I. Understanding how the Samba service is configured; II. Configuring Samba shared services under Linux

Source: Internet
Author: User

I. Understanding how the Samba service is configured
II. Configuring Samba shared services under Linux (anonymous sharing, authentication, account mapping, access control)
About Samba

Samba is free software that runs on Linux and Unix and follows a typical client/server model. It has two processes: smbd, which manages file sharing, and nmbd, which resolves host names to IP addresses (equivalent to the NetBIOS functionality under Windows). smbd listens on TCP ports 139 and 445, and nmbd on UDP ports 137 and 138. After starting the Samba service you can check the open ports with netstat -anp | grep smbd and netstat -anp | grep nmbd. If the nmbd process is not running, clients can only reach the Samba server by IP address!
Configuration file:
Samba's configuration file is stored under /etc/samba/ and is called smb.conf. It has a lot of comments, but none in Chinese :). It specifies the directories to be shared, the sharing permissions on them (remember: access is also restricted by local permissions), the access log name and path, and so on. It is divided into two major parts: Global Settings, which defines variables such as the security level and takes effect for the entire server, and Share Definitions, which describes each share. Lines beginning with "#" are comments; lines beginning with ";" are example configuration lines that are not in effect by default. To put such a line into effect, remove the ";".
Common configuration options:
[global]
    The configuration file must start with [global] (don't forget the "[" and "]"); it marks the beginning of the global configuration.
workgroup = WORKGROUP
    The workgroup the server belongs to; this can be an NT domain name or a workgroup name.
server string = Samba Server
    The description that clients see.
netbios name = (name)
    The NetBIOS name that Windows clients see for the Samba server. It is not set by default; to use it you must add it manually.
hosts allow = 192.168.2. 192.168.1. EXCEPT 192.168.1.10
    Allows access from the 192.168.2.0 and 192.168.1.0 network segments, except for host 192.168.1.10 (note: multiple network segments are separated by spaces).
hosts deny = 192.168.2.10
    Denies access from 192.168.2.10 (note: deny takes precedence when used together with the previous option).
interfaces = 192.168.2.10
    When the server has more than one network interface, specifies the interface Samba listens on; by default it accepts access on all interfaces.
smb passwd file = /etc/samba/smbpasswd
    The location of Samba's password file.
username map = /etc/samba/smbusers
    The location of the account mapping file. Mapping accounts improves security by not exposing system user names directly.
log file = /var/log/samba/%m.log
    The default log file; %m makes Samba keep a separate log per client host name.
max log size = 50
    The default maximum log size is 50K.
include = /etc/samba/smb.conf.%u
    Adds a configuration file applied per user.
include = /etc/samba/smb.conf.%g
    Adds a configuration file applied per group.
security = share | user | server | domain | ads
    The security level of the Samba system:
    share: shared resources can be accessed without entering a user name and password.
    user: a client logging in to the Samba server must submit an account and password, and can access shared resources only after the server has authenticated it.
    server: the client submits its user name and password to a specified Samba server for verification; if verification fails, the client is handled at the user level.
    domain: when the Samba server joins a Windows domain environment, authentication is handled by the Windows domain controller. A domain-level Samba server is only a member client of the domain and does not have the characteristics of a server. Early versions of Samba used this level to log on to a Windows domain.
    ads: when the Samba server joins a Windows domain environment using the ads security level, it has all the features of the domain security level and can also have the capabilities of a domain controller.
guest account = aaaa
    Lets user aaaa act as the anonymous login; make sure this user exists in /etc/passwd.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    Sets the socket options for sessions between the server and the client, which optimizes transfer speed.
admin user = wuzh
    Makes wuzh an administrator of the Samba service (this sometimes seems to be an invalid parameter; smb.conf documents the name as admin users).
---------Share Definitions--------
[public]
    The share name goes in brackets.
comment = Share Director of Admin
    The description of the share.
path = /pub
    The path of the shared directory.
public = yes|no
    Whether the share can be accessed anonymously.
browseable = yes|no
    Whether the share name is shown when browsing.
read only = yes|no
    Whether the share is read-only.
writable = yes|no
    Whether the share can be written to.
write list = username, username, @groupname
    The users and groups that are given read/write permission.
valid users = username or @groupname
    The users allowed to access the share.
invalid users = username or @groupname
    The users not allowed to access the share.
create mask = 0744
    The permissions applied when a file is created.
directory mask = 0755
    The permissions applied when a directory is created.
Adding Samba users: Samba users are based on system users, so the system user must exist before it can be added as a Samba user.
useradd -s /sbin/nologin smbtest
smbpasswd -a smbtest
Enter your samba password two times to
Common smbpasswd options:
smbpasswd -h    List help information
smbpasswd -a    Add a user
smbpasswd -x    Delete an existing Samba user
smbpasswd -n    Delete the password of an existing Samba user
smbpasswd -d    Disable an existing Samba user
smbpasswd -e    Enable a disabled Samba user
Convert system users into an smbpasswd password file in bulk:
cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
The smbpasswd password file is stored at /etc/samba/smbpasswd, in the following format:
WUZH:500:561B1EBD1E1C9095AAD3B435B51404EE:5573EACDA2E72CD8CE6E8C433286B800:[U]:LCT-4325DFBD:
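The colon-separated fields of that entry, decoded as an added example (not code from the original article). The field order, flag letters and the empty-LM-half constant follow the smbpasswd file format; the function name parse_smbpasswd is hypothetical.

```python
from datetime import datetime, timezone

# Sample entry copied from the article above.
LINE = ("WUZH:500:561B1EBD1E1C9095AAD3B435B51404EE:"
        "5573EACDA2E72CD8CE6E8C433286B800:[U]:LCT-4325DFBD:")

FLAGS = {"U": "user account", "D": "disabled",
         "N": "no password required", "W": "workstation trust account"}
EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM hash of an empty 7-character half
HEX = set("0123456789ABCDEFabcdef")

def parse_smbpasswd(line):
    """Split one smbpasswd entry into named fields plus audit notes."""
    parts = line.strip().split(":")
    if len(parts) < 6:
        raise ValueError("expected name:uid:LM:NT:[flags]:LCT-hex:")
    name, uid, lm, nt, flags, lct = parts[:6]
    if len(lm) != 32 or len(nt) != 32 or not lct.startswith("LCT-"):
        raise ValueError("malformed hash or last-change field")
    entry = {
        "user": name,
        "uid": int(uid),
        # Flag letters sit between brackets, possibly padded with spaces.
        "flags": [FLAGS.get(c, c) for c in flags.strip("[] ")],
        # LCT is the last password change, seconds since the epoch in hex.
        "last_change": datetime.fromtimestamp(int(lct[4:], 16), timezone.utc),
        "notes": [],
    }
    # A real LM hash is 32 hex digits; a disabled one is filled with X.
    if set(lm) <= HEX:
        entry["notes"].append("LM hash is stored alongside the NT hash")
        if lm[16:].upper() == EMPTY_LM_HALF:
            entry["notes"].append("LM second half is empty: "
                                  "password has 7 characters or fewer")
    return entry

if __name__ == "__main__":
    for key, value in parse_smbpasswd(LINE).items():
        print(f"{key}: {value}")
```

Because the file holds password hashes, it should be readable by root only.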
To improve security, you can typically set the following parameters:
socket address = 192.168.2.126    Specifies the listening address
username map = /etc/samba/smbusers    Sets the account mapping file
hosts allow    Specifies the addresses allowed to access the server (a network segment ends with ".")
hosts deny    Explicitly lists the denied addresses
smb passwd file    Gives the location of the password file
security    Sets the security level
encrypt passwords    Makes clients access the Samba server with encrypted passwords
The smbusers file format is as follows:
system user name = mapped virtual account 1, mapped virtual account 2, ...

testparm is a good tool for testing whether smb.conf contains errors; simply run testparm and it displays the relevant information.
Client testing:

smbclient //server/sharename -U username%password
Mount: mount -t cifs //target/sharename /local/mount/directory -o username=username%password

The hands-on exercises that follow:
1. Samba service anonymous sharing
2. Samba service authenticated sharing
3. Samba service account mapping
4. Samba service access control

Test environment: start a Linux system in a VMware virtual machine (I'm using Red Hat 6.5 here) and start a Windows 7 machine.
Test purpose:
1. Let Windows 7, as a client, access files shared by Linux anonymously.
2. Access files shared by Linux from Windows 7, but require authentication (identity and password).
3. Configure aliases for an account, establish the mapping, and then sign in to the share with an alias.
4. Deny access from one or more specified network segments.
Test procedure:
1. First mount the installation image and install the Samba package. Run the following commands in turn:
mount /dev/sr0 /mnt
rpm -ivh /mnt/Packages/samba-3.6.9-164.el6.x86_64.rpm

2. Rename the configuration file with mv /etc/samba/smb.conf /etc/samba/smb.conf.bak, then, in /etc/samba, run grep -v "#" smb.conf.bak > smb.conf to filter out the lines of the configuration file that begin with #. This keeps a backup of the configuration file and leaves a working file in which settings are easy to find.

3. Next comes the anonymous sharing task. First run vi /etc/samba/smb.conf to modify the configuration file.

4. Then manually add an anonymous share section to the main configuration file and set the appropriate permissions for it.

5. With the anonymous share defined, create an empty directory abc under /opt and give it the maximum permissions (777) so that it is writable.

6. After changing the configuration file, turn off the firewall, turn off SELinux enforcement, and restart the service. Run:
service iptables stop    (stop the firewall)
setenforce 0    (turn off SELinux enforcement)
service smb restart    (restart the service)

7. Next, verify the anonymous share from Windows 7.

8. Next comes the authenticated share, so the main configuration file has to be modified again (vim /etc/samba/smb.conf).

9. Continue editing the configuration file and add another share section, this one requiring authentication.

10. Restart the service, then create two users, Jet Li and Wu Ching, and set their passwords for SMB access. Create a directory test under /opt and give it the maximum permissions.

11. Restart the service.

12. Next, clear the cache in Windows 7 and authenticate as a user.

To give write permission only to user Wu Ching, comment out writable = yes in the configuration file.

13. Next, use the account mapping configuration to create two mapped aliases for shared access.
First modify the configuration file and add the account mapping:
vim /etc/samba/smbusers

14. You can deny access from one or more network segments: edit the configuration file with vim /etc/samba/smb.conf and add the blocked network segment to the test share.

15. Clients on the 192.168.10 network segment are now denied access.

At this point the test is complete and successful!
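The end state of this walkthrough can be checked against the hardening parameters listed earlier. The following auditor is an added example, not part of the original article: it runs over a constructed smb.conf (the share names, users and values are assumptions modelled on the steps above) and reports security = share, guest-writable shares, and shares with no hosts allow restriction.

```python
import re
# Constructed smb.conf modelled on the walkthrough (anonymous share on
# /opt/abc, authenticated share on /opt/test); all values are assumptions.
SAMPLE = """\
[global]
    security = share
    ; hosts allow = 192.168.2.
[abc]
    path = /opt/abc
    public = yes
    writable = yes
[test]
    path = /opt/test
    read only = no
    hosts allow = 192.168.2.
"""
TRUE = {"yes", "true", "1"}

def parse(text):
    """Return {section: {param: value}}; names lowercased, spaces removed."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank, comment, or disabled example line
        head = re.fullmatch(r"\[(.+)\]", line)
        if head:
            section = conf.setdefault(head.group(1).strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def on(params, *names):  # first synonym that is present decides
    return next((params[n].lower() in TRUE for n in names if n in params), False)

def audit(text):
    """List settings that leave a share open to anonymous or any-address use."""
    conf = parse(text)
    glob, found = conf.pop("global", {}), []
    if glob.get("security", "user").lower() == "share":
        found.append("global: security = share, no per-user authentication")
    for name, share in conf.items():
        # "read only" is the inverse of "writable"; honour whichever is set.
        writable = (not on(share, "readonly") if "readonly" in share
                    else on(share, "writable", "writeable"))
        if on(share, "public", "guestok") and writable:
            found.append(f"[{name}]: guests can write to {share.get('path')}")
        if "hostsallow" not in share and "hostsallow" not in glob:
            found.append(f"[{name}]: no hosts allow restriction")
    return found
```

Calling audit(open("/etc/samba/smb.conf").read()) applies the same checks to a live configuration; testparm remains the tool for syntax errors.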
