Pre-checks on both virtual machines:
1. Is yum available?
2. Has the firewall default zone been changed to trusted? (A lab shortcut: the trusted zone accepts every connection; outside the lab open only the SMB/NFS ports.)
3. Is the IP address configured?
-----------------------------------------------------------------------------------------
Samba file share (shared folder)
Samba software project
– Purpose: provide shared folders for clients
– Protocol: SMB (TCP 139), CIFS (TCP 445)
Required package: samba
System service: smb
I. Build a basic Samba service
1. Install the samba package
2. Create a Samba account: same user name as a system user, separate password
· Samba users: accounts dedicated to accessing the shared files
- Their password is set separately
- Create a system user with the same name in advance, without a password and without a login shell
· pdbedit management tool
- Add user: pdbedit -a username
- Query users: pdbedit -L (pdbedit -L -u username for one account)
- Delete user: pdbedit -x username
If the password was set wrong, delete the account and add it again
[root@server0 ~]# useradd -s /sbin/nologin harry
[root@server0 ~]# useradd -s /sbin/nologin kenji
[root@server0 ~]# useradd -s /sbin/nologin chihiro
# the system users exist only so the share can map to them; /sbin/nologin means they cannot log in to the local system
[root@server0 ~]# pdbedit -a harry      # add the Samba account and set its password
[root@server0 ~]# pdbedit -a kenji      # add the Samba account and set its password
[root@server0 ~]# pdbedit -a chihiro    # add the Samba account and set its password
[root@server0 ~]# pdbedit -L            # list all valid Samba accounts
harry:1001:
chihiro:1003:
kenji:1002:
3. Modify the service configuration file /etc/samba/smb.conf
Tip: in vim, last-line mode (Esc then :) and "set nu" shows line numbers
Line 89: workgroup = STAFF      # may be left unchanged
Append at the end of the file:
Line 321: [common]              # share name
Line 322: path = /common        # actual shared directory (absolute path)
[root@server0 ~]# mkdir /common                 # create the shared directory
[root@server0 ~]# echo haha > /common/abc.txt   # write a test file into the share
4. Restart the smb service and enable it at boot
[root@server0 ~]# systemctl restart smb
[root@server0 ~]# systemctl enable smb
On the virtual machine desktop0
Required package: samba-client
[root@desktop0 ~]# smbclient -L //172.25.0.11               # list the shared resources
Enter root's password:                                       # press Enter, no password needed
[root@desktop0 ~]# smbclient -U harry //172.25.0.11/common   # connect to the shared folder
Enter harry's password:
Domain=[STAFF] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls                                 # cannot list the share: SELinux restricts access to it
NT_STATUS_ACCESS_DENIED listing \*         # the lab requires SELinux to be set to enforcing beforehand
Approach: when a client cannot reach a server-side resource, check in order
1. Is the firewall restricting it?
2. Is the service's own access control restricting it?
3. Is SELinux restricting it?
SELinux: booleans (switches for individual features)
getsebool: view SELinux booleans
[root@server0 ~]# getsebool -a | grep samba
samba_export_all_ro --> off
samba_export_all_rw --> off
setsebool: set SELinux booleans
– Add the -P option to make the setting permanent (persists across reboots); the teaching environment leaves out -P because the permanent setting is noticeably slow to apply, so the change below is lost on reboot
[root@server0 ~]# setsebool samba_export_all_ro=on
[root@server0 ~]# getsebool -a | grep samba
On the virtual machine desktop0
[root@desktop0 ~]# smbclient -U harry //172.25.0.11/common
Enter harry's password:
Domain=[STAFF] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls                                 # the shared files are now visible
  .                                   D        0  Mon Nov  6 19:47:57 2017
  ..                                  D        0  Mon Nov  6 19:47:54 2017
  abc.txt                             N        5  Mon Nov  6 19:47:57 2017
                40913 blocks of size 262144. 28569 blocks available
--------------------------------------------------------------------------------------
Mount with mount
Required package: cifs-utils
_netdev: mount the device only after the network service is up
On the virtual machine desktop0
1. Install the package cifs-utils
2. Modify /etc/fstab
[root@desktop0 ~]# mkdir /mnt/samba      # create the mount point
[root@desktop0 ~]# vim /etc/fstab        # mount automatically at boot
//172.25.0.11/common  /mnt/samba  cifs  user=harry,pass=123,_netdev  0 0
3. Verify with mount -a
df -h                                    # view the mount information
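The fstab line above works, but it stores the Samba password in /etc/fstab, which every local user can read. The following added example (not from the original notes) writes a mount.cifs credentials file instead and references it with credentials=; the demo writes a temporary file, while on a real client the file would live under /root (a hypothetical path such as /root/smb.cred). The same option replaces pass= in the devops and multiuser fstab lines later in these notes.

```bash
#!/bin/bash
# Added example: keep the Samba password out of /etc/fstab (world-readable)
# by writing a credentials file for mount.cifs and referencing it with credentials=.
# Share, mount point and account names are the ones used in the notes.

# write_cifs_credentials FILE USER PASSWORD
# Creates FILE readable only by root, in the key=value format mount.cifs expects.
write_cifs_credentials() {
    file=$1; user=$2; pass=$3
    (
        umask 077                      # a newly created file gets mode 0600
        printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file"
    )
    chmod 0600 "$file"                 # enforce the mode even if the file already existed
}

# cifs_fstab_line SHARE MOUNTPOINT CREDFILE [EXTRA_OPTS]
# Prints the fstab entry; _netdev defers the mount until the network is up.
cifs_fstab_line() {
    share=$1; mnt=$2; cred=$3; extra=${4:+,$4}
    printf '%s %s cifs credentials=%s,_netdev%s 0 0\n' "$share" "$mnt" "$cred" "$extra"
}

# fstab_has_plain_password FSTAB_LINE
# Returns 0 when the options field embeds pass= or password= (the pattern to avoid).
fstab_has_plain_password() {
    case ",$(printf '%s' "$1" | awk '{print $4}')," in
        *,pass=*|*,password=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo with a temporary credentials file (constructed values, not a real password).
demo_cred=$(mktemp)
write_cifs_credentials "$demo_cred" harry 'example-only'
cifs_fstab_line //172.25.0.11/common /mnt/samba "$demo_cred"
cifs_fstab_line //172.25.0.11/devops /mnt/dev "$demo_cred" 'multiuser,sec=ntlmssp'
rm -f "$demo_cred"
```

After writing the real file, replace the options field of the existing fstab line with the printed one and re-run mount -a; the mount.cifs man page documents credentials= and the username=/password= keys.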
-------------------------------------------------------------------------------
Read/write sharing with Samba
On the virtual machine server0
1. Modify the configuration file /etc/samba/smb.conf
[devops]
path = /devops
write list = chihiro        # allow chihiro to write to the shared directory /devops
[root@server0 /]# mkdir /devops
[root@server0 /]# echo hahaxixi > /devops/123.txt
2. Restart the smb service
[root@server0 ~]# systemctl restart smb
3. Client verification:
[root@desktop0 ~]# smbclient -L 172.25.0.11
Enter root's password:
4. Client mount verification
[root@desktop0 ~]# mkdir /mnt/dev        # create the mount directory
[root@desktop0 ~]# vim /etc/fstab
//172.25.0.11/devops  /mnt/dev  cifs  user=chihiro,pass=123,_netdev  0 0
[root@desktop0 ~]# mount -a              # if this hangs, restart the smb service on server0
[root@desktop0 ~]# df -h
---------------------------------------------------------------------------------------
Other operations for reading and writing Samba shares
Approach: when a client cannot reach a server-side resource, check in order
1. Is the firewall restricting it?
2. Is the service's own access control restricting it?
3. Is SELinux restricting it?
4. Local permissions of the directory on the server
I. Modify the server-side SELinux boolean to allow read/write
[root@server0 /]# getsebool -a | grep samba
[root@server0 /]# setsebool samba_export_all_rw=on
[root@server0 /]# getsebool -a | grep samba
# on the client desktop0 files still cannot be created under /mnt/dev, because the local permissions of the server-side directory restrict it
II. Local permissions of the directory
[root@server0 /]# ls -ld /devops/
[root@server0 /]# setfacl -m u:chihiro:rwx /devops/
[root@server0 /]# getfacl /devops/
III. Client verification
[root@desktop0 ~]# touch /mnt/dev/test.txt
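The four-layer checklist (the same three-step version appears in the basic Samba section above) can be turned into a script. This added example, not from the original notes, reads an smb.conf, captured getsebool -a output, captured getfacl output and the firewall zone name, and reports which layer would block a given user on a given share; the sample inputs are constructed from the values used in these notes. To run it against a live server, feed it /etc/samba/smb.conf, the output of getsebool -a, the output of getfacl on the shared directory, and the result of firewall-cmd --get-default-zone.

```bash
#!/bin/bash
# Added example: the four checks from the notes (firewall, service access control,
# SELinux boolean, local directory permission) as functions that read text, so they
# can be tested on captured output and also fed the live commands' output.

# firewall_zone_ok ZONE -> 0 when ZONE is "trusted", the setting the lab uses
firewall_zone_ok() { [ "$1" = "trusted" ]; }

# smb_share_path SMBCONF SHARE -> prints the "path =" value of [SHARE], empty if absent
smb_share_path() {
    awk -v want="[$2]" '
        /^[[:space:]]*\[/ { insec = ($1 == want); next }
        insec && /^[[:space:]]*path[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# smb_share_writers SMBCONF SHARE -> prints the "write list =" value (empty = read-only share)
smb_share_writers() {
    awk -v want="[$2]" '
        /^[[:space:]]*\[/ { insec = ($1 == want); next }
        insec && /^[[:space:]]*write list[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# sebool_state GETSEBOOL_OUTPUT BOOL -> prints on/off for BOOL from "getsebool -a" text
sebool_state() {
    awk -v b="$2" '$1 == b { print $NF; exit }' "$1"
}

# acl_grants_rwx GETFACL_OUTPUT USER -> 0 when the getfacl text contains "user:USER:rwx"
acl_grants_rwx() {
    grep -qx "user:$2:rwx" "$1"
}

# samba_access_report SMBCONF SEBOOL_FILE ACL_FILE ZONE SHARE USER
# Prints one line per layer; the return value is the number of failing layers.
samba_access_report() {
    conf=$1; sebool=$2; acl=$3; zone=$4; share=$5; user=$6
    fails=0
    if firewall_zone_ok "$zone"; then echo "1 firewall: zone $zone ok"
    else echo "1 firewall: zone $zone may block TCP 139/445"; fails=$((fails+1)); fi

    path=$(smb_share_path "$conf" "$share")
    writers=$(smb_share_writers "$conf" "$share")
    if [ -z "$path" ]; then echo "2 service: share [$share] not defined"; fails=$((fails+1))
    else echo "2 service: [$share] -> $path, write list: ${writers:-(none, read-only)}"; fi

    # a user on the write list needs samba_export_all_rw, anyone else samba_export_all_ro
    case " $writers " in *" $user "*) need=samba_export_all_rw; writer=1 ;; *) need=samba_export_all_ro; writer=0 ;; esac
    state=$(sebool_state "$sebool" "$need")
    if [ "$state" = "on" ]; then echo "3 selinux: $need=on"
    else echo "3 selinux: $need=${state:-unknown}, fix: setsebool -P $need=on"; fails=$((fails+1)); fi

    if [ "$writer" -eq 0 ]; then echo "4 local perms: read-only user, check ls -ld $path"
    elif acl_grants_rwx "$acl" "$user"; then echo "4 local perms: $user has rwx on $path"
    else echo "4 local perms: $user lacks rwx on $path, fix: setfacl -m u:$user:rwx $path"; fails=$((fails+1)); fi
    return $fails
}

# Constructed sample inputs (not captured from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/smb.conf" <<'EOF'
[global]
workgroup = STAFF
[common]
path = /common
[devops]
path = /devops
write list = chihiro
EOF
cat > "$demo_dir/sebool.txt" <<'EOF'
samba_export_all_ro --> on
samba_export_all_rw --> off
EOF
cat > "$demo_dir/acl.txt" <<'EOF'
# file: devops/
# owner: root
# group: root
user::rwx
user:chihiro:rwx
group::r-x
mask::rwx
other::r-x
EOF
samba_access_report "$demo_dir/smb.conf" "$demo_dir/sebool.txt" "$demo_dir/acl.txt" trusted devops chihiro
echo "failing layers: $?"
rm -rf "$demo_dir"
```

With the constructed inputs the report flags exactly one layer (samba_export_all_rw is off), which matches the situation in the notes before step I above.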
---------------------------------------------------------------------------------------
There are 4 ways to share files: samba, nfs, http, ftp
Multiuser access (just understand it; only ordinary users are supported)
– multiuser: lets different users on the client present their own identity on the same mount
– sec=ntlmssp: NT LAN Manager security support
On the client:
[root@desktop0 /]# vim /etc/fstab
//172.25.0.11/devops  /mnt/dev  cifs  user=kenji,pass=123,_netdev,multiuser,sec=ntlmssp  0 0    # replace the earlier line, do not append a second one
[root@desktop0 /]# umount /mnt/dev/
[root@desktop0 /]# mount -a
[root@desktop0 /]# df -h
[root@desktop0 /]# su - student
[student@desktop0 ~]$ cd /mnt/dev
[student@desktop0 dev]$ cifscreds add -u chihiro 172.25.0.11    # submit chihiro's credentials with cifscreds and test
Password:
[student@desktop0 dev]$ ls
[student@desktop0 dev]$ touch abc.txt      # write test
[student@desktop0 dev]$ ls                 # verify the result
abc.txt
[student@desktop0 dev]$ exit
-------------------------------------------------------------------------------------------
Configure NFS sharing
Network File System
– Purpose: provide shared folders for clients
– Protocol: NFS (TCP/UDP 2049), RPC (TCP/UDP 111)
Required package: nfs-utils
System service: nfs-server
Build a basic read-only NFS service
1. On the virtual machine server0, check whether nfs-utils is installed
[root@server0 /]# rpm -q nfs-utils
2. Modify the configuration file /etc/exports
[root@server0 /]# mkdir /public                   # create the shared directory
[root@server0 /]# echo hehelele > /public/nsd.txt
[root@server0 /]# vim /etc/exports
/public 172.25.0.0/24(ro)          # directory path, client address(permissions); no space before the parenthesis, otherwise the options apply to every client and the address gets the defaults
3. Restart the nfs-server service and enable it at boot
[root@server0 /]# systemctl restart nfs-server
[root@server0 /]# systemctl enable nfs-server
4. Client access to the nfs-server service
[root@desktop0 /]# mkdir /mnt/nfs                 # create the mount point
[root@desktop0 /]# showmount -e 172.25.0.11       # list the NFS shares offered
[root@desktop0 /]# vim /etc/fstab
172.25.0.11:/public  /mnt/nfs  nfs  _netdev  0 0
[root@desktop0 /]# mount -a
[root@desktop0 /]# ls /mnt/nfs
----------------------------------------------------------------------------------------
Read/write nfs-server service
I. Read and write as the client's root user
Server side:
[root@server0 /]# mkdir /abc
[root@server0 /]# echo 123 > /abc/a.txt
[root@server0 /]# vim /etc/exports
/abc 172.25.0.0/24(rw)
[root@server0 /]# systemctl restart nfs-server
Client:
[root@desktop0 /]# vim /etc/fstab
Append this line:
172.25.0.11:/abc  /mnt/nsd  nfs  _netdev  0 0
[root@desktop0 /]# mkdir /mnt/nsd
[root@desktop0 /]# mount -a
[root@desktop0 /]# df -h            # the /abc mount point is not shown; use df -ah instead
Server side:
[root@server0 /]# vim /etc/exports
/abc 172.25.0.0/24(rw,no_root_squash)    # do not squash the client's root: by default (root_squash) the client's root is mapped to nfsnobody on the server; with no_root_squash it acts as root on the exported directory
[root@server0 /]# systemctl restart nfs-server
Client:
[root@desktop0 /]# systemctl restart nfs          # restart the client-side service
[root@desktop0 /]# touch /mnt/nsd/5.txt           # while the server squashed client root, this file could not be created
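What an exports line actually grants, worked through as an added example (not the notes' own code) on a constructed /etc/exports: root_squash is the default, so without no_root_squash the client's root is mapped to nfsnobody and cannot create /mnt/nsd/5.txt; with no_root_squash the client's root acts as root inside the export, which is why that option belongs only on exports restricted to trusted client addresses. The parser also flags the common mistake of a space between the client address and the option list.

```bash
#!/bin/bash
# Added example: read an /etc/exports file the way exportfs does and answer
# "what does this client get for this directory?". Sample file is constructed.

# export_opts EXPORTS DIR CLIENT -> prints the option list DIR is exported with to CLIENT
# CLIENT must match the spec exactly (e.g. 172.25.0.0/24 or *). Returns 1 when not exported.
export_opts() {
    awk -v dir="$2" -v cl="$3" '
        $1 == dir {
            for (i = 2; i <= NF; i++) {
                spec = $i; opts = ""
                # "host(opts)": split into the host part and the option list
                if (sub(/\(.*\)$/, "", spec)) { opts = $i; sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts) }
                if (spec == "") spec = "*"      # a bare "(opts)" field applies to every client
                if (spec == cl) { found = 1; print opts; exit }
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# root_squash_effective OPTS -> 0 unless no_root_squash is listed (root_squash is the default)
root_squash_effective() {
    case ",$1," in *,no_root_squash,*) return 1 ;; *) return 0 ;; esac
}

# export_writable OPTS -> 0 when rw is listed (ro is the default)
export_writable() {
    case ",$1," in *,rw,*) return 0 ;; *) return 1 ;; esac
}

# exports_lint EXPORTS -> prints lines where "(opts)" is separated from its client by a
# space; the server then applies those options to every client and the named client
# silently gets the defaults (ro, root_squash)
exports_lint() {
    awk '{ for (i = 2; i <= NF; i++) if ($i ~ /^\(/) { print NR ": " $0; break } }' "$1"
}

# describe_export EXPORTS DIR CLIENT -> one-line summary of what CLIENT gets for DIR
describe_export() {
    if ! opts=$(export_opts "$1" "$2" "$3"); then
        echo "$2 is not exported to $3"; return 1
    fi
    if export_writable "$opts"; then rw=rw; else rw=ro; fi
    if root_squash_effective "$opts"; then sq="client root is mapped to nfsnobody"
    else sq="client root keeps root on the server (no_root_squash)"; fi
    echo "$2 for $3: $rw, $sq"
}

# Constructed sample /etc/exports with the three shares from the notes; the first line
# deliberately contains the space mistake.
demo=$(mktemp)
cat > "$demo" <<'EOF'
/public 172.25.0.0/24 (ro)
/abc 172.25.0.0/24(rw,no_root_squash)
/test *(rw,sec=krb5p)
EOF
describe_export "$demo" /abc 172.25.0.0/24
describe_export "$demo" /abc 172.25.1.0/24
echo "lines with a space before the option list:"
exports_lint "$demo"
rm -f "$demo"
```

On the server the same functions can be pointed at the real file (export_opts /etc/exports /abc 172.25.0.0/24), and exportfs -v shows the effective options the kernel ended up with, which is the authoritative check.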
---------------------------------------------------------------------------------------
II. Ordinary users (the environment must be restored first)
When a client accesses the nfs-server service, the server decides permissions by the local user that has the same UID as the client-side user.
LDAP: network users, provides the user name
Kerberos: password authentication; implements the "authenticate once, log in many times" ticket mechanism
1. Run the lab script on both virtual machines to join LDAP and Kerberos
# lab nfskrb5 setup
2. On the server, modify the configuration file to create a read/write share
[root@server0 ~]# mkdir /test
[root@server0 ~]# vim /etc/exports
/test *(rw,sec=krb5p)
3. Deploy the encryption key on the server
# wget http://172.25.254.254/pub/keytabs/server0.keytab -O /etc/krb5.keytab
# ls /etc/krb5.keytab
4. On the server, restart nfs-server and nfs-secure-server
# systemctl restart nfs-server nfs-secure-server
5. Make sure ldapuser0 has write permission on the server: set the local permissions
[root@server0 ~]# setfacl -m u:ldapuser0:rwx /test
[root@server0 ~]# getfacl /test
6. Client access and mount of the share
[root@desktop0 ~]# showmount -e 172.25.0.11
[root@desktop0 ~]# mkdir /mnt/nfs
[root@desktop0 ~]# vim /etc/fstab
172.25.0.11:/test  /mnt/nfs  nfs  _netdev,sec=krb5p  0 0
7. Deploy the key file on the client and restart the related services
# wget http://172.25.254.254/pub/keytabs/desktop0.keytab -O /etc/krb5.keytab
# systemctl restart nfs nfs-secure
8. Verify the mount and write from the client (must be done over SSH: su performs no Kerberos authentication, so the user gets no ticket)
[root@desktop0 ~]# mount -a
[root@desktop0 ~]# df -h
[root@desktop0 ~]# ssh ldapuser0@desktop0
[ldapuser0@desktop0 ~]$ cd /mnt/nfs/
[ldapuser0@desktop0 nfs]$ touch 1.txt
[ldapuser0@desktop0 nfs]$ ls
1.txt
[ldapuser0@desktop0 nfs]$ exit
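Two consistency checks for the Kerberos-secured export, as an added example (not the notes' own code): the sec= flavour in the client's fstab must equal the one in the server's /etc/exports, otherwise the mount is refused, and /etc/krb5.keytab fetched with wget should be readable by root only (wget creates it with the default umask, typically 0644). The sample files are constructed; export_sec assumes one client spec per exports line, as in these notes.

```bash
#!/bin/bash
# Added example: check that client and server agree on the Kerberos security flavour
# and that the keytab is protected. Constructed inputs, not the lab's real files.

# opt_value OPTS KEY -> prints the value of KEY=... in a comma-separated option list
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# export_sec EXPORTS DIR -> security flavour the server demands for DIR ("sys" when unset)
# Assumes a single "client(opts)" spec on the line, as in these notes.
export_sec() {
    opts=$(awk -v dir="$2" '$1 == dir { o = $2; sub(/^[^(]*\(/, "", o); sub(/\)$/, "", o); print o; exit }' "$1")
    v=$(opt_value "$opts" sec); printf '%s\n' "${v:-sys}"
}

# fstab_sec FSTAB MOUNTPOINT -> flavour the client will request for MOUNTPOINT ("sys" when unset)
fstab_sec() {
    opts=$(awk -v m="$2" '$2 == m && $3 == "nfs" { print $4; exit }' "$1")
    v=$(opt_value "$opts" sec); printf '%s\n' "${v:-sys}"
}

# sec_matches EXPORTS DIR FSTAB MOUNTPOINT -> 0 when both sides name the same flavour
sec_matches() {
    [ "$(export_sec "$1" "$2")" = "$(fstab_sec "$3" "$4")" ]
}

# keytab_ok FILE -> 0 when FILE exists, is non-empty and has mode 0600 (root-only)
keytab_ok() {
    [ -s "$1" ] && [ "$(stat -c %a "$1")" = "600" ]
}

# Demo on constructed copies of the files from the notes.
demo_dir=$(mktemp -d)
printf '/test *(rw,sec=krb5p)\n' > "$demo_dir/exports"
printf '172.25.0.11:/test /mnt/nfs nfs _netdev,sec=krb5p 0 0\n' > "$demo_dir/fstab"
printf 'constructed placeholder, not a real keytab\n' > "$demo_dir/krb5.keytab"
chmod 0600 "$demo_dir/krb5.keytab"
if sec_matches "$demo_dir/exports" /test "$demo_dir/fstab" /mnt/nfs; then
    echo "sec=$(export_sec "$demo_dir/exports" /test) agrees on both sides"
else
    echo "sec= mismatch: server $(export_sec "$demo_dir/exports" /test), client $(fstab_sec "$demo_dir/fstab" /mnt/nfs)"
fi
keytab_ok "$demo_dir/krb5.keytab" && echo "keytab present and root-only"
rm -rf "$demo_dir"
```

On the real machines the calls become export_sec /etc/exports /test on server0, fstab_sec /etc/fstab /mnt/nfs on desktop0, and keytab_ok /etc/krb5.keytab on both; if keytab_ok fails, chmod 0600 /etc/krb5.keytab fixes it.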
Linux learning notes, engineer track: SMB sharing, NFS sharing