1. For the install, the "server with GUI" option is generally sufficient.
2. yum install samba and yum install samba-client, then disable firewalld and SELinux. They must be disabled: systemctl disable firewalld, and in vim /etc/selinux/config set the mode to disabled. Check with getenforce and systemctl status firewalld. Add smb and nmb to the system daemons: systemctl enable smb nmb.
3. Configure accounts. There are generally two commands, smbpasswd -a xxx and pdbedit -a xxx, but both require a Linux system account of the same name to exist first (the account tralin already exists on the system, then pdbedit -a tralin sets it up for Samba); the Samba login user is then created with either tool, and its password may differ from the system password. pdbedit apparently used to be able to create virtual accounts without a pre-existing system account, but on CentOS 7/8 this did not pass testing. The configuration can be checked with testparm smb.conf. Also, if creating a user reports "fail", the account was not created; pdbedit -Lv lists the accounts.
If it reports no permission, check getenforce; SELinux needs to be turned off.
To add auditing, logging and a recycle bin, see the article below (look at the code at the very bottom):
https://blog.51cto.com/riverxyz/5169482
4. On Win7, access with NTLMv2 and LanMan behaves differently from before. Online guides say the client security policy must be changed; here is a Samba configuration that makes it unnecessary to touch Win7 (important, this is the key point).
vim /etc/samba/smb.conf
Add the following to the [global] section.
NTLM auth = yes
Lanman auth = no
Client lanman auth = no
5. The above configuration is recommended, since it avoids changing every client machine; with it in place, clients need no settings by default.
6. Character-encoding consistency between Samba and vsftpd:
Configure the Samba server
# vim /etc/samba/smb.conf
Add under [global]
unix charset = cp936
display charset = cp936
dos charset = cp936
cp936 is code page 936 on the system, i.e. GBK. It means clients connecting to the Samba server use GB2312 encoding.
CP936 is GBK; GB2312 is a proper subset of GBK.
In the Windows Control Panel, Regional and Language Options -> Advanced, the Code Page list shows 936 as GBK.
7. vsftpd needs no change.
8. Hidden files:
Try adding the following to vsftpd.conf
hide_file=.*
to hide all dotfiles.
9. The following is the other approach, i.e. changing the client (not required):
When testing, if Win7 must be changed: run secpol.msc, Local Policies, Security Options, the "send LM and NTLM" setting; change it to "send NTLMv2 response only, do not send LM and NTLM", the last item in the list.
Network access: sharing and security model for local accounts, change from Classic to Guest only.
10. Removing the home-directory share: when a new share such as [gtzbs] is created, the default home-folder share, e.g. [tralin], appears as well. This can be fixed by removing the whole [homes] section. In other words, I created a user and gave that user a shared folder, but Windows showed two shared folders, one of which was the default home directory. To fix this, comment out the whole [homes] section.
11. wget -nH -m ftp://xxxxxxusername:xxxxxpassword@192.168.7.65/alidata/ fetches the whole directory without the IP prefix.
See the two files, one smb.conf and one rsyslog.conf.
The audit log is at /var/log/samba/audit.log; there are two of them, do not confuse them, as the parent directory also has a file of the same name.
smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
    workgroup = WORKGROUP
    security = user
    netbios name = office
    passdb backend = tdbsam
    log file = /var/log/samba/%m.log
    max log size = 10240
    log level = 2
    full_audit:prefix = %u|%I|%S
    full_audit:failure = connect
    full_audit:success = mkdir rmdir rename unlink pwrite_send pwrite_recv pread_recv pread_send
    full_audit:facility = local2
    full_audit:priority = notice
    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw
    NTLM auth = yes
    Lanman auth = no
    Client lanman auth = no
    Browsable = yes
[share]
    comment = 共享文件夹
    path = /home/share/
    browseable = yes
    writeable = yes
    valid users = x,c
    write list = x,c
    # public = no  If this is changed to no, a user name can only log in once; multiple logins with the same user are refused
    public = yes
    guest ok = no
    create mask = 0777
    directory mask = 0777
    force directory mode = 0777
    force create mode = 0777
    vfs object = full_audit;recycle
    recycle:repository = .recycle
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = no
    recycle:maxsize = 0
    recycle:exclude = *.tmp ~$*
#[homes]
#    comment = Home Directories
#    valid users = %S, %D%w%S
#    browseable = yes
#    read only = No
#    inherit acls = Yes
#[printers]
#    comment = All Printers
#    path = /var/tmp
#    printable = Yes
#    create mask = 0600
#    browseable = No
#[print$]
#    comment = Printer Drivers
#    path = /var/lib/samba/drivers
#    write list = @printadmin root
#    force group = @printadmin
#    create mask = 0664
#    directory mask = 0775
The recycle bin lives in the hidden .recycle folder under the shared directory.
rsyslog.conf file, only one line is added at the very end
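As an added example (not part of the original notes), a small Python checker that parses an smb.conf in the shape shown above and flags the settings these notes depend on: LanMan auth left enabled, guest access, shares without the full_audit or recycle modules, and world-writable masks. The config text is constructed for the example; only '=' is treated as the key/value separator because ':' is part of module option names such as full_audit:prefix.

```python
import configparser
import re

# Constructed smb.conf excerpt (not the page's full file) used to exercise the checks.
SAMPLE_SMB_CONF = """
[global]
security = user
Lanman auth = no
Client lanman auth = no
full_audit:prefix = %u|%I|%S
full_audit:success = mkdir rmdir rename unlink
[share]
path = /home/share/
guest ok = no
create mask = 0777
vfs object = full_audit;recycle
recycle:repository = .recycle
[scratch]
path = /srv/scratch
guest ok = yes
"""

def parse_smb_conf(text):
    """Parse smb.conf text; keys are case-insensitive, '%' is literal, duplicates tolerated."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def vfs_modules(section):
    """Return the VFS module set; 'vfs object' is a synonym of 'vfs objects' and
    Samba splits list values on whitespace, comma or semicolon."""
    raw = section.get("vfs objects", section.get("vfs object", ""))
    return set(re.split(r"[\s,;]+", raw.strip())) - {""}

def audit_smb_conf(text):
    """Return (section, message) findings for the settings this page relies on."""
    cp = parse_smb_conf(text)
    findings = []
    g = cp["global"]
    for key in ("lanman auth", "client lanman auth"):
        if g.get(key, "no").lower() != "no":
            findings.append(("global", f"{key} should be 'no'"))
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        if s.get("guest ok", s.get("public", "no")).lower() == "yes":
            findings.append((name, "guest access enabled"))
        mods = vfs_modules(s)
        if "full_audit" not in mods:
            findings.append((name, "full_audit not loaded; share is not audited"))
        if "recycle" in mods and not s.get("recycle:repository"):
            findings.append((name, "recycle loaded but recycle:repository unset"))
        for key in ("create mask", "directory mask"):
            if s.get(key, "").endswith("777"):
                findings.append((name, f"{key} = {s[key]} is world-writable"))
    return findings
```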
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
# This single line needs to be added; it enables the audit log
local2.* /var/log/samba/audit.log
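As an added example (not part of the original notes), a Python parser for the audit.log that the configuration above produces: rsyslog's traditional timestamp, the smbd_audit tag, then the full_audit prefix %u|%I|%S followed by op|result|args. It flags a user/client pair that performs a burst of unlink/rmdir/rename operations within a short window (the pattern a wiper or ransomware leaves in this log) and counts failed connects per client IP. The log lines are constructed; the exact field layout is assumed from the prefix in smb.conf.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the shape produced by the page's smb.conf + rsyslog setup.
SAMPLE_AUDIT_LOG = """\
Mar 10 09:58:01 office smbd_audit: tralin|192.168.7.20|share|mkdir|ok|reports
Mar 10 09:58:20 office smbd_audit: tralin|192.168.7.20|share|rename|ok|reports/q1.xlsx|reports/q1-final.xlsx
Mar 10 10:00:01 office smbd_audit: x|192.168.7.31|share|unlink|ok|docs/a.docx
Mar 10 10:00:02 office smbd_audit: x|192.168.7.31|share|unlink|ok|docs/b.docx
Mar 10 10:00:02 office smbd_audit: x|192.168.7.31|share|rename|ok|docs/c.docx|docs/c.docx.locked
Mar 10 10:00:03 office smbd_audit: x|192.168.7.31|share|unlink|ok|docs/d.docx
Mar 10 10:00:04 office smbd_audit: x|192.168.7.31|share|unlink|ok|docs/e.docx
Mar 10 10:01:10 office smbd_audit: c|192.168.7.40|share|connect|fail (NT_STATUS_ACCESS_DENIED)|share
Mar 10 10:01:12 office smbd_audit: c|192.168.7.40|share|connect|fail (NT_STATUS_ACCESS_DENIED)|share
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: (?P<msg>.*)$")
DESTRUCTIVE = {"unlink", "rmdir", "rename"}

def parse_line(line):
    """Return (ts, user, client_ip, share, op, result, args) or None for non-audit lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog omits the year
    fields = m.group("msg").split("|")
    if len(fields) < 5:
        return None
    user, ip, share, op, result = fields[:5]
    return ts, user, ip, share, op, result, fields[5:]

def find_mass_deletes(log_text, threshold=5, window_s=60):
    """Flag (user, ip) pairs with >= threshold successful destructive ops inside window_s seconds."""
    recent, flagged = defaultdict(deque), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[4] not in DESTRUCTIVE or rec[5] != "ok":
            continue
        ts, user, ip = rec[0], rec[1], rec[2]
        q = recent[(user, ip)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.add((user, ip))
    return flagged

def failed_connects_by_ip(log_text):
    """Count failed share connects per client IP (full_audit:failure = connect)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[4] == "connect" and rec[5].startswith("fail"):
            counts[rec[2]] += 1
    return dict(counts)
```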