Samba Advanced Configuration

Original article address:Http://hi.baidu.com/xfenoo/blog/item/85e51a3c9b6ef708baa167ba.html

[Rhel5 enterprise-level Linux service Introduction] -- 2nd Second volume

4 Samba Advanced Server Configuration
I have mentioned the conventional configuration of Samba, which can be used to manage shared directories through network sharing and assigning the appropriate permission to share data in the enterprise, however, this is not enough for many large enterprises or high security requirements, so let's take a look at the samba Advanced Server Configuration below to make it more powerful for us to build the Samba server, make management more flexible, and make our data more secure ~
4.1 user account ing
As mentioned above, Samba's user account information is saved in the smbpasswd file, and the account that can access the Samba server must also correspond to a system account with the same name. Based on this, for some hackers, as long as they know that the Samba server drops the samba account, they know the Linux system account, as long as crack uses its Samba account and password to attack the Samba server. So we need to use the user account ing function to solve this problem ~~~
User Account ing requires an account ing table, which records the correspondence between the samba account and the virtual account. When the client accesses the Samba server, it uses virtual login.
1) edit the main configuration file/etc/samba/smb. conf.
Add a field in global Username map =/etc/samba/smbusers Enable User Account ing.


2) edit/etc/samba/smbusers
The smbusers file stores the account ing relationship, which has a fixed drop format:
Samba account = virtual account (ing account)


Account redking is the samba account we created above (also a Linux system account), 51cto and 51blog are ing account names (virtual accounts ), the redking account can be accessed by entering 51cto or 51blog when accessing the shared directory. However, we still drop the redking account number when accessing the Samba server, this solves the security problem ~ Let's continue.
3) restart the samba service: Service SMB restart


4) Verify the effect ~
Enter our defined 51ing account 51cto. Note that we have not entered the account redking ~, The 51cto password of the ing account is the same as that of the redking account ~


Now you can use the ing account to browse the shared directory ~


Note: we strongly recommend that you do not set the password of the samba user to the same as that of the local system user. This prevents unauthorized users from using the samba account to log on to the system ~~~
4.2 Client Access Control
For the security of the Samba server, we have already said that the valid users field can be used to implement user access control. However, if a large number of users exist in the enterprise, this method may be difficult to perform ~ For example, the Samba server shares a directory access question, but disables a client of an IP subnet or a domain from accessing this resource. In this case, the valid users field cannot be used to control access to the client.
The following describes how to use the hosts allow and hosts deny fields to implement this function. The key to making good use of these two fields is to familiarize yourself with and understand their usage methods and scopes.
How to use hosts allow and hosts deny
1) Use of the hosts allow and hosts deny Fields
Hosts allow Field defines the client that can be accessed
Hosts deny Field defines the client that is not allowed to access
2) use IP addresses for restrictions
For example, the Samba server in the company shares a sales Directory, which is a shared directory of the Sales Department. The company stipulates that the IP address of the network segment 192.168.0.0/24 is prohibited from accessing the sales shared directory, however, the IP address 192.168.0.24 is accessible.
Change the security level mode from user to share


Here we add the hosts deny and hosts allow Fields
Hosts deny = 192.168.0. All IP addresses from the 192.168.0.0/24 CIDR block are prohibited.
Hosts allow = 192.168.0.24 Allow access from the IP address 192.168.0.24
When the host deny and hosts allow fields appear at the same time and conflict with each other is defined, hosts allow takes precedence. Currently, this parameter is used to prohibit access from hosts in the CIDR Block 192.168.0.0/24 of the class C address, but allow access from hosts of 192.168.0.24.


Test the effect. If it is 192.168.0.24, the client can access it normally.


For other clients, this is the result.


