一.SMB 文件共享

通用Internet文件系统(CIFS),也称为服务器消息块(SMB),是适用于Microsoft Windows服务器和客户端的标准文件和打印机共享系统。Samba 服务可用于将Linux文件系统作为CIFS/SMB网络文件共享,将Linux打印机作为CIFS/SMB打印机共享进行共享 Samba服务的组成部分 软件包: samba-common Samba的支持文件 samba-client 客户端应用程序 samba 服务器应用程序 服务名称:smb nmb 服务端口:通常使用TCP/445进行所有连接。还使用UDP/137、UDP/138和TCP/139进行向后兼容 主配置文件:/etc/samba/smb.conf 二.smb服务 实验环境: selinux开关设置为警告(Permissive)模式 [root@localhost ~]# setenforce 0 [root@localhost ~]# getenforce Permissive 1.安装:yum install samba-common samba samba-client -y 2.[root@localhost ~]# systemctl start smb #启动服务 3.查看端口信息:netstat -antlupe | grep smb 4.[root@localhost ~]# smbclient -L //172.25.254.100 #以匿名用户访问smb Enter root's password: session setup failed: NT_STATUS_LOGON_FAILURE #此时尚未创建smb用户,登录失败 [root@localhost ~]# id student uid=1000(student) gid=1000(student) groups=1000(student),10(wheel) 5.smb用户

smbpasswd 如果没有samba密码服务器,则必须在本地计算机上创建身份验证数据。使用smbpasswd创建samba账户和密码。smb用户必须是本地存在的用户 [root@localhost ~]# smbpasswd -a student #添加smb用户,该用户 必须是系统存在用户,设置一个登录smb的密码 6.[root@localhost ~]# smbclient //172.25.254.130/student -U student #student用户登录smb Enter student's password: session setup failed: NT_STATUS_LOGON_FAILURE #登录失败 [root@localhost ~]# smbclient //172.25.254.130/student -U student #student用户访问smb Enter student's password: session setup failed: NT_STATUS_LOGON_FAILURE #密码正确仍失败,原因是SELinux尚未允许共享家目录,见下一步

查看功能开关:[root@localhost ~]# getsebool -a | grep samba [root@localhost ~]# setsebool -P samba_enable_home_dirs on #smb共享家目录功能永久打开 [root@localhost ~]# smbclient //172.25.254.130/student -U student #student用户访问smb可以看到共享的家目录 ls

在客户端主机上 安装:yum install samba-client -y [root@localhost ~]# smbclient //172.25.254.130/student -U student #student用户登录smb

[root@localhost ~]# mount -o username=student,password=123 //172.25.254.160/student /mnt/ #挂载 [root@localhost ~]# df 二.smb配置 1.在服务端 [root@localhost ~]# vim /etc/samba/smb.conf #修改配置文件内容 workgroup = HAHA #公司名字 [root@localhost ~]# systemctl restart smb.service #修改配置文件后重启服务 在客户端匿名用户登录查看 smbclient -L //172.25.254.160 Domain改为HAHA 2.[root@localhost ~]# vim /etc/samba/smb.conf #允许172.25.254.1登陆 95 hosts allow = 172.25.254.1 #允许共享网段 [root@localhost ~]# systemctl restart smb.service 允许172.25.254.1访问 拒绝其他IP登录 3.[root@localhost ~]# vim /etc/samba/smb.conf 96 hosts deny = 172.25.254.1 #拒绝共享网段 [root@localhost ~]# smbclient -L //172.25.254.160 Enter root's password: Anonymous login successful Domain=[HAHA] OS=[Windows 6.1] Server=[Samba 4.2.3]

Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (Samba Server Version 4.2.3)

Anonymous login successful Domain=[HAHA] OS=[Windows 6.1] Server=[Samba 4.2.3]

