一.SMB 文件共享
通用Internet文件系统(CIFS),也称为服务器消息块(SMB),是适用于Microsoft Windows服务器和客户端的标准文件和打印机共享系统
Samba 服务可用于将Linux文件系统作为CIFS/SMB网络文件共享,将linux打印机作为CIFS/SMB打印机共享进行共享
Samba服务的组成部分
软件包:
samba-common Samba的支持文件
samba-client 客户端应用程序
samba 服务器应用程序
服务名称:smb nmb
服务端口:通常使用TCP/445进行所有连接。还使用UDP/137、UDP/138和TCP/139进行向后兼容
主配置文件:/etc/samba/smb.conf
二.smb服务
实验环境:
selinux设置为警告(Permissive)模式,只记录而不拦截
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
1.安装:yum install samba-common samba samba-client -y
2.[root@localhost ~]# systemctl start smb #启动服务
3.查看端口信息:netstat -antlupe | grep smb
4.[root@localhost ~]# smbclient -L //172.25.254.100 #以匿名用户访问smb
Enter root's password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root@localhost ~]# id student
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel)
5.smb用户
smbpasswd
如果没有samba密码服务器,则必须在本地计算机上创建身份验证数据。使用smbpasswd创建samba账户和密码。smb用户必须是本地存在的用户
[root@localhost ~]# smbpasswd -a student #添加smb用户,该用户 必须是系统存在用户,设置一个登录smb的密码
6.[root@localhost ~]# smbclient //172.25.254.130/student -U student #student用户登陆smb
Enter student's password:
session setup failed: NT_STATUS_LOGON_FAILURE #登陆失败
[root@localhost ~]# smbclient //172.25.254.130/student -U student #student用户访问smb
Enter student's password:
session setup failed: NT_STATUS_LOGON_FAILURE
查看功能开关:[root@localhost ~]# getsebool -a | grep samba
[root@localhost ~]# setsebool -P samba_enable_home_dirs on #smb共享家目录功能永久打开
[root@localhost ~]# smbclient //172.25.254.130/student -U student #student用户访问smb可以看到共享的家目录
ls
在客户端主机上
安装:yum install samba-client -y
[root@localhost ~]# smbclient //172.25.254.130/student -U student #student用户登录smb
[root@localhost ~]# mount -o username=student,password=123 //172.25.254.160/student /mnt/ #挂载
[root@localhost ~]# df
三.smb配置
1.在服务端
[root@localhost ~]# vim /etc/samba/smb.conf #修改配置文件内容
workgroup = HAHA #公司名字
[root@localhost ~]# systemctl restart smb.service #修改配置文件后重启服务
在客户端匿名用户登录查看 smbclient -L //172.25.254.160 Domain改为HAHA
2.[root@localhost ~]# vim /etc/samba/smb.conf #允许172.25.254.1登陆
95 hosts allow = 172.25.254.1 #只允许列出的主机或网段访问共享
[root@localhost ~]# systemctl restart smb.service
允许172.25.254.1访问
拒绝其他IP登录
3.[root@localhost ~]# vim /etc/samba/smb.conf
96 hosts deny = 172.25.254.1 #拒绝列出的主机或网段访问共享
[root@localhost ~]# smbclient -L //172.25.254.160
Enter root's password:
Anonymous login successful
Domain=[HAHA] OS=[Windows 6.1] Server=[Samba 4.2.3]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 4.2.3)
Anonymous login successful
Domain=[HAHA] OS=[Windows 6.1] Server=[Samba 4.2.3]
Server Comment
--------- -------
Workgroup Master
--------- -------
拒绝172.25.254.1访问,所以172.25.254.1访问smb失败
3.[root@localhost ~]# vim /etc/samba/smb.conf
322 [DATA]
323 comment = weixin data #描述
324 path = /haha #目录
[root@localhost ~]# systemctl restart smb.service
[root@localhost ~]# mkdir /haha
[root@localhost ~]# touch /haha/haha{1..3}