If you want to prohibit multiple network segment drop IP addresses from accessing this server at the same time, you can set
Hosts deny = 192.168.1. 172.16. Deny all IP addresses of the 192.168.1.0 and 172.16.0.0 network segments to access the sales shared directory.
Hosts allow = 10. Allow IP address range 10.0.0.0 to access the shared directory of sales.
Note: When you need to enter multiple IP addresses of CIDR blocks, use the "space" symbol to separate them.


3) domain name restrictions
Let's look at this example. The Samba server of the company shares a public directory. The company stipulates that clients in the .sale.com domain and. Net domain cannot be accessed, and clients with a free host name cannot be accessed.
Hosts deny = .sale.com. Net free Prohibit clients with the .sale.com domain,. Net domain, and host name free from accessing the public shared directory.
Note: use the "space" symbol to separate the domain name from the domain name or the domain name from the host name.


4) use wildcards for access control
The Samba server shares a directory security rule that no one is allowed to access it. Only clients with the Host Name of boss can access it. For such an instance, we can simplify the configuration by using wildcards.
Hosts deny = all Indicates that all clients are allowed to access the client with the host name all ~~~
Common wildcards include "*", "?", "Local" and so on.


Another interesting situation is that, if we stipulate that everyone cannot access the security directory, only the IP address of the 192.168.0.0 segment can be accessed, but access to the hosts of 192.168.0.100 and 192.168.0.78 is prohibited. We can use hosts deny to prohibit access by all users, and then set hosts allow to allow hosts in the 192.168.0.0 CIDR block. However, when both hosts deny and hosts allow appear and conflict with each other, hosts allow takes effect, in this case, the IP address of the network segment 192.168.0.0 can be accessed, but access from the master machine of 192.168.0.100 and 192.168.0.78 cannot take effect ~ We can use the snapshot t for settings.
Hosts allow = 192.168.0. Failed t 192.168.0.100 192.168.0.78 Allow access from the IP address range of 192.168.0.0, except 192.168.0.100 and 192.168.0.78 ~


Hosts allow and hosts deny
Hosts allow and hosts deny are set at different locations, and their ranges are different. If it is set in [Global], it indicates that it takes effect globally for the Samba server. If it is set under the directory, the table takes effect only for this directory.


This indicates that only 192.168.0.88 can access the Samba server. This setting takes effect globally ~


This setting indicates that only security in a single directory takes effect. Only 192.168.0.88 can access the information in the security directory.
4.3 set Samba Permissions
By now, we can effectively control client access, but for clients that can access, we still cannot flexibly and conveniently control their access to shared resources, for example, an account like boss or GM can have full control permissions on a shared directory, while other accounts only have read-only permissions. In this case, we can use the write list field to implement this ~
For example, the company Samba server has a shared directory tech. The company requires that only the boss account and the tech group account have full control, and others have only read-only permissions. If only the writable field is used, the instance's requirements cannot be met, because when writable = Yes, all users can write data. When writable = No, all users cannot write data. In this case, we need to use the write list field ~


Write list = boss. @ tech indicates that only the boss account and members of the tech group can have the write permission on the tech shared directory (@ tech indicates the tech group ).
Let's take a look at the differences between writable and write list:

Field	Value	Description
Writable	Yes	All accounts are allowed to write data.
Writable	No	Write prohibited for all accounts
Write list	Write Permission account list	Accounts in the list can be written

4.4 hidden sharing of Samba
You can also use the browseable field to hide and share data ~~~
For example, if we want to hide the sharing directory of the technical department on Samba, we can set it like this.
Browseable = No Indicates hiding the directory.


