Learning notes-Samba Server SETUP

Samba
Features: cross-platform file sharing is supported.
Added some access control and permissions

Samba-client.i386
Samba-common.i386
Samba. i386

Configuration Directory:/etc/samba
Configuration File: smb. conf

[Global]
Workgroup = mygroup
Server String = Samba server version % v
# Logs split per machine
# Max 50kb per log file, then rotate
Security = user <-- share, server, ads, Domain
Passdb backend = tdbsam
# The login script name depends on the machine name
# The login script name depends on the Unix user used
# Disables profiles support by specifing an empty path
Load printers = Yes
Cups Options = raw
# Obtain list of printers automatically on systemv
[Homes]
Comment = Home Directories
Browseable = No <-- anonymous scan or other account scans cannot see this resource
Writable = Yes <-- writeable
[Printers]
Comment = all printers
Path =/var/spool/samba
Browseable = No
Guest OK = No
Writable = No
Printable = Yes

 

I. Installation

[Root @ WWW ~] # Yum install samba *-y
Loaded plugins: rhnplugin, security
This system is not registered with RHN.
RHN support will be disabled.
Setting up install process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package samba-client.i386. 0.33-3.14.el5 set to be updated
---> Package samba-common.i386. 0.33-3.14.el5 set to be updated
---> Package samba-swat.i386. 0.33-3.14.el5 set to be updated
---> Package Samba. i386. 0.33-3.14.el5 set to be updated
--> Processing dependency: Perl (convert: ASN1) for package: Samba
--> Running transaction check
---> Package perl-Convert-ASN1.noarch. 20-1.1 set to be updated
--> Finished dependency resolution

Dependencies resolved

========================================================== ==========================================================
Package arch version repository size
========================================================== ==========================================================
Installing:
Samba i386 3.0.33-3.14.el5 RHEL-debuginfo 16 m
Samba-SWAT i386 3.0.33-3.14.el5 RHEL-debuginfo 8.2 m
Updating:
Samba-client i386 3.0.33-3.14.el5 RHEL-debuginfo 5.7 m
Samba-common i386 3.0.33-3.14.el5 RHEL-debuginfo 8.7 m
Installing for dependencies:
Perl-Convert-ASN1 noarch 0.20-1.1 RHEL-debuginfo 41 K

Transaction Summary
========================================================== ==========================================================
Install 3 package (s)
Update 2 package (s)
Remove 0 package (s)

Total download size: 39 m
Downloading packages:
(1/5): perl-Convert-ASN1-0.20-1.1.noarch.rpm | 41 KB
(2/5): samba-client-3.0.33-3.14.el5.i386.rpm | 5.7 MB
(3/5): samba-swat-3.0.33-3.14.el5.i386.rpm | 8.2 MB
(4/5): samba-common-3.0.33-3.14.el5.i386.rpm | 8.7 MB
(5/5): samba-3.0.33-3.14.el5.i386.rpm | 16 MB
--------------------------------------------------------------------------------
Total 3.8 Mb/s | 39 MB
Running rpm_check_debug
Running transaction Test
Finished transaction Test
Transaction test succeeded
Running transaction
Updating: Samba-Common [0, 1/7]
Updating: Samba-Client [2/7]
Installing: perl-Convert-ASN1 [3/7]
Installing: Samba [4/7]
Installing: Samba-SWAT [1, 5/7]
Cleanup: Samba-Client [6/7]
Cleanup: Samba-Common [7/7]

Installed: Samba. i386. 0.33-3.14.el5 samba-swat.i386. 0.33-3.14.el5
Dependency installed: perl-Convert-ASN1.noarch 0: 0. 20-1.1
Updated: samba-client.i386 0: 3. 0.33-3.14.el5 samba-common.i386 0: 3. 0.33-3.14.el5
Complete!
You have new mail in/var/spool/mail/root

 

 

Ii. Configure shared files

The Samba server uses an account that must exist in the system, but the password of the account is Samba independent.

