CentOS File Server Samba configuration case

Source: Internet
Author: User
Tags: ssl certificate

1. Samba protocol basics
Since the advent of the NetBIOS protocol, Microsoft has used it to implement its network file and print service, the well-known printing and sharing service. It is based on the SMB (Server Message Block) protocol, which allows different computers to share printers, serial ports, and abstract communication channels (such as named pipes and mail slots).
With the popularity of the Internet, Microsoft wanted to extend this protocol to the Internet as a standard for computers on the Internet to share data with each other. It therefore reorganized the existing SMB protocol with almost no technical changes, renamed it CIFS (Common Internet File System), and planned to decouple it from NetBIOS, trying to make it a standard protocol on the Internet.
To share resources between Windows and UNIX hosts, you can install software that supports the SMB/CIFS protocol on the UNIX computers, so that the Windows hosts need no change to their settings and the UNIX computer's resources can be used just like those of a Windows host. Samba is the software used to implement SMB. Its working principle is to run the NetBIOS (Network Basic Input/Output System) and SMB protocols on top of TCP/IP; in addition, the NetBEUI (NetBIOS Enhanced User Interface) protocol of Windows is used so that UNIX-like hosts can be seen by Windows hosts in Network Neighborhood. Its functions include:
- file sharing between Linux hosts and Windows hosts
- printer sharing between Linux hosts and Windows hosts
2. Samba settings
(1) Install Samba
Check whether Samba is installed:
# rpm -qa | grep samba
samba-swat-3.0.7-1.3E.1 -- Samba Web Administration Tool, port 901
samba-3.0.7-1.3E.1 -- Samba core files
redhat-config-samba-1.0.16-2 -- Samba's graphical setup tool
samba-common-3.0.7-1.3E.1 -- Samba common files
samba-client-3.0.7-1.3E.1 -- Samba client tools
If it is not installed, you can install it from the optical disc or over NFS (explained later; for the location of the installation files, see RedHat/RPMS). The installation method is as follows:
You can use yum -y install samba or # rpm -ivh *samba*.rpm to complete all installation tasks at once.

Or follow the centOS yum installation configuration samba Tutorial: http://www.centoscn.com/image-text/install/2013/0804/989.html
(2) Start the Samba server and web management service
# chkconfig smb on -- add the service to the service manager
# service smb start -- start the shared service; it still needs to be restarted after the configuration is modified
# chkconfig swat on -- remove the disabled flag of swat in the xinetd service
# service xinetd restart -- start the swat service by restarting the xinetd service
(3) Set up Samba
The Samba configuration file is /etc/samba/smb.conf. The initial content of this file is very long, but most of it is comments; these comments are often very helpful for the subsequent settings, and it is recommended that you read them carefully.
Samba settings can be divided into three parts: the global part (identified by [global]), the printer part (identified by [printers]) and the shared part (identified by [homes] and other share names). The global settings affect all other parts. The printer part is used to set up printer sharing, while the rest are general shares. Therefore, the general method for setting up Samba is clear: set the global parameters, set the printer part to share printers, and set the other share sections to provide specific shared services. Setting [homes] allows the local users' home directories to be shared.
A) Global settings
workgroup = syd168Group
Sets the workgroup or domain where the Samba server is located (see security = domain below).
server string = syd168's Samba Server %v
Sets the display name of the Samba server. It can also contain specific variables. Common ones include:
Variable   Meaning
%S         current service name (if any)
%P         root directory of the current service (if any)
%u         user name of the current service (if any)
%U         user name of the current session
%H         home directory of the current service user
%v         Samba version
%h         host name of the machine that runs the Samba service
%m         client NetBIOS name
%L         server NetBIOS name
%M         client host name
%I         client IP
%T         current date and time
Table 2-1
hosts allow = 172.12.0. 127.0.0.1 .syd164.com EXCEPT 172.12.0.8
Sets the networks and host IP addresses that may access the server; hosts listed after the EXCEPT keyword are excluded. For example, to allow access from 192.164.1.0/24 and 192.164.2.1/32, use hosts allow = 192.164.1. 192.164.2.1 127.0.0.1 (a network is written as its prefix with a trailing "."; the entries are separated by spaces). Note that you must add the local machine (127.0.0.1); otherwise, the local machine cannot be used for testing.
printcap name = /etc/printcap
The file that stores the printer descriptions, usually /etc/printcap.
load printers = yes | no
Sets whether the printers are shared automatically without setting up the [printers] section.
printing = lprng
Defines the printing system type. The default value is lprng. The options include bsd, sysv, plp, lprng, aix, hpux, and qnx.
guest account = guest
Defines the guest account; the account must already exist in /etc/passwd. Otherwise, the default nobody is used.
log file = /var/log/samba/%m.log
Defines the location of the log file (usually /var/log/samba/%m.log).
max log size = 100
Defines the maximum size of the log file (unit: KB; 0 means the size is not limited).
security = security_level
Defines the security level of Samba, from low to high: share, user, server, domain. Their corresponding verification methods:
- share: all users can access resources on the server without a user name or password.
- user: the default setting of Samba. Users must be verified against a local account before accessing shared resources.
- server: verification is delegated to another server. If it fails, Samba falls back to the user level.
- domain: verification is performed by a Windows domain controller on the network.
The latter three security levels (user, server, domain) all require the users to have an account on the Linux host that provides the shares.
password server =
Sets the name of the verification server. It is needed only when security is set to server or domain.
encrypt passwords = yes | no
Sets whether passwords are encrypted. Samba has its own password file, /etc/samba/smbpasswd. If passwords are not encrypted, the plaintext password is transmitted between the client and the server during the verification session, and Samba verifies it directly against the /etc/samba/smbpasswd password file on Linux. However, Windows 95 OSR2, Windows NT SP3 and later versions of Windows do not transmit plaintext passwords by default; to make these systems transmit plaintext passwords, their registry must be changed. A better way is to set this switch to yes.
smb passwd file = /etc/samba/smbpasswd
Sets the password file that stores the Samba user passwords (usually /etc/samba/smbpasswd).
ssl CA certFile = sslFile
When Samba is compiled with SSL support, you need to specify the location of the SSL CA certificate file (typically /usr/share/ssl/certs/ca-bundle.crt).
unix password sync = yes | no
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
These three settings allow the UNIX system password to be changed from a Windows client application.
username map = /etc/samba/smbusers
Specifies the user mapping file (usually /etc/samba/smbusers). If it contains the line root = administrator admin, a client connecting as admin or administrator is treated as the root user.
include = MachineConfFile
Specifies a per-machine configuration file for different client connections (generally set to /etc/samba/smb.conf.%m for flexible management: because the Samba variable ties the configuration file to the client's NetBIOS name, it is easy to control the permissions and settings of each client).
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
These are network socket parameters that can achieve the best file transfer performance. Related options include SO_KEEPALIVE, SO_REUSEADDR, SO_BROADCAST, IPTOS_LOWDELAY, IPTOS_THROUGHPUT, SO_SNDLOWAT (*), SO_RCVLOWAT (*), and so on. For a local network, only IPTOS_LOWDELAY is used; for a wide-area network, try IPTOS_THROUGHPUT.
interfaces = interface1 interface2
If you have multiple network interfaces, you must specify them here. For example, interfaces = 192.164.12.2/24 192.164.13.2/24
remote browse sync = host (subnet)
Specifies where to obtain browse-list synchronization information, either a host (for example, 192.164.3.25) or an entire subnet (192.164.1.255).
remote announce = 192.164.2.255/SERVERS 192.164.4.255/STAFF
Announces this server to the listed networks so that it can be seen in their "Network Neighborhood".
local master = yes | no
Specifies whether nmbd tries to become the local master browser. The default value is yes. If set to no, the Samba server will never become the local master browser. However, setting yes does not guarantee that the Samba server becomes the master browser; it only lets nmbd take part in the local master browser election.
os level = n
The value of n is an integer that determines whether nmbd has a chance to become the local master browser for the workgroup in the local broadcast area. The default value is zero, which means nmbd has no chance of winning the browser election. To make nmbd more likely to become the local master browser, it can be set to 65.
domain master = yes | no
Makes nmbd the domain master browser, which collects the browse lists from each local master browser and distributes the browse list of the entire domain to each local master browser.
preferred master = yes | no
Specifies whether nmbd is the preferred master browser in the workgroup. If yes, nmbd forces a browser election at startup.
preserve case = yes | no
short preserve case = yes | no
Specify whether case is preserved when copying DOS files. The default value is no.
default case = lower | upper
The default case for all DOS file names, uppercase or lowercase.
case sensitive = yes | no
Whether file names are case sensitive; generally no, otherwise problems may occur.
B) Sharing settings:
Each SMB server can provide file or print services, and each shared resource needs a share name, which is displayed in the server's resource list. The share name must be placed in [], for example, [homes]. If the last character of a share name is $, the share is hidden: it is not displayed in the browse list and can only be accessed by name.
The [homes] section is a special section in Samba sharing. It is used to share the user home directories. Generally, you do not need to set the path of the shared resource; in fact, the path is the home directory of each user. When a client requests a service, Samba first looks for a matching share in smb.conf; if none is found and the [homes] section is set, it searches /etc/passwd for the user's home directory. Using the [homes] section, Samba can find and share each user's home directory. The following are the basic settings for this section.
[homes]
comment = Home Directory
browseable = no
writable = yes
Other share sections provide specific shares. Each share section inherits the settings in [global], but if a parameter is set again in the section, it overrides the setting in [global]. The following is a share setting displayed as share1:
==============================
[share1] -- share name
comment = comment -- share description
path = /home/grind -- location of the shared files
allow hosts = host (subnet) -- hosts allowed to access the share, same syntax as in [global]
deny hosts = host (subnet) -- hosts denied access to the share, same syntax as above
writable = yes | no -- whether the shared data can be written
valid users = user (@group) -- users and groups that are allowed to access
invalid users = user (@group) -- users and groups that cannot access
read list = user (@group) -- users and groups that can only read
write list = user (@group) -- users and groups that are always allowed to read and write
admin users = user (@group) -- users and groups that can manage the share (read/write and permission modification)
guest ok = yes | no -- whether guest access is allowed, that is, no password is required
guest account = nobody -- the account used for guest access, which must exist in /etc/passwd
hide dot files = yes | no -- whether hidden (dot) files are not displayed
create mode = 0755 -- permissions of newly created files, usually 0755
directory mode = 0755 -- permissions of newly created directories, usually 0755
sync always = yes | no -- whether to sync to disk after every write to the share
case sensitive = yes | no -- case sensitive; generally no, otherwise an error may occur
force user = grind
If a directory can be written by guest, guest can also delete files in it. If force user = grind is used, files are created with grind as their owner, and with the create mask limited to 0755 the guest cannot delete them.
wide links = yes | no
Determines whether symbolic links that point outside the share are followed, for example a link in the shared directory that points to a file or directory outside the share. If you set wide links = no, such links become unavailable.
max connections = 100 -- maximum number of simultaneous connections
read only = yes | no -- share as read-only
==============================
Through the above method, multiple shares can be configured, as long as the display names of the shares are different. However, if you want to share "dynamic" devices such as optical drives and removable hard disks, note that these devices may not always be "online". Therefore, you need to create the share dynamically. Next we take the optical drive as an example of how to share "dynamic" resources.
==========================
[cdrom]
comment = syd168's DVDROM
path = /mnt/cdrom
public = yes
browseable = yes
root preexec = /bin/mount -t iso9660 -o iocharset=cp936 /dev/cd0 /mnt/cdrom
root postexec = /bin/umount /mnt/cdrom
==========================
Here, root preexec means the mount command is run as root when a client connects, and root postexec means umount is run as root when the client disconnects, which effectively shares the optical drive.
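The share parameters above (guest ok, writable, force user, wide links, root preexec/postexec) and the global security and encrypt passwords switches decide how much a share exposes. The following added example, which is not part of the original tutorial or of Samba, reads a constructed smb.conf in the form shown above and lists the settings a reviewer would check; the sample configuration and its share names are made up for the demo.

```python
import re

# Constructed sample combining the [share1] and [cdrom] settings discussed
# above with two weak global switches; not a real server's smb.conf.
SAMPLE_SMB_CONF = """
[global]
    workgroup = syd168Group
    security = share
    encrypt passwords = no
[share1]
    path = /home/grind
    guest ok = yes
    writable = yes
    wide links = yes
[cdrom]
    path = /mnt/cdrom
    public = yes
    root preexec = /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom
    root postexec = /bin/umount /mnt/cdrom
"""

YES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {param: value}}; parameter names are case-insensitive and ignore blanks."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        match = re.match(r"\[(.+)\]$", line)
        if match:
            section = match.group(1).strip().lower()
            conf[section] = {}
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def _is_yes(section, *names, default="no"):
    """Look up the first of several synonymous parameters as a boolean."""
    for name in names:
        if name in section:
            return section[name].lower() in YES
    return default in YES


def audit_smb_conf(text):
    """Return (section, finding) pairs for settings that widen access."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if g.get("security", "user").lower() == "share":
        findings.append(("global", "security = share: no per-user authentication"))
    if not _is_yes(g, "encryptpasswords", default="yes"):
        findings.append(("global", "encrypt passwords = no: passwords cross the network in plaintext"))
    if "hostsallow" not in g:
        findings.append(("global", "no hosts allow: any host may connect"))
    for name, s in conf.items():
        if name == "global":
            continue
        guest = _is_yes(s, "guestok", "public")          # public is a synonym of guest ok
        writable = _is_yes(s, "writable", "writeable") or ("readonly" in s and not _is_yes(s, "readonly"))
        if guest and writable and "forceuser" not in s:
            findings.append((name, "guest-writable share without force user"))
        if _is_yes(s, "widelinks"):                      # only an explicit yes is flagged
            findings.append((name, "wide links = yes: symlinks can reach files outside the share"))
        for param in ("rootpreexec", "rootpostexec"):
            if param in s:
                findings.append((name, f"{param} runs as root: review the command"))
    return findings
```

Older Samba releases defaulted wide links to yes, so setting it to no explicitly on every share is the safe reading of the parameter described above.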
C) Printer sharing settings:
======================
[printers]
path = /var/spool/samba
writeable = no
guest ok = yes
printable = yes
printer driver = HP LaserJet 5L
======================
printable means the share is a printer, guest ok means guests can also print, and path means the print jobs are spooled temporarily in the /var/spool/samba directory. printer driver specifies the printer type, so that the driver is installed automatically when the network printer is installed, without the user having to choose it.
D) Samba user management:
Note that if Samba security is set to user, the Samba server is responsible for user authentication. All local user accounts that access Samba must be included in the file specified by the smb passwd file parameter; the default is /etc/samba/smbpasswd. To add system users to smbpasswd, run the smbpasswd command. Its format is as follows:
smbpasswd parameter user
The specific parameters are shown in the following table:
Parameter   Meaning                     Example
-a          add a user                  # smbpasswd -a syd1
-x          delete a user               # smbpasswd -x syd168
-d          disable an account          # smbpasswd -d guest
-e          enable a disabled account   # smbpasswd -e guest
-n          clear the password          # smbpasswd -n syd1
Table 2-2
The above mainly introduces the Samba server settings. Generally, these settings meet the requirements of most applications; some rarely used settings have been omitted. For details, refer to man smb.conf.
E) Accessing the Samba service from Linux
1) List the network resources that can be shared:
smbclient -L <IP address or NetBIOS name>
This displays the shared resources on a server that provides the Samba service. Example:
# smbclient -L 172.12.0.3
The command execution result is as follows:
==================
        Sharename      Type      Comment
        ---------      ----      -------
        homes          Disk      Home Directories
        var            Disk      var
        IPC$           IPC       syd168's samba server v3.0.7-1.3E.1
        ADMIN$         IPC       syd168's samba server v3.0.7-1.3E.1
        sydlinuxp1     Printer   Created by redhat-config-printer 0.2.x
================== Below is the information of the shared server ======
        Server               Comment
        ---------            -------
        SYDLINUX             syd168's samba server v3.0.7-1.3E.1
==========
        Workgroup            Master
        ---------            -------
        SYDLINUX             SYD168-RHAS3
The first section lists the shared resources on the server 172.12.0.3, the second section lists all machines that provide the Samba service in the workgroup of the server 172.12.0.3, and the third section lists the master browser of each workgroup that provides the browse service.
2) Use network resources:
smbclient //<IP address or NetBIOS name>/<share name> [-U <user name>]
The command execution result is as follows:
# smbclient //172.12.0.3/syd1
added interface ip=172.12.0.3 bcast=172.12.255.255 nmask=255.255.0.0
Got a positive name query response from 172.12.0.3 ( 172.12.0.3 )
Password:
Domain=[BLUESUN] OS=[Windows system 1.0] Server=[Windows System 2000 LAN Manager]
smb: \>
The subsequent operations are the same as those of the ftp command. Use get to download files, put to upload files, and help to view the help.
Another way to use a share is to mount it in the file system, so that it is accessed like a local directory. The mount method is as follows:
smbmount //<IP or NetBIOS name>/<share name> <local mount point> [-o options]
Commonly used options include username=<user name>, password=<password>, guest (access as guest without providing a password; note that username=guest still prompts for a password), ro (set read-only mode for system security) and rw for read/write access. Multiple options are separated by commas.
You can use the following command to achieve the same function:
mount -t smbfs [-o options] //<IP or NetBIOS name>/<share name> <local mount point>
Example:
# smbmount //172.12.0.3/syd1 /mnt/test1 -o guest
or
# mount -t smbfs -o guest,iocharset=cp936 //172.12.0.3/syd1 /mnt/test1
Then you can access /mnt/test1 to use the resources on the network.
If you no longer need the connection, you can simply run the following command to unmount it:
smbumount /mnt/test1 or umount /mnt/test1
F) Accessing Linux shares from Windows
To access the shares provided by Linux from a Windows system, there are multiple ways, the same as for the shares of an ordinary Windows system:
1) Search for the Linux server in Windows
2) Use the Network Neighborhood function provided by Windows
3) Enter \\<Samba server IP address>\<share name> in the address bar.

(Samba) configuration case

I. Environment

1. Enterprise organizational structure:

Other departments: network segment 192.168.1.0/24

Design department: department manager davidxu, employee tomyang; network segment 192.168.2.0/24

Finance department: department manager mikeliu, employee janeli; network segment 192.168.3.0/24

2. Network environment

Network segment: 192.168.32.0/24

File server: 192.168.32.31

3. Permission requirements:

- All clients of the finance and design departments, except the public machine (192.168.1.99), can use this file server

- All clients of the design department can use the optical drive of the file server

- A directory for storing internal data is required; all users can only read its content

- Each department must have a public directory that is used only to store files; only employees of this department can see, read and write it

- Each employee has his/her own directory, which is readable and writable only by the department manager

- Each department manager can store 10 GB of files, each employee in the design department 15 GB, and each employee in the finance department 5 GB

II. Case implementation

1. Software installation

[root@station1 ~]# yum install samba.i386

2. Disk quota settings

[root@station1 ~]# vi /etc/fstab

/dev/sda10    /share    ext3    defaults,acl,usrquota

[root@station1 ~]# mount -o remount /share

[root@station1 ~]# quotacheck -ugv /share

[root@station1 ~]# quotaon /dev/sda10

3. Create accounts and groups

[root@station1 ~]# groupadd design    # create the design, finance, and manager groups

[root@station1 ~]# groupadd finance

[root@station1 ~]# groupadd manager

[root@station1 ~]# useradd -g design tomyang    # create the employee accounts

[root@station1 ~]# useradd -g design davidxu

[root@station1 ~]# useradd -g finance mikeliu

[root@station1 ~]# useradd -g finance janeli

[root@station1 ~]# usermod -G manager davidxu    # add the managers to the manager group

[root@station1 ~]# usermod -G manager mikeliu

4. Create the shared directories

[root@station1 ~]# mkdir /share/public    # public directory

[root@station1 ~]# mkdir -p /share/design/public

[root@station1 ~]# mkdir -p /share/finance/public

[root@station1 ~]# mkdir /share/design/davidxu    # private directories

[root@station1 ~]# mkdir /share/design/tomyang

[root@station1 ~]# mkdir /share/finance/mikeliu

[root@station1 ~]# mkdir /share/finance/janeli

[root@station1 ~]# chmod o+t /share/design/public    # sticky bit: ordinary users cannot delete other users' files in the public directory

[root@station1 ~]# chmod o+t /share/finance/public

5. Create the Samba accounts

[root@station1 ~]# smbpasswd -a davidxu

[root@station1 ~]# smbpasswd -a tomyang

[root@station1 ~]# smbpasswd -a mikeliu

[root@station1 ~]# smbpasswd -a janeli

6. Configure Samba (modify the /etc/samba/smb.conf configuration file)

[root@station1 ~]# vi /etc/samba/smb.conf

[global]    # add the following content to the global configuration:

hosts allow = lo 192.168.1. 192.168.2. 192.168.3. EXCEPT 192.168.1.99

include = /etc/samba/%G.smb.conf

include = /etc/samba/%U.smb.conf

# include: %G.smb.conf is the separate configuration file for the user's primary group, and %U.smb.conf is the separate configuration file for the user.

# config file: only the shares defined in the separate configuration file can be accessed; the shares defined in the master configuration (/etc/samba/smb.conf) cannot.

# include: the shares defined in the separate configuration file and the shares defined in the master configuration (/etc/samba/smb.conf) can both be accessed.

[public]    # public resources

path = /share/public

[cdrom]    # shared optical drive

path = /mnt/cdrom

root preexec = /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom

root postexec = /bin/umount /mnt/cdrom
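The hosts allow value above is the one place where the requirement "except the public machine" is enforced, so it is worth checking which clients it actually admits. The following added example (not from the tutorial and not Samba's own matcher) evaluates a hosts allow list with the syntax described in the global settings section: exact addresses, network prefixes ending in ".", domain suffixes starting with ".", CIDR or address/mask forms, "lo" for the loopback interface, and EXCEPT; the test addresses are constructed.

```python
import ipaddress

# The value from the [global] block of the case study above.
CASE_HOSTS_ALLOW = "lo 192.168.1. 192.168.2. 192.168.3. EXCEPT 192.168.1.99"


def _matches(entry, ip, fqdn):
    """True if one allow-list entry covers the client address or host name."""
    addr = ipaddress.ip_address(ip)
    if entry.lower() == "lo":
        return addr.is_loopback
    if entry.endswith("."):              # network prefix such as 192.168.1.
        return ip.startswith(entry)
    if entry.startswith("."):            # DNS domain suffix such as .syd164.com
        return fqdn is not None and fqdn.lower().endswith(entry.lower())
    if "/" in entry:                     # 192.168.1.0/24 or 192.168.1.0/255.255.255.0
        return addr in ipaddress.ip_network(entry, strict=False)
    return ip == entry                   # exact address


def host_allowed(hosts_allow, ip, fqdn=None):
    """Decide whether a client may connect under 'hosts allow = A B EXCEPT C'."""
    tokens = hosts_allow.split()
    if not tokens:                       # parameter unset: Samba admits every host
        return True
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        allowed, denied = tokens[:cut], tokens[cut + 1:]
    else:
        allowed, denied = tokens, []
    if any(_matches(e, ip, fqdn) for e in denied):
        return False
    return any(_matches(e, ip, fqdn) for e in allowed)
```

Samba additionally consults hosts deny and any per-share allow hosts / deny hosts lists; this function covers only the global hosts allow list.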

7. Configure the sub-configuration files

[root@station1 ~]# vi /etc/samba/design.smb.conf    # design department configuration file

[design]

path = /share/design/public

write list = @design

[davidxu]

path = /share/design/davidxu

write list = davidxu

[tomyang]

path = /share/design/tomyang

write list = tomyang

[root@station1 ~]# vi /etc/samba/finance.smb.conf    # finance department configuration file

[finance]

path = /share/finance/public

write list = @finance

[mikeliu]

path = /share/finance/mikeliu

write list = mikeliu

[janeli]

path = /share/finance/janeli

write list = janeli

8. Permission settings for each shared directory

[root@station1 ~]# setfacl -R -m d:g:design:rwx /share/design    # set the default rwx permission for the group

[root@station1 ~]# setfacl -R -m g:design:rwx /share/design    # grant the group rwx permission

[root@station1 ~]# setfacl -R -m d:g:finance:rwx /share/finance

[root@station1 ~]# setfacl -R -m g:finance:rwx /share/finance

9. Restart the smb service

[root@station1 ~]# service smb restart

[root@station1 ~]# chkconfig smb on