Now we can't see the tech shared directory ~


If we directly enter [url = file: // .. 192.168.0.188.tech/] \ 192.168.0.188 \ Tech [/url], we can access it ~


In some special circumstances, browseable cannot meet the enterprise's needs. For example, the Samba server has a security directory, which only allows the boss users to browse and access questions, no one else can access it. Because there is only one main configuration file for Samba, all accounts must comply with the rules of this configuration file. If this directory is hidden, no one can see this directory, as shown in the preceding example, enter [url = file ://.. 192.168.0.188.tech/] \ 192.168.0.188 \ Tech [/url] can access technical department information. If there are multiple directories in this way, you cannot call the boss to remember so many directory names. This will not be scolded by the boss ~~~ Ipv_^ the problem is that there is only one main configuration file for the samba service, while smb. conf does not provide the field to allow some users to browse and hide directories.
From another perspective, since a single configuration file cannot meet the requirements, then we can create corresponding configuration files for users or groups with different requirements and configure them separately to implement the hidden directory function. Now we create a configuration file for the boss account, in addition, this configuration file can be read during access.
(1) create an independent configuration file ~
First, create a separate configuration file for the boss account. We can directly copy/etc/samba/smb. the conf file can be renamed. If you create a configuration file for a single user, the name must contain the user name.
We use the CP command to copy the master configuration file and create an independent configuration file for the boss account.


(2) edit the main configuration file smb. conf ~
Add in [Global] Config file =/etc/samba/smb. conf. % u The Samba server reads the/etc/samba/smb. conf. % u file, where % u represents the current login user. Matching naming rules with independent configuration files ~


(3) edit the smb. conf. Boss independent configuration file
Edit the independent configuration file SMB of the boss account. conf. boss: delete browseable = no in the tech directory. In this way, when the boss account accesses samba, the tech shared directory is visible to the boss account. In this way, the main configuration file SMB is used. conf and the independent configuration file of the boss account can be used together to achieve the tech shared directory is hidden when other users access, while the boss account is visible when accessing.


(4) restart the samba service: Service SMB restart


(5) Test Results ~
Now we log on to the Samba server as an ordinary redking user ~~~


You cannot see the tech shared directory when logging on to Samba with a redking account ~~ This proves that the tech shared directory is a hidden share drop for people other than the boss account.


Now we can log on with the boss account ~~


We found that after logging on with the boss account, the tech shared directory is automatically displayed ~~~


In this way, it is very convenient to hide the visibility of sharing on different accounts using an independent configuration file ~
Note: If the directory is hidden, it does not mean that the share is not shared. You only need to know the Share Name and have the corresponding permissions, but you can still access the drop. As shown in the preceding example, you can enter" \ IP The address \ Share Name method can be used to hide the share.

5 samba client Configuration
5.1 Linux client access Samba sharing
There are two main methods for accessing the server from a Linux client:
1) Use the smbclient command
In Linux, the samba client uses the smbclintProgramTo access the Samba server, make sure that the client has installed the samba-client RPM package.

Smbclient can list the shared directories of target hosts
Smbclient command format:Smbclient-l target IP address or host name-u login username % Password
When we view the shared directory list of the rhel5 (192.168.0.188) host, the system prompts you to enter the password. If you do not enter the password, press enter to log on anonymously, the shared directory list displayed by anonymous users is displayed ~
Smbclient-l rhel5OrSmbclient-l 192.168.0.188

If you want to use the samba account to view the directories shared by the Samba server, you can add the-u parameter ~, Followed by the username % password.
Smbclient-l 192.168.0.188-u boss % boss
In this way, the shared directory of tech technology department is displayed only for the boss account.

Note: The results of smblient browsing by different users may be different, depending on the access control permissions set by the server ~
We can also use the smbclient command line shared access mode to browse shared data.
Smbclient command line shared access mode command format:
Smbclient // target IP address or host name/shared directory-u username % Password
The above shows that there is a tech shared directory on the server. Let's check the content ~

In addition, after the smbclient logs on to the Samba server, we can use help to query supported commands.

2) use the mount command to mount the shared directory.
Mount command Mount shared directory format:
Mount-t cifs // target IP address or host name/shared directory name mount point-O username = User Name
[Root @ client ~] # Mount-t cifs // 192.168.0.188/Tech/mnt/sambadata/-O username = boss % boss
This indicates that the shared directory on the host 192.168.0.188 is mounted to the/mnt/sambadata directory, and CIFS is the file system used by Samba.

