The CIFS File System

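I. CIFS

  1. CIFS (Common Internet File System): an Internet file sharing system, also known as Server Message Block (SMB); the standard file and printer sharing system for Microsoft Windows servers and clients

  2. Samba service: shares Linux file systems as CIFS/SMB network shares, and shares Linux printers as CIFS/SMB printers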

II. The smb Service

 1. Install the smb service

  samba          ## server side

  samba-common

  samba-client

 2. Start smb and list the shared file systems

[root@server ~]#  systemctl start smb

[root@server ~]# smbclient -L //172.25.254.181

Enter root's password:

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

Sharename       Type      Comment

---------       ----      -------

IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

Server               Comment

---------            -------

Workgroup            Master

---------            -------

 

vim /etc/vimrc

vim /etc/samba/smb.conf

systemctl restart smb.service

 3. Set the default domain (workgroup) name in [global]

         workgroup = WESTOS

         server string = Samba Server Version %v

 

 4. Set the allow and deny lists in [global]

 ;       hosts allow = 172.25.254.77 172.25.254.177

 ;       hosts deny  = 172.25.254.77 172.25.254.177

 5. Configure user logins  ## note: the account must be a local user

smbpasswd -a tom    ## add the user tom

pdbedit -L          ## list the smb users

pdbedit -x jerry    ## delete the user jerry

[root@server ~]# useradd tom

[root@server ~]# useradd jerry

[root@server ~]# smbpasswd -a tom  ## add the user tom

New SMB password:

Retype new SMB password:

Added user tom.

[root@server ~]# smbpasswd -a jerry  ## add the user jerry

New SMB password:

Retype new SMB password:

Added user jerry.

[root@server ~]# pdbedit -L   ## list the smb users

tom:1001:

jerry:1002:

[root@server ~]# pdbedit -x jerry  ## delete the user jerry

[root@server ~]# pdbedit -L

tom:1001:

 

 6. Log in as a user

[root@server ~]# smbclient -L //172.25.254.181 -U tom

Enter tom's password:                        ## press Enter

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

Sharename       Type      Comment

---------       ----      -------

IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

Server               Comment

---------            -------

Workgroup            Master

---------            -------

III. SELinux Protection for smb

 When SELinux is disabled

 

 1. Access the user's home directory and edit it

[root@client ~]# smbclient //172.25.254.181/tom -U tom  

Enter tom's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls  ## list remote files

  .                                   D        0  Thu May  3 21:46:28 2018

  ..                                  D        0  Thu May  3 21:46:34 2018

  .bash_profile                       H      193  Wed Jan 29 07:45:18 2014

  .mozilla                           DH        0  Thu Jul 10 18:29:32 2014

  .config                            DH        0  Thu Jul 10 19:06:52 2014

  .bashrc                             H      231  Wed Jan 29 07:45:18 2014

  .bash_logout                        H       18  Wed Jan 29 07:45:18 2014

 

smb: \> !ls  ## list files on the local host

anaconda-ks.cfg  Documents  Music     Public  Videos

Desktop  Downloads  Pictures  Templates

smb: \> put anaconda-ks.cfg  ## upload

putting file anaconda-ks.cfg as \anaconda-ks.cfg (8416.2 kb/s) (average 8417.0 kb/s)

smb: \> rm anaconda-ks.cfg  ## delete

smb: \> ?   ## list the commands available in smbclient

?              allinfo        altname        archive        backup         

blocksize      cancel         case_sensitive cd             chmod          

chown          close          del            dir            du             

echo           exit           get            getfacl        geteas    

 

 2. Mount

[root@server ~]# mount -o username=tom,password=123 //172.25.254.181/tom /mnt

[root@server ~]# df

Filesystem           1K-blocks    Used Available Use% Mounted on

/dev/vda1             10473900 3155608   7318292  31% /

devtmpfs                469344       0    469344   0% /dev

tmpfs                   484932      84    484848   1% /dev/shm

tmpfs                   484932   12764    472168   3% /run

tmpfs                   484932       0    484932   0% /sys/fs/cgroup

//172.25.254.181/tom  10473900 3155608   7318292  31% /mnt

 3. Mount automatically at boot

[root@server ~]# vim /etc/fstab

//172.25.254.177/tom /mnt cifs defaults,username=tom,password=123 0 0

 

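When SELinux is enforcing  ## note: the smb service is running

samba_enable_home_dirs  ## allow local home directories to be shared over CIFS

use_samba_home_dirs     ## allow remote CIFS shares to be mounted and used as local home directories

samba_share_t           ## SELinux security context for smb shared directories

samba_export_all_ro     ## shared directories are read-only

samba_export_all_rw     ## allow shared directories to be read and written

 1. Access the user's home directory and edit it

 2. Change the SELinux boolean, then access the user's home directory and edit it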

[root@server ~]# smbclient //172.25.254.181/tom -U tom

Enter tom's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Thu Jun  7 14:12:57 2018

  ..                                  D        0  Thu Jun  7 13:53:41 2018

  .bash_logout                        H       18  Wed Jan 29 20:45:18 2014

  .bash_profile                       H      193  Wed Jan 29 20:45:18 2014

  .bashrc                             H      231  Wed Jan 29 20:45:18 2014

  .mozilla                           DH        0  Fri Jul 11 06:29:32 2014

  .config                            DH        0  Fri Jul 11 07:06:52 2014

40913 blocks of size 262144. 28587 blocks available

 

 3. Share a directory

 User-created directory:

  Edit the configuration file to share the test directory

[root@server ~]# mkdir /test

[root@server ~]# vim /etc/samba/smb.conf

        [test]

        comment = test directory

        path    = /test

 

  Restart smb; the test share now appears in the share listing

[root@server ~]# systemctl restart smb.service

[root@server ~]# smbclient -L //172.25.254.181/

Enter root's password:

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

Sharename       Type      Comment

---------       ----      -------

test            Disk      test directory

IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

Server               Comment

---------            -------

Workgroup            Master

---------            -------

  However, the user tom cannot edit after logging in

  Change the security context of the test directory, restart, then log in and edit again

[root@server ~]# semanage fcontext -a -t samba_share_t '/test(/.*)?'

SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.29, searching for an older version.

SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.29:  No such file or directory

/sbin/load_policy:  Can't load policy:  No such file or directory

libsemanage.semanage_reload_policy: load_policy returned error code 2.

SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.29, searching for an older version.

SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.29:  No such file or directory

/sbin/load_policy:  Can't load policy:  No such file or directory

libsemanage.semanage_reload_policy: load_policy returned error code 2.

ValueError: Could not commit semanage transaction

[root@server ~]# restorecon -RvvF /test/

[root@server ~]# systemctl restart smb.service

[root@server ~]# smbclient  //172.25.254.181/test -U tom

Enter tom's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Thu Jun  7 14:31:50 2018

  ..                                  D        0  Thu Jun  7 14:31:50 2018

40913 blocks of size 262144. 28586 blocks available

 

System directory:

  Edit the configuration file to share the system directory /mnt

[root@server ~]# vim /etc/samba/smb.conf  

[mnt]

        comment = mnt test directory

        path    =/mnt

 

  After restarting, view the share listing

[root@server ~]# systemctl restart smb.service

[root@server ~]# smbclient -L //172.25.254.181/

Enter root's password:

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

Sharename       Type      Comment

---------       ----      -------

test            Disk      test directory

mnt             Disk      mnt test directory

IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

Server               Comment

---------            -------

Workgroup            Master

---------            -------

  Set the Samba SELinux boolean to enable read-write access on all shared directories

[root@server ~]# setsebool samba_export_all_rw 1

setsebool:  SELinux is disabled.

[root@server ~]# smbclient  //172.25.254.181/mnt -U tom

Enter tom's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Thu Jun  7 14:12:57 2018

  ..                                  D        0  Thu Jun  7 14:31:50 2018

  .bash_logout                        H       18  Wed Jan 29 20:45:18 2014

  .bash_profile                       H      193  Wed Jan 29 20:45:18 2014

  .bashrc                             H      231  Wed Jan 29 20:45:18 2014

  .mozilla                           DH        0  Fri Jul 11 06:29:32 2014

  .config                            DH        0  Fri Jul 11 07:06:52 2014

40913 blocks of size 262144. 28586 blocks available

 

IV. Multi-user Mounts

 1. Give specified users read-write permission

[root@server ~]# vim /etc/samba/smb.conf

        [test]

        comment = test directory

        path    =/test

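        ## only the user tom has write permission
        write list = tom

        ## alternative: all users have write permission
        ## writable = yes

        ## alternative: only members of the group tom have write permission
        ## write list = @tom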

 

 2. Set the read-write permissions on the shared directory, restart, and test

[root@server ~]# chmod 777 /test/

[root@server ~]# systemctl restart smb.service

 Only the user tom has write permission

[root@server ~]# mount //172.25.254.181/test /mnt -o username=tom,password=123

[root@server ~]# touch /mnt/file1

[root@server ~]# rm -rf /mnt/file1

 

 Mounted as the user jerry: no write permission

[root@server ~]# umount /mnt

[root@server ~]# mount //172.25.254.181/test /mnt -o username=jerry,password=123

[root@server ~]# touch /mnt/file2

touch: cannot touch ‘/mnt/file2’: Permission denied

 

 3. User-related permission settings

[root@server ~]# vim /etc/samba/smb.conf

[root@server ~]# systemctl restart smb.service

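        security = user

        passdb backend = tdbsam

        map to guest = bad user

        

map to guest = bad user  ## unknown (anonymous) users are mapped to guest

browseable = no    ## the test share is hidden from listings but can still be used normally

admin users = student  ## the user student performs file operations as root

        [test]

        comment = test directory

        path    = /test

        writeable = yes

        ## hide the test share from listings
        browseable = no

        ## allow anonymous (guest) logins
        guest ok = yes

        ## the user student performs file operations as root
        admin users = student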


 Anonymous login

[root@server ~]# mount -o username=guest //172.25.254.181/test /mnt

[root@server ~]# df

Filesystem            1K-blocks    Used Available Use% Mounted on

/dev/vda1              10473900 3155680   7318220  31% /

devtmpfs                 469344       0    469344   0% /dev

tmpfs                    484932      84    484848   1% /dev/shm

tmpfs                    484932   12764    472168   3% /run

tmpfs                    484932       0    484932   0% /sys/fs/cgroup

//172.25.254.181/test  10473900 3155680   7318220  31% /mnt

 

 The test share is not listed, but it can still be used

[root@server ~]# smbclient -L //172.25.254.181

Enter root's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

Sharename       Type      Comment

---------       ----      -------

mnt             Disk      mnt test directory

IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

Server               Comment

---------            -------

Workgroup            Master

---------            -------

 

 Mount as student and create a file

[root@server ~]# mount //172.25.254.181/test /mnt -o username=student,password=123

[root@server ~]# touch /mnt/fire00

[root@server ~]# ll /mnt

total 0

-rw-r--r-- 1 nobody nobody 0 6月   7 15:52 fire00
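
The settings in step 3 (`map to guest`, `guest ok`, a writable share, `admin users`) each widen access to a share. This added example, not part of the original post, reports them in an smb.conf; `audit_smb_conf` and `sample_smb_conf` are hypothetical names and the sample configuration is constructed to mirror the settings on this page.

```bash
# Added example: report permissive smb.conf settings. Reads FILE, or stdin if omitted.
audit_smb_conf() {
    awk '
    function truthy(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function report() {            # emit findings for the section that just ended
        if (sec == "") return
        if (guest && writable) print sec ": guests can write (guest ok + writable)"
        else if (guest)        print sec ": guests can read (guest ok)"
        if (admins != "")      print sec ": admin users act as root here: " admins
        guest = 0; writable = 0; admins = ""
    }
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }      # trim whitespace
    /^$/ || /^[#;]/ { next }                          # blank lines and comments
    /^\[.*\]$/ { report(); sec = tolower(substr($0, 2, length($0) - 2)); next }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)  # names ignore spaces and case
        val = substr($0, eq + 1); sub(/^[ \t]+/, "", val)
        if (key == "guestok" || key == "public")          guest = truthy(val)
        else if (key == "writeable" || key == "writable") writable = truthy(val)
        else if (key == "readonly")                       writable = !truthy(val)
        else if (key == "adminusers")                     admins = val
        else if (key == "maptoguest" && tolower(val) != "never")
            print sec ": unknown usernames are mapped to guest (map to guest = " val ")"
    }
    END { report() }' "${1:--}"
}

# Constructed sample that mirrors the [global] and [test] settings on this page.
sample_smb_conf() {
    cat <<'EOF'
[global]
    workgroup = WESTOS
    security = user
    map to guest = bad user
[test]
    comment = test directory
    path = /test
    writeable = yes
    browseable = no
    guest ok = yes
    admin users = student
[mnt]
    path = /mnt
EOF
}

sample_smb_conf | audit_smb_conf
```

A share that only sets `write list = tom`, as in step 1, produces no findings.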

 

 4. Set up a multi-user mount

 Install the cifs-utils package

[root@server ~]# yum install cifs-utils -y

 Create the credentials file: vim /root/samba

  username=tom

  password=123

[root@server ~]# man mount.cifs

[root@server ~]# vim /root/samba

[root@server ~]# cat /root/samba

username=tom

password=123

 

 See the help: man mount.cifs

 Multi-user mount

[root@server ~]# mount -o credentials=/root/samba,sec=ntlmssp,multiuser //172.25.254.177/test /mnt

 At this point, as root

[root@server ~]# cd /mnt/

[root@server mnt]# ls

file  file123  filetest

[root@foundation8 mnt]# rm -fr file123

rm: cannot remove ‘file123’: Permission denied

[root@foundation8 mnt]# touch test

touch: cannot touch ‘test’: Permission denied

 And as a regular user

[kiosk@foundation8 yum.repos.d]$ cd /mnt

[kiosk@foundation8 mnt]$ ls

ls: reading directory .: Permission denied

 Authenticate as a regular user  ## the result depends on the permissions of /test

[kiosk@foundation8 mnt]$ cifscreds add -u tom 172.25.254.181

Password:

[kiosk@foundation8 mnt]$ ls

file  file123  filetest

[kiosk@foundation8 mnt]$ rm -fr file

rm: cannot remove ‘file’: Permission denied
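
The mounts earlier on this page put `password=123` on the command line and in /etc/fstab, while step 4 moves it into /root/samba. This added example, not from the original post, writes a credentials file with mode 600 and audits an fstab for CIFS entries that expose a password; the function names are hypothetical and the sample fstab is constructed.

```bash
# Added example; function names are hypothetical, not part of cifs-utils.

# write_cifs_credentials FILE USER: read the password from stdin and store it in a
# mount.cifs credentials file. Runs in a subshell so the password variable is not kept.
write_cifs_credentials() (
    IFS= read -r pw || [ -n "$pw" ] || exit 1
    : > "$1" && chmod 600 "$1" || exit 1      # restrict the mode before writing the secret
    printf 'username=%s\npassword=%s\n' "$2" "$pw" > "$1"
)

# audit_cifs_fstab FSTAB: print one finding per CIFS entry that exposes a password.
audit_cifs_fstab() {
    grep -v '^[[:space:]]*#' "$1" | while read -r dev mnt fstype opts rest; do
        [ "$fstype" = "cifs" ] || continue
        cred=""
        old_ifs=$IFS; IFS=,                   # split the option list on commas
        for opt in $opts; do
            case $opt in
                password=*|pass=*)    echo "$mnt: password stored inline in $1" ;;
                credentials=*|cred=*) cred=${opt#*=} ;;
            esac
        done
        IFS=$old_ifs
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "$mnt: credentials file $cred not found"
        elif [ "$(ls -ld "$cred" | cut -c5-10)" != "------" ]; then
            echo "$mnt: credentials file $cred is accessible to group or others"
        fi
    done
}

# Constructed demo: the fstab line from this page beside a credentials-based entry.
demo_cifs_audit() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 123 | write_cifs_credentials "$dir/samba" tom
    printf '%s\n' \
        "//172.25.254.177/tom /mnt cifs defaults,username=tom,password=123 0 0" \
        "//172.25.254.177/test /srv cifs credentials=$dir/samba,sec=ntlmssp,multiuser 0 0" \
        > "$dir/fstab"
    audit_cifs_fstab "$dir/fstab"             # flags only the inline password
    chmod 644 "$dir/samba"
    audit_cifs_fstab "$dir/fstab"             # now also flags the credentials file
    rm -rf "$dir"
}

demo_cifs_audit
```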

 

Reposted from blog.csdn.net/period000/article/details/80622977