Server               Comment
---------            -------

Workgroup            Master
---------            -------

拒绝172.25.254.1访问,所以172.25.254.1访问smb失败 3.[root@localhost ~]# vim /etc/samba/smb.conf 322 [DATA] 323 comment = weixin data #描述 324 path = /haha #目录 [root@localhost ~]# systemctl restart smb.service [root@localhost ~]# mkdir /haha [root@localhost ~]# touch /haha/haha{1..3} [root@localhost ~]# semanage fcontext -a -t samba_share_t '/haha(/.*)?' #添加haha目录内核上的安全上下文 [root@localhost ~]# restorecon -FRvv /haha #刷新 smbclient //172.25.254.160/DATA -U student Enter student's password: Domain=[HAHA] OS=[Windows 6.1] Server=[Samba 4.2.3] smb: > ls . D 0 Tue Dec 5 02:38:07 2017 .. D 0 Tue Dec 5 02:09:50 2017 haha1 N 0 Tue Dec 5 02:38:07 2017 haha2 N 0 Tue Dec 5 02:38:07 2017 haha3 N 0 Tue Dec 5 02:38:07 2017 root@localhost ~]# smbclient -L //172.25.254.160 #用户可以看到共享的目录DATA Enter root's password: Anonymous login successful Domain=[HAHA] OS=[Windows 6.1] Server=[Samba 4.2.3]

Sharename       Type      Comment
---------       ----      -------
DATA            Disk      weixin data

[root@foundation30 ~]# mount //172.25.254.130/DATA /mnt/ -o username=student,password=123 #挂载DATA df vim /etc/fstab #挂载信息写入文件 //172.25.254.160/DATA /mnt cifs defaults,username=student,password=123 0 0 [root@localhost ~]# mount -a [root@localhost ~]# df Filesystem 1K-blocks Used Available Use% Mounted on /dev/vda1 10473900 3180736 7293164 31% / devtmpfs 481120 0 481120 0% /dev tmpfs 496708 140 496568 1% /dev/shm tmpfs 496708 13132 483576 3% /run tmpfs 496708 0 496708 0% /sys/fs/cgroup /dev/mapper/vg0-vo 483670 2339 451840 1% /home //172.25.254.160/DATA 10473900 3161188 7312712 31% /mnt 4.[root@localhost ~]# vim /etc/samba/smb.conf

126 map to guest = bad user #把匿名用户映射成guest,未知的用户名都映射为guest 325 guest ok = yes #匿名用户可以登录 [root@localhost ~]# systemctl restart smb.service

[root@localhost ~]# vim /etc/fstab #挂载信息写入文件 //172.25.254.160/DATA /mnt cifs defaults,username=guest,password="" 0 0

[root@localhost ~]# mount -a [root@localhost ~]# df Filesystem 1K-blocks Used Available Use% Mounted on /dev/vda1 10473900 3180772 7293128 31% / devtmpfs 481120 0 481120 0% /dev tmpfs 496708 140 496568 1% /dev/shm tmpfs 496708 13104 483604 3% /run tmpfs 496708 0 496708 0% /sys/fs/cgroup /dev/mapper/vg0-vo 483670 2339 451840 1% /home //172.25.254.160/DATA 10473900 3161820 7312080 31% /mnt 4.[root@localhost ~]# vim /etc/samba/smb.conf

326 writable = yes #所有smb用户都可写 [root@localhost ~]# systemctl restart smb.service [root@localhost ~]# cd /mnt/

[root@localhost mnt]# ls haha1 haha2 haha3 [root@localhost mnt]# touch haha4 touch: cannot touch ‘haha4’: Permission denied [root@localhost mnt]# rm -fr haha1 rm: cannot remove ‘haha1’: Permission denied #Samba 服务允许写入,但服务器上/haha目录的文件系统权限不允许

[root@localhost ~]# ls -ld /haha/ drwxr-xr-x. 2 root root 42 Dec 5 02:38 /haha/ [root@localhost ~]# setfacl -m u:student:rwx /haha/ #student用户加写权限 [root@localhost ~]# mount -o username=student,password=123 //172.25.254.160/DATA /mnt/ [root@localhost mnt]# touch haha4 #建立文件 [root@localhost mnt]# ls haha1 haha2 haha3 haha4 [root@localhost mnt]# rm -rf haha4 #删除 [root@localhost mnt]# ls haha1 haha2 haha3

[root@localhost ~]# useradd westos #建立用户westos [root@localhost ~]# smbpasswd -a westos #添加smb并设置密码 New SMB password: Retype new SMB password: Added user westos.