5.2 Windows Client Access Samba sharing
This is relatively simple. We have been using this shared directory to access Microsoft. The above has already been discussed, the method is to use the UNC path for direct access in the start operation ~~ You can also find it in the network neighbors, but I do not like this method, because the speed is too slow. I still think it is faster to enter the UNC path in the address bar of the resource manager or IE to start running or directly enter it ~
1) Use the UNC path for direct access in start-run.

2) map the network drive to access the Samba server shared directory

Enter the address of the tech shared directory

Enter the samba account and password that can access the tech shared directory.

At this time, I can see the mapped Z disk in my computer's network drive ~

Open the Z drive to access the resources in the tech shared directory.

6. Samba printing and sharing
By default, Samba's printing service is open ~ Therefore, after the printer is installed, the client users can use the printer.
1) set global configuration items
Modify the global configuration of smb. conf to enable the print sharing function.

2) Set printers configuration items

You can use the default settings to make the client use the printer normally. Note that printable must be set to yes. If it is not set to yes, what else is it ~~~ The path field defines the printer queue. You can customize it as needed. In addition, Shared printing is different from the shared directory. After the printer is installed, you must restart the samba service, otherwise, the client may not be able to see the shared printer. If the setting only allows some employees to use the printer, we can use the valid users, hosts allow, or hosts deny fields to implement it. These have already been mentioned when talking about the shared directory, I don't know. I can refer to it again ~~ Next we will go to Samba enterprise practices and applications.
7 Samba enterprise practices and applications
7.1 enterprise environment and requirements
Samba server directory:
Enterprise data directory: /Companydata
Public directory: /Companydata/share
Sales Department directory: /Companydata/sales
Technology Department: /Companydata/Tech
Enterprise employees:
General Manager: GM
Sales Department: Sales Manager redking, employee sky, employee Jane
Technical Department: technical department manager Michael, employee bill, employee joy
Set up a Samba file server, create a public shared directory, and allow everyone to access it. The permission is read-only. Separate directories are created for the Sales Department and the technology department, which can only be accessed by the General Manager and employees of the corresponding departments, in addition, employees of the Company are prohibited from accessing shared directories that are not in the department. This is a typical Enterprise File Server case.
General Manager -----------------------
|
Sales Department ----------------- switch ------------------ Samba Server
|
Technical Department -----------------------
7.2 Requirement Analysis
Anonymous access can be achieved by setting the public directory public field. Employees can only access the shared directory of their own department, and access to the shared directory of other departments is prohibited, you can set the shared directory Field "browseable = No" and the field "Valid users" to implement its hiding function and corresponding access permissions. In this way, the permission settings cannot meet the multiple requirements of the same directory, so we need to create an independent configuration file, creating a group for each department and creating configuration files for each group to isolate user permissions is flexible ~
7.3 Solutions
1) create a dedicated shared directory for each department
Use mkdir to create a shared directory to store data in different categories.

Set the user permissions for the/companydata shared directory

2) Add the Samba server description and set the smbpasswd file

No smbpasswd file exists in the/etc/samba/directory by default. Disable tdbsam verification for Samba first.
Solution: Comment out a line of passdb backend = tdbsam in the SMB. conf file, add SMB passwd file =/etc/samba/smbpasswd, and save and exit.

3) Add users and groups
First, create sales department group sales, Technical Department group tech, and then use the useradd command to add the General Manager account GM and the accounts of each employee and add the corresponding user group.

Run the smbpasswd command to add the samba user.

Er ~~~ Sorry ~~~ The Samba user of the account GM has forgotten to add the account. Now add the account to the account ~

4) configure the smb. conf file
(1) create a separate configuration file
The user configuration file uses the user name command, and the group configuration file uses the group name command.

