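Samba concepts
Server Message Block (SMB) was released by IBM and was originally a DOS network file-sharing protocol.
Samba features:
File and printer sharing, with online editing
Authentication of users logging in to Samba
NetBIOS name resolution
Peripheral device sharing
Samba clients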
Samba-client
The smbclient tool is part of the Samba suite; it provides an interactive command-line way to access shared resources on a Samba server.
Syntax: smbclient [options] [host]
[root@CentOS74 ~]# smbclient -L 192.168.30.1 -U linxu
Enter SAMBA\linxu's password:
Domain=[MIRIAM] OS=[Windows 10 Pro 17134] Server=[Windows 10 Pro 6.3]
Sharename Type Comment
--------- ---- -------
IPC$ IPC 遠程 IPC
share Disk
Connection to 192.168.30.1 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available
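Options:
-I<IP address>: specify the server's IP address;
-l<log file>: specify the name of the log file;
-L: list all resources shared by the server;
-n<NetBIOS name>: specify the NetBIOS name the client should use;
-p<TCP port>: specify the server's TCP port number;
-T<tar options>: back up all files shared by the server and pack them into a tar-format file;
-U<user name>: specify the user name;
-W<workgroup>: specify the workgroup name.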
cifs-utils
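Installing cifs-utils lets a Linux host mount cifs-type file systems. The credentials file referenced from /etc/fstab stores the password in plain text and should be readable only by root.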
[root@CentOS74 ~]# mount
mount mount.cifs mount.fuse mountpoint
[root@CentOS74 ~]# cat /etc/fstab | grep cifs # credentials= gives the path of the file holding the user name and password
//192.168.30.1/share /mnt/cifs cifs credentials=/etc/cifs 0 0
[root@CentOS74 ~]# cat /etc/cifs
username=linxu
password=123456
[root@CentOS74 ~]# mount -a
[root@CentOS74 ~]# df | grep cifs
//192.168.30.1/share 209715200 97389960 112325240 47% /mnt/cifs
Setting up Samba
The smb service listens on TCP ports 139 and 445.
[root@CentOS74 ~]# ss -ntulp | grep smbd
tcp LISTEN 0 50 *:139 *:* users:(("smbd",pid=11317,fd=38))
tcp LISTEN 0 50 *:445 *:* users:(("smbd",pid=11317,fd=37))
tcp LISTEN 0 50 :::139 :::* users:(("smbd",pid=11317,fd=36))
tcp LISTEN 0 50 :::445 :::* users:(("smbd",pid=11317,fd=35))
Create a Samba user
[root@CentOS74 ~]# useradd -s /sbin/nologin smbuser
[root@CentOS74 ~]# smbpasswd -a smbuser # add a new Samba account
New SMB password:
Retype new SMB password:
Added user smbuser.
[root@CentOS74 ~]# pdbedit -L # list the Samba users
smbuser:1001:
Once the smb service is started, the Samba server can be accessed.
Edit the main smb configuration file, /etc/samba/smb.conf
[root@CentOS74 ~]# cat /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global] # global settings
workgroup = SAMBA # workgroup name
security = user # authentication mode, no need to change
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No # hide the share; it can only be reached by typing its path directly
read only = No
inherit acls = Yes
[printers] # printer settings
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
create mask = 0664
directory mask = 0775
Add new settings; see /etc/samba/smb.conf.example for details.
Restrict which client hosts may connect
[root@CentOS74 ~]# cat /etc/samba/smb.conf | grep host
hosts allow = 192.168.30. # 192.168.30. matches every host on that network
Configure logging
[root@CentOS74 ~]# cat /etc/samba/smb.conf | grep log
log file = /var/log/samba/%I.log # log path and file name template
log level = 2 # without a log level set, the log file is created but nothing is logged
[root@CentOS74 ~]# cat /var/log/samba/192.168.30.1.log
[2018/06/30 05:41:02.678600, 2] ../source3/param/loadparm.c:2769(lp_do_section)
Processing section "[homes]"
[2018/06/30 05:41:02.678712, 2] ../source3/param/loadparm.c:2769(lp_do_section)
Processing section "[printers]"
[2018/06/30 05:41:02.678740, 2] ../source3/param/loadparm.c:2769(lp_do_section)
Processing section "[print$]"
[2018/06/30 05:41:02.679222, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [smbuser] -> [smbuser] -> [smbuser] succeeded
[2018/06/30 05:41:02.856624, 1] ../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
Failed to fetch record!
[2018/06/30 05:41:02.856700, 1] ../source3/smbd/server_reload.c:69(delete_and_reload_printers)
pcap cache not loaded
[2018/06/30 05:41:04.689411, 2] ../source3/smbd/service.c:822(make_connection_snum)
miriam (ipv4:192.168.30.1:5107) connect to service smbuser initially as user smbuser (uid=1001, gid=1001) (pid 11570)
[2018/06/30 05:41:44.209186, 2] ../source3/smbd/open.c:1315(open_file)
smbuser opened file 新建文本文檔.txt read=Yes write=Yes (numopen=4)
[2018/06/30 05:41:47.121478, 2] ../source3/smbd/close.c:788(close_normal_file)
smbuser closed file 新建文本文檔.txt (numopen=1) NT_STATUS_OK
[2018/06/30 05:41:47.122152, 2] ../source3/smbd/open.c:1315(open_file)
smbuser opened file 新建文本文檔.txt read=No write=No (numopen=2)
[2018/06/30 05:41:47.144249, 2] ../source3/smbd/close.c:788(close_normal_file)
smbuser closed file new.txt (numopen=1) NT_STATUS_OK
[2018/06/30 05:41:47.264194, 2] ../source3/smbd/open.c:1315(open_file)
smbuser opened file new.txt read=No write=No (numopen=4)
[2018/06/30 05:41:47.269800, 2] ../source3/smbd/close.c:788(close_normal_file)
smbuser closed file new.txt (numopen=3) NT_STATUS_OK
[2018/06/30 05:41:47.292656, 2] ../source3/smbd/open.c:1315(open_file)
smbuser opened file new.txt read=No write=No (numopen=4)
[2018/06/30 05:41:47.297232, 2] ../source3/smbd/close.c:788(close_normal_file)
smbuser closed file new.txt (numopen=3) NT_STATUS_OK
[2018/06/30 05:41:47.304791, 2] ../source3/smbd/open.c:1315(open_file)
smbuser opened file new.txt read=No write=No (numopen=4)
[2018/06/30 05:41:47.308818, 2] ../source3/smbd/close.c:788(close_normal_file)
smbuser closed file new.txt (numopen=3) NT_STATUS_OK
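The level-2 entries above are enough to reconstruct who connected and which files were opened for writing. The following Python parser is an added example, not from the original page; the sample lines are constructed in the two-line format shown above, and the function names are hypothetical.

```python
import re

# Constructed sample in the format shown above: a header line, then the message.
SAMPLE_LOG = """\
[2018/06/30 05:41:02.679222, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [smbuser] -> [smbuser] -> [smbuser] succeeded
[2018/06/30 05:41:04.689411, 2] ../source3/smbd/service.c:822(make_connection_snum)
  miriam (ipv4:192.168.30.1:5107) connect to service smbuser initially as user smbuser (uid=1001, gid=1001) (pid 11570)
[2018/06/30 05:41:44.209186, 2] ../source3/smbd/open.c:1315(open_file)
  smbuser opened file notes.txt read=Yes write=Yes (numopen=4)
[2018/06/30 05:41:47.122152, 2] ../source3/smbd/open.c:1315(open_file)
  smbuser opened file notes.txt read=No write=No (numopen=2)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*(\d+)\] \S+\((\w+)\)$")
AUTH = re.compile(r"authentication for user \[([^\]]*)\].*succeeded$")
CONNECT = re.compile(r"\(ipv[46]:(.+):\d+\) connect to service (\S+) initially as user (\S+)")
OPEN = re.compile(r"^(\S+) opened file (.+) read=(Yes|No) write=(Yes|No)")

def parse_events(text):
    """Pair each header line with the message line after it and classify it."""
    events, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            header = m
            continue
        if header is None:
            continue  # continuation line of a message we already handled
        msg, base = line.strip(), {"time": header.group(1), "func": header.group(3)}
        header = None
        if (a := AUTH.search(msg)):
            events.append({**base, "type": "auth", "user": a.group(1)})
        elif (c := CONNECT.search(msg)):
            events.append({**base, "type": "connect", "client": c.group(1),
                           "service": c.group(2), "user": c.group(3)})
        elif (o := OPEN.match(msg)):
            events.append({**base, "type": "open", "user": o.group(1),
                           "file": o.group(2), "write": o.group(4) == "Yes"})
    return events

def write_opens(events):
    """Return (time, user, file) for every file opened with write access."""
    return [(e["time"], e["user"], e["file"])
            for e in events if e["type"] == "open" and e["write"]]
```

Because the log file name template is %I.log, each file already corresponds to one client address, so the output of write_opens() can be attributed to that client directly.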
Configure a shared directory
Add the share definition to the main configuration file
[root@CentOS74 ~]# grep -A 4 "\[share\]" /etc/samba/smb.conf
[share] # share name
comment = samba share dir
path = /data/samba_share # path of the shared directory
writable = yes # whether the share is writable
public = yes # whether guest users may access it (allows anonymous access)
[root@CentOS74 ~]# smbclient //192.168.30.74/share
Enter SAMBA\root's password:
Anonymous login successful # anonymous login succeeded
User login control
[root@CentOS74 ~]# grep -A 5 "\[share\]" /etc/samba/smb.conf
[share]
comment = samba share dir
path = /data/samba_share
writable = yes
valid users = smbadmin,smbuser # only users or groups listed in valid users may log in
[root@CentOS74 ~]# smbclient //192.168.30.74/share -U smbvisit%123456 # not in valid users, login refused
Domain=[CENTOS74] OS=[Windows 6.1] Server=[Samba 4.6.2]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@CentOS74 ~]# smbclient //192.168.30.74/share -U smbadmin%123456 # in valid users, login allowed
Domain=[CENTOS74] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> quit
Read/write permission control
[root@CentOS74 ~]# grep -A 6 "\[share\]" /etc/samba/smb.conf
[share]
comment = samba share dir
path = /data/samba_share
writable = no # disable write access
valid users = smbadmin,smbuser,smbvisit
write list = smbadmin,+smbuser # list of those with write access; entries may be "username" or "+groupname"
[root@CentOS74 ~]# smbclient //192.168.30.74/share -U smbuser%123456 # log in as a user in the listed group
Domain=[CENTOS74] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> put anaconda-ks.cfg
putting file anaconda-ks.cfg as \anaconda-ks.cfg (32.4 kb/s) (average 32.4 kb/s) # upload succeeded
smb: \> ls
. D 0 Sat Jun 30 18:21:54 2018
.. D 0 Sat Jun 30 06:18:58 2018
anaconda-ks.cfg A 1626 Sat Jun 30 18:21:54 2018
52403200 blocks of size 1024. 52370232 blocks available
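As an added example (not part of the original page or of Samba itself), the Python sketch below models how the [share] settings above combine: public, writable, valid users and write list. It is a simplified model that ignores every other smb.conf parameter, and the function names are hypothetical.

```python
# Added example: simplified model of the [share] access rules shown above.
# Assumption: only public/guest ok, writable/read only, valid users, write list.
SAMPLE = """\
[share]
comment = samba share dir
path = /data/samba_share
writable = no
valid users = smbadmin,smbuser,smbvisit
write list = smbadmin,+smbuser
"""  # the page's read/write control share, with the annotations removed

SYNONYMS = {"public": "guest ok", "writeable": "writable", "write ok": "writable"}

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def parse_smb_conf(text):
    """Return {section: {param: value}}; only whole-line # or ; comments are
    skipped, because smb.conf has no trailing-comment syntax."""
    shares, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            key = SYNONYMS.get(key, key)
            if key == "read only":  # inverted synonym of writable
                key, value = "writable", "no" if _yes(value) else "yes"
            current[key] = value
    return shares

def _listed(spec, user, groups):
    """True if user matches a 'name' entry or a '+group'/'@group' entry."""
    return any(e == user or (e[0] in "+@" and e[1:] in groups)
               for e in spec.replace(",", " ").split())

def access(share, user=None, groups=()):
    """Return 'deny', 'read' or 'write'; user=None is an anonymous client."""
    valid = share.get("valid users", "")
    if user is None and (valid or not _yes(share.get("guest ok", "no"))):
        return "deny"
    if user is not None and valid and not _listed(valid, user, groups):
        return "deny"
    if _yes(share.get("writable", "no")) or _listed(share.get("write list", ""), user, groups):
        return "write"
    return "read"
```

Running access() on the first variant (writable = yes, public = yes) returns write for an anonymous client, which is the combination worth flagging when reviewing a configuration.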
Per-user access control
[root@CentOS74 ~]# grep "conf.d" /etc/samba/smb.conf # added to the global section of the main configuration file
config file = /etc/samba/conf.d/%U # per-user configuration file, named after the user
[root@CentOS74 ~]# cat /etc/samba/conf.d/smbadmin
[share] # applies when this user accesses the share named share
comment = smbadmin dir
path = /data/smbadmin # path of the shared directory
writable = yes # this user may write
[root@CentOS74 ~]# smbclient //192.168.30.74/share -U smbadmin%123456 # log in as smbadmin
Domain=[CENTOS74] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> pwd
Current directory is \\192.168.30.74\share\
smb: \> ls
. D 0 Sat Jun 30 18:31:57 2018
.. D 0 Sat Jun 30 18:31:38 2018
admin.mark N 0 Sat Jun 30 18:31:57 2018 # the share path is /data/smbadmin
52403200 blocks of size 1024. 52370252 blocks available
smb: \> put anaconda-ks.cfg
putting file anaconda-ks.cfg as \anaconda-ks.cfg (198.5 kb/s) (average 198.5 kb/s) # upload allowed
smb: \> quit
[root@CentOS74 ~]# smbclient //192.168.30.74/share -U smbuser%123456
Domain=[CENTOS74] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> pwd
Current directory is \\192.168.30.74\share\
smb: \> ls
. D 0 Sat Jun 30 18:21:54 2018
.. D 0 Sat Jun 30 18:31:38 2018
anaconda-ks.cfg A 1626 Sat Jun 30 18:21:54 2018 # the share path is the default path
52403200 blocks of size 1024. 52370228 blocks available
smb: \> mkdir test
NT_STATUS_MEDIA_WRITE_PROTECTED making remote directory \test # unable to upload files
smb: \> quit
[root@CentOS74 ~]# smbclient //192.168.30.74/share -U smbvisit%123456
Domain=[CENTOS74] OS=[Windows 6.1] Server=[Samba 4.6.2]
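tree connect failed: NT_STATUS_ACCESS_DENIED # smbvisit is not in valid users, login refused
Multi-user mounts
With an ordinary cifs mount, every operation on the shared directory is mapped to the user who performed the mount. A multi-user mount solves this by keeping each user's permissions separate.
Add the mount entry
[root@CentOS74 ~]# cat /etc/fstab | grep cifs # specify the credentials file path and mount in multiuser mode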
//192.168.30.74/share /mnt/cifs cifs credentials=/etc/cifs,multiuser 0 0
Test the multi-user mount
Access as smbadmin
[smbadmin@CentOS74 ~]$ cifscreds add 192.168.30.74 # authentication is required on first access
Password:
[smbadmin@CentOS74 ~]$ touch /mnt/cifs/smbadmin.test
[smbadmin@CentOS74 ~]$ ll /mnt/cifs/smbadmin.test
-rw-r--r-- 1 smbadmin smbadmin 0 Jul 1 03:12 /mnt/cifs/smbadmin.test # file ownership shows it was created by smbadmin
Access as smbuser
[smbuser@CentOS74 ~]$ cifscreds update 192.168.30.74 # the update option changes the stored password
Password:
[smbuser@CentOS74 ~]$ touch /mnt/cifs/smbuser.test
[smbuser@CentOS74 ~]$ ll /mnt/cifs/smbuser.test
-rw-r--r-- 1 smbuser smbuser 0 Jul 1 03:17 /mnt/cifs/smbuser.test # file ownership shows it was created by smbuser
Access as an anonymous user
[root@CentOS74 ~]# touch /mnt/cifs/root.test
[root@CentOS74 ~]# ll /mnt/cifs/root.test
-rw-r--r-- 1 smbadmin smbadmin 0 Jul 1 03:20 /mnt/cifs/root.test # file is created as the mounting user