Linux Beginner: CIFS Network File System Chapter
CIFS is a general-purpose network file system, mainly used for file sharing between network devices. CIFS can share files between Linux and Windows systems, so it is primarily used when the clients are Windows systems.
The service that provides CIFS is Samba; the configuration and usage of the Samba service are described below.
1. Installation and configuration of Samba
"yum install samba samba-common samba-client -y" installs the Samba service.
"systemctl start smb" starts the Samba service; "systemctl enable smb" starts the Samba service on boot. "systemctl stop firewalld" shuts down the firewall, or alternatively the firewall can be configured to allow Samba.
"smbpasswd -a student" adds a user to the Samba service; the user must actually exist on the host. "pdbedit -L" lists the users that have been added.
"smbclient -L //172.25.254.202 -U student", followed by the password, lists the directories shared for the Samba user "student"; by default the user's home directory is shared.
"smbclient //172.25.254.202/student -U student", followed by the password, shows the files in the shared directory "student". However, with SELinux enabled the files inside cannot be seen; "setsebool -P samba_enable_home_dirs on" enables this function so that they can be viewed.
"mount -o username=student,password=student //172.25.254.202/student /mnt" mounts the "student" share on another directory; files written in that directory are saved to the "student" directory.
"vim /etc/samba/smb.conf": in the configuration file, modifying "workgroup" on line 89 changes the workgroup (domain) name, for example "workgroup = text". It takes effect after the service is restarted.
"hosts deny = IP" or "hosts allow = IP" can be added on line 96 to block or allow that IP to log on. As shown, the IP of the host "singlenet" is 172.25.254.202.
2. Share other Directories
The default shared directory is the home directory. To share another directory, for example a self-built directory "/we" containing the three files "wefile{1..3}", the following steps are required:
A. "vim /etc/samba/smb.conf", and enter the following on lines 322 through 324:
[DATA]
comment = local directory /we
path = /we
"[DATA]" is the share name and can be chosen freely. Restart the service. "smbclient -L //172.25.254.202 -U student" now shows the "DATA" share, but "smbclient //172.25.254.202/data -U student" cannot show the contents of the directory. This is because of SELinux.
B. "semanage fcontext -a -t samba_share_t '/we(/.*)?'" changes the security context of the self-built directory "/we"; apply it with "restorecon -RvvF /we".
After restarting the service, the contents of the directory can be seen with "smbclient //172.25.254.202/data -U student".
The above steps suit self-built directories, but what about a system directory, whose security context cannot be modified? For example, lines 326 to 328 share the "/mnt" directory, which contains the three files "mntfile{1..3}".
The SELinux restriction on Samba must be turned off with "setsebool -P samba_export_all_ro on". Once that is done, the files under "/mnt" are visible. Note that when "samba_export_all_ro" is on, a shared self-built directory no longer needs its security context modified, because the context check no longer applies.
3. Anonymous User Login
After sharing a directory in the configuration file "/etc/samba/smb.conf", adding "browseable = no" hides the directory from share listings, but the share still exists and its files can be viewed. As shown on line 325.
Samba can also be logged on to by anonymous users; this requires "guest ok = yes" in the configuration file "/etc/samba/smb.conf", as shown on line 326, which enables anonymous login.
After restarting the service, "smbclient //172.25.254.202/data" can be entered directly to view the files without specifying a user.
However, although the above settings allow anonymous login, the share cannot be mounted; "map to guest = Bad user" must be entered in the configuration file so that anonymous logins and mounts are mapped to the "guest" user. Once the service is restarted, it can be mounted.
For the anonymous mount to happen automatically at boot, enter "//172.25.254.202/data /mnt cifs defaults,username=guest 0 0" in the "/etc/fstab" file.
4. Write permission after the directory is mounted
4.1. Turning on write permission
As shown, files cannot be created or deleted in the directory after it is mounted. This is because write permission is not turned on.
Write permission requires "writable = yes" on line 327 of the configuration file, giving the shared directory "/we" 777 permissions, and then modifying the security context of "/we" again. After remounting, files can be created and deleted.
For a shared system directory, whose security context cannot be modified, enter "setsebool -P samba_export_all_rw on" to turn on write permission in SELinux; after that, files can be created and deleted in the mounted system directory. When this feature is turned on, a self-built directory does not need its security context modified.
4.2. Limiting write permission
The above configuration lets every user who mounts the share create or delete files, and sometimes some users need to be restricted. For example, with the two users "student" and "class", "student" should be able to create files and "class" should not. Enter "write list = student" in the configuration file; then only the "student" user has write permission, which solves the problem.
The "write list =" entry in the configuration file can also be "+student", which means that users belonging to the "student" group have write permission. As shown, after adding the "student" group as a supplementary group of the "class" user, the "class" user can create and delete files.
4.3. Ownership of created files
A file created in the shared directory after mounting is owned by whichever user logged in to mount it. Entering "admin users = class" on line 335 of the configuration file lets the "class" user mount the shared directory as the root user, as shown. The owner of the file "file1", created after this setting, is "root", whereas the owner of "file3", created earlier under the mount made as the "student" user, is "student".
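The share settings discussed in sections 2 to 4 ("[DATA]", "browseable", "guest ok", "writable", "write list", "valid users", "admin users") can be checked directly from smb.conf. The following POSIX shell script is an added example, not part of the original article and not Samba's own code: it reads a constructed configuration containing the same settings and reports, per share, which options are set, warning where a share is both guest-accessible and writable. The configuration file path, the share names, paths, users and IP address are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: a small smb.conf reader
# and share audit in POSIX sh + awk, so it runs without Samba installed.
# The configuration written below is CONSTRUCTED to mirror the settings the
# article discusses; the share names, paths, users and IP are placeholders.

SMB_CONF="${SMB_CONF:-${TMPDIR:-/tmp}/smb-audit-example.conf}"

# write_sample_conf: write the constructed configuration to $SMB_CONF.
write_sample_conf() {
    cat > "$SMB_CONF" <<'EOF'
[global]
    workgroup = text
    hosts allow = 172.25.254.202
    map to guest = Bad user
; self-built directory share, as in section 2 of the article
[DATA]
    comment = local directory /we
    path = /we
    browseable = no
    guest ok = yes
    writable = yes
    write list = +student
    admin users = class
# system directory share, as in sections 2 and 5
[system]
    path = /mnt
    valid users = @student
    read only = yes
EOF
}

# list_shares: print every [section] name, in file order.
list_shares() {
    awk '/^[ \t]*\[.*\][ \t]*$/ { s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s); print s }' "$SMB_CONF"
}

# smb_setting <section> <key>: print the value of <key> inside [<section>].
# Section and key names are matched case-insensitively, as Samba does;
# lines starting with ';' or '#' are comments.
smb_setting() {
    awk -v want_sec="$1" -v want_key="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    {
        line = trim($0)
        if (line == "" || line ~ /^[;#]/) next
        if (line ~ /^\[.*\]$/) { sec = tolower(substr(line, 2, length(line) - 2)); next }
        eq = index(line, "=")
        if (eq == 0) next
        key = tolower(trim(substr(line, 1, eq - 1)))
        val = trim(substr(line, eq + 1))
        if (sec == tolower(want_sec) && key == tolower(want_key)) print val
    }' "$SMB_CONF"
}

# is_yes <value>: exit 0 for the spellings Samba accepts as "true".
is_yes() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# share_is_writable <section>: exit 0 if the share allows writes, i.e.
# "writable = yes" (or its synonym "writeable") or "read only = no".
share_is_writable() {
    is_yes "$(smb_setting "$1" writable)" && return 0
    is_yes "$(smb_setting "$1" writeable)" && return 0
    ro=$(printf '%s' "$(smb_setting "$1" "read only")" | tr 'A-Z' 'a-z')
    [ "$ro" = no ] || [ "$ro" = false ] || [ "$ro" = 0 ]
}

# audit_shares: one line per share with the settings from sections 2-4, plus a
# WARNING for the combination a defender cares about most: a share that
# anonymous (guest) users can write to. browseable is reported as well, because
# "browseable = no" only hides the share from listings and does not protect it.
audit_shares() {
    for s in $(list_shares); do
        [ "$s" = global ] && continue
        guest=no; is_yes "$(smb_setting "$s" "guest ok")" && guest=yes
        w=no; share_is_writable "$s" && w=yes
        echo "$s: path=$(smb_setting "$s" path) guest_ok=$guest writable=$w" \
             "browseable=$(smb_setting "$s" browseable) write_list='$(smb_setting "$s" "write list")'" \
             "valid_users='$(smb_setting "$s" "valid users")' admin_users='$(smb_setting "$s" "admin users")'"
        if [ "$guest" = yes ] && [ "$w" = yes ]; then
            echo "  WARNING: $s is writable by anonymous (guest) users"
        fi
    done
}

write_sample_conf
echo "hosts allow (global): $(smb_setting global 'hosts allow')"
audit_shares
```

To audit a real server, point SMB_CONF at /etc/samba/smb.conf and call audit_shares; the reader deliberately does not resolve Samba's option synonyms beyond writable/writeable/read only, so the output should be confirmed with testparm where Samba is installed.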
5. User rights management
As shown, the root user mounts a shared directory, but after switching to the ordinary user "kiosk", that user can also see the files inside, which is obviously insecure and unreasonable, so the client needs user rights management. That is, other users on the client must authenticate before they can view the contents of the mount.
The setup steps are as follows:
"yum install cifs-utils -y": on the client side, the package that provides this is "cifs-utils".
"vim /root/smbpassword": write into this file a user and password that really exist on the Samba service; the file name can be chosen freely. After finishing, give the file 600 permissions for security.
"mount -o credentials=/root/smbpassword,multiuser,sec=ntlmssp //172.25.254.202/system /mnt": after mounting with this command, as shown, the "kiosk" user cannot see the files in the mounted directory.
If the "kiosk" user needs to see the files inside, user authentication is required: the "kiosk" user enters "cifscreds add -u class 172.25.254.202" and then the password to complete authentication. Any real user of the Samba service can be used for authentication.
When the "kiosk" user creates a file "kioskfile" in the mount directory, the client shows the file as belonging to the "kiosk" user, but on the Samba server the file belongs to the "class" user. This is because, on the Samba server, a file created by the "kiosk" user is owned by the server-side user whose UID matches the client's "kiosk" user. The UID of "kiosk" is 1001, and on the Samba server UID 1001 corresponds to the user "class".
The above is how the client manages ordinary users' operations on shared directories.
"valid users = student" can also be written on line 328 of the configuration file, so that only the "student" user can mount, or "valid users = @student", so that only users in the "student" group can mount.
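As an added example that is not part of the original article, the following POSIX shell script covers the client-side steps of section 5: it creates a credentials file like "/root/smbpassword" with mode 600, checks that the mode is safe, builds the mount options and the "/etc/fstab" entry with "credentials=" instead of an inline password, flags fstab entries that do carry a plaintext password, and shows the UID mapping that makes a file created by the "kiosk" user appear as owned by "class" on the server. All paths, the server address, user names, passwords and passwd excerpts are constructed placeholders; mount itself is not run.

```shell
#!/bin/sh
# Added example, not from the original article: the client-side pieces of the
# multiuser CIFS mount described in section 5, written so that they run without
# a Samba server. Paths, the server address, users and passwords are CONSTRUCTED
# placeholders; mount(8) itself is not executed here.

WORK="${TMPDIR:-/tmp}/cifs-client-example"
mkdir -p "$WORK"

# write_credentials <file> <user> <password>: the /root/smbpassword file from
# the article, in the "key=value" format mount.cifs expects. The umask makes the
# file mode 600 from the moment it is created, so the password is never readable
# by other users, not even briefly before a chmod.
write_credentials() {
    rm -f "$1"
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1" )
}

# credentials_ok <file>: exit 0 only if group and other have no permission bits
# (columns 5-10 of "ls -l"), i.e. the file is 600/400 as the article requires.
credentials_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# mount_options <credfile>: the option string of the article's mount command.
# credentials= keeps the password off the command line, where a
# "username=...,password=..." option would be visible to every local user via ps.
mount_options() {
    printf 'credentials=%s,multiuser,sec=ntlmssp' "$1"
}

# fstab_line <server> <share> <mountpoint> <credfile>: an /etc/fstab entry for
# the same mount at boot, using the credentials file instead of an inline password.
fstab_line() {
    printf '//%s/%s %s cifs %s 0 0\n' "$1" "$2" "$3" "$(mount_options "$4")"
}

# fstab_has_plaintext_password <fstab-file>: exit 0 if any cifs entry carries
# password= in its options. /etc/fstab is world-readable (mode 644), so such a
# password is exposed to every local user.
fstab_has_plaintext_password() {
    awk '$1 !~ /^#/ && $3 == "cifs" && $4 ~ /(^|,)password=/ { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# uid_owner <passwd-file> <uid>: the account name that owns <uid> in a passwd
# database. Used below to show why a file created by client user "kiosk"
# appears on the server as owned by "class": both accounts have UID 1001.
uid_owner() {
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# Constructed passwd excerpts for the client and the Samba server.
CLIENT_PASSWD="$WORK/client-passwd"
SERVER_PASSWD="$WORK/server-passwd"
printf 'root:x:0:0:root:/root:/bin/bash\nkiosk:x:1001:1001::/home/kiosk:/bin/bash\n' > "$CLIENT_PASSWD"
printf 'root:x:0:0:root:/root:/bin/bash\nclass:x:1001:1001::/home/class:/bin/bash\n' > "$SERVER_PASSWD"

# Constructed fstab samples: one with an inline password, one with a credentials file.
BAD_FSTAB="$WORK/fstab-bad"; GOOD_FSTAB="$WORK/fstab-good"
echo '//172.25.254.202/data /mnt cifs username=student,password=student 0 0' > "$BAD_FSTAB"
fstab_line 172.25.254.202 system /mnt /root/smbpassword > "$GOOD_FSTAB"

CREDS="$WORK/smbpassword"
write_credentials "$CREDS" class 'example-password'
credentials_ok "$CREDS" && echo "credentials file $CREDS has mode 600"
echo "mount -o $(mount_options /root/smbpassword) //172.25.254.202/system /mnt"
echo "UID 1001 is $(uid_owner "$CLIENT_PASSWD" 1001) on the client, $(uid_owner "$SERVER_PASSWD" 1001) on the server"
fstab_has_plaintext_password "$BAD_FSTAB" && echo "$BAD_FSTAB: plaintext password in fstab"
```

On a real client the same checks apply to /root/smbpassword and /etc/fstab, and uid_owner can be replaced by "getent passwd 1001" on each side to confirm which account a UID maps to.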
This is the main content of CIFS, the shared file system common to Linux and Windows systems. The Samba service is mainly used for file sharing with Windows clients; file sharing between Linux systems uses the NFS shared file system instead.