Practical Samba skills: Changing users, port listening, and list control

Source: Internet
Author: User

[BKJIA exclusive article] This article describes the basic configuration of Samba on FreeBSD 8.1 step by step. The SMB protocol can be seen as a protocol for sharing files and printers on a LAN; it can provide file systems, print services, or other information to the other Windows and Linux machines on the network. Samba is software that implements SMB. It was developed by Andrew Tridgell in Australia and is free software that runs in Linux (Unix) environments. With Samba, Linux can provide a range of functions. For more basic Samba server knowledge, refer to the previous article: Samba Server Introduction and Quick Configuration Guide.

Author profile: Yu Hongchun (blog), online name Fuqin Liquor, English name Andrew Yu, is a senior Linux/Unix system administrator and project implementation engineer at a foreign company in Wuhan. He is a Red Hat RHCE lecturer, specializes in load balancing, high availability, and website architecture for small and medium-sized securities firms and businesses, and currently focuses on website architecture research and network security.

I. Samba Basics

1. Introduction

1) SMB protocol

The Server Message Block (SMB) protocol can be seen as a protocol for sharing files and printers on a LAN; it can provide file systems, print services, or other information to the other Windows and Linux machines on the network. SMB works by running NetBIOS (the Win95 Network Neighborhood communication protocol) and SMB on top of TCP/IP. The NetBIOS name server lets your Linux machine be seen in Windows Network Neighborhood, so it can communicate with the Win95/NT hosts on the network to share files and services.

2) What is Samba?

Samba is software that implements SMB. It was developed by Andrew Tridgell in Australia and is free software that runs in Linux (Unix) environments.

By using Samba, the Linux system can implement the following functions:

● File and print services (sharing printers and disks between Linux and Win95/NT systems)

● Logon server, handling Windows network logons

● Acting as primary domain controller and as domain member

● WINS server and browsing functions

● SSL (Secure Socket Layer) support

● SWAT (Samba Web Administration Tool) support

In addition to Linux (Unix) and Win95/NT, Samba also supports DOS, IBM OS/2, Macintosh, and other operating systems.

2. Samba log files

Samba provides the following log files for smbd, nmbd, and the clients accessing Samba; they record the running information of smbd and nmbd and the access information of each client, respectively:

smbd information: /var/log/samba/log.smb

nmbd information: /var/log/samba/log.nmb

Client access information: /var/log/samba/log.%m

3. Configuring samba34 on FreeBSD 8.1

# cd /usr/ports/net/samba34
# make install clean

Start from the default configuration without any changes:

# cp /usr/local/share/examples/samba34/smb.conf.default /usr/local/etc/smb.conf
# vi /usr/local/etc/smb.conf

Add the following:

[dev]
path = /usr/local/dev
public = yes
only guest = yes
writable = yes
printable = no

Add an smbpasswd user:

# /usr/local/bin/smbpasswd -a username

(adds the user name; follow the prompts for the remaining operations)

# vi /etc/rc.conf

Add:

nmbd_enable="YES"
smbd_enable="YES"

To start manually:

#/usr/local/etc/rc.d/samba start

II. Configuring and using Samba on FreeBSD 8.1

1. Customizing the configuration file /etc/smb.conf

After installing Samba, you also need to customize its configuration file smb.conf so that Samba works properly and meets your requirements. Because SMB is a very complex protocol, configuring Samba is correspondingly complicated: about 170 configuration items appear in the smb.conf file.

1) smb.conf syntax

The smb.conf file has a clear syntax structure, similar to that of a Windows *.ini file, as follows:

The file is divided into several sections, each containing parameters that define the shares Samba exports and the details of their operation.

Each section starts with an identifier enclosed in square brackets (for example, [global], [homes], [printers]). Each configuration parameter is either a global parameter (affecting or controlling the whole server) or a service parameter (affecting or controlling one service provided by the server).

Global parameters control the overall behaviour of Samba. Apart from the global section, each section defines one particular service.

A parameter is specified with a statement of the form:

name=VALUE

name can be a single word or several words separated by spaces. VALUE can be a Boolean (true or false; yes or no; 1 or 0), a number, or a string.

A comment starts with a semicolon. It can occupy a whole line or follow a statement.

A backslash "\" after the last character of a line continues the statement on the next line, so one statement can be split across several lines.

Section names and parameter names are case-insensitive. For example, browseable = yes is equivalent to browseable = YES.

2) Function of the smb.conf file

The smbd and nmbd daemons read the configuration file smb.conf at startup (usually during system boot). The configuration file tells the two daemons what to share, with whom to share it, and how to export it. Because security is the most important concern, you must specify which computers can access each share. The smb.conf file can flexibly specify which users can access each service, and as a Linux network grows this control becomes more and more important.

3) Structure of the smb.conf file

The smb.conf file consists of three parts:

● Global parameters

● Directory shares, including the standard [homes] section

● Printer shares

The global parameters set the rules for the whole system. The [homes] and [printers] sections are particular instances of services; "service" is the Samba term for a directory or printer that is shared with (exported to) network clients. These services define which users can access the directories and printers and how they can access them.

The following listing gives a simple example of an smb.conf file.

[global]
workgroup = MYGROUP
server string = Samba Server
security = user
printing = lprng
log file = /var/log/samba
lock directory = /var/lock/samba
[homes]
comment = Home Directory
browseable = no
read only = no
[printers]
browseable = no
guest ok = yes
printable = yes
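The syntax rules from 1) (bracketed section headers, name = value statements, semicolon comments, backslash continuation, case-insensitive names) applied to the listing above: a small parser added here as an example, not code from the article or from Samba itself. The sample text is constructed from the listing, with one comment and one continued line added to exercise every rule.

```python
import re

SAMPLE_SMB_CONF = """\
; constructed sample based on the article's listing
[global]
workgroup = MYGROUP
server string = Samba \\
    Server
security = user
printing = lprng
log file = /var/log/samba
lock directory = /var/lock/samba
[homes]
comment = Home Directory
browseable = no
read only = no
[printers]
browseable = no
guest ok = yes
printable = yes
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} from smb.conf text: [section] headers,
    name = value lines, ';' or '#' comment lines, backslash continuation, and
    case-insensitive section and parameter names (stored lower-cased)."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + (raw.lstrip() if pending else raw)
        if line.endswith("\\"):          # statement continues on the next line
            pending = line[:-1]
            continue
        pending, line = "", line.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        name, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError("malformed smb.conf line: %r" % line)
        sections[current][" ".join(name.split()).lower()] = value.strip()
    return sections

def guest_accessible_shares(conf):
    """Shares with guest ok = yes/true/1; worth reviewing under security = user."""
    return sorted(s for s, p in conf.items()
                  if p.get("guest ok", "no").lower() in ("yes", "true", "1"))
```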

The [global] section sets the host name, the workgroup the host belongs to, and the description of the local machine displayed when browsing. The security parameter tells Samba to use "user-level" security. SMB has two security modes: share level, where each resource is controlled by its own password, and user level, where an authenticated user can use all the resources available to that user.

The subtle differences between the two modes cannot be explained in detail here, but in most cases you will want user-level security.

The [global] section also defines the log file directory and the location of the lock files. Log files are useful for troubleshooting and for improving the system. Lock files prevent several users from modifying the same file at the same time.

The settings in the [homes] section control how each user's home directory is shared. The string given by the comment parameter appears next to the resource when local resources are browsed.

The browseable parameter controls whether a service appears in the list of network resources. There is something unintuitive here: browseable = no means that the home directory is displayed under the name of the authenticated user when browsing. For example, with browseable = no, when I browse this Samba server I see a shared directory named cuckoo; with browseable = yes, I see shared directories named both homes and cuckoo. Setting read only = no lets authenticated users write to their home directory; however, if the UNIX permissions of the home directory do not allow writing, they still have no write access. With read only = yes, the home directory is read-only regardless of the UNIX permissions.

The printing parameter describes the type of the local printing system. This lets Samba know how to submit a print job, display the print queue, delete a print job, and perform other operations.

If the print system is unknown to Samba, you must specify the command for each print operation explicitly.

The [printers] section in the listing allows any user who can log on to the Samba server to use every printer that appears in printcap. Normally, when user-level security is used, guest ok = yes cannot by itself authorize every user of the system. Each print service must be defined with printable = yes.

III. A more practical way to share Samba with Windows XP

After samba34 is installed on FreeBSD 8.1, if you add an actual system user to the Samba user database, that FreeBSD user is also a Samba user and can read and write its own /home/user directory by default. We can then use drive mapping, so that once the Windows machine starts a remote disk is available for reading and writing by default. I tested this example myself, as shown below:

[Screenshot: mapping the Samba home directory as a network drive in Windows XP]

IV. Changing the user identity used to access the Samba server from Windows

When a Windows client accesses the Samba server, a common phenomenon is that once a connection to the Samba server has been established, the authentication dialog no longer appears when the client accesses the server again, so the user identity cannot be changed. Many users log out to solve this, which is troublesome and time-consuming. In fact, the cause lies in the mechanism of Windows itself, or more precisely in the SMB service: because the NetBIOS service is connection-oriented, once a client has established a connection with the Samba server the connection stays active for a period of time, so when the user accesses the server again the previous identity does not need to be verified again. Solution: run net use \\<Samba file server IP address>\IPC$ /delete; once the shared connection has been deleted successfully, you can access the Samba server with a different user identity.

V. Ports used by the Samba service

During the experiment it was found that although the Samba service listens on four ports, only port 445 is used to transfer data. To verify this, a firewall and a packet capture tool were enabled, with the INPUT and OUTPUT chains set to DROP by default:

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT

The Samba service could still communicate with the client normally and serve data, and the packets captured with wireshark confirmed this. Ports 137, 138 and 139 are also used in many teaching materials. That is also true, because Samba is then used as a WINS server, that is, UDP 138 and UDP 139 perform NetBIOS resolution. If no NetBIOS resolution is performed, port 445 is sufficient. The RHEL5 textbook currently uses only port 445, which you can use when building a Samba server.
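An added check, not from the article, that audits which ports smbd and nmbd actually bind on the server and compares them with the two policies discussed here (SMB over 445 only, or SMB plus the NetBIOS ports); it assumes the column layout of FreeBSD's sockstat -4 -l, and the sample listing is constructed.

```python
# Constructed sample of `sockstat -4 -l` output on the FreeBSD Samba host
# (not a real capture): the four Samba listeners plus an unrelated sshd line.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       1234  20 tcp4   *:445                 *:*
root     smbd       1234  21 tcp4   *:139                 *:*
root     nmbd       1230  10 udp4   *:137                 *:*
root     nmbd       1230  11 udp4   *:138                 *:*
root     sshd       900   4  tcp4   *:22                  *:*
"""

# Policy sets: plain SMB over TCP only, or SMB plus the NetBIOS ports that
# name service, datagram service and session service use (137/udp, 138/udp, 139/tcp).
SMB_ONLY = {("tcp", 445)}
WITH_NETBIOS = SMB_ONLY | {("udp", 137), ("udp", 138), ("tcp", 139)}

def samba_listeners(sockstat_output):
    """Parse sockstat output and return {(proto, port)} bound by smbd or nmbd."""
    found = set()
    for line in sockstat_output.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 6 or fields[1] not in ("smbd", "nmbd"):
            continue
        proto = fields[4].rstrip("46")               # tcp4 -> tcp, udp4 -> udp
        port = int(fields[5].rsplit(":", 1)[1])      # "*:445" -> 445
        found.add((proto, port))
    return found

def ports_to_block(listeners, netbios_needed):
    """Listeners outside the chosen policy: what the firewall must still drop
    (or what Samba should stop binding, e.g. smb ports = 445 in smb.conf)."""
    policy = WITH_NETBIOS if netbios_needed else SMB_ONLY
    return sorted(listeners - policy)
```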

VI. Controlling Samba access through host name and IP address lists

Edit /etc/samba/smb.conf with vi and add the following in [global]:

hosts allow=192.168.1.0/24 127.0.0.1

This means the server only accepts access from hosts in the 192.168.1.0 network and from the local host. You can also use host names instead of IP addresses. Without this setting, all hosts are allowed to access the server by default; with it, hosts other than the 192.168.1.0 network and the local host are denied access to the Samba server.

hosts allow=mail.test.com

If only a few hosts are to be excluded, you can use the following syntax:

hosts allow=test.com EXCEPT mail.test.com

In practice it is recommended to write the network in dotted-decimal netmask form, which is easier to remember: hosts allow = 192.168.1.0/255.255.255.0. If user-level and host-level access control have to be implemented at the same time, you can use PAM (Pluggable Authentication Modules), that is, Samba + PAM, which allows specific users to access the Samba server only from specific hosts.
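The three hosts allow forms shown above (network with CIDR or dotted netmask plus the local host, a single host name, and a domain with EXCEPT), evaluated for one client by an added example that is not Samba's own matching code. It assumes the client's host name has already been resolved and is passed in, and it accepts the article's bare domain form (test.com) as a domain match alongside Samba's leading-dot form (.test.com).

```python
import ipaddress

def _parse_entry(entry):
    """Classify one hosts allow entry: network (CIDR or dotted netmask),
    trailing-dot prefix such as 192.168.1., single address, or host/domain name."""
    if "/" in entry:
        return ("net", ipaddress.ip_network(entry, strict=False))
    if entry.endswith("."):
        return ("prefix", entry)
    try:
        return ("ip", ipaddress.ip_address(entry))
    except ValueError:
        return ("name", entry.lower())

def _matches(kind, spec, ip, hostname):
    if kind == "net":
        return ip in spec
    if kind == "prefix":
        return str(ip).startswith(spec)
    if kind == "ip":
        return ip == spec
    # Name entries: Samba matches a leading-dot entry (.test.com) against the
    # tail of the client's name; the article's bare form (test.com) is treated
    # here as the same domain match, which is an assumption of this example.
    hostname = (hostname or "").lower()
    domain = spec if spec.startswith(".") else "." + spec
    return hostname == spec or hostname.endswith(domain)

def host_allowed(hosts_allow, client_ip, client_hostname=None):
    """Evaluate a hosts allow value for one client. Entries before EXCEPT
    allow, entries after it deny; an empty value allows every host."""
    tokens = hosts_allow.replace(",", " ").split()
    if not tokens:
        return True
    cut = tokens.index("EXCEPT") if "EXCEPT" in tokens else len(tokens)
    allow = [_parse_entry(e) for e in tokens[:cut]]
    deny = [_parse_entry(e) for e in tokens[cut + 1:]]
    ip = ipaddress.ip_address(client_ip)
    if any(_matches(k, s, ip, client_hostname) for k, s in deny):
        return False
    return any(_matches(k, s, ip, client_hostname) for k, s in allow)
```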

[Bkjia.com exclusive article. When reprinting, please credit the original author and source.]
