Linux Samba Server Installation and Security Settings
Samba is free software that implements the SMB protocol on Linux and UNIX systems. It consists of server and client programs.
Server Message Block (SMB) is a communication protocol for sharing files, printers, and other resources between computers on a LAN. It is a client/server protocol: a client uses it to access shared file systems, printers, and other resources on the server. With "NetBIOS over TCP/IP" configured, Samba can share resources not only with hosts on the local network but also with computers around the world.
Samba is mainly intended for networks where Windows and Linux systems coexist. If the network consists only of Linux or Unix systems and Samba is not required, NFS is the better choice.
A Samba share is accessed in the simple form \\10.0.0.126\shared directory. The following describes the installation and configuration process in detail.
1. Install the Samba server
I chose the CentOS 5.8 operating system, on which Samba is relatively simple to install.
Run the following command to check whether Samba is installed:
rpm -qa | grep samba
samba ----- all files of the Samba server program
samba-common ----- common files required by both the Samba server and the client
samba-client ----- all files of the Samba client
samba-swat ----- a Web interface for managing the Samba server
If Samba is not installed, or the installed version is old, install it with yum:
yum install samba-* -y
The installation is relatively simple. The configuration follows below.
chkconfig smb on # start Samba automatically at boot
service smb start # start the Samba server
2. Samba configuration
The Samba configuration file is /etc/samba/smb.conf. Back up the default configuration file before modifying it. Here we focus on permission and security configuration.
cd /etc/samba
cp smb.conf smb.conf.default # making a backup is a good habit
vi smb.conf
1) Global configuration
[global]
# Name of the workgroup of the computers that will access the server. This is usually the default Windows workgroup name.
workgroup = WORKGROUP
# Access method. With share, no password is required; with user, a user name and password are required.
security = user
----------- Standalone Server Options ----------
# The Samba server acts as a standalone server and is itself the authentication source: the user name and password entered when accessing the Samba server are verified against the accounts on the Samba server's local system.
security = user ----- sets the security level, that is, the authentication method for clients accessing the Samba server. In this section only the following three values can be set: share (not recommended), user, and server (not recommended).
passdb backend = tdbsam ----- possible values are smbpasswd, tdbsam, ldapsam, and mysql. The default is tdbsam, which generally does not need to be changed unless you want to use the smbpasswd file of older Samba versions or another method.
encrypt passwords = yes/no ----- whether the authentication password is encrypted during transmission.
Parameter description:
security = share/user/server/domain/ads
The following three security levels are used in the Standalone Server Options section; the user level is also used in the Domain Controller Options section.
(1) share: no user name or password is required to access the resources shared by the Samba server.
(2) user: a user name and password are required to access the resources shared by the Samba server. The authentication source is the Samba server itself.
(3) server: a user name and password are required to access the resources shared by the Samba server. The user is authenticated by another Samba server or a Windows server.
The following two security levels are used in the Domain Members Options section:
(4) domain: the Samba server is a member of a Windows domain based on the Windows NT platform. To access shared resources, a user name and password are required, and the user is authenticated by the Windows domain.
(5) ads: the Samba server is a member of a Windows Active Directory based on the Windows x platform. To access shared resources, a user name and password are required, and the user is authenticated by the Windows Active Directory.
passdb backend = tdbsam/smbpasswd/ldapsam/mysql
(1) tdbsam: uses a database file as the user database. The database file is named passdb.tdb. Create a Samba user with smbpasswd -a [user name], or with the pdbedit command.
(2) smbpasswd: uses the smbpasswd tool provided by Samba to set a Samba password for a system user; the client uses this password to access Samba shared resources. This method also needs the parameter smb passwd file = /usr/local/samba/etc/smbpasswd (or /etc/samba/smbpasswd) to specify the file that stores the user names and passwords. This file must be created manually. This method is not recommended.
(3) ldapsam: verifies users through LDAP-based account management. The LDAP service must be set up first.
(4) mysql: stores the Samba server's user names and passwords in a MySQL database.
Common parameters of the pdbedit command:
pdbedit -a username: create a Samba account.
pdbedit -x username: delete the Samba account.
pdbedit -L: list Samba users (reads the passdb.tdb database file).
pdbedit -Lv: list Samba users with detailed information.
pdbedit -c "[D]" -u username: suspend this Samba user's account.
pdbedit -c "[]" -u username: restore this Samba user's account.
Note:
Standalone Server Options, Domain Members Options, and Domain Controller Options correspond to the Samba authentication methods and working roles. Each of the three must be configured with an appropriate security value (the security level, which sets the Samba authentication method). These are the three roles a Samba server can take.
Add a custom shared directory:
[yourworkdir]
# description of the share
comment = work Directories
# all Samba users can see this directory
browseable = yes
# users can write to the shared directory
writable = yes
# path of the shared directory
path = /data/yourworkdir
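An added example, not part of the original article: a small Python check that parses smb.conf text using the file's rules for comments and names, and flags the settings discussed above (security = share or server, passdb backend = smbpasswd, encrypt passwords = no) as well as trailing "#" annotations, which smb.conf reads as part of the value because only whole lines can be comments. The function names and both sample configurations are constructed for illustration.

```python
import re

# Values the article calls not recommended, plus unencrypted password transport.
WEAK = {"security": {"share", "server"}, "passdbbackend": {"smbpasswd"},
        "encryptpasswords": {"no", "false", "0"}}

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {parameter: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # only whole-line comments exist
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(norm(header.group(1)), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first "=" counts
            current[norm(name)] = value.strip()
    return sections

def audit(text):
    """Return sorted (section, parameter, problem) tuples."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        for name, value in params.items():
            if re.search(r"\s#", value):
                findings.append((section, name, "inline comment is part of the value"))
            elif section == "global" and value.lower().split(":")[0] in WEAK.get(name, ()):
                findings.append((section, name, "not recommended: " + value))
    return sorted(findings)

# Constructed sample input, not taken from a real server
WEAK_CONF = """[global]
Security = share
passdb backend = smbpasswd
encrypt passwords = No
[yourworkdir]
path = /data/yourworkdir   # shared directory
"""
HARDENED_CONF = ("[global]\nsecurity = user\npassdb backend = tdbsam\n"
                 "encrypt passwords = yes\n[yourworkdir]\npath = /data/yourworkdir\n")

if __name__ == "__main__":
    print(*audit(WEAK_CONF), sep="\n")
```

On a real server, point audit() at the contents of /etc/samba/smb.conf before restarting the service.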
3. Restart the smb service after the configuration is complete.
service smb restart
Add a user. Note that the account must exist in the system, and the password cannot be the same as the system logon password.
useradd user
smbpasswd -a user # set the Samba logon password for the user; enter the same password twice
Create the shared folder and set its ownership and permissions:
mkdir /data/yourworkdir
chown -R user /data/yourworkdir
chmod -R 750 /data/yourworkdir
To test, use a Windows client on the intranet: enter the IP address of the Samba server, for example \\10.0.0.126\, and then enter the user name and password.