Samba 介绍
Samba是在Linux和UNIX系统上实现SMB协议的一个免费软件,由服务器及客户端程序构成。
SMB(Server Messages Block,信息服务块)是一种在局域网上共享文件和打印机的一种通信协议,它为局域网内的不同计算机之间提供文件及打印机等资源的共享服务。
SMB协议是客户机/服务器型协议,客户机通过该协议可以访问服务器上的共享文件系统、打印机及其他资源。
Samba 有两个守护程序:smbd 和 nmbd(对客户端提供NetBIOS名服务),其中smbd运行在 TCP 的 139,445 端口,nmbd运行在 UDP 的 137,138 端口
CentOS7之后的Samba服务器安全模式的级别:share user server domain ads
Samba 服务器主配置文件内容简单说明
Samba服务器目录:/etc/samba
Samba服务器主配置文件:/etc/smaba/smb.conf
[root@localhost ~]# vi /etc/samba/smb.conf
[global]
workgroup = SAMBA
security = user # 安全等级(默认为user)
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[Public] # 共享目录名
comment = Public Directory # 共享目录的说明
path = /share/public # 共享目录的路径
writeable = yes # 共享目录中所有人可写
public = yes # 允许guest用户(匿名用户)访问共享目录
[Private]
comment = Private Directory
path = /share/private
write list = @abc, test # 共享目录中只有abc组内的成员和test用户可写
valid users = test, a # 允许访问该共享目录只有test用户和a用户
browseable = No # 隐藏共享目录,若知道隐藏共享目录名那么仍能访问隐藏共享目录
hosts deny = 192.168.1. except 192.168.1.20 # 除了192.168.1.20以外其余在192.168.1.*网段内的主机都不允许访问共享目录
Samba 用户账号映射和PAM用户访问控制
- 建立共享目录及访问用户
[root@localhost ~]# mkdir -p /share/all/ && chmod 777 /share/all/ [root@localhost ~]# mkdir -p /share/public/ && chmod 777 /share/public/ [root@localhost ~]# mkdir -p /share/private/ && chmod 777 /share/private/ [root@localhost ~]# useradd account1 [root@localhost ~]# useradd account2 [root@localhost ~]# smbpasswd -a account1 New SMB password: Retype new SMB password: Added user account1. [root@localhost ~]# smbpasswd -a account2 New SMB password: Retype new SMB password: Added user account2.
- 设置用户账号映射和用户访问控制
# 创建用户账号映射文件并将account1账号映射成user1和user2 [root@localhost ~]# vi /etc/samba/usersmap account1=user1 user2 # 创建用户访问控制文件(只能限制网段不能限制准确IP) [root@localhost ~]# vi /etc/samba/loginC -:account2:192.168.1. # 192.168.1.* 网段中的主机不可用account2账号登录 +:account1:192.168.1. # 192.168.1.* 网段中的主机可用account1账号登录(由account1映射的账号也能登录) # 修改Samba服务器的PAM认证文件(/etc/pam.d/samba) [root@localhost ~]# vi /etc/pam.d/samba # 修改原先的account控制 %PAM-1.0 auth required pam_nologin.so auth include password-auth account required pam_access.so accessfile=/etc/samba/loginC # account include password-auth session include password-auth password include password-auth
- 配置Samba 主配置文件
[root@localhost ~]# vi /etc/samba/smb.conf [global] workgroup = SAMBA security = user passdb backend = tdbsam printing = cups printcap name = cups load printers = yes cups options = raw obey pam restrictions = yes # 启用PAM认证限制 username map = /etc/samba/usersmap # 启用账号映射并指定映射文件 include = /etc/samba/%U.smb.conf # 包含登录用户的独立配置文件,%U 表示登录时的用户名 ...
- 配置映射用户的独立配置文件
# 映射用户 user1 的配置文件 [root@localhost ~]# vi /etc/samba/user1.smb.conf [public] comment = User1 Public path = /share/public writable = yes browseable = yes # 不隐藏共享目录 # 映射用户 user2 的配置文件 [root@localhost ~]# vi /etc/samba/user2.smb.conf [public] comment = User2 Public path = /share/public writable = yes browseable = yes [private] comment = User2 Private Directory path = /share/private writable = yes browseable = yes hosts deny = all except 192.168.1.20 # 只允许192.168.1.20的主机使用user2来访问private共享目录
- 重启Samba服务器并在防火墙中开放smb服务
# 重启Samba服务器 [root@localhost ~]# systemctl restart smb # 开放smb服务 [root@localhost ~]# firewall-cmd --zone=public --add-service=samba --permanent success [root@localhost ~]# firewall-cmd --reload success
-
登录验证
# ============[ IP:192.168.1.20 ]============ # 映射用户 user1 登录查看共享目录 [root@localhost ~]# smbclient -L //192.168.1.10 -U user1%123 Sharename Type Comment --------- ---- ------- all Disk All Users IPC$ IPC IPC Service (Samba 4.10.16) public Disk User1 Public Reconnecting with SMB1 for workgroup listing. Server Comment --------- ------- Workgroup Master --------- ------- # 映射用户 user2 登录查看共享目录 [root@localhost ~]# smbclient -L //192.168.1.10 -U user2%123 Sharename Type Comment --------- ---- ------- all Disk All Users IPC$ IPC IPC Service (Samba 4.10.16) public Disk User2 Public private Disk User2 Private Directory Reconnecting with SMB1 for workgroup listing. Server Comment --------- ------- Workgroup Master --------- ------- # 本地用户 account2 登录查看共享目录 [root@localhost ~]# smbclient -L //192.168.1.10 -U account2%321 session setup failed: NT_STATUS_ACCESS_DENIED # ============[ IP:192.168.1.30 ]============ # 映射用户 user2 在192.168.1.30主机上访问private目录 [root@localhost ~]# smbclient //192.168.1.10/private -U user2%123 tree connect failed: NT_STATUS_ACCESS_DENIED