Samba configuration

Source: Internet  Editor: 程序博客网  Time: 2024/04/26 05:43
1. Server-side Samba

[root@rong ~]# yum -y install samba    (install samba)
[root@rong ~]# vi /etc/samba/smb.conf   (edit the configuration file)


1. Global parameters
[public]
comment = Public Stuff ZR
path = /sambclient
public = yes
writable = yes
printable = no
write list = +staff
valid users = smbuser
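This section sets the rules for the whole system and defines some common variables.
netbios name=web
Defines the machine name shown in "Network Neighborhood" on Windows systems.
workgroup=SambaServer
Defines the server's workgroup name.
server string=Samba Server
Descriptive information about the host.
hosts allow=127.
guest account=smbuser
Defines the smb user name.
security=user
Defines the access level. There are three levels, from low to high: share, user and server. share is the lowest security level; user mode requires a user name and password when connecting, and the smb network user can be created with the following commands:
#adduser smbuser     Adds the user as a Linux user.
#smbpasswd -a smbuser     Adds the user as an smb user.
server mode requires that user authentication be performed by a Samba server or an NT server.
Using the local machine's user names is not very secure, so set up smb account mapping.
Add to the configuration file: username map = /etc/samba/smbusers
In the smbusers file, the right-hand side is the mapped account, which can be used to access samba; the samba password can be set to differ from the system account's password, which improves security.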

#====================== Global Settings =====================================
# Overall environment settings for the samba service
[global]
# Workgroup name
workgroup = workgroup
# Server description
server string = rong server
# Restricts the IP ranges that may access this service; by default everything is allowed.
# To set it, remove the leading ";"
; hosts allow = 192.168.0.  127.
# Printer configuration file
printcap name = /etc/printcap
# Whether to share printers
load printers = yes
# bsd, sysv, plp, lprng, aix, hpux, qnx, cups
# Printer type. The standard printer types are the ones listed above.
printing = cups
# pcguest is the user name (it can be changed). Remove the leading ";" to let users log in
# anonymously as pcguest, but make sure this user exists in /etc/passwd.
; guest account = pcguest
# Creates a separate log file for each user that logs in to the server.
log file = /var/log/samba/%m.log
# Log file size; "0" means unlimited
max log size = 0
# The following are the smb.conf settings for the server's security level
# There are four security levels: share, user, server, domain
security = SHARE
; password server = <password authentication server>
# Password level
; password level = 8
; username level = 8
# Encrypt user passwords; they can of course also be left unencrypted
encrypt passwords = yes
# Needed when the samba server itself is the password server: it names the file used for
# authentication. This is the path of that file. Not needed if a Windows server is specified
# as the password server.
smb passwd file = /etc/samba/smbpasswd
; ssl CA certFile = /usr/share/ssl/certs/ca-bundle.crt
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
pam password change = yes
# Can be left unset if every Windows user has an account on the samba server
; username map = /etc/samba/smbusers
; include = /etc/samba/smb.conf.%m
obey pam restrictions = yes
# If there are several network segments, list them here
; interfaces = 192.168.12.2/24 192.168.13.2/24
; remote announce = 192.168.1.255 192.168.2.44
; local master = no
; os level = 33
; domain master = yes
; preferred master = yes
; domain logons = yes
; logon script = %m.bat
; logon script = %U.bat
; logon path = \\%L\Profiles\%U
# WINS server support
; wins support = yes
; wins server = w.x.y.z
# WINS proxy setting
; wins proxy = yes
# DNS proxy setting
dns proxy = no
; preserve case = no
; short preserve case = no
; default case = lower
; case sensitive = no
#============================ Share Definitions ==============================
# Settings for users accessing their own directories
[homes]
# Description (the same applies below)
comment = Home Directories
# Whether other people can browse the directory
browseable = no
# Users' write permission on their own directory
writeable = yes
valid users = %S
create mode = 0664
directory mode = 0775
# This section sets the logon directory for domain users
; [netlogon]
; comment = Network Logon Service
; path = /usr/local/samba/lib/netlogon
; guest ok = yes
; writable = no
; share modes = no
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes
# Printer settings
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes
# Shared resource for users
;[tmp]
; comment = Temporary file space
# The directory can be customized; just remove the leading ";"
; path = /tmp
# Whether the share is read-only or writable
; read only = no
; public = yes
# Shared resource for users
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = @staff
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /home/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
;[pchome]
; comment = PC Directories
; path = /usr/local/pc/%m
; public = no
; writable = yes
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
[my work]
comment = is me work
path = /root/my work
valid users = angel
public = yes
writeable = yes

#####################################################################

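Once you understand the smb.conf file, the rest is easy. We now go through the samba server's four security levels one by one.

1. share-level configuration
This is the lowest of the four levels, and the method is also the simplest. We only need to modify the smb.conf file a little.
workgroup = hackase
server string = angel server
# Only the 192.168.1 network segment may access the server
hosts allow = 192.168.1.
printcap name = /etc/printcap
# Share printers
load printers = yes
# Use the Linux standard printing system
printing = cups
guest account = angel
log file = /var/log/samba/%m.log
max log size = 20
security = share
===================================================================
The other settings can stay at their defaults; you can also delete all the comments, as I did. Remove the ";" from the [tmp] section. The path can be changed.
Restart the service:
/etc/samba/smb restart    (service smb restart also works)
testparm can be used to test whether our configuration file is correct:
===================================================================
[root@localhost root]# testparm    ([printers] was commented out during this test, so it does not appear here)
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[tmp]"
Processing section "[my]"
Loaded services file OK.    (if there are errors, they are listed here)
Press enter to see a dump of your service definitions
==================================================================
Use the smbclient command to view the network shares
===================================================================
[root@localhost etc]# smbclient -L localhost    (the local host name is localhost)
Password:
Domain=[HACKBASE] OS=[Unix] Server=[Samba 2.2.7a]
Sharename  Type     Comment
---------  ----     -------
tmp        Disk     Temporary file space
my         Disk     is me
IPC$       IPC      IPC Service (angel server)
ADMIN$     Disk     IPC Service (angel server)
root       Printer  Home Directories
Server     Comment
---------  -------
Workgroup  Master
---------  -------
=======================================================================

2. user-level configuration
The user level is slightly more secure than the share level. It is very simple: start from the share-level configuration and change it a little. Change the field security = share to security = user, then add the following fields:
# This user name exists on the machine; if you do not have it, create it
guest account = angel
encrypt passwords=yes
smb passwd file=/etc/samba/smbpasswd
(1) Generate the password file.
# cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
This command generates the password file "/etc/samba/smbpasswd", which is the one we just added with "smb passwd file=/etc/samba/smbpasswd".
(2) We know that accounts are created in the /etc/passwd file; we need to use the smbpasswd command to set the samba server password for the account just created.
The format is: smbpasswd angel
(3) Restart the samba server service.
The user level is now done as well. You can test it with the testparm and smbclient commands. Windows users who want access have to enter angel and the password, so your shared resources are no longer accessible to just anyone.

3. server-level configuration
The server level is again a little higher than the user level; it only needs a few changes to the user-level configuration.
(1) Change the field security = user to: security = server
(2) Add password server = ******    (the password server; this can be your Windows primary domain controller or another samba server; the name here is only a placeholder)
(3) Comment out smb passwd file=/etc/samba/smbpasswd
(4) Restart the samba server service. You can test it with the testparm and smbclient commands.
That is another one done. Now, when a Windows machine logs on to the ****** domain server (the one set with password server = ******), it is logged on to the samba server at the same time. If your computer is already in the ***** primary domain, you can enter your own account and password to open the files on the samba server, but you must make sure that the accounts and passwords on ***** and on the samba server are the same.

4. domain-level configuration
The domain level is the highest level in samba server. It mainly consists of joining samba to the domain and using the domain server as the samba server's password server. The domain-level configuration is actually also simple; it only needs these changes on top of the user level:
(1) Add the fields:
# Choose a NetBIOS name; put it at the very top of the smb.conf file
netbios name = main
# Use the primary domain controller ** as the password server
password server = **
(2) Change the field security = user to: security = domain
# ***** is the domain name of the primary domain controller
workgroup = *****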
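
An added example, not part of the original post: a small Python audit of smb.conf for the weaker settings this walkthrough passes through (the share and server security modes, no hosts allow restriction, max log size = 0, and guest-accessible shares that are also writable). SAMPLE is constructed from settings shown on this page, and the function names are hypothetical.

```python
import re

# Constructed sample that combines settings shown on this page.
SAMPLE = """\
[global]
; hosts allow = 192.168.1.
max log size = 0
security = share
[tmp]
read only = no
public = yes
[my work]
public = yes
writeable = yes
[homes]
writeable = yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lose case and whitespace, values lose case."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = conf.setdefault(header.group(1).strip().lower(), {})
        elif section is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            section[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return conf

def on(params, names, default=False):  # is any of these synonymous booleans enabled?
    values = [params[n] for n in names if n in params]
    return any(v in ("yes", "true", "1") for v in values) if values else default

def audit(text):
    """Return (section, finding) pairs for the weak settings discussed on this page."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    checks = [  # share and server modes were removed in Samba 4.0
        (g.get("security") in ("share", "server"), "legacy security mode"),
        ("hostsallow" not in g, "no hosts allow restriction"),
        (g.get("maxlogsize") == "0", "unlimited log size"),
    ]
    out = [("global", msg) for hit, msg in checks if hit]
    for name, s in conf.items():
        writable = on(s, ["writable", "writeable", "writeok"]) or not on(s, ["readonly"], default=True)
        if name != "global" and on(s, ["public", "guestok"]) and writable:
            out.append((name, "guest-writable share"))
    return out
```

Run audit() on the text of /etc/samba/smb.conf after testparm reports the file as loadable; continuation lines ending in a backslash are not handled by this parser.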


#################################################################
Windows clients access the share through its UNC path.
Linux client access:
smbclient //192.168.0.2/public -U share%sharetest
or: mount -t cifs //192.168.0.2/public /mnt/ -o username=share%sharetest



This article comes from the “Mr_Z” blog; please be sure to keep this source: http://zhangrong.blog.51cto.com/2196532/933453
