Samba
Features: cross-platform file sharing is supported.
Adds some access control and permissions.
Packages:
samba-client.i386
samba-common.i386
samba.i386
Configuration directory: /etc/samba
Configuration file: smb.conf
[global]
workgroup = mygroup
server string = Samba Server Version %v
# logs split per machine
# max 50KB per log file, then rotate
security = user <-- other values: share, server, ads, domain
passdb backend = tdbsam
# the login script name depends on the machine name
# the login script name depends on the UNIX user used
# disables profiles support by specifying an empty path
load printers = yes
cups options = raw
# obtain list of printers automatically on SystemV
[homes]
comment = Home Directories
browseable = no <-- an anonymous scan, or a scan by another account, cannot see this resource
writable = yes <-- writable
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
I. Installation
[root@WWW ~]# yum install samba* -y
Loaded plugins: rhnplugin, security
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package samba-client.i386 0:3.0.33-3.14.el5 set to be updated
---> Package samba-common.i386 0:3.0.33-3.14.el5 set to be updated
---> Package samba-swat.i386 0:3.0.33-3.14.el5 set to be updated
---> Package samba.i386 0:3.0.33-3.14.el5 set to be updated
--> Processing Dependency: perl(Convert::ASN1) for package: samba
--> Running transaction check
---> Package perl-Convert-ASN1.noarch 0:0.20-1.1 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package              Arch     Version            Repository       Size
================================================================================
Installing:
 samba                i386     3.0.33-3.14.el5    RHEL-debuginfo   16 M
 samba-swat           i386     3.0.33-3.14.el5    RHEL-debuginfo   8.2 M
Updating:
 samba-client         i386     3.0.33-3.14.el5    RHEL-debuginfo   5.7 M
 samba-common         i386     3.0.33-3.14.el5    RHEL-debuginfo   8.7 M
Installing for dependencies:
 perl-Convert-ASN1    noarch   0.20-1.1           RHEL-debuginfo   41 k
Transaction Summary
================================================================================
Install      3 Package(s)
Update       2 Package(s)
Remove       0 Package(s)
Total download size: 39 M
Downloading Packages:
(1/5): perl-Convert-ASN1-0.20-1.1.noarch.rpm | 41 kB
(2/5): samba-client-3.0.33-3.14.el5.i386.rpm | 5.7 MB
(3/5): samba-swat-3.0.33-3.14.el5.i386.rpm | 8.2 MB
(4/5): samba-common-3.0.33-3.14.el5.i386.rpm | 8.7 MB
(5/5): samba-3.0.33-3.14.el5.i386.rpm | 16 MB
--------------------------------------------------------------------------------
Total 3.8 MB/s | 39 MB
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : samba-common         1/7
  Updating       : samba-client         2/7
  Installing     : perl-Convert-ASN1    3/7
  Installing     : samba                4/7
  Installing     : samba-swat           5/7
  Cleanup        : samba-client         6/7
  Cleanup        : samba-common         7/7
Installed: samba.i386 0:3.0.33-3.14.el5 samba-swat.i386 0:3.0.33-3.14.el5
Dependency Installed: perl-Convert-ASN1.noarch 0:0.20-1.1
Updated: samba-client.i386 0:3.0.33-3.14.el5 samba-common.i386 0:3.0.33-3.14.el5
Complete!
You have new mail in /var/spool/mail/root
II. Configure shared files
A Samba account must correspond to an account that already exists on the system, but its Samba password is independent of the system password.
[root@WWW ~]# useradd wych
You have new mail in /var/spool/mail/root
[root@WWW ~]# passwd wych
Changing password for user wych.
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@WWW ~]# servce smb restart
-bash: servce: command not found
[root@WWW ~]# service smb restart
Shutting down SMB services: [FAILED]
Shutting down NMB services: [FAILED]
Starting SMB services: [  OK  ]
Starting NMB services: [  OK  ]
[root@WWW ~]# smbpasswd wych
New SMB password:
Retype new SMB password:
Failed to find entry for user wych.
Failed to modify password entry for user wych
You have new mail in /var/spool/mail/root
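Example 1:
A Samba account must correspond to an account that already exists on the system, but its Samba password is independent of the system password. Creating the system account does not create a Samba password entry, so smbpasswd without -a fails with "Failed to find entry"; add the entry with smbpasswd -a.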
[root@squid conf]# smbpasswd -a Tom
New SMB password:
Retype new SMB password:
Added user Tom.
[root@squid conf]# smbpasswd -a bean
New SMB password:
Retype new SMB password:
Added user bean.
service smb restart
Anonymous scan:
smbclient -L //10.1.1.21
Use an account to list resources:
# smbclient -L //10.1.1.21 -U Tom
Access resources:
smbclient //10.1.1.21/bean -U bean
Example 2: Add a custom share
[uplooking]
comment = just for test
path = /WWW
browseable = yes
guest ok = no
writable = no
# smbclient //10.1.1.21/uplooking
Password:
Anonymous login successful
Domain=[mygroup] OS=[UNIX] Server=[Samba 3.0.33-3.7.el5]
tree connect failed: NT_STATUS_ACCESS_DENIED
# smbclient //10.1.1.21/uplooking -U Tom
In user mode, a resource can be made anonymously accessible and writable:
public = yes <-- same as guest ok = yes
read only = no <-- same as writable = yes
Access format in Windows:
\\10.1.1.21\uplooking
Disconnect established resource connections (on Windows):
net use * /del /y
In user mode, an account is required to access anonymous resources.
After changing to share mode:
security = share
Example 3: Permissions on files in a writable resource
If two independent accounts upload files, you will find that each can delete the other's files. Cause: as long as the owner has write permission on a file, other accounts can delete it.
How can this be solved, so that users cannot delete each other's files?
Method 1:
Set the sticky bit on the resource directory.
chmod o+t /WWW
Method 2:
After a file is uploaded, the owner's write permission is automatically removed.
create mask = 0444 <-- with these permissions, the owner cannot delete his/her own files either
directory mask = 0755
Example 4: Access control at the user level
Parameters that control access to a resource:
write list = Tom <-- if read only = no is set, the write list has no effect
valid users = Tom, bean <-- the opposite parameter is invalid users =
Controlling access by source address:
hosts deny = 10.1.1.
hosts allow = 10.1.1.20 <-- only 10.1.1.20 is allowed, and all others are rejected
Conclusion: when deny and allow overlap, allow takes precedence.
Deny all access, but allow 10.1.1.0/24, except for 10.1.1.20, which is not allowed:
hosts deny = ALL
hosts allow = 10.1.1. EXCEPT 10.1.1.20
If a domain name is used, DNS must support both forward and reverse resolution.
hosts allow = .upl.com
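The allow/deny precedence and the EXCEPT form above can be checked offline with a small model. This is an added example, not code from the original page or from Samba: it is a simplified model of how hosts allow and hosts deny are combined, it handles only IPv4 addresses (no host names such as .upl.com, no loopback special case), and the client addresses are constructed.

```python
import ipaddress

def _match(pattern, ip):
    """Match one hosts allow/deny pattern against a client IPv4 address."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):        # prefix form, e.g. "10.1.1."
        return ip.startswith(pattern)
    if "/" in pattern:               # network/mask form, e.g. "10.1.1.0/24"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip             # single address

def list_match(spec, ip):
    """True if ip matches a pattern before EXCEPT and none after it."""
    tokens = spec.replace(",", " ").split()
    upper = [t.upper() for t in tokens]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(tokens)
    if not any(_match(p, ip) for p in tokens[:cut]):
        return False
    return not any(_match(e, ip) for e in tokens[cut + 1:])

def allow_access(hosts_allow, hosts_deny, ip):
    """Decide access; an empty string means the parameter is not set."""
    if not hosts_allow and not hosts_deny:
        return True                              # no restriction configured
    if not hosts_deny:
        return list_match(hosts_allow, ip)       # allow list only: default deny
    if not hosts_allow:
        return not list_match(hosts_deny, ip)    # deny list only: default allow
    if list_match(hosts_allow, ip):
        return True                              # allow wins over deny
    return not list_match(hosts_deny, ip)        # otherwise the deny list decides

# The two configurations from this page, as (hosts allow, hosts deny).
OVERLAP = ("10.1.1.20", "10.1.1.")
SUBNET_EXCEPT = ("10.1.1. EXCEPT 10.1.1.20", "ALL")

def decisions(config, clients=("10.1.1.20", "10.1.1.30", "192.168.0.5")):
    """Map each constructed client address to 'allow' or 'deny'."""
    allow, deny = config
    return {ip: "allow" if allow_access(allow, deny, ip) else "deny" for ip in clients}

if __name__ == "__main__":
    for label, cfg in (("overlap", OVERLAP), ("subnet except", SUBNET_EXCEPT)):
        print(label, decisions(cfg))
```

In the first configuration a client outside 10.1.1. matches neither list and the model lets it through; it is hosts deny = ALL in the second configuration that turns the allow list into a default-deny rule.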
Example 5: In user mode, Tom can upload and download, bean can only download, other users cannot log on, and anonymous access is denied.
valid users = Tom, bean
guest ok = no
write list = Tom
read list = bean <-- optional
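A configuration check for the settings discussed above: it resolves the synonyms noted on this page (public / guest ok, writable / read only) and reports shares that anonymous users can write to, or where write list has no effect. This is an added example, not part of the original page; the sample smb.conf is constructed and the share name [upload] is hypothetical.

```python
# Constructed sample: [uplooking] allows anonymous writes; [upload] (hypothetical name) follows Example 5.
SAMPLE = """\
[global]
security = user
[uplooking]
public = yes
read only = no
write list = Tom
[upload]
valid users = Tom, bean
guest ok = no
write list = Tom
read list = bean
"""

# alias -> (canonical parameter, True if the yes/no value is inverted)
ALIASES = {"public": ("guest ok", False), "writable": ("read only", True),
           "writeable": ("read only", True), "write ok": ("read only", True)}
YES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; a later setting overrides an earlier one."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            key, inverted = ALIASES.get(key, (key, False))
            if inverted:
                value = "no" if value.lower() in YES else "yes"
            current[key] = value
    return conf

def audit(text):
    """Return (share, finding) pairs, ordered by share name."""
    conf = parse_smb_conf(text)
    defaults = {"guest ok": "no", "read only": "yes", **conf.get("global", {})}
    findings = []
    for name in sorted(set(conf) - {"global"}):
        p = {**defaults, **conf[name]}
        writable = p["read only"].lower() not in YES
        if writable and p["guest ok"].lower() in YES:
            findings.append((name, "anonymous users can write"))
        if writable and "write list" in p:
            findings.append((name, "write list has no effect while read only = no"))
    return findings
```

Calling audit(SAMPLE) reports both findings for [uplooking] and none for the Example 5 share.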