[root@localhost ~]# setfacl -m g:student:rwx /haha/ #student组读写执行权限 [root@localhost ~]# usermod -G student westos #添加westos到student附加组 [root@localhost ~]# getfacl /haha/

getfacl: Removing leading '/' from absolute path names

file: haha/

owner: root

group: root

user::rwx user:student:rwx group::r-x group:student:rwx mask::rwx

[root@localhost ~]# mount -o username=westos,password=123 //172.25.254.160/DATA /mnt/ #挂载 [root@localhost ~]# df Filesystem 1K-blocks Used Available Use% Mounted on /dev/vda1 10473900 3180776 7293124 31% / devtmpfs 481120 0 481120 0% /dev tmpfs 496708 140 496568 1% /dev/shm tmpfs 496708 13104 483604 3% /run tmpfs 496708 0 496708 0% /sys/fs/cgroup /dev/mapper/vg0-vo 483670 2339 451840 1% /home //172.25.254.160/DATA 10473900 3162044 7311856 31% /mnt [root@localhost ~]# cd /mnt/ [root@localhost mnt]# ls haha1 haha2 haha3 [root@localhost mnt]# touch haha5 #westos用户建立文件 [root@localhost mnt]# ls haha1 haha2 haha3 haha5 [root@localhost mnt]# rm -fr haha5 #westos用户删除文件 [root@localhost mnt]# ls haha1 haha2 haha3

5.[root@localhost ~]# vim /etc/samba/smb.conf

322 [DATA] 323 comment = weixin data 324 path = /haha 325 guest ok = yes 326 ; writable = yes # 以;开头的行是注释,不生效 327 write list = student #student用户可写 [root@localhost ~]# mount -o username=westos,password=123 //172.25.254.160/DATA /mnt/ #挂载 [root@localhost ~]# cd /mnt/ [root@localhost mnt]# touch haha6 #westos用户建立文件被禁止 touch: cannot touch ‘haha6’: Permission denied [root@localhost ~]# mount -o username=student,password=123 //172.25.254.160/DATA /mnt/ #挂载 [root@localhost ~]# cd /mnt/ [root@localhost mnt]# touch haha6 #student用户建立文件 [root@localhost mnt]# ls haha1 haha2 haha3 haha6 [root@localhost mnt]# rm -fr haha6 #student用户删除文件 [root@localhost mnt]# ls haha1 haha2 haha3 6.[root@localhost ~]# vim /etc/samba/smb.conf [DATA] comment = weixin data path = /haha guest ok = yes ; writable = yes write list = @student #student用户组对DATA可写 [root@localhost ~]# systemctl restart smb.service

[root@localhost ~]# mount -o username=westos,password=123 //172.25.254.160/DATA /mnt/ [root@localhost ~]# cd /mnt/ [root@localhost mnt]# touch haha7 #此时westos用户可建立删除文件 [root@localhost mnt]# ls haha1 haha2 haha3 haha7 [root@localhost mnt]# rm -fr haha7 [root@localhost mnt]# ls haha1 haha2 haha3 7.[root@localhost ~]# vim /etc/samba/smb.conf [DATA] comment = weixin data path = /haha guest ok = yes writable = yes #所有smb用户可写 ; write list = @student [root@localhost ~]# systemctl restart smb.service [root@localhost ~]# useradd admin [root@localhost ~]# vim /etc/samba/smb.conf [DATA] comment = weixin data path = /haha guest ok = yes writable = yes ; write list = @student admin users = admin #设定admin用户在该共享内对文件的操作以超级用户身份执行

[root@localhost ~]# systemctl restart smb.service [root@localhost ~]# smbpasswd -a admin New SMB password: Retype new SMB password: Added user admin. [root@localhost ~]# pdbedit -L #查看有哪些smb用户 student:1000:Student User admin:1002: westos:1001: [root@localhost ~]# mount -o username=admin,password=123 //172.25.254.160/DATA /mnt/ #挂载 [root@localhost ~]# cd /mnt/ [root@localhost mnt]# touch haha #admin用户可建立文件 [root@localhost mnt]# ls haha haha1 haha2 haha3 [root@localhost mnt]# rm -fr haha #admin用户可删除文件 [root@localhost mnt]# ls haha1 haha2 haha3 8.[root@localhost ~]# vim /etc/samba/smb.conf

    [DATA]
    comment = weixin data
    path = /haha
    guest ok = yes
    writable = yes

; write list = @student admin users = admin browseable = no #隐藏目录 [root@localhost ~]# systemctl restart smb.service [root@localhost ~]# smbclient -L //172.25.254.160 Enter root's password: Domain=[HAHA] OS=[Windows 6.1] Server=[Samba 4.2.3]