 

[Root @ WWW ~] # Useradd wych
You have new mail in/var/spool/mail/root
[Root @ WWW ~] # Passwd wych
Changing password for user wych.
New UNIX password:
Bad password: it is way too short
Retype new Unix Password:
Passwd: All authentication tokens updated successfully.
[Root @ WWW ~] # Servce SMB restart
-Bash: Servce: Command not found
[Root @ WWW ~] # Service SMB restart
Shutting down SMB services: [failed]
Shutting down nmb services: [failed]
Starting SMB services: [OK]
Starting nmb services: [OK]
[Root @ WWW ~] # Service SMB restart
[Root @ WWW ~] # Useradd wych
You have new mail in/var/spool/mail/root
[Root @ WWW ~] # Passwd wych
Changing password for user wych.
New UNIX password:
Bad password: it is way too short
Retype new Unix Password:
Passwd: All authentication tokens updated successfully.
[Root @ WWW ~] # Smbpasswd wych
New smb password:
Retype new smb password:
Failed to find entry for user wych.
Failed to modify password entry for user wych
You have new mail in/var/spool/mail/root

 

 

Example 1:

The Samba server uses an account that must exist in the system, but the password of the account is Samba independent.
[Root @ squid conf] # smbpasswd-a Tom
New smb password:
Retype new smb password:
Added user Tom.
[Root @ squid conf] # smbpasswd-a bean
New smb password:
Retype new smb password:
Added user bean.

Service SMB restart

Anonymous Scan
Smbclient-l // 10.1.1.21
Use an account to list Resources
# Smbclient-l // 10.1.1.21-u Tom
Access resources
Smbclient // 10.1.1.21/bean-u Bean

Example 2: add custom sharing

[Uplooking]
Comment = just for test
Path =/WWW
Browseable = Yes
Guest OK = No
Writable = No

# Smbclient // 10.1.1.21/uplooking
Password:
Anonymous login successful
Domain = [mygroup] OS = [UNIX] Server = [Samba 3.0.33-3.7.el5]
Tree connect failed: nt_status_access_denied

# Smbclient // 10.1.1.21/uplooking-u Tom

In user mode, resources can be accessed anonymously, and resources can be written.
Public = yes -- guest OK = Yes
Read Only = No <--- writeable = Yes

Access format in Windows
// 10.1.1.21/uplooking
Disable established Resource Access
Net use */del/y
In user mode, an account is required to access anonymous resources.

After changing to share mode:
Security = Share

Example 3: Permission for writable resource files

You can use two independent accounts to upload files and find that files can be deleted from each other. Cause: as long as the owner has the write permission on the files, other accounts can delete the files.

How can this problem be solved? Prevent others from deleting other files.

Set stick bit for the Resource Directory
Chmod o + T/WWW

2nd methods:
After the file is uploaded, the owner's write permission is automatically removed.
Create mask = 0444 <-- for such permissions, the owner cannot delete his/her own files.
Directory mask = 0755

Example 4: Change the access control level to user

Control resource parameters
Write list = Tom <-- if read only = No exists, the write list is invalid.
Valid users = Tom, bean <--- invalid users =

Control Access Source

Hosts deny = 10.1.1.
Hosts allow = 10.1.1.20 -- only 10.1.1.20 is allowed, and all others are rejected
Conclusion: When deny and allow overlap, allow has the say.

Deny all access, but 10.1.1.0/24 can access, but 10.1.1.20 cannot access
Hosts deny = all
Hosts allow = 10.1.1. Failed t 10.1.1.20

If the domain name is used, DNS must support forward and direction resolution.
Hosts allow = .upl.com

Example 5: In user mode, Tom can upload and download, bean can only download, other users cannot log on, and anonymous access is denied.

Valid users = Tom, Bean
Guest OK = No
Write list = Tom
Read list = bean <--- optional