About Samba

–SMB/CIFS protocol

   – Server Message Block

   – Common Internet File System

Samba service basics

Main packages

[root@localhost Server]# rpm -qa | grep samba

samba-common-3.0.33-3.39.el5_8           //common files used by server and client

samba-3.0.33-3.39.el5_8                  //server daemons

samba-client-3.0.33-3.39.el5_8           //client tools

samba-swat-3.0.33-3.39.el5_8             //SWAT, the web administration front end


Main daemons

–smbd : provides shared access to file and print resources

         listens on TCP 139 and TCP 445

–nmbd : provides NetBIOS host-name resolution

         listens on UDP 137 and UDP 138

Service script

 –    /etc/init.d/smb

Configuration directory and main configuration file

–   /etc/samba/

–   /etc/samba/smb.conf

Configuration check tool

– testparm


Lab topology

        Linux Client  -----(vmnet1)-----  RHEL5.9 Samba server (192.168.8.10)  -----(vmnet1)-----  Win7 Client

Experiment 1: anonymous Samba share

Share the directory /usr/src with everyone

Use the share name tools

Allow everyone to connect without password authentication

Access is read only

1. [root@localhost ~]# rpm -q samba-client samba samba-common

samba-client-3.0.33-3.39.el5_8

samba-3.0.33-3.39.el5_8

samba-common-3.0.33-3.39.el5_8

2. Edit the main configuration file


        workgroup = pengpeng      //workgroup name

        server string = Samba Server Version %v   //server description

...

        log file = /var/log/samba/%m.log  //log path; %m expands to the client's NetBIOS name

...

        max log size = 50      //maximum log size in KB

...

        security = share        //security level (user, share, server, domain)

...

        load printers = no    //do not advertise printers in the share list

[tools]                        //share name

        comment = tools public  //share description

        path = /usr/src         //directory actually being shared

        public = yes            //everyone may use it

        browseable = yes        //listed when browsing (no = hidden)

        read only = yes         //read only

3. Start the service

First check the configuration

[root@localhost ~]# testparm   //configuration check command

Load smb config files from /etc/samba/smb.conf

Processing section "[homes]"

Processing section "[printers]"

Processing section "[tools]"

Loaded services file OK.

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions  //press Enter to dump the service definitions

[global]                                 //global settings

        workgroup = PENGPENG

        server string = Samba Server Version %v

        security = SHARE

        passdb backend = tdbsam

        load printers = No

        cups options = raw


[homes]

        comment = Home Directories

        read only = No

        browseable = No


[printers]

        comment = All Printers

        path = /var/spool/samba

        printable = Yes

        browseable = No

[tools]                                 //the custom share

        comment = tools public

        path = /usr/src

        guest ok = Yes

Start the service

[root@localhost ~]# service smb restart

关闭 SMB 服务:                                            [失败]

关闭 NMB 服务:                                            [失败]

启动 SMB 服务:                                            [确定]

启动 NMB 服务:                                            [确定]

Make sure the service starts at boot

[root@localhost ~]# chkconfig smb on

[root@localhost ~]# chkconfig smb --list

smb             0:关闭  1:关闭  2:启用  3:启用  4:启用  5:启用  6:关闭

[root@localhost ~]# 

Listening ports

[root@localhost ~]# netstat -anptu | grep mbd

tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN      5798/smbd           

tcp        0      0 0.0.0.0:445                 0.0.0.0:*                   LISTEN      5798/smbd           

udp        0      0 0.0.0.0:137                 0.0.0.0:*                               5801/nmbd           

udp        0      0 0.0.0.0:138                 0.0.0.0:*                               5801/nmbd      

4. Client test

Windows:

  UNC path \\192.168.8.10

 As shown in the figure:

Linux:

Install samba-client

[root@localhost Server]# rpm -ivh samba-client-3.0.33-3.39.el5_8.x86_64.rpm 

warning: samba-client-3.0.33-3.39.el5_8.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 37017186

Preparing...                ########################################### [100%]

        package samba-client-3.0.33-3.39.el5_8.x86_64 is already installed

[root@localhost Server]# rpm -q samba-client

samba-client-3.0.33-3.39.el5_8

[root@localhost ~]# smbclient -L 192.168.8.10       //list the shares

Password: 

Domain=[PENGPENG] OS=[Unix] Server=[Samba 3.0.33-3.39.el5_8]


        Sharename       Type      Comment

        ---------       ----      -------

        tools           Disk      tools public

        IPC$            IPC       IPC Service (Samba Server Version 3.0.33-3.39.el5_8)

Domain=[PENGPENG] OS=[Unix] Server=[Samba 3.0.33-3.39.el5_8]


        Server               Comment

        ---------            -------

        LOCALHOST            Samba Server Version 3.0.33-3.39.el5_8


        Workgroup            Master

        ---------            -------

        PENGPENG             LOCALHOST

        WORKGROUP            PENGPENG-PC

[root@localhost ~]# smbclient //192.168.8.10/tools     //connect to the share

Password:                                              //anonymous share: any password is accepted

Domain=[PENGPENG] OS=[Unix] Server=[Samba 3.0.33-3.39.el5_8]

Server not using user level security and no password supplied.

smb: \> ls

  .                                   D        0  Wed Aug 20 11:49:58 2014

  ..                                  D        0  Wed Aug 20 11:38:11 2014

  debug                               D        0  Thu Oct  1 22:58:39 2009

  kernels                             D        0  Wed Aug 20 11:41:30 2014

  redhat                              D        0  Wed Aug 20 11:49:58 2014


                38751 blocks of size 524288. 29666 blocks available

smb: \> 

[root@localhost ~]# mkdir -p /data/smb                    //create the mount point

[root@localhost ~]# mount -t cifs //192.168.8.10/tools /data/smb/  //mount the share

Password: 

[root@localhost ~]# mount | tail -1

//192.168.8.10/tools on /data/smb type cifs (rw,mand)  //check the mount

Configure automatic mounting:

[root@localhost ~]# vim /etc/fstab

//192.168.8.10/tools    /data/smb         cifs   passwd=defaults        0 0      //add the auto-mount entry; the anonymous share accepts any password

[root@localhost ~]# grep smb /etc/fstab

//192.168.8.10/tools    /data/smb         cifs   passwd=defaults        0 0

[root@localhost ~]# cd /data/smb          //enter the mount directory

[root@localhost smb]# ls

debug  kernels  redhat                    //browsing works
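The share just built is reachable from every host on the network with any password, which is exactly what a reviewer should spot before the server goes live. The script below is an added example and not part of the original post: it parses an smb.conf with Python's configparser (the two sample configurations are constructed to match experiment 1 and the hardened state reached in experiments 2 and 3) and reports share-level security, guest shares and shares without a hosts allow restriction. Only the parameters used on this page are modelled; the synonym table, the defaults and the finding texts are my own.

```python
"""Audit an smb.conf for anonymous and unrestricted shares (added example)."""
import configparser
import io

# Samba accepts several spellings for the same parameter; map the ones
# used on this page onto one canonical name so each check needs one key.
SYNONYMS = {
    "public": "guest ok",
    "writable": "writeable",
    "allow hosts": "hosts allow",
    "deny hosts": "hosts deny",
}


def _norm(key):
    key = " ".join(key.lower().split())
    return SYNONYMS.get(key, key)


def _bool(value, default=False):
    # Samba booleans: yes/true/1 or no/false/0, case-insensitive.
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised parameter names."""
    cp = configparser.ConfigParser(
        interpolation=None,           # keep %v, %m, %U literally
        delimiters=("=",),
        comment_prefixes=("#", ";"),
        strict=False,                 # Samba tolerates repeated keys (last one wins)
    )
    cp.optionxform = str              # do not lower-case here; _norm does it
    cp.read_file(io.StringIO(text))
    return {
        section.lower(): {_norm(k): v.strip() for k, v in cp.items(section)}
        for section in cp.sections()
    }


def audit_smb_conf(text):
    """Return a list of (section, finding) pairs for risky settings."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if g.get("security", "user").lower() == "share":
        findings.append(("global", "security = share: share-level security, "
                         "passwords are not tied to an account"))
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("global", "map to guest = %s: failed logins fall back "
                         "to the guest account" % g["map to guest"]))
    for name, share in conf.items():
        if name in ("global", "printers"):
            continue
        guest = _bool(share.get("guest ok"))
        # read only defaults to yes; writeable = yes is the same as read only = no
        read_only = _bool(share.get("read only"), default=True)
        if "writeable" in share:
            read_only = not _bool(share["writeable"])
        if guest:
            findings.append((name, "guest ok = yes: anonymous access, "
                             + ("read only" if read_only else "writable")))
        if "hosts allow" not in share and "hosts allow" not in g:
            findings.append((name, "no hosts allow: any client address may connect"))
        if not guest and name != "homes" and "valid users" not in share:
            findings.append((name, "no valid users: every Samba account may connect"))
    return findings


# Constructed sample matching experiment 1: share-level security, guest share.
ANONYMOUS_CONF = """\
[global]
        workgroup = pengpeng
        server string = Samba Server Version %v
        log file = /var/log/samba/%m.log
        max log size = 50
        security = share
        load printers = no

[tools]
        comment = tools public
        path = /usr/src
        public = yes
        browseable = yes
        read only = yes
"""

# Constructed sample of the same share after the hardening of experiments 2 and 3.
HARDENED_CONF = """\
[global]
        workgroup = pengpeng
        security = user

[tools]
        comment = tools public
        path = /usr/src
        public = no
        valid users = jack,tom
        write list = tom
        read only = yes
        hosts allow = 192.168.8.5
"""

if __name__ == "__main__":
    for conf in (ANONYMOUS_CONF, HARDENED_CONF):
        for section, finding in audit_smb_conf(conf) or [("-", "no findings")]:
            print("[%s] %s" % (section, finding))
```

Share-level security (security = share) no longer exists in Samba 4.x; on current releases an anonymous share is built with security = user plus map to guest = Bad User, which is why the audit also looks at map to guest. Run the script against /etc/samba/smb.conf after testparm has accepted the file, since configparser does not know Samba's include or copy directives.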

Experiment 2: Samba user authentication

Modify the existing anonymous [tools] share

No longer allow everyone to connect

Allow only jack to read and tom to write

Deny all other users and anonymous access

Uploaded directories get permission 755

Uploaded files get permission 644

1. Create the accounts and their Samba passwords

[root@localhost ~]# useradd jack

[root@localhost ~]# useradd tom

[root@localhost ~]# echo "123456" | passwd --stdin jack

Changing password for user jack.

passwd: all authentication tokens updated successfully.

[root@localhost ~]# echo "123456" | passwd --stdin tom

Changing password for user tom.

passwd: all authentication tokens updated successfully.

[root@localhost ~]# pdbedit -a jack   //add a Samba account; a matching system account must exist

new password:

retype new password:

Unix username:        jack

NT username:          

Account Flags:        [U          ]

User SID:             S-1-5-21-3977168788-1325546648-3669002591-1000

Primary Group SID:    S-1-5-21-3977168788-1325546648-3669002591-513

Full Name:            

Home Directory:       \\localhost\jack

HomeDir Drive:        

Logon Script:         

Profile Path:         \\localhost\jack\profile

Domain:               LOCALHOST

Account desc:         

Workstations:         

Munged dial:          

Logon time:           0

Logoff time:          never

Kickoff time:         never

Password last set:    三, 03 9月 2014 15:36:26 CST

Password can change:  三, 03 9月 2014 15:36:26 CST

Password must change: never

Last bad password   : 0

Bad password count  : 0

Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

[root@localhost ~]# pdbedit -a tom //add a Samba account; a matching system account must exist

new password:

retype new password:

Unix username:        tom

NT username:          

Account Flags:        [U          ]

User SID:             S-1-5-21-3977168788-1325546648-3669002591-1001

Primary Group SID:    S-1-5-21-3977168788-1325546648-3669002591-513

Full Name:            

Home Directory:       \\localhost\tom

HomeDir Drive:        

Logon Script:         

Profile Path:         \\localhost\tom\profile

Domain:               LOCALHOST

Account desc:         

Workstations:         

Munged dial:          

Logon time:           0

Logoff time:          never

Kickoff time:         never

Password last set:    三, 03 9月 2014 15:36:41 CST

Password can change:  三, 03 9月 2014 15:36:41 CST

Password must change: never

Last bad password   : 0

Bad password count  : 0

Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

[root@localhost ~]# 

2. Edit the main configuration file

[root@localhost ~]# vim /etc/samba/smb.conf


...

    security = user             //enable user authentication

...

  [tools]

       comment = tools public

       path = /usr/src            //shared path

       public = no                //not open to everyone

       valid users = jack,tom     //users allowed to connect

       write list = tom           //tom may read and write

       browseable = yes

       read only = yes

       directory mask = 0755      //permission of uploaded directories

       create mask = 0644         //permission of uploaded files

...

[root@localhost ~]# setfacl -m u:tom:rwx /usr/src/ 

//ACL: give tom read, write and execute on the directory (the effective right is the intersection of the local filesystem permission and the share permission)

[root@localhost ~]# getfacl /usr/src/        //show the directory permissions

getfacl: Removing leading '/' from absolute path names

# file: usr/src

# owner: root

# group: root

user::rwx

user:tom:rwx

group::r-x

mask::rwx

other::r-x

3. Start the service

[root@localhost ~]# service smb restart

关闭 SMB 服务:                                            [确定]

关闭 NMB 服务:                                            [确定]

启动 SMB 服务:                                            [确定]

启动 NMB 服务:                                            [确定]

4. Client test

[root@localhost ~]# smbclient -U jack //192.168.8.10/tools   //connect as a named user

Password:                                             //the Samba password set earlier with pdbedit

Domain=[LOCALHOST] OS=[Unix] Server=[Samba 3.0.33-3.39.el5_8]

smb: \> ls

  .                                   D        0  Wed Aug 20 11:49:58 2014

  ..                                  D        0  Wed Aug 20 11:38:11 2014

  debug                               D        0  Thu Oct  1 22:58:39 2009

  kernels                             D        0  Wed Aug 20 11:41:30 2014

  redhat                              D        0  Wed Aug 20 11:49:58 2014


                38751 blocks of size 524288. 29665 blocks available

smb: \> 

[root@localhost ~]# umount /data/smb         //unmount the earlier mount

[root@localhost ~]# mount -o username=jack //192.168.8.10/tools /data/smb

Password: 

[root@localhost ~]# mount | grep smb           

//192.168.8.10/tools on /data/smb type cifs (rw,mand)

[root@localhost ~]# 
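With security = user, what jack and tom may do is decided in two places: the share section and the filesystem (the setfacl step above). The following is an added example, not from the original post, that encodes the documented Samba rules for invalid users, valid users, read only, read list and write list (including @group entries), the create mask / directory mask arithmetic, and the author's rule that the effective right is the intersection of the two checks. The share dictionary is the [tools] section of experiment 2 with parameter names normalised; the 0666/0777 request modes and the fs_access argument are modelling assumptions of mine.

```python
"""Model Samba's per-share access decision and new-file modes (added example)."""

ORDER = ["none", "read", "write"]


def _split(value):
    # Samba lists may be separated by commas and/or whitespace.
    return value.replace(",", " ").split()


def _in_list(user, groups, entries):
    """True if `user` (member of unix `groups`) matches an entry.
    @name, +name and &name denote a unix group; anything else is a user name."""
    groups = {g.lower() for g in groups}
    for entry in entries:
        if entry[:1] in "@+&":
            if entry[1:].lower() in groups:
                return True
        elif entry.lower() == user.lower():
            return True
    return False


def share_access(share, user, groups=()):
    """Return 'none', 'read' or 'write' for `user` on a share section
    given as {parameter: value} with canonical lower-case names."""
    if _in_list(user, groups, _split(share.get("invalid users", ""))):
        return "none"                 # invalid users takes precedence
    valid = _split(share.get("valid users", ""))
    if valid and not _in_list(user, groups, valid):
        return "none"                 # an empty valid users list means everyone
    writable = share.get("read only", "yes").lower() not in ("yes", "true", "1")
    if _in_list(user, groups, _split(share.get("write list", ""))):
        writable = True               # write list overrides read only = yes
    elif _in_list(user, groups, _split(share.get("read list", ""))):
        writable = False              # read list overrides read only = no
    return "write" if writable else "read"


def new_mode(share, directory=False):
    """Unix mode Samba assigns to a new file or directory: the requested mode
    is ANDed with the mask, then ORed with the force mode. 0666 and 0777 are
    the plain requests; map archive and friends may add execute bits first."""
    if directory:
        mask = int(share.get("directory mask", "0755"), 8)
        force = int(share.get("force directory mode", "0"), 8)
        return (0o777 & mask) | force
    mask = int(share.get("create mask", "0744"), 8)
    force = int(share.get("force create mode", "0"), 8)
    return (0o666 & mask) | force


def effective_access(share, user, groups=(), fs_access="write"):
    """The post's rule: the final right is the intersection of the share
    permission and what the local filesystem (mode bits, ACL) grants."""
    return min(share_access(share, user, groups), fs_access, key=ORDER.index)


# The [tools] section of experiment 2 with parameter names normalised.
TOOLS = {
    "comment": "tools public",
    "path": "/usr/src",
    "guest ok": "no",
    "valid users": "jack,tom",
    "write list": "tom",
    "browseable": "yes",
    "read only": "yes",
    "directory mask": "0755",
    "create mask": "0644",
}

if __name__ == "__main__":
    for user in ("jack", "tom", "alice"):
        print(user, share_access(TOOLS, user))
    # /usr/src is root:root 0755, so before setfacl tom's filesystem right is read only
    print("tom before setfacl:", effective_access(TOOLS, "tom", fs_access="read"))
    print("tom after setfacl: ", effective_access(TOOLS, "tom", fs_access="write"))
    print("new file mode %o, new directory mode %o"
          % (new_mode(TOOLS), new_mode(TOOLS, directory=True)))
```

The filesystem check sits on top of the share decision, so setfacl -m u:tom:rwx is what turns tom's share-level "write" into a usable one; without it the intersection is "read", exactly as the comment next to the setfacl command says. The reverse also holds: an ACL alone never grants more than the share section allows, which is why jack stays read only however /usr/src is chmod'ed.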

Experiment 3: Samba account aliases and client address control

         Give the regular user jack the alias kaka

         Allow access only from the address 192.168.8.5

1. Edit the Samba username map file

[root@localhost ~]# vim /etc/samba/smbusers


# Unix_name = SMB_name1 SMB_name2 ...

root = administrator admin

nobody = guest pcguest smbguest

jack = kaka                    //define the alias kaka for jack

2. Edit the main configuration file


...

  username map = /etc/samba/smbusers  //enable account mapping (virtual user names)

 ...

[tools]

       comment = tools public

       path = /usr/src

       public= no

       valid users = jack,tom

       write list =tom

       browseable=yes

       read only = yes

       directory mask = 0755

       create mask = 0644

       hosts allow = 192.168.10.5      //add this line; only the client 192.168.10.5 may connect

Restart the service:

[root@localhost ~]# service smb restart

关闭 SMB 服务:                                            [确定]

关闭 NMB 服务:                                            [确定]

启动 SMB 服务:                                            [确定]

启动 NMB 服务:                                            [确定]

3. Client test

Verify the user alias:

[root@localhost ~]# smbclient -U kaka //192.168.8.10/tools    //use kaka, the alias of jack

Password:       //jack's password

Domain=[LOCALHOST] OS=[Unix] Server=[Samba 3.0.33-3.39.el5_8]

smb: \> ls

  .                                   D        0  Wed Aug 20 11:49:58 2014

  ..                                  D        0  Wed Aug 20 11:38:11 2014

  debug                               D        0  Thu Oct  1 22:58:39 2009

  kernels                             D        0  Wed Aug 20 11:41:30 2014

  redhat                              D        0  Wed Aug 20 11:49:58 2014


                38751 blocks of size 524288. 29665 blocks available

smb: \> 

 Verify the IP address restriction:

[root@localhost ~]# ifconfig eth0 192.168.8.6/24    //change the client address to 192.168.8.6

[root@localhost ~]# ifconfig eth0 | grep "inet addr:"

          inet addr:192.168.8.6  Bcast:192.168.8.255  Mask:255.255.255.0

[root@localhost ~]# smbclient -U jack //192.168.8.10/tools

Password: 

Domain=[LOCALHOST] OS=[Unix] Server=[Samba 3.0.33-3.39.el5_8]

tree connect failed: NT_STATUS_ACCESS_DENIED   //access denied
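The two controls of experiment 3 are applied by smbd at different points: the login name is rewritten through the username map file before the password is checked, and the client address is tested against hosts allow / hosts deny when the share is connected, which is why the last test fails at tree connect with NT_STATUS_ACCESS_DENIED rather than at login. The following added example, not from the original post, implements both lookups: the documented map-file rules (unix = smb1 smb2, a * wildcard, @group entries, a leading ! that stops processing, and later lines seeing the already-mapped name) and the address forms of the host lists (exact address, trailing-dot prefix, CIDR, address/netmask, ALL, EXCEPT) with Samba's allow/deny precedence, including the rule that 127.0.0.1 is admitted unless explicitly denied. Host names and netgroups are out of scope; the map file and the client addresses are constructed.

```python
"""Evaluate Samba's username map and hosts allow / hosts deny (added example)."""
import ipaddress

# Constructed copy of the /etc/samba/smbusers file from experiment 3.
SMBUSERS = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
jack = kaka
"""


def map_username(login, map_text, groups=()):
    """Apply the username map to `login` and return the resulting unix name."""
    name = login
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        stop = line.startswith("!")          # '!' ends processing once this line matches
        unix, _, smb_names = line.lstrip("!").partition("=")
        matched = any(
            token == "*"
            or (token.startswith("@") and token[1:] in groups)
            or token.lower() == name.lower()
            for token in smb_names.split()
        )
        if matched:
            name = unix.strip()              # later lines see the mapped name
            if stop:
                break
    return name


def _addr_match(ip, token):
    """One hosts allow / hosts deny token in the address forms Samba documents."""
    if token.upper() == "ALL":
        return True
    if token.endswith("."):                          # prefix form: 192.168.8.
        return str(ip).startswith(token)
    if "/" in token:                                 # 192.168.8.0/24 or /255.255.255.0
        return ip in ipaddress.ip_network(token, strict=False)
    return ip == ipaddress.ip_address(token)         # exact address


def _list_match(ip, entries):
    """Samba list semantics: match a token before EXCEPT and none after it."""
    tokens = entries.replace(",", " ").split()
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        positive, exceptions = tokens[:i], tokens[i + 1:]
    else:
        positive, exceptions = tokens, []
    return any(_addr_match(ip, t) for t in positive) and not any(
        _addr_match(ip, t) for t in exceptions)


def host_allowed(client, hosts_allow="", hosts_deny=""):
    """Reproduce smbd's decision for one client address (IPv4 literal)."""
    ip = ipaddress.ip_address(client)
    allowed = _list_match(ip, hosts_allow)
    denied = _list_match(ip, hosts_deny)
    if ip.is_loopback:
        return not denied                 # 127.0.0.1 is allowed unless explicitly denied
    if not hosts_allow.split() and not hosts_deny.split():
        return True                       # no lists: everyone may connect
    if not hosts_deny.split():
        return allowed                    # allow list only: must be listed
    if not hosts_allow.split():
        return not denied                 # deny list only: must not be listed
    return allowed or not denied          # both: allow wins, then deny, else allowed


if __name__ == "__main__":
    print(map_username("kaka", SMBUSERS))                            # jack
    print(host_allowed("192.168.10.5", hosts_allow="192.168.10.5"))  # True
    print(host_allowed("192.168.8.6", hosts_allow="192.168.10.5"))   # False
```

Two consequences worth checking in a review: an alias line without a leading ! keeps being rewritten by later lines, so a trailing nobody = * line would turn kaka into nobody, and a hosts allow with both lists set admits any address that appears in neither list. Samba's own testparm can confirm the second point for a given address with testparm smb.conf <hostname> <ip>.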