Linux_Service: Samba

Source: Internet  Published: 开源代码网站 知乎  Editor: 程序博客网  Time: 2024/05/04 22:30

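The Samba service

Introduction to Samba

SMB (Server Message Block) is a communication protocol for sharing files and printers on a local area network; it lets the different computers on a LAN share resources such as files and printers with one another. Because the name SMB could not be registered, the project was named Samba. Samba was developed on top of the NetBIOS protocol, so it can communicate with Windows, but only within a LAN.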

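Samba installation and ports

Samba packages:

samba /*main server package*/
samba-client /*client*/
samba-common /*common tools*/
samba4-libs /*libraries*/
samba-winbind /*Windows domain mapping*/
samba-winbind-clients /*domain mapping client*/

(Querying the Samba packages already installed on the system shows that everything except the main samba package is in place.)

    [root@TestServer Packages]# rpm -ivh samba-3.6.9-164.el6.x86_64.rpm
    warning: samba-3.6.9-164.el6.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
    Preparing...                ########################################### [100%]
       1:samba                  ########################################### [100%]

/*Install the main samba package. The NOKEY warning means rpm could not verify the package signature because the signing key has not been imported.*/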

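Samba daemons:

smbd: provides shared access to the server's file and print resources (ports 139 and 445)

nmbd: provides NetBIOS host name resolution (ports 137 and 138)

Starting the Samba services:

    [root@TestServer /]# service smb start
    启动 SMB 服务:                                            [确定]
    [root@TestServer /]# service nmb start
    启动 NMB 服务:                                            [确定]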

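Samba-related files

/etc/samba/smb.conf /*configuration file*/

/etc/samba/lmhosts /*maps NetBIOS names to host IP addresses; Samba normally looks names up automatically (this file only takes effect locally)*/

/etc/samba/smbpasswd /*Samba password file (does not exist by default)*/

/etc/samba/smbusers /*user aliases, used to accommodate the user-naming habits of different operating systems. Requires the "username map" option in the configuration file*/

(Tip: run testparm to check that the configuration file is correct.)

The configuration file in detail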

/etc/samba/smb.conf

    # This is the main Samba configuration file. You should read the
    # smb.conf(5) manual page in order to understand the options listed
    # here. Samba has a huge number of configurable options (perhaps too
    # many!) most of which are not shown in this example
    #
    # For a step to step guide on installing, configuring and using samba,
    # read the Samba-HOWTO-Collection. This may be obtained from:
    #  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
    #
    # Many working examples of smb.conf files can be found in the
    # Samba-Guide which is generated daily and can be downloaded from:
    #  http://www.samba.org/samba/docs/Samba-Guide.pdf
    #
    # Any line which starts with a ; (semi-colon) or a # (hash)
    # is a comment and is ignored. In this example we will use a #
    # for commentry and a ; for parts of the config file that you
    # may wish to enable
    #
    # NOTE: Whenever you modify this file you should run the command "testparm"
    # to check that you have not made any basic syntactic errors.
    #
    #---------------
    # SELINUX NOTES:
    #
    # If you want to use the useradd/groupadd family of binaries please run:
    # setsebool -P samba_domain_controller on
    #
    # If you want to share home directories via samba please run:
    # setsebool -P samba_enable_home_dirs on
    #
    # If you create a new directory you want to share you should mark it as
    # "samba_share_t" so that selinux will let you write into it.
    # Make sure not to do that on system directories as they may already have
    # been marked with othe SELinux labels.
    #
    # Use ls -ldZ /path to see which context a directory has
    #
    # Set labels only on directories you created!
    # To set a label use the following: chcon -t samba_share_t /path
    #
    # If you need to share a system created directory you can use one of the
    # following (read-only/read-write):
    # setsebool -P samba_export_all_ro on
    # or
    # setsebool -P samba_export_all_rw on
    #
    # If you want to run scripts (preexec/root prexec/print command/...) please
    # put them into the /var/lib/samba/scripts directory so that smbd will be
    # allowed to run them.
    # Make sure you COPY them and not MOVE them so that the right SELinux context
    # is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
    #
    #--------------
    #
    #======================= Global Settings =====================================

    [global]

    # ----------------------- Network Related Options -------------------------
    #
    # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
    #
    # server string is the equivalent of the NT Description field
    #
    # netbios name can be used to specify a server name not tied to the hostname
    #
    # Interfaces lets you configure Samba to use multiple interfaces
    # If you have multiple network interfaces then you can list the ones
    # you want to listen on (never omit localhost)
    #
    # Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
    # specifiy it as a per share option as well
    #
            workgroup = MYGROUP
            server string = Samba Server Version %v

    ;       netbios name = MYSERVER

    ;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
    ;       hosts allow = 127. 192.168.12. 192.168.13.

    # --------------------------- Logging Options -----------------------------
    #
    # Log File let you specify where to put logs and how to split them up.
    #
    # Max Log Size let you specify the max size log files should reach

            # logs split per machine
            log file = /var/log/samba/log.%m
            # max 50KB per log file, then rotate
            max log size = 50

    # ----------------------- Standalone Server Options ------------------------
    #
    # Scurity can be set to user, share(deprecated) or server(deprecated)
    #
    # Backend to store user information in. New installations should
    # use either tdbsam or ldapsam. smbpasswd is available for backwards
    # compatibility. tdbsam requires no further configuration.

            security = user
            passdb backend = tdbsam

    # ----------------------- Domain Members Options ------------------------
    #
    # Security must be set to domain or ads
    #
    # Use the realm option only with security = ads
    # Specifies the Active Directory realm the host is part of
    #
    # Backend to store user information in. New installations should
    # use either tdbsam or ldapsam. smbpasswd is available for backwards
    # compatibility. tdbsam requires no further configuration.
    #
    # Use password server option only with security = server or if you can't
    # use the DNS to locate Domain Controllers
    # The argument list may include:
    #   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
    # or to auto-locate the domain controller/s
    #   password server = *

    ;       security = domain
    ;       passdb backend = tdbsam
    ;       realm = MY_REALM

    ;       password server = <NT-Server-Name>

    # ----------------------- Domain Controller Options ------------------------
    #
    # Security must be set to user for domain controllers
    #
    # Backend to store user information in. New installations should
    # use either tdbsam or ldapsam. smbpasswd is available for backwards
    # compatibility. tdbsam requires no further configuration.
    #
    # Domain Master specifies Samba to be the Domain Master Browser. This
    # allows Samba to collate browse lists between subnets. Don't use this
    # if you already have a Windows NT domain controller doing this job
    #
    # Domain Logons let Samba be a domain logon server for Windows workstations.
    # You need to provide it in a share called NETLOGON
    #
    # Logon Path let you specify where user profiles are stored (UNC path)
    #
    # Various scripts can be used on a domain controller or stand-alone
    # machine to add or delete corresponding unix accounts
    #
    ;       security = user
    ;       passdb backend = tdbsam

    ;       domain master = yes
    ;       domain logons = yes

            # the login script name depends on the machine name
    ;       logon script = %m.bat
            # the login script name depends on the unix user used
    ;       logon script = %u.bat
    ;       logon path = \\%L\Profiles\%u
            # disables profiles support by specifing an empty path
    ;       logon path =

    ;       add user script = /usr/sbin/useradd "%u" -n -g users
    ;       add group script = /usr/sbin/groupadd "%g"
    ;       delete user script = /usr/sbin/userdel "%u"
    ;       delete user from group script = /usr/sbin/userdel "%u" "%g"
    ;       delete group script = /usr/sbin/groupdel "%g"

    # ----------------------- Browser Control Options ----------------------------
    #
    # set local master to no if you don't want Samba to become a master
    # browser on your network. Otherwise the normal election rules apply
    #
    # OS Level determines the precedence of this server in master browser
    # elections. The default value should be reasonable
    #
    # Preferred Master causes Samba to force a local browser election on startup
    # and gives it a slightly higher chance of winning the election
    ;       local master = no
    ;       os level = 33
    ;       preferred master = yes

    #----------------------------- Name Resolution -------------------------------
    # Windows Internet Name Serving Support Section:
    # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
    #
    # - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
    #
    # - WINS Server: Tells the NMBD components of Samba to be a WINS Client
    #
    # - WINS Proxy: Tells Samba to answer name resolution queries on
    #   behalf of a non WINS capable client, for this to work there must be
    #   at least one WINS Server on the network. The default is NO.
    #
    # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
    # via DNS nslookups.

    ;       wins support = yes
    ;       wins server = w.x.y.z
    ;       wins proxy = yes

    ;       dns proxy = yes

    # --------------------------- Printing Options -----------------------------
    #
    # Load Printers let you load automatically the list of printers rather
    # than setting them up individually
    #
    # Cups Options let you pass the cups libs custom options, setting it to raw
    # for example will let you use drivers on your Windows clients
    #
    # Printcap Name let you specify an alternative printcap file
    #
    # You can choose a non default printing system using the Printing option

            load printers = yes
            cups options = raw

    ;       printcap name = /etc/printcap
            #obtain list of printers automatically on SystemV
    ;       printcap name = lpstat
    ;       printing = cups

    # --------------------------- Filesystem Options ---------------------------
    #
    # The following options can be uncommented if the filesystem supports
    # Extended Attributes and they are enabled (usually by the mount option
    # user_xattr). Thess options will let the admin store the DOS attributes
    # in an EA and make samba not mess with the permission bits.
    #
    # Note: these options can also be set just per share, setting them in global
    # makes them the default for all shares

    ;       map archive = no
    ;       map hidden = no
    ;       map read only = no
    ;       map system = no
    ;       store dos attributes = yes

    #============================ Share Definitions ==============================

    [homes]
            comment = Home Directories
            browseable = no
            writable = yes
    ;       valid users = %S
    ;       valid users = MYDOMAIN\%S

    [printers]
            comment = All Printers
            path = /var/spool/samba
            browseable = no
            guest ok = no
            writable = no
            printable = yes

    # Un-comment the following and create the netlogon directory for Domain Logons
    ;       [netlogon]
    ;       comment = Network Logon Service
    ;       path = /var/lib/samba/netlogon
    ;       guest ok = yes
    ;       writable = no
    ;       share modes = no

    # Un-comment the following to provide a specific roving profile share
    # the default is to use the user's home directory
    ;       [Profiles]
    ;       path = /var/lib/samba/profiles
    ;       browseable = no
    ;       guest ok = yes

    # A publicly accessible directory, but read only, except for people in
    # the "staff" group
    ;       [public]
    ;       comment = Public Stuff
    ;       path = /home/samba
    ;       public = yes
    ;       writable = yes
    ;       printable = no
    ;       write list = +staff

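(# marks a comment; ; marks an example setting)

Structure of the configuration file

[global] /*global settings*/

[homes] /*home directory share settings*/

[printers] /*printer share settings*/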

--------------------------------------------------------------------------------------------------------------------------------------------------

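workgroup = MYGROUP /*name of the workgroup the server belongs to*/
server string = Samba Server Version %v /*description returned by the server (by default it echoes the server's Samba version number)*/

; netbios name = MYSERVER /*NetBIOS name of the Samba server*/

; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 /*network interface addresses the server listens on*/
; hosts allow = 127. 192.168.12. 192.168.13. /*client network addresses allowed to connect to the Samba server*/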

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# logs split per machine
log file = /var/log/samba/log.%m /*location of the log files*/
# max 50KB per log file, then rotate
max log size = 50 /*maximum size of a log file (the default is 50 KB; once exceeded, earlier content is overwritten)*/

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

security = user

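/*security: the security level. Possible values:

share: access without a password

user: log in with a system user name and a Samba password

server: authentication is provided by another server

domain: authentication is provided by a domain controller*/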

passdb backend = tdbsam

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

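comment = Home Directories /*description shown by the server; in effect a note on the shared directory*/

path = /var/spool/samba /*physical location of the shared directory*/

guest ok = no /*allow access by everyone; equivalent to public*/

read only: /*read-only for everyone*/

writable = no /*whether everyone is allowed to write*/

write list = +staff /*grant write permission to the specified users*/

browseable = no /*if set to no, the shared directory is not visible even after logging in to the sharing computer; enabling it is the suggested default, otherwise the shared directory is hidden*/

valid users = %S /*allow the specified users to access*/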

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

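Common variables:

%v /*Samba version number*/

%S /*any user can log in*/

%m /*NetBIOS host name of the client*/

%L /*NetBIOS host name of the server*/

%u /*name of the currently logged-in user*/

%g /*group name of the currently logged-in user*/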

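Basic Samba usage

Share-level access

1. Change the workgroup and the server description as needed (the workgroup name does not affect file sharing; keeping the default server description is not recommended, because it may lower the server's security)

            workgroup = MYGROUP
    #       server string = Samba Server Version %v
            server string = JinDaoer Samba Server

2. Change the security level to share (share level allows access without a user name or password, which amounts to anonymous access)

    #       security = user
            security = share
            passdb backend = tdbsam

(Note: lines starting with # are comments; lines starting with ; are examples, and the examples can be used directly)

3. Edit the share information (share name, shared directory, access permissions and so on)

    #============================ Share Definitions ==============================

    ;[homes]
    ;       comment = Home Directories
    ;       browseable = no
    ;       writable = yes
    ;       valid users = %S
    ;       valid users = MYDOMAIN\%S

    [JinDaoerShare]
            comment = FileShare
            path = /share
            browseable = yes
            guest ok = yes
            writable = yes

    ;[printers]
    ;       comment = All Printers
    ;       path = /var/spool/samba
    ;       browseable = no
    ;       guest ok = no
    ;       writable = no
    ;       printable = yes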

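4. Create the shared directory (the directory name must match the directory given in path; the name inside [] is only the share name)

    [root@TestServer ~]# mkdir /share

5. Give the system user the corresponding permissions

    [root@TestServer ~]# chown nobody /share

/*Change the owner of /share to nobody. Otherwise, even if smb.conf grants the permission, file operations fail when the filesystem permission is missing. In other words, the permissions in smb.conf and the filesystem permissions must both be satisfied before a client can operate on files.*/

6. testparm (test the configuration file)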

    [root@TestServer ~]# testparm
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Processing section "[JinDaoerShare]"
    WARNING: The security=share option is deprecated
    Loaded services file OK.
    WARNING: You have some share names that are longer than 12 characters.
    These may not be accessible to some older clients.
    (Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
    Server role: ROLE_STANDALONE
    Press enter to see a dump of your service definitions

    [global]
            workgroup = MYGROUP
            server string = JinDaoer Samba Server
            security = SHARE
            log file = /var/log/samba/log.%m
            max log size = 50
            idmap config * : backend = tdb
            cups options = raw

    [JinDaoerShare]
            comment = FileShare
            path = /share
            read only = No
            guest ok = Yes

7. Restart the Samba services

    [root@TestServer ~]# service smb restart && service nmb restart
    关闭 SMB 服务:                                            [确定]
    启动 SMB 服务:                                            [确定]
    关闭 NMB 服务:                                            [确定]
    启动 NMB 服务:                                            [确定]
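
A read-only check for the settings this walkthrough touches (security = share, a guest-writable share, no hosts allow, a version-revealing server string), run over a constructed copy of the configuration from steps 1-3. This is an added example, not part of the original post; the function name audit_smb_conf and the finding labels are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): flag risky smb.conf settings.
# audit_smb_conf and the finding labels are illustrative names, not Samba tools.

audit_smb_conf() {          # reads smb.conf text from the files given, or stdin
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function on(k)   { return (k in p) && tolower(p[k]) ~ /^(yes|true|1)$/ }
    function report(   guest, rw) {
        if (sec == "") return
        if (tolower(sec) == "global") {
            # share level: no user name or password is required at all
            if (("security" in p) && tolower(p["security"]) == "share")
                print "SECURITY_SHARE"
            # %v puts the Samba version in the description sent to clients;
            # the built-in default ("Samba %v") does the same
            if (!("server string" in p) || p["server string"] ~ /%v/)
                print "VERSION_BANNER"
            # without hosts allow, any address that reaches the ports may connect
            if (!("hosts allow" in p) && !("allow hosts" in p))
                print "NO_HOSTS_ALLOW"
        } else {
            guest = on("guest ok") || on("public")
            # writable/writeable/write ok are inverted synonyms of read only
            rw = on("writable") || on("writeable") || on("write ok") ||
                 (("read only" in p) && !on("read only"))
            if (guest && rw)  print "GUEST_WRITABLE " sec
            else if (guest)   print "GUEST_READ " sec
        }
        split("", p)                      # portable way to empty the array
    }
    /^[ \t]*([#;]|$)/ { next }            # comments, ";" examples, blank lines
    /^[ \t]*\[/ {                         # [section] header: report the previous one
        report(); s = trim($0); sec = substr(s, 2, index(s, "]") - 2); next
    }
    {
        i = index($0, "="); if (i == 0) next
        k = tolower(trim(substr($0, 1, i - 1))); gsub(/[ \t]+/, " ", k)
        p[k] = trim(substr($0, i + 1))
    }
    END { report() }
    ' "$@"
}

# Constructed sample: the share-level configuration built in steps 1-3 above.
sample_share_conf() {
    cat <<'EOF'
[global]
        workgroup = MYGROUP
#       server string = Samba Server Version %v
        server string = JinDaoer Samba Server
#       security = user
        security = share
        passdb backend = tdbsam
;       hosts allow = 127. 192.168.12. 192.168.13.
[JinDaoerShare]
        comment = FileShare
        path = /share
        browseable = yes
        guest ok = yes
        writable = yes
EOF
}

sample_share_conf | audit_smb_conf
```

On a real server the same function can be pointed at the file directly: audit_smb_conf /etc/samba/smb.conf.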

User-level access

1. Set the security level to user (user is the default security level)

security = user
passdb backend = tdbsam

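2. Edit the share information (share name, share path, access permissions and so on)

    [UserShare]
            comment = UserShare
            path = /UserShare
            browseable = yes
            writable = yes

[UserShare] /*name of the share*/
comment = UserShare /*description of the share returned to clients*/
path = /UserShare /*physical path of the shared directory*/
browseable = yes /*whether the share is visible on the network*/
writable = yes /*allow all users to upload*/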

3. Create the shared directory and set its permissions (the directory name must match the directory given in path)

    [root@TestServer /]# mkdir /UserShare
    [root@TestServer /]# chown test /UserShare/
    [root@TestServer /]# ll -d /UserShare/
    drwxr-xr-x 2 test root 4096 2月  20 00:57 /UserShare/

4. Give the system user a Samba password (a Samba login uses the system user name plus a Samba password, so even if the system user name and the Samba password leak, the security of the system is not threatened)

4.1 First create a test system user for testing the Samba service (skip this step if a user already exists)

    [root@TestServer /]# useradd test
    [root@TestServer /]# echo -e "test" | passwd --stdin test
    更改用户 test 的密码 。
    passwd: 所有的身份验证令牌已经成功更新。

4.2 Give the system user a Samba password (setting a Samba password for a user that does not exist on the system produces an error)

    [root@TestServer /]# smbpasswd -a test
    New SMB password:
    Retype new SMB password:

4.3 Run testparm to check that the configuration file is correct

    [root@TestServer /]# testparm
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Processing section "[UserShare]"
    Loaded services file OK.
    Server role: ROLE_STANDALONE
    Press enter to see a dump of your service definitions

    [global]
            workgroup = MYGROUP
            server string = JinDaoer Samba Server
            log file = /var/log/samba/log.%m
            max log size = 50
            idmap config * : backend = tdb
            cups options = raw

    [UserShare]
            comment = UserShare
            path = /UserShare
            read only = No

4.4 Restart the smb service

    [root@TestServer /]# service smb restart && service nmb restart
    关闭 SMB 服务:                                            [确定]
    启动 SMB 服务:                                            [确定]
    关闭 NMB 服务:                                            [确定]
    启动 NMB 服务:                                            [确定]

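Permissions:

To access a share and upload to it:

Linux filesystem permissions must allow it

Samba service permissions must also allow it

Adding, deleting and listing users

Adding a Samba user

A user must already be a system user before it can be added as a Samba user

    pdbedit -a -u [existing system user name]
    smbpasswd -a [existing system user name]

Listing Samba users

    [root@TestServer /]# pdbedit -L        /*use pdbedit -L to list Samba users*/
    test:500:

Deleting a Samba user

    pdbedit -x -u [system user name]
    smbpasswd -x [system user name]

Example: [root@TestServer /]# pdbedit -x test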

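Samba permissions

Permissions on Samba shared directories

Filesystem permissions apply to the shared directory

Samba server permissions also apply to the shared directory

In real work and production environments there may be many shared directories and many users, with complex, overlapping permissions. In that case it is recommended to control access to the shared directories with filesystem permissions rather than with Samba's service permissions.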

Other uses of Samba

1. Mounting a share locally on the client

    mount -t cifs -o username=[user name] //[network location]/[share path] [local mount point]

Example:

    [root@JinDaoer /]# mount -t cifs -o username=test //192.168.1.103/UserShare /fileshare/
    Password: 
    [root@JinDaoer /]# ls /fileshare/
    Test
    [root@JinDaoer /]# 

(The mount point /fileshare must be an existing directory)

1.1 Viewing mount information

    [root@JinDaoer /]# mount
    /dev/sda2 on / type ext4 (rw)
    proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    devpts on /dev/pts type devpts (rw,gid=5,mode=620)
    tmpfs on /dev/shm type tmpfs (rw)
    /dev/sda1 on /boot type ext4 (rw)
    none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
    //192.168.1.103/UserShare/ on /fileshare type cifs (rw)

1.2 Automatic mounting

    [root@JinDaoer fileshare]# vi /etc/fstab

    #
    # /etc/fstab
    # Created by anaconda on Mon Feb 13 21:14:45 2017
    #
    # Accessible filesystems, by reference, are maintained under '/dev/disk'
    # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
    #
    UUID=b6ea8758-dff3-41fb-bf05-050e3e2f930a /                       ext4    defaults        1 1
    UUID=06877cfa-8fb6-40ca-a9f9-94e160f57995 /boot                   ext4    defaults        1 2
    tmpfs                   /dev/shm                tmpfs   defaults        0 0
    devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
    sysfs                   /sys                    sysfs   defaults        0 0
    proc                    /proc                   proc    defaults        0 0
    //192.168.1.103/UserShare       /fileshare      cifs    defaults,username=test,password=samba   1 2

1.3 Testing automatic mounting

1.3.1 First unmount everything mounted on /fileshare

    [root@JinDaoer ~]# mount
    /dev/sda2 on / type ext4 (rw)
    proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    devpts on /dev/pts type devpts (rw,gid=5,mode=620)
    tmpfs on /dev/shm type tmpfs (rw)
    /dev/sda1 on /boot type ext4 (rw)
    none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
    //192.168.1.103/UserShare on /fileshare type cifs (rw)
    [root@JinDaoer ~]# umount /fileshare/
    [root@JinDaoer ~]# mount
    /dev/sda2 on / type ext4 (rw)
    proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    devpts on /dev/pts type devpts (rw,gid=5,mode=620)
    tmpfs on /dev/shm type tmpfs (rw)
    /dev/sda1 on /boot type ext4 (rw)
    none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
    [root@JinDaoer ~]# 

1.3.2 Use mount -a to re-read the device entries in /etc/fstab and mount them

    [root@JinDaoer ~]# mount -a
    [root@JinDaoer ~]# mount
    /dev/sda2 on / type ext4 (rw)
    proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    devpts on /dev/pts type devpts (rw,gid=5,mode=620)
    tmpfs on /dev/shm type tmpfs (rw)
    /dev/sda1 on /boot type ext4 (rw)
    none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
    //192.168.1.103/UserShare on /fileshare type cifs (rw)

(This shows that the /etc/fstab entry was written correctly)
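
The /etc/fstab entry above stores the Samba password in a file that is normally readable by every local user. The added example below (not from the original post) finds such cifs entries and rewrites them to use the credentials= option of mount.cifs with an owner-only file; the function names and the path /etc/samba/cred-fileshare are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# credentials path are illustrative assumptions.

# Print the mount point of every cifs entry that embeds a password in fstab.
cifs_inline_passwords() {       # reads fstab text from the files given, or stdin
    awk '$1 !~ /^#/ && $3 == "cifs" && $4 ~ /(^|,)(password|pass)=/ { print $2 }' "$@"
}

# Rewrite fstab text on stdin: drop user/password options from cifs entries
# and point them at a credentials file instead. $1 = credentials file path.
use_credentials_file() {
    awk -v cred="$1" '
    $1 !~ /^#/ && $3 == "cifs" {
        n = split($4, opt, ","); keep = ""
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^(username|user|password|pass)=/) continue
            keep = (keep == "" ? "" : keep ",") opt[i]
        }
        # assigning a field makes awk rebuild the line with single spaces
        $4 = (keep == "" ? "" : keep ",") "credentials=" cred
    }
    { print }'
}

# Create the credentials file readable and writable by its owner only.
# $1 = path, $2 = user name; the password is read from stdin so that it
# never appears on a command line.
write_credentials() {
    ( umask 077
      { printf 'username=%s\n' "$2"; printf 'password=%s\n' "$(cat)"; } > "$1"
      chmod 600 "$1" )
}

# Constructed sample: two lines from the /etc/fstab shown above.
sample_fstab() {
    cat <<'EOF'
tmpfs                   /dev/shm                tmpfs   defaults        0 0
//192.168.1.103/UserShare       /fileshare      cifs    defaults,username=test,password=samba   1 2
EOF
}

sample_fstab | cifs_inline_passwords
sample_fstab | use_credentials_file /etc/samba/cred-fileshare
```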

2. Samba aliases

Linux users such as root and nobody may correspond to the Administrator and Guest users on Windows;

Samba is cross-platform, so Samba aliases are used to let these names work on both sides;

The Samba alias file is /etc/samba/smbusers

    [root@TestServer /]# cat /etc/samba/smbusers
    # Unix_name = SMB_name1 SMB_name2 ...
    root = administrator admin
    nobody = guest pcguest smbguest

(Format: original name = alias (separate multiple aliases with spaces))

2.1 Enabling Samba aliases in the configuration file

2.1.1 [root@TestServer samba]# vi smb.conf /*edit the /etc/samba/smb.conf configuration file*/

2.1.2 Add username map = /etc/samba/smbusers /*add the setting*/

            workgroup = MYGROUP
    ;       server string = Samba Server Version %v
            server string = JinDaoer Samba Server
    ;       netbios name = MYSERVER
    ;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
    ;       hosts allow = 127. 192.168.12. 192.168.13.
            username map = /etc/samba/smbusers

2.1.3 Restart the smb service

    [root@TestServer ~]# service smb restart && service nmb restart
    关闭 SMB 服务:                                            [确定]
    启动 SMB 服务:                                            [确定]
    关闭 NMB 服务:                                            [确定]
    启动 NMB 服务:                                            [确定]
