Samba in practice

 


 

Intro to Samba

Samba is free software that implements the SMB protocol to provide file and printer sharing between different operating systems (Windows, Linux, UNIX). SMB is a client/server protocol: through it, clients access shared files and printers on the server. It is mainly used on a LAN; with "NetBIOS over TCP/IP" configured, resources can also be shared with computers across the Internet.

SMB protocol: TCP port 139

CIFS protocol: TCP port 445

 

Samba Service Configuration

1. Install the Samba packages

yum install -y samba samba-client samba-common

 

2. Important Samba configuration files

/etc/samba/smb.conf:

Samba's main configuration file. It is extensively commented, and man smb.conf describes it in detail. The file has two parts: the [global] section with global parameters, and the file-sharing parameters;

 

security = share // sets how the Samba server authenticates users; there are four authentication modes:

share: users access the Samba server without a user name or password; less secure;

user: shared directories can be accessed only by authorized users; the Samba server itself checks the account and password, which must be created on the Samba server;

server: account and password verification is delegated to another Windows NT/2000 or Samba server, i.e. proxied authentication. In this mode the administrator can keep all Windows users and passwords on one NT system and use Windows NT for Samba authentication; the remote server authenticates all users and passwords automatically, and if authentication fails Samba falls back to user-level security;

domain: domain-level security; authentication is performed by the primary domain controller (PDC).

 

passdb backend = tdbsam // defines the user database backend type

smbpasswd: uses the SMB service's smbpasswd command to set SMB passwords for system users

tdbsam: creates a database file and uses pdbedit to create independent SMB users; smbpasswd -a username creates a Samba user and sets its password, but the user must already exist as a system user; pdbedit can also be used to create Samba users

pdbedit -a username: create a new Samba account

pdbedit -x username: delete the Samba account

pdbedit -L: list the Samba accounts (reads the passdb.tdb database file)

pdbedit -c "[D]" -u username: suspend the Samba account

pdbedit -c "[]" -u username: restore the Samba account

ldapsam: performs account verification against an LDAP service

username map = /etc/samba/smbusers // use the /etc/samba/smbusers file to define virtual accounts

 

/etc/samba/lmhosts:

Maps NetBIOS names to host IP addresses, somewhat like /etc/hosts;

 

/etc/samba/smbpasswd:

Does not exist by default. It is Samba's default user/password table; the file name and location can be set in smb.conf. Pay attention to the file's permissions (owned by root, mode 600);

 

/var/log/samba: Samba service log files

 

Configuration file

vim /etc/samba/smb.conf

[global]

# Workgroup or domain that the Samba server joins
workgroup = MyGroup

# Access with share authentication
security = share

# Description string; the %v macro expands to the Samba version
server string = Samba Server Version %v

# Type of the shared-account database; tdbsam (TDB database file) is the default
passdb backend = tdbsam

# Printing system used for Samba shared printers. Currently supported printing systems: bsd, sysv, plp, lprng, aix, hpux, qnx
printing = cups

# Configuration file for shared printers
printcap name = cups

# Whether printers are shared as soon as Samba starts
load printers = yes

cups options = raw

# Custom share name
[share]

# Share description
comment=this is share directory!

# Path of the shared directory
path=/opt/share

# Whether the guest account may access the share
public=yes

# yes/no: whether the share is browseable; if no, the share is hidden and must be accessed via "//ip/share-name"
browseable=yes

# Whether the share is writable
writable=yes

# Created files get mode 644
create mask=0644

# Created directories get mode 755
directory mask=0755

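Configure anonymous access

vim /etc/samba/smb.conf

[global]

# Workgroup or domain that the Samba server joins
workgroup = MYGROUP

# Access with share-style authentication
# security = share has been removed; use the following instead
security = user

map to guest = Bad User

# Description string; the %v macro expands to the Samba version
server string = Samba Server Version %v

# Type of the shared-account database; tdbsam (TDB database file) is the default
passdb backend = tdbsam

# Custom share name
[share]

# Share description
comment=this is share directory!

# Path of the shared directory
path=/opt/share

# Whether the guest account may access the share
public=yes

# yes/no: whether the share is browseable; if no, the share is hidden and must be accessed via "//ip/share-name"
browseable=yes

# Whether the share is writable
writable=yes

# Created files get mode 644
create mask=0644

# Created directories get mode 755
directory mask=0755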

 

 

Create the shared directory and set its permissions

mkdir /opt/share
chmod 777 /opt/share

 

Restart smb

systemctl restart smb

 

Test from a Windows client
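An added example (not from the original post): a small Python audit that parses an smb.conf and reports the two conditions this page's configurations hinge on, the removed `security = share` setting and shares that a guest can reach without a password. The function names and the embedded sample are constructed for illustration.

```python
import configparser

# Constructed input: the anonymous-access smb.conf from this page, comments removed.
ANON_CONF = """\
[global]
workgroup = MYGROUP
security = user
map to guest = Bad User
server string = Samba Server Version %v
[share]
path = /opt/share
public = yes
writable = yes
"""

TRUE = {"yes", "true", "on", "1"}  # values Samba treats as boolean true

def load(text):
    """Parse smb.conf text; Samba ignores case and spaces in parameter names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # keep '%v' literal
    cp.read_string(text)
    return {s.lower(): {k.replace(" ", ""): v.strip() for k, v in cp[s].items()}
            for s in cp.sections()}

def is_on(params, *names):
    """True if the first synonym present in the section holds a 'yes' value."""
    return next((params[n].lower() in TRUE for n in names if n in params), False)

def audit(text):
    """Return a list of findings (hypothetical helper, not a Samba tool)."""
    conf = load(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("security", "").lower() == "share":
        findings.append("global: 'security = share' has been removed; use 'security = user'")
    # Guest logins only happen when 'map to guest' is something other than Never.
    guests_mapped = glob.get("maptoguest", "never").lower() != "never"
    for name, p in conf.items():
        if name in ("global", "printers"):
            continue
        guest = is_on(p, "guestok", "public")          # 'public' is a synonym of 'guest ok'
        writable = (is_on(p, "writable", "writeable", "writeok")
                    or p.get("readonly", "yes").lower() not in TRUE)
        if guest and guests_mapped and not p.get("validusers"):
            access = "read-write" if writable else "read-only"
            findings.append(f"{name}: {access} guest access without a password ({p.get('path', '?')})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(ANON_CONF)))
```

Run against the local-user configuration further down the page, the same audit reports nothing, because `map to guest` is absent and `valid users` limits the share.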

 

 

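Local user access

vim /etc/samba/smb.conf

[global]

# Workgroup or domain that the Samba server joins
workgroup = MYGROUP

# Authenticate with user-level security (user name and password)
security = user

# Description string; the %v macro expands to the Samba version
server string = Samba Server Version %v

# Type of the shared-account database; tdbsam (TDB database file) is the default
passdb backend = tdbsam

# Custom share name
[share]

# Share description
comment=this is share directory!

# Path of the shared directory
path=/opt/share

# Whether the guest account may access the share
public=yes

# yes/no: whether the share is browseable; if no, the share is hidden and must be accessed via "//ip/share-name"
browseable=yes

# Whether the share is writable
writable=yes

# Created files get mode 644
create mask=0644

# Created directories get mode 755
directory mask=0755

# Users allowed to access the share: king1, king2
valid users=king1,king2

# Users with write permission on the share (users or groups, @group)
write list=king1;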

 

 

Create the local users

for i in king1 king2; do useradd "$i" -s /sbin/nologin; echo 123456 | passwd --stdin "$i"; done

 

Add the local users to Samba

smbpasswd -a king1

smbpasswd -a king2

 

List the Samba users

[root@yum ~]# pdbedit -L

king1:1001:

king2:1002:

 

Restart smb

systemctl restart smb

 

From Windows, access 10.0.0.240 with account king1 and password 123456

 

 

 

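Virtual user access

Edit the smbusers configuration file

vim /etc/samba/smbusers

# Add the following

king1 = ywx1 ywx2

 

In the smb.conf configuration file

vim /etc/samba/smb.conf

[global]

# Workgroup or domain that the Samba server joins
workgroup = MYGROUP

# Authenticate with user-level security (user name and password)
security = user

# Mapping file for virtual users
username map=/etc/samba/smbusers

# Description string; the %v macro expands to the Samba version
server string = Samba Server Version %v

# Type of the shared-account database; tdbsam (TDB database file) is the default
passdb backend = tdbsam

# Custom share name
[share]

# Share description
comment=this is share directory!

# Path of the shared directory
path=/opt/share

# Whether the guest account may access the share
public=yes

# yes/no: whether the share is browseable; if no, the share is hidden and must be accessed via "//ip/share-name"
browseable=yes

# Whether the share is writable
writable=yes

# Created files get mode 644
create mask=0644

# Created directories get mode 755
directory mask=0755

# User allowed to access the share: king1
valid users=king1

# Users with write permission on the share (users or groups, @group)
write list=king1;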

 

 

Create the local user king1

useradd king1 -s /sbin/nologin

 

Add the local user king1 to Samba

smbpasswd -a king1

 

Restart Samba

systemctl restart smb

 

From Windows, log in with account ywx1 and password 123456
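An added example (not from the original post) for the virtual-user setup above: it parses a username map file and lists every login name the share accepts together with the Unix account it resolves to, showing that ywx1 and ywx2 are aliases of king1 rather than separate identities. The helper names and the extra flagging of wildcard, group and root mappings are assumptions added for review purposes.

```python
import re
import shlex

# Constructed inputs mirroring this page: /etc/samba/smbusers and the share's valid users.
SMBUSERS = "# Add the following\nking1 = ywx1 ywx2\n"
VALID_USERS = "king1"

def parse_username_map(text):
    """Return {client_name: unix_account} for each 'unix = client ...' line."""
    aliases = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue                                  # blank line or comment
        unix, clients = line.split("=", 1)
        unix = unix.strip().lstrip("!").strip()       # '!' means: stop here once this line matches
        for client in shlex.split(clients):           # quoted names may contain spaces
            aliases[client.lower()] = unix
    return aliases

def user_set(value):
    """Split a 'valid users' value into lower-cased names."""
    return {n.lower() for n in re.split(r"[\s,;]+", value) if n}

def accepted_logins(map_text, valid_users):
    """Return {login_name: unix_account} for every name the share will accept."""
    valid = user_set(valid_users)
    logins = {u: u for u in valid}                    # unmapped names pass through unchanged
    for client, unix in parse_username_map(map_text).items():
        if unix.lower() in valid:
            logins[client] = unix
    return logins

def risky_entries(map_text):
    """Client names that widen access: wildcards, group expansions, or aliases of root."""
    return sorted(c for c, u in parse_username_map(map_text).items()
                  if c == "*" or c.startswith("@") or u == "root")

if __name__ == "__main__":
    for login, unix in sorted(accepted_logins(SMBUSERS, VALID_USERS).items()):
        print(f"{login} -> {unix}")
    print("risky:", risky_entries(SMBUSERS))
```

Every alias authenticates with king1's Samba password and acts as king1 on disk, so file ownership alone does not distinguish ywx1 from ywx2.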

 

 


Origin www.cnblogs.com/yaokaka/p/11619988.html