[root@localhost ~]# semanage fcontext -a -t samba_share_t '/haha(/.*)?' #添加haha目录内核上的安全上下文
[root@localhost ~]# restorecon -FRvv /haha #刷新
smbclient //172.25.254.160/DATA -U student
Enter student's password:
Domain=[HAHA] OS=[Windows 6.1] Server=[Samba 4.2.3]
smb: \> ls
. D 0 Tue Dec 5 02:38:07 2017
.. D 0 Tue Dec 5 02:09:50 2017
haha1 N 0 Tue Dec 5 02:38:07 2017
haha2 N 0 Tue Dec 5 02:38:07 2017
haha3 N 0 Tue Dec 5 02:38:07 2017
[root@localhost ~]# smbclient -L //172.25.254.160 #用户可以看到共享的目录DATA
Enter root's password:
Anonymous login successful
Domain=[HAHA] OS=[Windows 6.1] Server=[Samba 4.2.3]
Sharename Type Comment
--------- ---- -------
DATA Disk weixin data
[root@foundation30 ~]# mount //172.25.254.130/DATA /mnt/ -o username=student,password=123 #挂载DATA
df
vim /etc/fstab #挂载信息写入文件
//172.25.254.160/DATA /mnt cifs defaults,username=student,password=123 0 0
[root@localhost ~]# mount -a
[root@localhost ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3180736 7293164 31% /
devtmpfs 481120 0 481120 0% /dev
tmpfs 496708 140 496568 1% /dev/shm
tmpfs 496708 13132 483576 3% /run
tmpfs 496708 0 496708 0% /sys/fs/cgroup
/dev/mapper/vg0-vo 483670 2339 451840 1% /home
//172.25.254.160/DATA 10473900 3161188 7312712 31% /mnt
4.[root@localhost ~]# vim /etc/samba/smb.conf
126 map to guest = bad user #把用户名不存在的登录映射为guest账户,匿名用户即以guest身份访问
325 guest ok = yes #匿名用户可以登陆
[root@localhost ~]# systemctl restart smb.service
[root@localhost ~]# vim /etc/fstab #挂载信息写入文件
//172.25.254.160/DATA /mnt cifs defaults,username=guest,password="" 0 0
[root@localhost ~]# mount -a
[root@localhost ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3180772 7293128 31% /
devtmpfs 481120 0 481120 0% /dev
tmpfs 496708 140 496568 1% /dev/shm
tmpfs 496708 13104 483604 3% /run
tmpfs 496708 0 496708 0% /sys/fs/cgroup
/dev/mapper/vg0-vo 483670 2339 451840 1% /home
//172.25.254.160/DATA 10473900 3161820 7312080 31% /mnt
4.[root@localhost ~]# vim /etc/samba/smb.conf
326 writable = yes #所有smb用户都可写
[root@localhost ~]# systemctl restart smb.service
[root@localhost ~]# cd /mnt/
[root@localhost mnt]# ls
haha1 haha2 haha3
[root@localhost mnt]# touch haha4
touch: cannot touch ‘haha4’: Permission denied
[root@localhost mnt]# rm -fr haha1
rm: cannot remove ‘haha1’: Permission denied #smb服务层允许写,但服务器上该目录的文件系统权限不允许
[root@localhost ~]# ls -ld /haha/
drwxr-xr-x. 2 root root 42 Dec 5 02:38 /haha/
[root@localhost ~]# setfacl -m u:student:rwx /haha/ #student用户加写权限
[root@localhost ~]# mount -o username=student,password=123 //172.25.254.160/DATA /mnt/
[root@localhost mnt]# touch haha4 #建立文件
[root@localhost mnt]# ls
haha1 haha2 haha3 haha4
[root@localhost mnt]# rm -rf haha4 #删除
[root@localhost mnt]# ls
haha1 haha2 haha3
[root@localhost ~]# useradd westos #建立用户westos
[root@localhost ~]# smbpasswd -a westos #添加smb并设置密码
New SMB password:
Retype new SMB password:
Added user westos.