Sharename       Type      Comment
---------       ----      -------  #DATA目录被隐藏
IPC$            IPC       IPC Service (Samba Server Version 4.2.3)

Domain=[HAHA] OS=[Windows 6.1] Server=[Samba 4.2.3]

Server               Comment
---------            -------

Workgroup            Master
---------            -------

9.[root@localhost ~]# vim /etc/samba/smb.conf

   [DATA]
    comment = weixin data
    path = /haha
    guest ok = yes
    writable = yes

; write list = @student admin users = admin browseable = no valid users = student #只有student用户可使用DATA [root@localhost ~]# systemctl restart smb.service [root@localhost ~]# mount -o username=westos,password=123 //172.25.254.160/DATA /mnt/ mount: //172.25.254.160/DATA is write-protected, mounting read-only mount: cannot mount //172.25.254.160/DATA read-only [root@localhost ~]# mount -o username=student,password=123 //172.25.254.160/DATA /mnt/
[root@localhost ~]# df Filesystem 1K-blocks Used Available Use% Mounted on /dev/vda1 10473900 3180800 7293100 31% / devtmpfs 481120 0 481120 0% /dev tmpfs 496708 140 496568 1% /dev/shm tmpfs 496708 13104 483604 3% /run tmpfs 496708 0 496708 0% /sys/fs/cgroup /dev/mapper/vg0-vo 483670 2339 451840 1% /home //172.25.254.160/DATA 10473900 3162708 7311192 31% /mnt

10.[root@localhost ~]# vim /etc/samba/smb.conf

[DATA] comment = weixin data path = /haha guest ok = yes writable = yes ; write list =@student admin users =admin #admin用户以root用户身份 browseable = no #隐藏 valid users = +student #允许student用户组访问smb [root@localhost ~]# systemctl restart smb.service [root@localhost ~]# mount -o username=westos,password=123 //172.25.254.160/DATA /mnt/ #westos可以使用DATA [root@localhost ~]# cd /mnt/ [root@localhost mnt]# ls haha1 haha2 haha3 [root@localhost mnt]# touch haha8 [root@localhost mnt]# ls haha1 haha2 haha3 haha8 [root@localhost mnt]# rm -rf haha8 [root@localhost mnt]# cd [root@localhost ~]# umount /mnt/ 11.在客户端做: [root@localhost ~]# yum install cifs-utils [root@localhost ~]# vim /root/subfile #挂载时用这个文件里的用户认证 username=student password=123 root用户充当smb的student用户 [root@localhost ~]# chmod 600 /root/subfile [root@localhost ~]# mount -o credentials=/root/subfile,multiuser,sec=ntlmssp //172.25.254.130/DATA /mnt/ #以/root/subfile里用户身份访问DATA目录,多用户认证 [root@localhost ~]# df Filesystem 1K-blocks Used Available Use% Mounted on /dev/vda1 10473900 3181104 7292796 31% / devtmpfs 481120 0 481120 0% /dev tmpfs 496708 140 496568 1% /dev/shm

[root@localhost ~]# cd /mnt/ [root@localhost mnt]# touch file #root用户建立文件时使用的是/root/subfile中写的用户身份 [root@localhost mnt]# ls file haha1 haha2 haha3 [root@localhost ~]# su - student Last login: Tue Dec 5 06:23:29 EST 2017 on pts/1 [student@localhost ~]$ cifscreds add -u westos 172.25.254.160 #student用户得到的smb用户身份为westos Password: [student@localhost ~]$ cd /mnt/ [student@localhost mnt]$ ls file haha1 haha2 haha3 [student@localhost mnt]$ touch file1 #student用户建立文件时使用的是smb用户身份westos 服务端:

[root@localhost ~]# cd /haha/ [root@localhost haha]# ls file file1 haha1 haha2 haha3 [root@localhost haha]# ll total 0 -rw-r--r--. 1 student student 0 Dec 5 06:21 file #该文件是student用户建立 -rw-r--r--. 1 westos westos 0 Dec 5 06:25 file1 #该文件是westos用户建立 -rw-r--r--. 1 root root 0 Dec 5 02:38 haha1 -rw-r--r--. 1 root root 0 Dec 5 02:38 haha2 -rw-r--r--. 1 root root 0 Dec 5 02:38 haha3