(2) set the main configuration file smb. conf
Here we configure the main configuration file smb. conf and add the corresponding fields to global to ensure that the main configuration file of the Samba server can call an independent user configuration file and group configuration file.
Include =/etc/samba/% u. smb. confIndicates that the Samba server is loaded with a configuration file in the format of "username. smb. conf" under the/etc/samba directory.
Include =/etc/samba/% G. smb. confEnables the Samba server to load the configuration file in the format of "group name. smb. conf" under the/etc/samba directory.

Set the shared directory/companydata/share

(5) set the general manager GM configuration file
Vim/etc/samba/GM. smb. conf

(6) set the sales configuration file of the Sales Department Group
Vim/etc/samba/sales. smb. conf

(7) set the tech configuration file of the technical department Group
Vim/etc/samba/Tech. smb. conf

(8) Enable the samba Service
Service SMB start

(9) test
We first use the GM account to log on to the test.

You can see all the shared directories.

/Companydata/share directory read-only

Note:
It is best to disable SELinux in rhel5. Otherwise, some inexplicable problems may occur. For example, the account gm below clearly grants 777 permissions to the shared directory sales and tech, but only files can be created, but folders cannot be created ~

Disable SELinux, open the SELinux configuration file/etc/SELinux/config and set SELinux = disabled. Then save the settings and restart the system.

View the current status of SELinuxSestatus-V

Now we can create a folder.

Now let's test it with another account. Use Technology Department joy.

Employees in the technical department cannot see the shared directory of the Sales Department. Read-Only permission on the public directory and read/write permission on the tech directory.

Because access to the shared directory sales is prohibited, even if you know the [url = file: //. rhel5.sales/] \ rhel5 \ sales [/url] path

8 Samba troubleshooting
1) Linux services
(1) error message
Generally, let's take a closer look at the displayed error information. Based on the error prompt, we can tell where the problem is.
(2) configuration file
We can check 2nd configuration files. Sometimes misoperations may cause configuration errors and the service cannot run properly. We can check the configuration file to confirm the problem. Many service software packages now have their own configuration file check tools. We can use these tools to check the configuration file ~
(3) log files
If there is a problem with the service, we can also use the tail command to dynamically monitor log files (in the CLI state, we can use CTRL + ALT + F1 ~ F6 switch to another CLI text terminal ).
Tail-F/var/log/messages
2) SAMBA service troubleshooting
(1) Use the testparm command to check
As mentioned above, the software package has its own configuration file check tool. We can use the testparm command to detect SMB. conf File Syntax. If an error is reported, it indicates SMB. the conf file is incorrectly set, so that we can modify the master configuration file and independent configuration file according to the prompt.
Testparm/etc/samba/smb. conf

