[root@localhost ~]# useradd -s /sbin/nologin -d /ftproot vuser
[root@localhost ~]# chmod go+rx /ftproot
[root@localhost ~]# chmod -w /ftproot
[root@localhost ~]# mkdir /ftproot/{pub,upload}
[root@localhost ~]# ls -ld /ftproot/
dr-xr-xr-x 5 vuser vuser 97 Sep 4 22:48 /ftproot/
3) Edit the main configuration file /etc/vsftpd/vsftpd.conf, change and add the following entries, then restart the service
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
max_clients=200
anon_max_rate=512000
chroot_local_user=YES
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vuser
[root@localhost ~]# systemctl restart vsftpd.service
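As an added check (not part of the original write-up), the Python below parses a vsftpd.conf and reports which of the lab's seven requirements it fails, so a drifted setting such as anon_upload_enable=YES is caught before the service is restarted. The configuration text is constructed from the entries listed above; defaults follow vsftpd's documented ones (booleans NO, 0 meaning no limit).

```python
# vsftpd.conf as the lab writes it (constructed from the page's list).
LAB_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
max_clients=200
anon_max_rate=512000
chroot_local_user=YES
pam_service_name=vsftpd.mysql
guest_enable=YES
guest_username=vuser
"""

def parse_vsftpd_conf(text):
    """vsftpd.conf is flat key=value; a line starting with '#' is a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def is_yes(conf, key):
    return conf.get(key, "NO").upper() == "YES"

def check_requirements(conf):
    """Return the lab requirements the config fails (empty list = all met)."""
    problems = []
    # 1)/6) virtual users: non-anonymous logins map to guest_username and are
    # authenticated by the pam_mysql stack named in pam_service_name
    if not is_yes(conf, "guest_enable") or not conf.get("guest_username"):
        problems.append("guest_enable=YES with a guest_username is required")
    if conf.get("pam_service_name") != "vsftpd.mysql":
        problems.append("pam_service_name must name the pam_mysql stack")
    # 2) anonymous users download only: all three anonymous write switches off
    for key in ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable"):
        if is_yes(conf, key):
            problems.append(f"{key}=YES lets anonymous users write")
    # 3) jail everyone; vsftpd 3.x refuses a writable jail root unless
    # allow_writeable_chroot=YES, which is why the lab does chmod -w /ftproot
    if not is_yes(conf, "chroot_local_user"):
        problems.append("chroot_local_user must be YES")
    if is_yes(conf, "allow_writeable_chroot"):
        problems.append("allow_writeable_chroot=YES weakens the chroot")
    # 4) 200 concurrent clients; 5) 512 KB/s for anonymous (bytes per second)
    for key, want in (("max_clients", "200"), ("anon_max_rate", "512000")):
        if conf.get(key, "0") != want:
            problems.append(f"{key} must be {want}")
    return problems
```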
5. vsftpd client virtual-user account verification (192.168.10.12)
[root@localhost ~]# yum install ftp -y
[root@localhost ~]# ftp 192.168.10.11
Connected to 192.168.10.11 (192.168.10.11).
220 (vsFTPd 3.0.2)
Name (192.168.10.11:root): adam
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /etc/
Local directory now /etc
ftp> put issue
local: issue remote: issue
227 Entering Passive Mode (192,168,10,11,88,20).
550 Permission denied.
ftp> ls
227 Entering Passive Mode (192,168,10,11,175,61).
150 Here comes the directory listing.
-rw-r--r--    1 0        0               0 Sep 04 15:22 1.txt
drwxr-xr-x    2 0        0               6 Sep 04 14:48 pub
-rw-r--r--    1 0        0               0 Sep 04 15:22 test
drwxr-xr-x    2 0        0               6 Sep 04 14:48 upload
226 Directory send OK.
ftp> get 1.txt
local: 1.txt remote: 1.txt
227 Entering Passive Mode (192,168,10,11,63,59).
150 Opening BINARY mode data connection for 1.txt (0 bytes).
226 Transfer complete.
ftp>