Samba 企业应用案例需求:

  1. 所有员工都能够在公司内流动办公,但不管在哪台电脑上工作,都要把自己的文件存在 Samba 文件服务器上.
  2. 各部门办公人员拥有各自的主目录,用于存放私有文档(工作相关),其他人禁止访问.
  3. 所有的用户都不允许使用服务器的 SHELL(安全考虑).
  4. 制造部、财务部、管理部,都有各自的文件目录.
  5. 各部门目录下提供“对外”、“公共文档”、“受控文档”三个子目录. 对外: <1>允许公司所有工作人员访问,但不能修改文件. <2>本部门文员负责维护数据 公共文档:<1>本部门员工可以访问,领导层可以访问,但不能修改. <2> 本部门文员负责维护数据 受控文档:<1>本部门主管、公司领导可以访问、其他员工禁止. <2>本部门主管负责维护数据 注:财务部受控文档只允许总经理、财务部总监、主管访问;管理部受控文档只允许总经理、主管访问
  6. 公共区域:<1>所有员工均可访问 <2>网络部负责维护
  7. 交换区域:<1>所有员工均可读可写,禁止删除其它员工文件. <2>网络部负责维护 创建相关的目录: mkdir /home/samba/zhizao caiwu guanli public swap mkdir /home/samba/zhizao/guest public private mkdir /home/samba/caiwu/guest public private mkdir /home/samba/guanli/guest public private 创建相关的用户和组: groupadd zhizao caiwu guanli lingdao network useradd -s /bin/false wy zg zj jl usermod -G zhizao,caiwu,guanli wy usermod -G zhizao,caiwu,guanli zg usermod -G caiwu zj usermod -G lingdao jl 设置文件系统权限: chmod 1777 /home/samba/swap chmod 755 /home/samba/zhizao caiwu guanli chmod 775 /home/samba/public chgrp network /home/samba/public chmod 755 /home/samba/zhizao/guest chown wy.zhizao /home/samba/zhizao/guest chmod 750 /home/samba/zhizao/public private chown zg.lingdao /home/samba/zhizao/private setfacl -m g:lingdao:rx /home/samba/zhizao/public chmod 755 /home/samba/caiwu/guest chown wy.caiwu /home/samba/caiwu/guest chmod 750 /home/samba/caiwu/public chown wy.caiwu /home/samba/caiwu/public setfacl -m g:lingdao:rx /home/samba/caiwu/public chmod 700 /home/samba/caiwu/private chown zg /home/samba/caiwu/private setfacl -m u:zj:rx /home/samba/caiwu/private setfacl -m u:jl:rx /home/samba/caiwu/private chmod 755 /home/samba/guanli/guest chown wy.guanli /home/samba/guanli/guest chmod 750 /home/samba/guanli/public chown wy.guanli /home/samba/guanli/public setfacl -m g:lingdao:rx /home/samba/guanli/public chmod 700 /home/samba/guanli/private chown zg /home/samba/guanli/private setfacl -m u:jl:rx /home/samba/guanli/private 配置 samba 服务: [homes] comment = Home Directories browseable = no writable = yes [制造部] path = /home/samba/zhizao writable = yes browseable = yes [对外] path = /home/samba/zhizao/guest admin users = wy browseable = no [公共文档] path = /home/samba/zhizao/public valid users = @zhizao @lingdao admin users = wy browseable = no [受控文档] path = /home/samba/zhizao/private valid users = zg @lingdao admin users = zg browseable = no [财务部] path = /home/samba/caiwu writable = yes browseable = yes [对外] path = /home/samba/caiwu/guest 
admin users = wy browseable = no [公共文档] path = /home/samba/caiwu/public valid users = @caiwu @lingdao admin users = wy browseable = no [受控文档] path = /home/samba/caiwu/private valid users = zg zj jl admin users = zg browseable = no [管理部] path = /home/samba/guanli writable = yes browseable = yes [对外] path = /home/samba/guanli/guest admin users = wy browseable = no [公共文档] path = /home/samba/guanli/public valid users = @guanli @lingdao admin users = wy browseable = no [受控文档] path = /home/samba/guanli/private valid users = zg jl admin users = zg browseable = no [公共区域] path = /home/samba/public public = yes admin users = @network [交换区域] path = /home/samba/swap writeable = yes public = yes admin users = @network