6.3 Network File Sharing: Samba

Samba concepts

    Server Message Block (SMB) was released by IBM and was originally a network file-sharing protocol for DOS.

    What Samba provides

Share files and printers, with online editing
Authenticate users who log in to Samba
Resolve NetBIOS names
Share peripheral devices

Samba clients

Samba-client

The smbclient tool is part of the samba suite; it provides interactive command-line access to the shared resources of a Samba server.

    Syntax: smbclient [options] [host]

[root@CentOS74 ~]# smbclient -L 192.168.30.1 -U linxu
Enter SAMBA\linxu's password: 
Domain=[MIRIAM] OS=[Windows 10 Pro 17134] Server=[Windows 10 Pro 6.3]

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       远程 IPC
	share           Disk      
Connection to 192.168.30.1 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available

    Options

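-I<IP address>: IP address of the server;
-l<log file>: name of the log file;
-L: list all resources shared by the server;
-n<NetBIOS name>: NetBIOS name the client should use;
-p<TCP port>: TCP port number on the server to connect to;
-T<tar options>: back up all files shared by the server and pack them into a tar archive;
-U<user name>: user name;
-w<workgroup>: workgroup name.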

cifs-utils

    Installing cifs-utils lets a Linux host mount cifs file systems

[root@CentOS74 ~]# mount
mount       mount.cifs  mount.fuse  mountpoint  
[root@CentOS74 ~]# cat /etc/fstab | grep cifs                              # path of the file holding the username and password
//192.168.30.1/share			  /mnt/cifs		  cifs	  credentials=/etc/cifs		0 0
[root@CentOS74 ~]# cat /etc/cifs
username=linxu
password=123456
[root@CentOS74 ~]# mount -a
[root@CentOS74 ~]# df | grep cifs
//192.168.30.1/share 209715200 97389960 112325240  47% /mnt/cifs
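The credentials file named in fstab holds the password in clear text, so it should be readable by its owner only. The following check is an added example, not part of the original post; the function names are made up for illustration, and it reports every cifs credentials file that group or other can access.

```shell
# Added example. Usage: audit_cifs_creds /etc/fstab

# Print the credentials= (or cred=) path of every cifs entry in an fstab.
cifs_cred_files() {
    awk '$1 !~ /^#/ && $3 == "cifs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^(credentials|cred)=/) {
                    sub(/^[^=]*=/, "", opt[i])
                    print opt[i]
                }
         }' "$1"
}

# Return 0 when every credentials file exists and grants nothing to group
# or other; otherwise print one finding per file and return 1.
audit_cifs_creds() {
    rc=0
    for f in $(cifs_cred_files "$1"); do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            rc=1
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "EXPOSED $f ($bits)"
            rc=1
        fi
    done
    return $rc
}
```

A finding is cleared with chmod 600 on the reported file.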

Setting up Samba

The smb service listens on TCP ports 139 and 445

[root@CentOS74 ~]# ss -ntulp | grep smbd
tcp    LISTEN     0      50        *:139                   *:*                   users:(("smbd",pid=11317,fd=38))
tcp    LISTEN     0      50        *:445                   *:*                   users:(("smbd",pid=11317,fd=37))
tcp    LISTEN     0      50       :::139                  :::*                   users:(("smbd",pid=11317,fd=36))
tcp    LISTEN     0      50       :::445                  :::*                   users:(("smbd",pid=11317,fd=35))

    Create a Samba user

[root@CentOS74 ~]# useradd -s /sbin/nologin smbuser
[root@CentOS74 ~]# smbpasswd -a smbuser    # add a new Samba account
New SMB password:
Retype new SMB password:
Added user smbuser.
[root@CentOS74 ~]# pdbedit -L   # list the Samba users
smbuser:1001:

    Once the smb service is started at this point, the Samba server can be accessed


    Edit the main smb configuration file, /etc/samba/smb.conf

[root@CentOS74 ~]# cat /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]                   # global settings
	workgroup = SAMBA  # workgroup name
	security = user    # authentication mode; no need to change it

	passdb backend = tdbsam

	printing = cups
	printcap name = cups
	load printers = yes
	cups options = raw

[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No     # hidden share; reachable only by its direct path
	read only = No
	inherit acls = Yes

[printers]         # printer configuration
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = root
	create mask = 0664
	directory mask = 0775

To add new settings, see /etc/samba/smb.conf.example for details

Restrict which client hosts may connect

[root@CentOS74 ~]# cat /etc/samba/smb.conf | grep host
	hosts allow = 192.168.30.   # 192.168.30. matches every host on that network

Configure logging

[root@CentOS74 ~]# cat /etc/samba/smb.conf | grep log
	log file = /var/log/samba/%I.log   # log path and file-name template
	log level = 2    # without a log level the log file is created but nothing is written to it
[root@CentOS74 ~]# cat /var/log/samba/192.168.30.1.log 
[2018/06/30 05:41:02.678600,  2] ../source3/param/loadparm.c:2769(lp_do_section)
  Processing section "[homes]"
[2018/06/30 05:41:02.678712,  2] ../source3/param/loadparm.c:2769(lp_do_section)
  Processing section "[printers]"
[2018/06/30 05:41:02.678740,  2] ../source3/param/loadparm.c:2769(lp_do_section)
  Processing section "[print$]"
[2018/06/30 05:41:02.679222,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [smbuser] -> [smbuser] -> [smbuser] succeeded
[2018/06/30 05:41:02.856624,  1] ../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
  Failed to fetch record!
[2018/06/30 05:41:02.856700,  1] ../source3/smbd/server_reload.c:69(delete_and_reload_printers)
  pcap cache not loaded
[2018/06/30 05:41:04.689411,  2] ../source3/smbd/service.c:822(make_connection_snum)
  miriam (ipv4:192.168.30.1:5107) connect to service smbuser initially as user smbuser (uid=1001, gid=1001) (pid 11570)
[2018/06/30 05:41:44.209186,  2] ../source3/smbd/open.c:1315(open_file)
  smbuser opened file 新建文本文档.txt read=Yes write=Yes (numopen=4)
[2018/06/30 05:41:47.121478,  2] ../source3/smbd/close.c:788(close_normal_file)
  smbuser closed file 新建文本文档.txt (numopen=1) NT_STATUS_OK
[2018/06/30 05:41:47.122152,  2] ../source3/smbd/open.c:1315(open_file)
  smbuser opened file 新建文本文档.txt read=No write=No (numopen=2)
[2018/06/30 05:41:47.144249,  2] ../source3/smbd/close.c:788(close_normal_file)
  smbuser closed file new.txt (numopen=1) NT_STATUS_OK
[2018/06/30 05:41:47.264194,  2] ../source3/smbd/open.c:1315(open_file)
  smbuser opened file new.txt read=No write=No (numopen=4)
[2018/06/30 05:41:47.269800,  2] ../source3/smbd/close.c:788(close_normal_file)
  smbuser closed file new.txt (numopen=3) NT_STATUS_OK
[2018/06/30 05:41:47.292656,  2] ../source3/smbd/open.c:1315(open_file)
  smbuser opened file new.txt read=No write=No (numopen=4)
[2018/06/30 05:41:47.297232,  2] ../source3/smbd/close.c:788(close_normal_file)
  smbuser closed file new.txt (numopen=3) NT_STATUS_OK
[2018/06/30 05:41:47.304791,  2] ../source3/smbd/open.c:1315(open_file)
  smbuser opened file new.txt read=No write=No (numopen=4)
[2018/06/30 05:41:47.308818,  2] ../source3/smbd/close.c:788(close_normal_file)
  smbuser closed file new.txt (numopen=3) NT_STATUS_OK
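For review, the level 2 log above can be reduced to the events that matter: who authenticated, who connected to which share from which address, and which files were opened for writing. The following parser is an added example, not part of the original post; it assumes the two-line record format shown above (bracketed header, then an indented message), and the sample lines and function names are constructed for illustration.

```shell
# Constructed sample in the log format shown above (not taken from a real host).
smb_log_sample() {
    cat <<'EOF'
[2018/06/30 05:41:02.679222,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [smbuser] -> [smbuser] -> [smbuser] succeeded
[2018/06/30 05:41:04.689411,  2] ../source3/smbd/service.c:822(make_connection_snum)
  miriam (ipv4:192.168.30.1:5107) connect to service share initially as user smbuser (uid=1001, gid=1001) (pid 11570)
[2018/06/30 05:41:44.209186,  2] ../source3/smbd/open.c:1315(open_file)
  smbuser opened file my notes.txt read=Yes write=Yes (numopen=4)
[2018/06/30 05:41:47.122152,  2] ../source3/smbd/open.c:1315(open_file)
  smbuser opened file new.txt read=No write=No (numopen=2)
EOF
}

# Print one line per successful authentication, share connection and
# writable file open. Reads the named log files, or stdin when none is given.
smb_log_events() {
    awk '
    /^\[[0-9]+\// {                      # header line: keep its timestamp
        ts = substr($1, 2) " " $2; sub(/,$/, "", ts); next
    }
    /check_ntlm_password:/ && $NF == "succeeded" {
        user = $0
        sub(/.*authentication for user \[/, "", user); sub(/\].*/, "", user)
        print ts, "AUTH_OK", "user=" user; next
    }
    / connect to service / {
        ip = $2; sub(/^\(ipv[46]:/, "", ip); sub(/:[0-9]+\)$/, "", ip)
        for (i = 1; i < NF; i++) {
            if ($i == "service") share = $(i + 1)
            if ($i == "user") user = $(i + 1)
        }
        print ts, "CONNECT", "user=" user, "share=" share, "client=" ip; next
    }
    / opened file / && / write=Yes / {
        name = $0
        sub(/^ *[^ ]+ opened file /, "", name)
        sub(/ read=(Yes|No) write=Yes .*/, "", name)
        print ts, "WRITE_OPEN", "user=" $1, "file=" name
    }' "$@"
}
```

Run it as smb_log_events /var/log/samba/192.168.30.1.log, or pipe smb_log_sample into it to see the output format.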

Configure a shared directory

    Add the shared directory's settings to the main configuration file

[root@CentOS74 ~]# grep -A 4 "\[share\]" /etc/samba/smb.conf
[share]                # share name
	comment = samba share dir
	path = /data/samba_share   # path of the shared directory
	writable = yes   # whether it is writable
	public = yes     # whether virtual users may access it (allows anonymous access)
[root@CentOS74 ~]# smbclient //192.168.30.74/share
Enter SAMBA\root's password: 
Anonymous login successful   # the anonymous user logged in
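A share that is both public and writable, as configured above, accepts writes from clients that never authenticate. The following audit is an added example, not part of the original post; it reports every such share and also notes when [global] has no hosts allow line. It assumes a configuration without trailing annotations on the value lines (such as the output of testparm -s), and the sample configuration and function names are constructed for illustration.

```shell
# Constructed sample: the [share] section above plus a restricted variant.
smb_conf_sample() {
    cat <<'EOF'
[global]
	workgroup = SAMBA
	security = user
[share]
	path = /data/samba_share
	writable = yes
	public = yes
[locked]
	path = /data/samba_share
	read only = no
	valid users = smbadmin,smbuser
EOF
}

# Report shares that allow guest access and writes at the same time, and
# whether [global] restricts client hosts. Parameter names are matched the
# way Samba does: case-insensitive, ignoring spaces, synonyms included.
audit_smb_conf() {
    awk '
    function report() {
        if (sec != "" && sec != "global" && guest && !ro)
            print "GUEST_WRITABLE [" sec "]"
    }
    function truthy(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comment or blank line
    /^[ \t]*\[/ {                                 # new section header
        report()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec); sec = tolower(sec)
        guest = 0; ro = 1      # Samba defaults: guest ok = no, read only = yes
        next
    }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "guestok" || key == "public") guest = truthy(val)
        else if (key == "readonly") ro = truthy(val)
        else if (key == "writable" || key == "writeable" || key == "writeok") ro = !truthy(val)
        else if (sec == "global" && (key == "hostsallow" || key == "allowhosts")) hosts = 1
    }
    END { report(); if (!hosts) print "NO_HOSTS_ALLOW [global]" }' "$1"
}
```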

User login control

[root@CentOS74 ~]# grep -A 5 "\[share\]" /etc/samba/smb.conf
[share]
	comment = samba share dir
	path = /data/samba_share
	writable = yes
	valid users = smbadmin,smbuser   # only users or groups listed in valid users may log in
[root@CentOS74 ~]# smbclient //192.168.30.74/share -U smbvisit%123456   # not in valid users: login refused
Domain=[CENTOS74] OS=[Windows 6.1] Server=[Samba 4.6.2]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@CentOS74 ~]# smbclient //192.168.30.74/share -U smbadmin%123456   # in valid users: login allowed
Domain=[CENTOS74] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> quit

Read/write permission control

[root@CentOS74 ~]# grep -A 6 "\[share\]" /etc/samba/smb.conf
[share]
	comment = samba share dir
	path = /data/samba_share
	writable = no    # write access disabled
	valid users = smbadmin,smbuser,smbvisit
	write list = smbadmin,+smbuser   # list of users with write access; an entry is either a "username" or a "+groupname"
[root@CentOS74 ~]# smbclient //192.168.30.74/share -U smbuser%123456   # log in as a user in the listed group
Domain=[CENTOS74] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> put anaconda-ks.cfg 
putting file anaconda-ks.cfg as \anaconda-ks.cfg (32.4 kb/s) (average 32.4 kb/s)   # upload succeeded
smb: \> ls
  .                                   D        0  Sat Jun 30 18:21:54 2018
  ..                                  D        0  Sat Jun 30 06:18:58 2018
  anaconda-ks.cfg                     A     1626  Sat Jun 30 18:21:54 2018

		52403200 blocks of size 1024. 52370232 blocks available

Per-user access control

[root@CentOS74 ~]# grep "conf.d" /etc/samba/smb.conf   # added to the global section of the main configuration file
	config file = /etc/samba/conf.d/%U             # per-user configuration file; the file name is the user name
[root@CentOS74 ~]# cat /etc/samba/conf.d/smbadmin 
[share]        # applies when this user accesses the share named share
	comment = smbadmin dir
	path = /data/smbadmin   # path of the shared directory
	writable = yes          # this user may write
[root@CentOS74 ~]# smbclient //192.168.30.74/share -U smbadmin%123456   # log in as smbadmin
Domain=[CENTOS74] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> pwd
Current directory is \\192.168.30.74\share\   
smb: \> ls
  .                                   D        0  Sat Jun 30 18:31:57 2018
  ..                                  D        0  Sat Jun 30 18:31:38 2018
  admin.mark                          N        0  Sat Jun 30 18:31:57 2018   # the share path is /data/smbadmin

		52403200 blocks of size 1024. 52370252 blocks available
smb: \> put anaconda-ks.cfg 
putting file anaconda-ks.cfg as \anaconda-ks.cfg (198.5 kb/s) (average 198.5 kb/s)   # uploading files is allowed
smb: \> quit
[root@CentOS74 ~]# smbclient //192.168.30.74/share -U smbuser%123456
Domain=[CENTOS74] OS=[Windows 6.1] Server=[Samba 4.6.2]
smb: \> pwd
Current directory is \\192.168.30.74\share\
smb: \> ls
  .                                   D        0  Sat Jun 30 18:21:54 2018
  ..                                  D        0  Sat Jun 30 18:31:38 2018
  anaconda-ks.cfg                     A     1626  Sat Jun 30 18:21:54 2018   # the share path is the default path

		52403200 blocks of size 1024. 52370228 blocks available
smb: \> mkdir test   
NT_STATUS_MEDIA_WRITE_PROTECTED making remote directory \test   # cannot upload files
smb: \> quit
[root@CentOS74 ~]# smbclient //192.168.30.74/share -U smbvisit%123456
Domain=[CENTOS74] OS=[Windows 6.1] Server=[Samba 4.6.2]
tree connect failed: NT_STATUS_ACCESS_DENIED     # smbvisit is not in valid users: login refused

Multi-user mounts

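    With an ordinary cifs mount, every operation on the shared directory is mapped to the user who performed the mount. A multi-user mount solves this problem and separates permissions per user.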

    Add the mount entry

[root@CentOS74 ~]# cat /etc/fstab | grep cifs                           # credentials file path; mounted in multi-user mode
//192.168.30.74/share			  /mnt/cifs	cifs	  	credentials=/etc/cifs,multiuser		0 0

    Test the multi-user mount

Access as smbadmin

[smbadmin@CentOS74 ~]$ cifscreds add 192.168.30.74   # the first access requires authentication
Password: 
[smbadmin@CentOS74 ~]$ touch /mnt/cifs/smbadmin.test
[smbadmin@CentOS74 ~]$ ll /mnt/cifs/smbadmin.test
-rw-r--r-- 1 smbadmin smbadmin 0 Jul  1 03:12 /mnt/cifs/smbadmin.test   # the file is owned by smbadmin, who created it

Access as smbuser

[smbuser@CentOS74 ~]$ cifscreds update 192.168.30.74   # the update option can change the password
Password: 
[smbuser@CentOS74 ~]$ touch /mnt/cifs/smbuser.test
[smbuser@CentOS74 ~]$ ll /mnt/cifs/smbuser.test
-rw-r--r-- 1 smbuser smbuser 0 Jul  1 03:17 /mnt/cifs/smbuser.test   # the file is owned by smbuser, who created it

Access as an anonymous user

[root@CentOS74 ~]# touch /mnt/cifs/root.test
[root@CentOS74 ~]# ll /mnt/cifs/root.test
-rw-r--r-- 1 smbadmin smbadmin 0 Jul  1 03:20 /mnt/cifs/root.test   # the file is owned by the mounting user




Reposted from blog.csdn.net/M30_Miriam/article/details/80849430