[root@localhost ~]# setfacl -m g:student:rwx /haha/ #student组读写执行权限
[root@localhost ~]# usermod -G student westos #添加westos到student附加组
[root@localhost ~]# getfacl /haha/
getfacl: Removing leading '/' from absolute path names
file: haha/
owner: root
group: root
user::rwx
user:student:rwx
group::r-x
group:student:rwx
mask::rwx
[root@localhost ~]# mount -o username=westos,password=123 //172.25.254.160/DATA /mnt/ #挂载
[root@localhost ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3180776 7293124 31% /
devtmpfs 481120 0 481120 0% /dev
tmpfs 496708 140 496568 1% /dev/shm
tmpfs 496708 13104 483604 3% /run
tmpfs 496708 0 496708 0% /sys/fs/cgroup
/dev/mapper/vg0-vo 483670 2339 451840 1% /home
//172.25.254.160/DATA 10473900 3162044 7311856 31% /mnt
[root@localhost ~]# cd /mnt/
[root@localhost mnt]# ls
haha1 haha2 haha3
[root@localhost mnt]# touch haha5 #westos用户建立文件
[root@localhost mnt]# ls
haha1 haha2 haha3 haha5
[root@localhost mnt]# rm -fr haha5 #westos用户删除文件
[root@localhost mnt]# ls
haha1 haha2 haha3
5.[root@localhost ~]# vim /etc/samba/smb.conf
322 [DATA]
323 comment = weixin data
324 path = /haha
325 guest ok = yes
326 ; writable = yes #以;开头的行是注释,该参数不生效
327 write list = student #student用户可写
[root@localhost ~]# mount -o username=westos,password=123 //172.25.254.160/DATA /mnt/ #挂载
[root@localhost ~]# cd /mnt/
[root@localhost mnt]# touch haha6 #westos用户建立文件被禁止
touch: cannot touch ‘haha6’: Permission denied
[root@localhost ~]# mount -o username=student,password=123 //172.25.254.160/DATA /mnt/ #挂载
[root@localhost ~]# cd /mnt/
[root@localhost mnt]# touch haha6 #student用户建立文件
[root@localhost mnt]# ls
haha1 haha2 haha3 haha6
[root@localhost mnt]# rm -fr haha6 #student用户删除文件
[root@localhost mnt]# ls
haha1 haha2 haha3
6.[root@localhost ~]# vim /etc/samba/smb.conf
[DATA]
comment = weixin data
path = /haha
guest ok = yes
; writable = yes
write list = @student #student用户组对DATA可写
[root@localhost ~]# systemctl restart smb.service
[root@localhost ~]# mount -o username=westos,password=123 //172.25.254.160/DATA /mnt/
[root@localhost ~]# cd /mnt/
[root@localhost mnt]# touch haha7 #此时westos用户可建立删除文件
[root@localhost mnt]# ls
haha1 haha2 haha3 haha7
[root@localhost mnt]# rm -fr haha7
[root@localhost mnt]# ls
haha1 haha2 haha3
7.[root@localhost ~]# vim /etc/samba/smb.conf
[DATA]
comment = weixin data
path = /haha
guest ok = yes
writable = yes #所有smb用户可写
; write list = @student
[root@localhost ~]# systemctl restart smb.service
[root@localhost ~]# useradd admin
[root@localhost ~]# vim /etc/samba/smb.conf
[DATA]
comment = weixin data
path = /haha
guest ok = yes
writable = yes
; write list = @student
admin users = admin #admin用户在该共享内以root身份进行文件管理,不受文件系统权限限制,应谨慎授予
[root@localhost ~]# systemctl restart smb.service
[root@localhost ~]# smbpasswd -a admin
New SMB password:
Retype new SMB password:
Added user admin.
[root@localhost ~]# pdbedit -L #查看有哪些smb用户
student:1000:Student User
admin:1002:
westos:1001:
[root@localhost ~]# mount -o username=admin,password=123 //172.25.254.160/DATA /mnt/ #挂载
[root@localhost ~]# cd /mnt/
[root@localhost mnt]# touch haha #admin用户可建立文件
[root@localhost mnt]# ls
haha haha1 haha2 haha3
[root@localhost mnt]# rm -fr haha #admin用户可删除文件
[root@localhost mnt]# ls
haha1 haha2 haha3
8.[root@localhost ~]# vim /etc/samba/smb.conf
[DATA]
comment = weixin data
path = /haha
guest ok = yes
writable = yes
; write list = @student
admin users = admin
browseable = no #隐藏共享,不在共享列表中显示(仍可按名称访问)
[root@localhost ~]# systemctl restart smb.service
[root@localhost ~]# smbclient -L //172.25.254.160
Enter root's password:
Domain=[HAHA] OS=[Windows 6.1] Server=[Samba 4.2.3]