[Root @ rhel5 ~] # Testparm/etc/samba/smb. conf Load SMB config files from/etc/samba/smb. conf Can't find include file/etc/samba/. smb. conf Can't find include file/etc/samba/% G. smb. conf Processing Section "[homes]" Processing Section "[printers]" Processing Section "[public]" Loaded services file OK. Server role: role_standalone Press enter to see a dump of your service Definitions [Global] Workgroup = companydomain Server String = company Samba File Server Cups Options = raw Include =/etc/samba/% G. smb. conf [Homes] Comment = Home Directories Read. Ly = No Browseable = No [Printers] Comment = all printers Path =/var/spool/samba Printable = Yes Browseable = No [Public] Comment = Public Data Path =/companydata/share Guest OK = Yes [Root @ rhel5 ~] # Testparm/etc/samba/GM. smb. conf Load SMB config files from/etc/samba/GM. smb. conf Processing Section "[homes]" Processing Section "[printers]" Processing Section "[sales]" Processing Section "[tech]" Loaded services file OK. Server role: role_standalone Press enter to see a dump of your service Definitions [Global] Workgroup = companydomain Server String = company Samba File Server Cups Options = raw [Homes] Comment = Home Directories Read. Ly = No Browseable = No [Printers] Comment = all printers Path =/var/spool/samba Printable = Yes Browseable = No [Sales] Comment = Sales data Path =/companydata/sales Valid users = GM Read. Ly = No [Tech] Comment = tech data Path =/companydata/Tech Valid users = GM Read. Ly = No [Root @ rhel5 ~] # Testparm/etc/samba/sales. smb. conf Load SMB config files from/etc/samba/sales. smb. conf Processing Section "[homes]" Processing Section "[printers]" Processing Section "[sales]" Loaded services file OK. Server role: role_standalone Press enter to see a dump of your service Definitions [Global] Workgroup = companydomain Server String = company Samba File Server Cups Options = raw [Homes] Comment = Home Directories Read. Ly = No Browseable = No [Printers] Comment = all printers Path =/var/spool/samba Printable = Yes Browseable = No [Sales] Comment = Sales data Path =/companydata/sales Valid users = @ sales, GM Read. Ly = No [Root @ rhel5 ~] # Testparm/etc/samba/Tech. smb. conf Load SMB config files from/etc/samba/Tech. smb. conf Processing Section "[homes]" Processing Section "[printers]" Processing Section "[tech]" Loaded services file OK. Server role: role_standalone Press enter to see a dump of your service Definitions [Global] Workgroup = companydomain Server String = company Samba File Server Cups Options = raw [Homes] Comment = Home Directories Read. Ly = No Browseable = No [Printers] Comment = all printers Path =/var/spool/samba Printable = Yes Browseable = No [Tech] Comment = tech data Path =/companydata/Tech Valid users = @ tech, GM Read. Ly = No [Root @ rhel5 ~] #

2) use the ping command to test
After troubleshooting the main configuration file of the Samba server, restart the smb service. If the client still cannot connect to the Samba server, we can use the ping command on the client for testing. This is the same as troubleshooting in Microsoft's system, you can analyze it based on different situations.
(1) If no prompt is received, it indicates that there is a problem with the client's TCP/IP protocol installation. You need to re-install the client's TCP/IP protocol and then re-test it.
(2) If "Host Not Found" is displayed, check whether the client DNS or/etc/hosts file is correctly set to ensure that the client can access the Samba server by name.
(3) The failure to ping may also result from the firewall setting dropping problem. You need to re-set the firewall rules and enable the port on which Samba is connected to the outside world.
(4) Of course, there is also a low-level situation, that is, the host name cannot be pinged due to incorrect input. correct the problem and try again ~~~ O (^_^) O
3) use the smbclient command for testing
If the client and Samba server can be pinged, the connection between the client and the server is normal. If you still cannot access Samba shared resources, run the smbclient command to further test the server configuration.
If the Samba server is normal and the correct account and password are entered, execute the smbclient command to obtain the sharing list.
Smbclient-l 192.168.0.188-u Joy % 123

If the error message "tree connect failed" is displayed, it indicates that it can be found in SMB. in the conf file, the host deny field is set to deny the IP address or domain name of the client. We can modify SMB. the conf configuration file can be accessed by the client ~

If the returned message is "connection refused" and the system prompts that the connection is denied, it indicates that the Samba server's smbd process can be disabled ~ Make sure that the smbd and nmbd processes are enabled and use netstat-a to check whether port 139 used by NETBIOS is in the listening status.

Check SAMBA service

Enable the smb service
NetBIOS-SSN session management
NetBIOS-NS name resolution
NetBIOS-DGM Datagram

If the "Session Setup failed" connection fails, the server rejects the connection request because the user name and password entered are incorrect, you can enter the correct account and password ~

Sometimes you will receive an error message such as "your server software is being unfriendly", prompting you that the server software is faulty, this fault is generally caused by incorrect parameters used during smbd configuration or similar serious damage errors encountered when smbd is enabled, we can use testparm to check the corresponding configuration file and related log files.