This is also required when Samba has trust relationships with other domains. winbindd checks smb.conf for the idmap uid and idmap gid parameters; if they are present, winbindd allocates UIDs and GIDs from those ranges. If they are not set, winbindd starts but cannot allocate any UID or GID. (These two parameters are the old form; Samba 4 expects idmap config * : range instead.)
Configuration file syntax:
[ section ]
parameter = value
......
Find the configuration file directory and name:
#smbd -b | grep CONFIGFILE
CONFIGFILE: /usr/local/samba/etc/smb.conf
Find where the tdb files are stored (fixed at build time):
#smbd -b | grep PRIVATE_DIR
PRIVATE_DIR: /etc/samba/private //tdb files holding secret data
#smbd -b | grep LOCKDIR
LOCKDIR: /var/lib/samba //ordinary control files
Persistent tdb files: back these up (machine migration, Samba upgrades)
tdbbackup tool: tdbbackup *.tdb (writes name.bak beside each file) / tdbbackup -s '.newsuffix' *.tdb (choose a different backup suffix)
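As an added example (not from the original notes), a Python helper that applies Table 1.1 to a directory listing: it separates the persistent databases from the caches, builds the tdbbackup command for the persistent set, and audits secrets.tdb the way a practitioner would before copying it to another machine (root-owned, mode 0600, valid TDB header). The directory layout and the files created by demo() are constructed for the example; the header string "TDB file\n" is the real TDB magic.

```python
import os
import stat
import tempfile

# Persistent databases from Table 1.1: SIDs, SAM accounts, group mappings,
# share ACLs and idmap state. Everything else under LOCKDIR is a cache.
PERSISTENT = {
    "account_policy", "group_mapping", "ntdrivers", "ntforms", "ntprinters",
    "passdb", "registry", "secrets", "share_info", "winbindd_idmap",
}
TDB_MAGIC = b"TDB file\n"   # first bytes of every TDB file


def split_tdbs(paths):
    """Split *.tdb paths into (persistent, temporary) by base name."""
    keep, skip = [], []
    for p in paths:
        base = os.path.basename(p)
        if base.endswith(".tdb"):
            (keep if base[:-4] in PERSISTENT else skip).append(p)
    return keep, skip


def backup_command(paths, suffix=".bak"):
    """tdbbackup argv for the persistent set (run as root), or None."""
    keep, _ = split_tdbs(paths)
    return ["tdbbackup", "-s", suffix] + keep if keep else None


def audit_secret_file(path):
    """Findings for secrets.tdb or its backup: it must exist, carry the TDB
    header, be owned by root and be unreadable by group/others."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if st.st_uid != 0:
        findings.append("not owned by root")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o is group/world accessible"
                        % stat.S_IMODE(st.st_mode))
    with open(path, "rb") as f:
        if f.read(len(TDB_MAGIC)) != TDB_MAGIC:
            findings.append("bad TDB header (truncated or not a tdb)")
    return findings


def demo():
    """Constructed sample directory standing in for PRIVATE_DIR/LOCKDIR."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "secrets.tdb")      # well-formed, mode 0600
    with open(good, "wb") as f:
        f.write(TDB_MAGIC + b"\0" * 40)
    os.chmod(good, 0o600)
    leaky = os.path.join(d, "passdb.tdb")      # truncated and world-readable
    with open(leaky, "wb") as f:
        f.write(b"garbage")
    os.chmod(leaky, 0o644)
    cache = os.path.join(d, "gencache.tdb")    # a cache: not backed up
    open(cache, "wb").close()
    keep, skip = split_tdbs([good, leaky, cache])
    return {
        "keep": [os.path.basename(p) for p in keep],
        "skip": [os.path.basename(p) for p in skip],
        "cmd": backup_command([good, leaky, cache])[:3],
        "good": audit_secret_file(good),
        "leaky": audit_secret_file(leaky),
        "missing": audit_secret_file(os.path.join(d, "none.tdb")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it as root against the real PRIVATE_DIR and LOCKDIR listings; the backup copy of secrets.tdb deserves the same 0600 permissions as the original, since it carries the machine account password and domain SID.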
Table 1.1
account_policy: Samba/NT account policy settings, including password expiry.
group_mapping: mapping table between Windows groups/SIDs and UNIX groups.
ntdrivers: installed driver information for each printer.
ntforms: installed form information for each printer.
ntprinters: device-mode configuration for each printer.
passdb: the tdbsam backend database holding SAM account information (each account must also exist as a system account in /etc/passwd).
registry: read-only Windows registry database; the WinReg RPC exports the various databases through it.
secrets: workgroup/domain/machine SIDs, the LDAP directory update password and other critical environment data; extremely sensitive, kept in PRIVATE_DIR.
share_info: per-share ACL information.
winbindd_idmap: winbindd's local ID mapping database.
Temporary tdb files: no backup needed
Table 1.2
brlock: byte-range locking information.
connections: cache of current connection information.
eventlog/*.tdb: event log records (system log cache).
gencache: generic cache, e.g. dead WINS servers and trusted-domain data.
login_cache: login information cache, including bad-password counts.
messages: temporary store for messages being processed by smbd.
netsamlogon_cache: cached net_info_3 user data from net_samlogon requests.
perfmon/*.tdb: performance counter information.
printing/*.tdb: printing-related caches.
schannel_store: secure-channel session state, so a reconnect after a brief disconnect does not have to renegotiate.
sessionid: temporary session cache.
unexpected: received packets for which no process was actively listening.
winbindd_cache: cached user identity information received from the domain.
testparm: test the configuration
testparm -s smb.conf.master > smb.conf produces a minimal configuration file (defaults stripped)
SWAT: web-based Samba administration tool (removed in Samba 4.1; it sends passwords in clear text over HTTP, so where it still exists never expose it beyond localhost)
http://ipaddr:901
List shares:
smbclient -L localhost
smbclient -L localhost -U root
smbclient -L localhost -N //force an anonymous (no password) listing
Connect to a share:
UNIX: smbclient //hostname/service -U user%passwd
smbclient //hostname/username //a share named after the user is served from [homes], i.e. that user's home directory
Windows:
net use m: \\hostname\service
Examples:
a) From Linux, list the shared folders of host 192.168.0.6 (Linux or Windows)
[root@localhost ~]# smbclient -L 192.168.0.6 -U rong (rong is a user on 192.168.0.6)
Password: (enter rong's password)
b) From Linux, enter the share named 软件 on host 192.168.0.6 (Windows or Linux)
[root@localhost ~]# smbclient //192.168.0.6/软件 -U rong
Password: (enter rong's password)
c) From Linux, mount a share from host 192.168.1.180 (Linux or Windows) on a local directory
CIFS share:
mount -t cifs -o username=administrator,password=passwd //192.168.1.180/sharename/ /tmp
(a password on the command line shows up in the process list and shell history; use credentials=/root/.smbcred with that file set to mode 0600 instead)
d) From Windows, map a share of Linux host 192.168.187.148 to a local drive
cmd:
net use m: \\192.168.187.148\caiwu
xxxxxxx Enter the user name:
xxxxxxx Password:
(disconnect: net use m: /del)
Printing:
net use lpt1: \\hostname\printername
print filename
Account databases can be converted between backends:
pdbedit -i smbpasswd -e tdbsam (when passdb backend is switched from one backend to another)
imports from smbpasswd and exports to tdbsam
Server types:
Domain controllers:
--Primary Domain Controller (PDC)
--Backup Domain Controller (BDC)
--ADS Domain Controller
Domain member servers:
--Active Directory Domain Member Server
--NT4-style Domain Member Server
Standalone server: Standalone Server
Security modes:
share-level: share (removed in Samba 4; see the anonymous share below for the replacement)
user-level: requires a user name and password (username/passwd)
user (security = user)
domain (workgroup = MIDEARTH, security = domain, as an NT4 domain member server)
net rpc join -U administrator%passwd
ADS (realm = your.kerberos.REALM, security = ADS, encrypt passwords = Yes, password server = )
net ads join -U administrator%passwd (an ADS join uses net ads, not net rpc)
/etc/krb5.conf (Kerberos realm configuration used by the ADS join)
server (encrypt passwords = Yes, security = server, password server = ) //pass-through authentication to another server; removed in Samba 4, use domain or ADS membership instead
Anonymous read/write share:
[global]
workgroup = MYGROUP
netbios name = HOBBIT
security = user //(security = share no longer works; these two lines replace it)
map to guest = Bad User //a login with an unknown user name becomes a guest login; a wrong password for an existing user is still rejected
[data]
comment = Data
path = /export
read only = No
guest ok = Yes
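The anonymous share above is the kind of section an auditor wants flagged automatically. As an added example (not from the original notes), a small Python smb.conf reader plus checks for the settings that widen access: anonymous write, guest shares with no hosts allow, security = share/server (which Samba 4 no longer accepts), map to guest, and admin users. Parameter-name normalisation follows smb.conf (case and whitespace are ignored) and the synonyms writable/writeable = not read only and public = guest ok; SAMPLE is the configuration above, embedded inline.

```python
import re

TRUE_WORDS = {"yes", "true", "1", "on"}

# The anonymous read/write share from the notes above, embedded as sample input.
SAMPLE = """
[global]
    workgroup = MYGROUP
    netbios name = HOBBIT
    security = user
    map to guest = Bad User
[data]
    comment = Data
    path = /export
    read only = No
    guest ok = Yes
"""


def norm(key):
    """smb.conf ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: {normalised key: value}}; '#'/';' lines are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[\s*(.+?)\s*\]$", line)
        if m:
            section = m.group(1).lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            k, v = line.split("=", 1)
            conf[section][norm(k)] = v.strip()
    return conf


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_WORDS


def share_flags(params):
    """(guest_ok, writable) for one share, honouring the synonyms."""
    guest = is_true(params.get("guestok", params.get("public")))
    if "readonly" in params:
        writable = not is_true(params["readonly"])
    else:
        writable = is_true(params.get("writable", params.get("writeable")))
    return guest, writable


def audit(conf):
    """Findings that widen access; an empty list means nothing was flagged."""
    findings = []
    g = conf.get("global", {})
    sec = g.get("security", "user").lower()
    if sec in ("share", "server"):
        findings.append(f"global: security = {sec} was removed in Samba 4, use security = user")
    if g.get("maptoguest", "never").lower() != "never":
        findings.append(f"global: map to guest = {g['maptoguest']}: unknown user names become guest")
    for name, p in conf.items():
        if name == "global":
            continue
        guest, writable = share_flags(p)
        if guest and writable:
            findings.append(f"[{name}]: anonymous write access (guest ok + writable)")
        elif guest:
            findings.append(f"[{name}]: anonymous read access")
        if guest and "hostsallow" not in p and "hostsallow" not in g:
            findings.append(f"[{name}]: guest share with no hosts allow restriction")
        if "adminusers" in p:
            findings.append(f"[{name}]: admin users = {p['adminusers']} operate as root on this share")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE)):
        print(finding)
```

Feed it the output of testparm -s rather than the raw file when includes or macros are in play, so the audited values are the ones smbd actually uses.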
Restricting access: permission parameters
valid users =
write list =
read list =
create mask = 0744
directory mask = 0755
hosts allow = 192.168.1.0/255.255.255.0
hosts deny = 192.168.2. //a trailing dot matches every address starting with 192.168.2.
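smbd evaluates hosts allow and hosts deny in a fixed order, and the pair above has a trap: when both lists are set, a client that matches neither list is allowed in. The following is an added Python example (mine, not from the notes or from Samba's source) that reproduces the decision order of smbd's allow_access() for address-form tokens: an exact IP, a trailing-dot prefix such as 192.168.2., a CIDR or dotted-netmask network, ALL, and EXCEPT. Hostname and .domain tokens are not handled; the client addresses used in the demo are constructed.

```python
import ipaddress


def _match_token(tok, addr):
    """One hosts allow/deny token against an ip_address object."""
    if tok.upper() == "ALL":
        return True
    if tok.endswith("."):                      # "192.168.2." = prefix of the dotted form
        return str(addr).startswith(tok)
    if "/" in tok:                             # 10.0.0.0/8 or 192.168.1.0/255.255.255.0
        return addr in ipaddress.ip_network(tok, strict=False)
    try:
        return addr == ipaddress.ip_address(tok)
    except ValueError:
        return False                           # hostname / .domain forms not supported here


def list_match(spec, addr):
    """Samba list semantics: a token before EXCEPT matches unless a token after it also matches."""
    if not spec:
        return False
    toks = spec.replace(",", " ").split()
    upper = [t.upper() for t in toks]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        include, exclude = toks[:i], toks[i + 1:]
    else:
        include, exclude = toks, []
    return (any(_match_token(t, addr) for t in include)
            and not any(_match_token(t, addr) for t in exclude))


def allow_access(hosts_allow, hosts_deny, client):
    """Decision order of smbd's allow_access(): allow wins over deny, and
    when both lists are set a client matching neither is still allowed."""
    addr = ipaddress.ip_address(client)
    if addr.is_loopback:
        # loopback is refused only when it is explicitly denied and not allowed
        return not (list_match(hosts_deny, addr) and not list_match(hosts_allow, addr))
    if not hosts_deny and not hosts_allow:
        return True
    if not hosts_deny:
        return list_match(hosts_allow, addr)
    if not hosts_allow:
        return not list_match(hosts_deny, addr)
    if list_match(hosts_allow, addr):
        return True
    if list_match(hosts_deny, addr):
        return False
    return True


if __name__ == "__main__":
    allow, deny = "192.168.1.0/255.255.255.0", "192.168.2."
    for ip in ("192.168.1.5", "192.168.2.9", "10.0.0.1"):
        print(ip, allow_access(allow, deny, ip))
    print("10.0.0.1 with hosts deny = ALL:", allow_access(allow, "ALL", "10.0.0.1"))
```

The usual fix is hosts deny = ALL next to the hosts allow list; the last line of the demo shows 10.0.0.1 then being refused.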
Configure NSS so that users and groups resolve through winbind (/etc/nsswitch.conf):
passwd: files winbind
group: files winbind
hosts: files dns winbind
(NSS must be set up for both domain and ADS membership)
[global]
workgroup = CHENGMDEMO //domain name
netbios name = fc18-test
security = domain //domain security mode
(encrypt passwords = Yes, password server = )
idmap uid = 15000-20000
idmap gid = 15000-20000 (these two lines can be replaced by: idmap config * : range = 100000-5000000)
winbind use default domain = false
winbind separator = + //the default is \, but \ is also the shell escape character, so users would have to be typed as domain\\username
winbind offline logon = false
template shell = /bin/false
[ homes ]
comment = Home Directories
valid users= %S
read only = No
browseable = No
[ public ]
comment = Data
path = /export/public
read only = No
guest ok =Yes
[ printers ]
comment = All Printers
path = /var/spool/samba
printer admin = root , maryo
create mask = 0600
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No
net rpc join -Uroot%passwd
Joined domain MIDEARTH
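One check worth running on the member-server configuration above before starting winbindd, as an added Python example (not from the notes): confirm that an allocation range is actually configured (without one winbindd cannot map domain users at all) and that no local account in /etc/passwd or /etc/group already sits inside that range, because a local UID inside the winbind range means a domain user can end up owning a local user's files. GLOBAL, PASSWD and GROUP are constructed samples based on the configuration above; the svc-backup account is invented to show a collision.

```python
# Constructed samples: the [global] lines from the member-server config above,
# plus passwd(5)/group(5) extracts with one invented account (svc-backup)
# that someone created by hand inside the winbind range.
GLOBAL = """
workgroup = CHENGMDEMO
security = domain
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind use default domain = false
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
svc-backup:x:15500:15500::/var/backups:/bin/false
nobody:x:65534:65534::/:/sbin/nologin
"""
GROUP = """\
root:x:0:
users:x:100:
ntadmins:x:1001:
nobody:x:65534:
"""


def parse_range(value):
    """'15000-20000' -> (15000, 20000); rejects inverted ranges."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo > hi:
        raise ValueError(f"inverted idmap range {value!r}")
    return lo, hi


def idmap_ranges(global_text):
    """Pick the winbind allocation ranges out of [global]: either the old
    idmap uid / idmap gid pair or the Samba 4 idmap config * : range form."""
    found = {}
    for line in global_text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.replace(" ", "").lower()
        if key in ("idmapuid", "idmapgid"):
            found[key[5:]] = parse_range(value.strip())
        elif key == "idmapconfig*:range":
            found["uid"] = found["gid"] = parse_range(value.strip())
    return found


def parse_ids(text):
    """(name, numeric id) pairs from passwd- or group-format lines."""
    out = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            out.append((fields[0], int(fields[2])))
    return out


def collisions(rng, ids):
    lo, hi = rng
    return sorted(name for name, i in ids if lo <= i <= hi)


def check(global_text, passwd_text, group_text):
    """Problems found; an empty list means winbind can allocate safely."""
    ranges = idmap_ranges(global_text)
    if "uid" not in ranges or "gid" not in ranges:
        return ["no idmap range: winbindd cannot allocate UIDs/GIDs"]
    problems = []
    for kind, text in (("uid", passwd_text), ("gid", group_text)):
        hit = collisions(ranges[kind], parse_ids(text))
        if hit:
            problems.append(f"local {kind}s inside idmap {kind} range {ranges[kind]}: {hit}")
    return problems


if __name__ == "__main__":
    print(check(GLOBAL, PASSWD, GROUP) or "ok")
```

Run check() against the real files (getent passwd / getent group with winbind temporarily out of nsswitch.conf gives the local-only view) whenever the range is changed, since winbindd_idmap keeps the old allocations.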
[global]
workgroup = MIDEARTH
netbios name = FRODO
passdb backend = tdbsam
(domain controller parameters)
os level = 35 (above 32)
security = user
encrypt passwords = Yes
preferred master = Yes
domain master = Yes
domain logons = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
(groupmod -A / -R are SUSE extensions; on shadow-utils systems -R means --root, so use /usr/bin/gpasswd -a %u %g and /usr/bin/gpasswd -d %u %g there)
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
# Note : The following specifies the default logon script.
# Per user logon scripts can be specified in the user account using pdbedit
logon script = scripts\logon.bat
# This sets the default profile path . Set per user paths with pdbedit
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
printcap name = cups
printing = cups
[ homes ]
comment = Home Directories
valid users = %S
read only = No
browseable = No
# Printing auto-share (makes printers available thru CUPS)
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = root , maryo
create mask = 0600
guest ok = Yes
printable = Yes
browseable = No
[ print$]
comment = Printer Drivers Share
path = /var/lib/samba/drivers
write list = maryo , root
printer admin = maryo , root
#Needed to support domain logons
[ netlogon ]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root , maryo
guest ok = Yes
browseable = No
# For profiles to work, create a user directory under the path
# shown, i.e. mkdir -p /var/lib/samba/profiles/maryo
[ Profiles ]
comment = Roaming Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
# Other resource (share/printer) definitions would follow below.
Assign a UNIX group to each NT group: initGroups.sh, placed in /var/lib/samba/netlogon/scripts
#!/bin/bash
### keep this as a shell script for future re-use
# The UNIX groups (ntadmins, users, designers, ...) must exist before they are mapped
# First assign the well-known groups; the RIDs 512/513/514 are fixed by Windows,
# and a wrong RID leaves "Domain Admins" as an ordinary group
net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d
net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
# Now add our own domain groups
net groupmap add ntgroup="Designers" unixgroup=designers type=d
net groupmap add ntgroup="Engineers" unixgroup=engineers type=d
net groupmap add ntgroup="QA Team" unixgroup=qateam type=d
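The script above hard-codes the well-known RIDs, and that is exactly where a typo is expensive: a Domain Admins mapping with the wrong RID, or one pointing at a UNIX group that does not exist, leaves the domain without a working administrators group. As an added Python example (not from the notes or from the Samba HOWTO), the following takes the same mapping table, verifies that each UNIX group exists in a group(5) extract and that the well-known groups use their fixed RIDs (512, 513, 514), and only then emits the net groupmap add lines. GROUP_FILE is constructed for the example and deliberately lacks qateam.

```python
import shlex

# Fixed by Windows: these RIDs identify the built-in domain groups.
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

# Mapping table from initGroups.sh above: (NT group, UNIX group, RID or None).
MAPPINGS = [
    ("Domain Admins", "ntadmins", 512),
    ("Domain Users", "users", 513),
    ("Domain Guests", "nobody", 514),
    ("Designers", "designers", None),
    ("Engineers", "engineers", None),
    ("QA Team", "qateam", None),
]

# Constructed group(5) extract: qateam has not been created yet.
GROUP_FILE = """\
root:x:0:
users:x:100:
nobody:x:65534:
ntadmins:x:1001:
designers:x:1002:
engineers:x:1003:
"""


def unix_groups(group_text):
    return {line.split(":")[0] for line in group_text.splitlines()
            if line and not line.startswith("#")}


def build_groupmap(mappings, group_text):
    """Return (shell commands, errors). Nothing is emitted for a bad entry."""
    existing = unix_groups(group_text)
    cmds, errors = [], []
    for nt, ux, rid in mappings:
        want = WELL_KNOWN_RIDS.get(nt)
        if want is not None and rid != want:
            errors.append(f"{nt}: must use rid={want}, got {rid}")
            continue
        if ux not in existing:
            errors.append(f"{nt}: UNIX group {ux!r} does not exist, run groupadd first")
            continue
        argv = ["net", "groupmap", "add", f"ntgroup={nt}", f"unixgroup={ux}"]
        if rid is not None:
            argv.append(f"rid={rid}")
        argv.append("type=d")                  # d = domain group
        cmds.append(shlex.join(argv))          # quotes names containing spaces
    return cmds, errors


if __name__ == "__main__":
    commands, problems = build_groupmap(MAPPINGS, GROUP_FILE)
    print("\n".join(commands))
    for p in problems:
        print("ERROR:", p)
```

Pipe the generated lines into a shell only when the error list is empty, and confirm the result afterwards with net groupmap list, which shows the SID (ending in the RID) next to each UNIX group.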