Sharename Type Comment
--------- ---- ------- #DATA目录被隐藏
IPC$ IPC IPC Service (Samba Server Version 4.2.3)
Domain=[HAHA] OS=[Windows 6.1] Server=[Samba 4.2.3]
Server Comment
--------- -------
Workgroup Master
--------- -------
9.[root@localhost ~]# vim /etc/samba/smb.conf
[DATA]
comment = weixin data
path = /haha
guest ok = yes
writable = yes
; write list = @student
admin users = admin
browseable = no
valid users = student #只有student用户可使用DATA
[root@localhost ~]# systemctl restart smb.service
[root@localhost ~]# mount -o username=westos,password=123 //172.25.254.160/DATA /mnt/
mount: //172.25.254.160/DATA is write-protected, mounting read-only
mount: cannot mount //172.25.254.160/DATA read-only
[root@localhost ~]# mount -o username=student,password=123 //172.25.254.160/DATA /mnt/
[root@localhost ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3180800 7293100 31% /
devtmpfs 481120 0 481120 0% /dev
tmpfs 496708 140 496568 1% /dev/shm
tmpfs 496708 13104 483604 3% /run
tmpfs 496708 0 496708 0% /sys/fs/cgroup
/dev/mapper/vg0-vo 483670 2339 451840 1% /home
//172.25.254.160/DATA 10473900 3162708 7311192 31% /mnt
10.[root@localhost ~]# vim /etc/samba/smb.conf
[DATA]
comment = weixin data
path = /haha
guest ok = yes
writable = yes
; write list =@student
admin users =admin #admin用户以root用户身份
browseable = no #隐藏
valid users = +student #允许student用户组访问smb
[root@localhost ~]# systemctl restart smb.service
[root@localhost ~]# mount -o username=westos,password=123 //172.25.254.160/DATA /mnt/ #westos可以使用DATA
[root@localhost ~]# cd /mnt/
[root@localhost mnt]# ls
haha1 haha2 haha3
[root@localhost mnt]# touch haha8
[root@localhost mnt]# ls
haha1 haha2 haha3 haha8
[root@localhost mnt]# rm -rf haha8
[root@localhost mnt]# cd
[root@localhost ~]# umount /mnt/
11.在客户端做:
[root@localhost ~]# yum install cifs-utils
[root@localhost ~]# vim /root/subfile #挂载时用这个文件里的用户认证
username=student
password=123
root用户充当smb的student用户
[root@localhost ~]# chmod 600 /root/subfile #文件中保存的是明文密码,只允许root读取
[root@localhost ~]# mount -o credentials=/root/subfile,multiuser,sec=ntlmssp //172.25.254.130/DATA /mnt/ #以/root/subfile里用户身份访问DATA目录,多用户认证
[root@localhost ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3181104 7292796 31% /
devtmpfs 481120 0 481120 0% /dev
tmpfs 496708 140 496568 1% /dev/shm
[root@localhost ~]# cd /mnt/
[root@localhost mnt]# touch file #root用户建立文件用的/root/subfile该文件里写的用户身份建立的
[root@localhost mnt]# ls
file haha1 haha2 haha3
[root@localhost ~]# su - student
Last login: Tue Dec 5 06:23:29 EST 2017 on pts/1
[student@localhost ~]$ cifscreds add -u westos 172.25.254.160 #student用户得到的smb用户身份为westos
Password:
[student@localhost ~]$ cd /mnt/
[student@localhost mnt]$ ls
file haha1 haha2 haha3
[student@localhost mnt]$ touch file1 #student用户建立文件是用的smb用户身份westos
服务端:
[root@localhost ~]# cd /haha/
[root@localhost haha]# ls
file file1 haha1 haha2 haha3
[root@localhost haha]# ll
total 0
-rw-r--r--. 1 student student 0 Dec 5 06:21 file #该文件是student用户建立
-rw-r--r--. 1 westos westos 0 Dec 5 06:25 file1 #该文件是westos用户建立
-rw-r--r--. 1 root root 0 Dec 5 02:38 haha1
-rw-r--r--. 1 root root 0 Dec 5 02:38 haha2
-rw-r--r--. 1 root root 0 Dec 5 02:38 haha3
Samba 企业应用案例需求:
- 所有员工都能够在公司内流动办公,但不管在哪电脑上工作,都要把自己文件存在 Samba 文件服务器上.
- 各部门办公人员拥有各自的主目录,用于存放私有文档(工作相关),其他人禁止访问.
- 所有的用户都不允许使用服务器的 SHELL(安全考虑).
- 制造部、财务部、管理部,都有各自的文件目录.
- 各部门目录下提供“对外”、“公共文档”、“受控文档”三个子目录.
对外: <1>允许公司所有工作人员访问,但不能修改文件.
<2>本部门文员负责维护数据
公共文档:<1>本部门员工可以访问,领导层可以访问,但不能修改.
<2> 本部门文员负责维护数据
受控文档:<1>本部门主管、公司领导可以访问、其他员工禁止.
<2>本部门主管负责维护数据
注:财务部受控文档只允许总经理、财务部总监、主管访问;管理部受控文档只允许总经理、主管访问
- 公共区域:<1>所有员工均可访问
<2>网络部负责维护
- 交换区域:<1>所有员工均可读可写,禁止删除其它员工文件.
