An introduction to the Samba service on Linux
Lab environment: VMware 6.5.2 + Red Hat Enterprise 5 AS

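My kernel version
The two screenshots above show file sharing on Windows Server 2003. There we can conveniently share folders so that LAN users or domain users can access and browse them, and just as conveniently set permissions such as read, write and full control. We generally assume that a LAN should have a file server. Given the state of virus protection on Windows systems in a LAN environment, today I will briefly introduce how to share files from Linux. The same method also makes it quick and convenient for Windows and Linux to communicate with each other.
Once the Samba service is deployed, the shared files can be found from Network Neighborhood on Windows.
Ports involved: 137 138 139
Installing the packages: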
[root@localhost ~]# cd /mnt
[root@localhost mnt]# ls
hgfs
[root@localhost mnt]# mkdir cdrom
[root@localhost mnt]# mount /dev/cdrom /mnt/cdrom
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@localhost mnt]# cd cdrom/Server
[root@localhost Server]#
Mount the image and change into the directory
[root@localhost Server]# rpm -ivh samba-
samba-3.0.25b-0.el5.4.i386.rpm samba-common-3.0.25b-0.el5.4.i386.rpm
samba-client-3.0.25b-0.el5.4.i386.rpm samba-swat-3.0.25b-0.el5.4.i386.rpm
[root@localhost Server]#
Here we only need to install three of these packages; barring surprises, they were installed by default along with the system
[root@localhost Server]# rpm -ivh samba-3.0.25b-0.el5.4.i386.rpm
warning: samba-3.0.25b-0.el5.4.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
package samba-3.0.25b-0.el5.4 is already installed
The package is already installed
[root@localhost Server]# rpm -ivh samba-common-3.0.25b-0.el5.4.i386.rpm
warning: samba-common-3.0.25b-0.el5.4.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
package samba-common-3.0.25b-0.el5.4 is already installed
[root@localhost Server]# rpm -ivh samba-client-3.0.25b-0.el5.4.i386.rpm
warning: samba-client-3.0.25b-0.el5.4.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
package samba-client-3.0.25b-0.el5.4 is already installed
The relevant files we will work with
/etc/samba/smb.conf
[root@localhost Server]# vi /etc/samba/smb.conf
[root@localhost samba]# ls
lmhosts smb.conf smbusers
[root@localhost samba]# pwd
/etc/samba
[root@localhost samba]#
The file is long, so pay attention
Besides #, comments in the Samba file can also start with a semicolon, and the two are used differently
--------------------------------------------------------------------------------
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
This roughly says that Samba has a huge number of configuration options, most of which are not shown in this example
(so, since there is no ready-made template, many features have to be added by hand)
# For a step to step guide on installing, configuring and using samba,
For a step-by-step guide to installing, configuring and using Samba
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
# Many working examples of smb.conf files can be found in the
Many working examples of smb.conf files can be found in
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
# NOTE: Whenever you modify this file you should run the command "testparm"
Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
to check that you have not made any basic syntax errors
#---------------
# SELINUX NOTES:
Some points to note
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
# Use ls -ldZ /path to see which context a directory has
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#--------------
#======================= Global Settings =====================================
Global settings
[global]
# ----------------------- Netwrok Related Options -------------------------
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
# server string is the equivalent of the NT Description field
# netbios name can be used to specify a server name not tied to the hostname
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
workgroup = MYGROUP
server string = Samba Server Version %v
; netbios name = MYSERVER
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.
# --------------------------- Logging Options -----------------------------
# Log File let you specify where to put logs and how to split them up.
# Max Log Size let you specify the max size log files should reach
# logs split per machine
; log file = /var/log/samba/%m.log
# max 50KB per log file, then rotate
; max log size = 50
# ----------------------- Standalone Server Options ------------------------
# Scurity can be set to user, share(deprecated) or server(deprecated)
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
security = user
passdb backend = tdbsam
You should be able to see this when logging in
# ----------------------- Domain Members Options ------------------------
Here we can define domain membership; Linux supports domains
# Security must be set to domain or ads
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
; security = domain
; passdb backend = tdbsam
; realm = MY_REALM
; password server = <NT-Server-Name>
# ----------------------- Domain Controller Options ------------------------
Domain controller options. Linux cannot act as a primary domain controller (supporting domains at all is already quite good)
# Security must be set to user for domain controllers
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
# Domain Logons let Samba be a domain logon server for Windows workstations.
# Logon Scrpit let yuou specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
# Logon Path let you specify where user profiles are stored (UNC path)
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
; security = user
; domain master = yes
; domain logons = yes
# the login script name depends on the machine name
; logon script = %m.bat
# the login script name depends on the unix user used
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# disables profiles support by specifing an empty path
; logon path =
; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"
# ----------------------- Browser Control Options ----------------------------
Browser control options
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; local master = no
; os level = 33
; preferred master = yes
#----------------------------- Name Resolution -------------------------------
Name resolution
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
# - WINS Proxy: Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.
; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes
; dns proxy = yes
# --------------------------- Printing Options -----------------------------
Printing options (like Windows, Linux supports printer sharing through Network Neighborhood; it is enabled by default and needs no extra configuration)
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
# Printcap Name let you specify an alternative printcap file
# You can choose a non default printing system using the Printing option
load printers = yes
cups options = raw
; printcap name = /etc/printcap
#obtain list of printers automatically on SystemV
; printcap name = lpstat
; printing = cups
# --------------------------- Filesystem Options ---------------------------
File options
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). Thess options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares
; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes
#============================ Share Definitions ==============================
Share definitions, similar to the share permissions set on Windows
[homes]
User home directories
comment = Home Directories
browseable = no
Whether the share can be browsed, meaning that users with permission can see it in Network Neighborhood; yes is recommended
writable = yes
Whether it can be written to
; valid users = %S
; valid users = MYDOMAIN\%S
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = no
writable = no
printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
The default is to use the user's home directory
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
# A publicly accessible directory, but read only, except for people in
# the "staff" group
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = +staff
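--------------------------------------------------------------------------------
The above is the full content of the configuration file. The underlined parts are my own explanations, which may well contain inaccuracies.
Next we modify the configuration file to set up two extreme cases: one share that anyone can access, and one that only a specific user can access.
Let's add the following at the end of the file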
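# share name: user
[user]
# directory location
path = /tmp/user
# allow browsing
browseable = yes
# allow writing
writable = yes
# share name: pub
[pub]
# directory location / share path
path = /tmp/pub
# anyone can log in, no password needed
guest ok = yes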
Save and exit
Create these two directories:
[root@localhost samba]# vi smb.conf
[root@localhost samba]# cd /tmp
[root@localhost tmp]# mkdir user
[root@localhost tmp]# mkdir pub
[root@localhost tmp]# ll
總計 5064
drwx------ 2 laowu laowu 4096 04-21 13:10 gconfd-laowu
drwx------ 3 root root 4096 04-30 18:34 gconfd-root
drwx------ 2 root root 4096 04-30 18:34 keyring-0RrNkQ
drwxr-xr-x 2 nfsnobody nfsnobody 4096 04-21 13:27 linuxqq_v1.0.2-beta1_i386
-rw-rw-rw- 1 root root 5029235 04-16 15:27 linuxqq_v1.0.2-beta1_i386.tar.gz
srwxrwxr-x 1 laowu laowu 0 04-08 19:15 mapping-laowu
srwxr-xr-x 1 root root 0 04-30 18:34 mapping-root
drwx------ 2 root root 4096 04-30 21:19 orbit-root
drwxr-xr-x 2 root root 4096 04-30 21:27 pub
-rw-r--r-- 1 root root 5 04-30 20:34 scim-bridge-0.3.0.lockfile-0@localhost:0.0
srwxr-xr-x 1 root root 0 04-30 18:34 scim-bridge-0.3.0.socket-0@localhost:0.0
srw------- 1 root root 0 04-30 18:34 scim-helper-manager-socket-root
srw------- 1 laowu laowu 0 04-08 19:16 scim-panel-socket:0-laowu
srw------- 1 root root 0 04-30 18:34 scim-panel-socket:0-root
srw------- 1 root root 0 04-30 18:34 scim-socket-frontend-root
-rw-rw-r-- 1 laowu laowu 0 04-08 19:16 sealert.log
drwx------ 2 root root 4096 04-30 18:34 ssh-zxcJIj2764
drwxr-xr-x 2 root root 4096 04-30 21:27 user
drwx------ 2 root root 4096 04-30 18:34 virtual-root.a39z0R
drwxrwxrwt 5 root root 4096 04-24 14:03 VMwareDnD
drwx------ 2 root root 4096 04-21 13:10 vmware-root
drwxr-xr-x 7 root root 4096 2008-10-29 vmware-tools-distrib
[root@localhost tmp]#
Next we change the permissions of user and pub
[root@localhost tmp]# chown aa user
[root@localhost tmp]# chmod 700 user
[root@localhost tmp]# chmod 777 pub
drwxrwxrwx 2 root root 4096 04-30 21:27 pub
-rw-r--r-- 1 root root 5 04-30 21:34 scim-bridge-0.3.0.lockfile-0@localhost:0.0
drwx------ 2 aa root 4096 04-30 21:27 user
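Here we change the ownership of user to aa and give pub maximum permissions
Next step: set up access
First, one point must be clear: Samba permissions are closely tied to system user permissions. In other words, to grant permissions to a Samba user, that user must first exist on the system.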
[root@localhost tmp]# smbpasswd -a pp
New SMB password:
Retype new SMB password:
tdbsam_open: Converting version 0 database to version 3.
Failed to modify password entry for user pp
[root@localhost tmp]#
The user pp does not exist on the system, so setting a password for it does not take effect
[root@localhost tmp]# smbpasswd -a bb
Added user bb.
[root@localhost tmp]# smbpasswd -a aa
Restart the service
[root@localhost tmp]# service smb restart
關閉 SMB 服務: [失敗]
關閉 NMB 服務: [失敗]
啟動 SMB 服務: [确定]
啟動 NMB 服務: [确定]
[root@localhost tmp]# netstat -an |grep 137
udp 0 0 192.168.0.3:137 0.0.0.0:*
udp 0 0 0.0.0.0:137 0.0.0.0:*
unix 3 [ ] STREAM CONNECTED 12137 @/tmp/dbus-nI1cWz5phd
unix 3 [ ] STREAM CONNECTED 11137 /tmp/.X11-unix/X0
[root@localhost tmp]# netstat -an |grep 138
udp 0 0 192.168.0.3:138 0.0.0.0:*
udp 0 0 0.0.0.0:138 0.0.0.0:*
unix 3 [ ] STREAM CONNECTED 11138
[root@localhost tmp]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:61:A4:22
inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe61:a422/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:282 errors:0 dropped:0 overruns:0 frame:0
TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:46807 (45.7 KiB) TX bytes:10825 (10.5 KiB)
Interrupt:185 Base address:0x1424
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1220 errors:0 dropped:0 overruns:0 frame:0
TX packets:1220 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1923475 (1.8 MiB) TX bytes:1923475 (1.8 MiB)
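Open Network Neighborhood on Windows and search for the IP address 192.168.0.3
Enter the user name and password
aa and homes are the logged-in user's home directory and are there by default
If you use the default configuration here, the homes directory will not appear, but aa, the directory named after the user, still will
Remember this part of the configuration file? Log out and back in and you will see it
In pub and user we can enter and create and delete files
Log out and clear the cache
Log in as user bb
Try to access user
OK, access denied. That is as it should be, since only aa may access user
As for pub, we gave it maximum permissions, so reading and writing still work
That basically concludes the experiment. This article is only a small configuration in a lab environment; for a file server in production you will have to work out the permissions carefully. Setting permissions in Samba is a good deal more trouble than on Windows, but there is one benefit: as far as viruses go, it is more or less a do-it-once-and-forget-it job. So whether you prefer radishes or cabbage is up to each of you.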
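For the production permission review mentioned above, here is an added example (not part of the original article) that audits the [user] and [pub] share definitions from this page for guest access, a missing valid users list, paths under /tmp, and a missing hosts allow line. The function name and finding codes are assumptions of this example, and section names are matched as written in the file.

```python
import configparser

# Constructed sample: [global] plus the two shares appended in this article.
SAMPLE_SMB_CONF = """\
[global]
security = user
[user]
path = /tmp/user
browseable = yes
writable = yes
[pub]
path = /tmp/pub
guest ok = yes
"""
TRUE = {"yes", "true", "1"}
SHARED_TMP = ("/tmp", "/var/tmp")  # world-writable parent directories
NOT_FILE_SHARES = {"global", "homes", "printers"}

def audit_smb_conf(text):
    """Return {section: [finding codes]} for risky settings in smb.conf text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    glob = cp["global"] if cp.has_section("global") else {}

    def opt(sec, *names):
        # A share inherits any parameter it does not set from [global].
        for source in (sec, glob):
            for n in names:
                if source.get(n) is not None:
                    return source.get(n).strip()
        return ""

    report = {}
    if not opt(glob, "hosts allow", "allow hosts"):
        report["global"] = ["no-hosts-allow"]
    for name in cp.sections():
        if name.lower() in NOT_FILE_SHARES:
            continue
        sec, found = cp[name], []
        if opt(sec, "guest ok", "public").lower() in TRUE:
            found.append("guest-ok")          # no password needed at all
        elif not opt(sec, "valid users"):
            found.append("no-valid-users")    # only Unix permissions gate access
        path = opt(sec, "path")
        if any(path == d or path.startswith(d + "/") for d in SHARED_TMP):
            found.append("path-under-tmp")
        if found:
            report[name] = found
    return report
```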