<2>网络部负责维护
创建相关的目录:
mkdir /home/samba/zhizao caiwu guanli public swap
mkdir /home/samba/zhizao/guest public private
mkdir /home/samba/caiwu/guest public private
mkdir /home/samba/guanli/guest public private
创建相关的用户和组:
groupadd zhizao caiwu guanli lingdao network
useradd -s /bin/false wy zg zj jl
usermod -G zhizao,caiwu,guanli wy
usermod -G zhizao,caiwu,guanli zg
usermod -G caiwu zj
usermod -G lingdao jl
设置文件系统权限:
chmod 1777 /home/samba/swap
chmod 755 /home/samba/zhizao caiwu guanli
chmod 775 /home/samba/public
chgrp network /home/samba/public
chmod 755 /home/samba/zhizao/guest
chown wy.zhizao /home/samba/zhizao/guest
chmod 750 /home/samba/zhizao/public private
chown zg.lingdao /home/samba/zhizao/private
setfacl -m g:lingdao:rx /home/samba/zhizao/public
chmod 755 /home/samba/caiwu/guest
chown wy.caiwu /home/samba/caiwu/guest
chmod 750 /home/samba/caiwu/public
chown wy.caiwu /home/samba/caiwu/public
setfacl -m g:lingdao:rx /home/samba/caiwu/public
chmod 700 /home/samba/caiwu/private
chown zg /home/samba/caiwu/private
setfacl -m u:zj:rx /home/samba/caiwu/private
setfacl -m u:jl:rx /home/samba/caiwu/private
chmod 755 /home/samba/guanli/guest
chown wy.guanli /home/samba/guanli/guest
chmod 750 /home/samba/guanli/public
chown wy.guanli /home/samba/guanli/public
setfacl -m g:lingdao:rx /home/samba/guanli/public
chmod 700 /home/samba/guanli/private
chown zg /home/samba/guanli/private
setfacl -m u:jl:rx /home/samba/guanli/private
配置 samba 服务:
# Share definitions for the company scenario described above.
# NOTE(review): smb.conf only treats a line whose first character is ';' or '#'
# as a comment; text after a value on the same line becomes part of the value,
# so keep comments on their own lines when this is copied into the real file.
# NOTE(review): Samba treats repeated section names as the same share (later
# values override earlier ones). [对外], [公共文档] and [受控文档] each appear
# three times below, so only one merged definition would take effect — give
# each department's sub-shares distinct names before deploying.
# NOTE(review): users in 'admin users' perform all file operations inside the
# share as root, bypassing the directory modes and ACLs set above; keep these
# lists to the single maintainer the requirements name.
# NOTE(review): 'public = yes' is a synonym for 'guest ok = yes' and permits
# anonymous (guest) access, which is wider than "all employees"; drop it, or
# combine it with 'valid users', if only authenticated staff should connect.
[homes]
# Per-user private directory (requirement: others may not access it).
comment = Home Directories
browseable = no
writable = yes
[制造部]
# Department root; 755 on /home/samba/zhizao leaves writes to the sub-shares.
path = /home/samba/zhizao
writable = yes
browseable = yes
[对外]
# Read-only for everyone; wy (文员) maintains the content.
path = /home/samba/zhizao/guest
admin users = wy
browseable = no
[公共文档]
# Department staff and leadership may read; wy maintains.
path = /home/samba/zhizao/public
valid users = @zhizao @lingdao
admin users = wy
browseable = no
[受控文档]
# Supervisor zg and leadership only; zg maintains.
path = /home/samba/zhizao/private
valid users = zg @lingdao
admin users = zg
browseable = no
[财务部]
path = /home/samba/caiwu
writable = yes
browseable = yes
[对外]
path = /home/samba/caiwu/guest
admin users = wy
browseable = no
[公共文档]
path = /home/samba/caiwu/public
valid users = @caiwu @lingdao
admin users = wy
browseable = no
[受控文档]
# Finance controlled docs: general manager jl, finance director zj, supervisor zg.
path = /home/samba/caiwu/private
valid users = zg zj jl
admin users = zg
browseable = no
[管理部]
path = /home/samba/guanli
writable = yes
browseable = yes
[对外]
path = /home/samba/guanli/guest
admin users = wy
browseable = no
[公共文档]
path = /home/samba/guanli/public
valid users = @guanli @lingdao
admin users = wy
browseable = no
[受控文档]
# Management controlled docs: general manager jl and supervisor zg only.
path = /home/samba/guanli/private
valid users = zg jl
admin users = zg
browseable = no
[公共区域]
# Readable by all; network group maintains (dir is 775, group network).
path = /home/samba/public
public = yes
admin users = @network
[交换区域]
# Read/write for all; the sticky bit from 'chmod 1777 /home/samba/swap' is
# what stops users deleting each other's files — Samba itself does not.
path = /home/samba/swap
writeable = yes
public = yes
admin users = @network