I. Samba, NFS and FTP
Before looking at the Samba service, you need to know about the CIFS protocol (Common Internet File System), which originated at Microsoft. CIFS was first used to implement file sharing and print sharing between Windows hosts and was not supported on Linux. Samba is a software implementation of the CIFS protocol that Andrew Tridgell produced through reverse engineering. The package enables file sharing between Windows and Linux. NFS went the opposite way: it was initially supported only on Unix-like systems, and Windows adopted it later. So you cannot simply say which OS is good and which is bad; a lot is borrowed in both directions.
One of the benefits of Samba, like NFS, is that you can map a remote disk or mount point to the local computer and edit files as if they were local. With FTP, a file has to be downloaded, modified locally and then uploaded again.
II. Samba related packages and programs
1. Samba packages
At present the default repository provides Samba 4.x. The main related packages are:
# yum list | grep samba
samba.x86_64                   4.1.12-21.el7_1   @base
samba-common.x86_64            4.1.12-21.el7_1   @base
samba-libs.x86_64              4.1.12-21.el7_1   @base
samba-client.x86_64            4.1.12-21.el7_1   base
samba-python.x86_64            4.1.12-21.el7_1   base
samba-winbind.x86_64           4.1.12-21.el7_1   base
samba-winbind-modules.x86_64   4.1.12-21.el7_1   base
Configuring the Samba service mainly involves three packages, samba, samba-common and samba-client, plus the cifs-utils package. Their functions are as follows:
samba: mainly provides the programs required for the SMB service, such as smbd and nmbd, and Samba-related programs such as eventlogadm;
samba-client: mainly provides the programs used on the Samba client side, such as smbpasswd, smbtree, etc.;
cifs-utils: required for CIFS protocol support when mounting; without this package there is no mount.cifs command, and mounting with mount also fails with an error;
samba-common: provides the main Samba configuration file smb.conf, the lmhosts file, the pdbedit user management command, the testparm syntax check command, and so on.
2. Samba related files and programs
/etc/samba/smb.conf: the main configuration file of the Samba service;
/etc/samba/lmhosts: mapping between NetBIOS names and IP addresses, similar in role to /etc/hosts; it generally does not need to be configured;
/etc/sysconfig/samba: custom parameter configuration file for the smbd and nmbd services;
/etc/samba/smbusers: when Windows and Linux user names differ, the mapping between them can be defined here. In new versions the file does not exist by default; the username map parameter replaces it and can point to a specific mapping file;
/var/lib/samba/private/{passdb.tdb,secrets.tdb}: Samba user and password database files;
/usr/bin/{tdbdump,tdbtool}: since Samba 3.0 the TDB (Trivial Database) library is used by default. These tools view and manipulate TDB files, but the output looks much like hexadecimal data, so they are rarely used. They require the tdb-tools package;
/usr/bin/{smbpasswd,pdbedit}: the smbpasswd command creates Samba users and changes their passwords, like the passwd command. Since Samba 3.0 the PDB library is used, and pdbedit is the command for managing Samba user information in new versions;
/usr/bin/testparm: tests the correctness of the smb.conf syntax;
/usr/bin/smbclient: manages the resources shared by Samba interactively, somewhat like the ftp command;
/usr/bin/nmblookup: NetBIOS query tool, similar in function to nslookup;
/usr/bin/smbtree: shows the workgroups and host names on your network, somewhat like Network Neighborhood in Windows.
Usage examples:
1, tdbdump
# tdbdump passdb.tdb
{key(13) = "rid_000003e8\00" data(6) = "usera\00"}
{key(11) = "user_usera\00" data(182) = "\00\00\00\00\7f\a9t|\7f\ a9t|\00\00\00\00bd\f5u\00\00\00\00\7f\a9t|\06\00\00\00usera\00\04\00\00\00www\00\01\00\00\00\00\01\00\00\00\00 \00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\ E8\03\00\00\01\02\00\00\00\00\00\00\10\00\00\00\e5\81\0f<\99\ae*\bb\222\ed\84x\a6\13\09\00\00\00\00\10\00\ 00\00\a8\00\15\00\00\00 \00\00\00\ff\ff\ff\ff\ff\ff\ff\ff\ff\ff\ff\ff\ff\ff\ff\ff\ff\ff\ff\ff\ff\00\00\00 \00\00\00\00\00\00\00\00\00\00\00\00\ec\04\00\00 "}
{key(19) = "info/minor_version\00" data(4) = "\00\00\00\00"}
{key(9) = "next_rid\00" data(4) = "\e9\03\00\00"}
{key(13) = "INFO/version\00" data(4) = "\04\00\00\00"}
2, tdbtool
# tdbtool passdb.tdb
tdb> list
hash=23
 rec: hash=23 offset=0x00001e38 next=0x00000000 rec_len=28 key_len=13 data_len=6 full_hash=0xc6948dbc magic=0x26011999
hash=33
 rec: hash=33 offset=0x00001e6c next=0x00000000 rec_len=228 key_len=11 data_len=182 full_hash=0x41061b85 magic=0x26011999
hash=52
 rec: hash=52 offset=0x00001f68 next=0x00000000 rec_len=32 key_len=19 data_len=4 full_hash=0x538a9285 magic=0x26011999
hash=65
 rec: hash=65 offset=0x00001fd4 next=0x00000000 rec_len=20 key_len=9 data_len=4 full_hash=0x70a13a4c magic=0x26011999
hash=103
 rec: hash=103 offset=0x00001fa0 next=0x00000000 rec_len=28 key_len=13 data_len=4 full_hash=0xf2394cd5 magic=0x26011999
freelist:
3, smbpasswd and pdbedit
Before you create a Samba user, the user must already exist as a local system user:
# useradd -g users smb1
# useradd -g users smb2
# echo 361way.com | passwd --stdin smb1
# echo 361way.com | passwd --stdin smb2
Creating a user with smbpasswd:
Common smbpasswd options:
-a: create a new user; without this option, giving a user name changes that user's password;
-c: specifies the location where the password file is generated;
-x: delete a user;
-d: temporarily disable a user;
-e: enable a user;
-D: specifies the debug level;
-n: sets a user's password to null; for the user to log in with a blank password, null passwords = yes must be set in the [global] section of smb.conf;
# smbpasswd -a smb1
New SMB password:
Retype new SMB password:
Added user smb1.
Creating a user with the pdbedit command:
Common pdbedit options:
-L: lists Samba users and their information;
-v: must be used together with -L to list more information;
-w: must be used together with -L; displays the information in the old smbpasswd format;
-a: add a Samba user;
-r: modify a user's information; it takes many specific parameters, see man pdbedit;
-x: delete a user; you can use -L to find the user before deleting it;
# pdbedit -a -u smb2
new password:
retype new password:
Unix username:        smb2
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1462619673-710706269-1943266961-1002
Primary Group SID:    S-1-5-21-1462619673-710706269-1943266961-513
Full Name:
Home Directory:       \\www\smb2
HomeDir Drive:
Logon Script:
Profile Path:         \\www\smb2\profile
Domain:               www
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 23:06:39 CST
Kickoff time:         Wed, 06 Feb 2036 23:06:39 CST
Password last set:    Sun, 13 Sep 2015 21:09:45 CST
Password can change:  Sun, 13 Sep 2015 21:09:45 CST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
pdbedit is the newer command, but it cannot modify a user's password, so it still cannot completely replace smbpasswd.
4, testparm
testparm is a syntax check command, used as follows:
# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[public]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        workgroup = MYGROUP
        server string = Samba Server Version %v
        map to guest = Bad User
        log file = /var/log/samba/log.%m
        max log size = 50
        load printers = No
        idmap config * : backend = tdb
        cups options = raw

[homes]
        ...... (rest omitted)
5, smbclient
smbclient has two functions: a query function, and an FTP-like interactive management function, as follows:
Querying the current share information with smbclient:
# smbclient -L 192.168.0.109
Enter root's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]

        Sharename       Type      Comment
        ---------       ----      -------
        public          Disk      Public dir
        IPC$            IPC       IPC Service (Samba Server Version 4.1.12)
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]

        Server               Comment
        ---------            -------
FTP-like interactive management:
# smbclient '//192.168.0.109/public' -U smb1
Enter smb1's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.12]
smb: \> dir
# Here you can use common FTP commands such as dir, get and put to transfer files
?: list all the commands you can use; used often!
cd: change directory
del: delete a file
lcd: change the local directory
ls: view file information in the Samba share directory
dir: same as ls
get: download a file
mget: download multiple files
mput: upload multiple files
put: upload a single file
rm: delete a file
exit: exit
# More built-in commands can be listed inside the client, or see man smbclient.
6, smbtree
# smbtree
Enter root's password:
WORKGROUP
        \\YNNYCSK9X26EZUE               // my Win7 host shows up here, too
MYGROUP
        \\WWW                           Samba Server Version 4.1.12
7, Client mount
Common parameters for mount.cifs or mount -t cifs (they follow -o):
username= login user name, such as username=smb1;
password= login password corresponding to the above username;
iocharset= the default encoding of the local machine, such as utf8 or gb2312;
codepage= the encoding of the remote host that provides the Samba service, for example cp950 for Traditional Chinese Windows and cp936 for Simplified Chinese.
Mounting on a Linux client:
# mount -t cifs //192.168.1.109/smb1 /mnt/samba \
  -o username=smb1,password=361way.com,codepage=cp936
Mounting on a Windows client (you can also enter \\IP in Start > Run):
net use Q: \\192.168.0.109\public
net use H: \\192.168.0.109\shareFile "password" /user:"username"
Note: the slash direction differs between mounting on Linux and on Windows.
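The Linux mount command above passes password= on the command line, where it ends up in shell history and is visible in the process list while mount runs; an /etc/fstab entry written the same way is readable by every local user. The following is an added example, not part of the original article: it writes a credentials file for the mount.cifs credentials= option and lists cifs entries in an fstab-style file that still embed a password. The function names and the path /root/.smbcred are assumptions.

```sh
#!/bin/sh
# Added example: keep the CIFS password off the command line and out of fstab.

# write_cifs_credentials FILE USER PASSWORD
# Writes FILE in the username=/password= format that the mount.cifs
# credentials= option reads, readable by its owner only.
write_cifs_credentials() {
    cred_file=$1
    # Do not write through a symlink that someone placed at the target path.
    if [ -L "$cred_file" ]; then
        echo "refusing to write through symlink: $cred_file" >&2
        return 1
    fi
    (
        umask 077   # a new file is created as rw------- from the start
        printf 'username=%s\npassword=%s\n' "$2" "$3" > "$cred_file"
    ) && chmod 600 "$cred_file"   # also tightens a file that already existed
}

# find_inline_cifs_passwords FSTAB
# Prints the mount point of each cifs entry whose options embed a password
# (password= or its short form pass=).
find_inline_cifs_passwords() {
    awk '$1 !~ /^#/ && $3 == "cifs" && ("," $4) ~ /,pass(word)?=/ { print $2 }' "$1"
}

# Typical use as root (/root/.smbcred is an assumed path):
#   write_cifs_credentials /root/.smbcred smb1 "$SMB_PASSWORD"
#   mount -t cifs //192.168.1.109/smb1 /mnt/samba -o credentials=/root/.smbcred,iocharset=utf8
#   find_inline_cifs_passwords /etc/fstab
```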
8, smbstatus
Shows the client hosts currently connected to the server:
# smbstatus
Samba version 4.1.12
PID     Username      Group         Machine
-------------------------------------------------------------------
2894    nobody        nobody        192.168.0.104 (ipv4:192.168.0.104:50709)

Service      pid     machine        Connected at
-------------------------------------------------------
public       2894    192.168.0.104  Sun Sep 21:40:04 2015

No locked files
III. Samba service configuration
/etc/samba/smb.conf configuration file:
[global]
# workgroup
workgroup = MYGROUP
# NetBIOS name
netbios name = 361way
# server description string; can be anything
server string = Samba Server Version %v
# character set used on the Linux side
unix charset = utf8
# character set used for local display
display charset = utf8
# character set used on the Windows side
dos charset = cp936
# log file location
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50
security = user
# storage format for user names and passwords
passdb backend = tdbsam
# or, with the location of the password file given explicitly
passdb backend = tdbsam:/etc/samba/private/passdb.tdb
# or, LDAP authentication; the second URL is an alternate node
passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
# turn on anonymous access
map to guest = bad user
# interfaces and IP addresses to listen on; the default is to listen on all
interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
# network segments allowed to connect; the default is to allow all
hosts allow = 192.168.12. 192.168.13. EXCEPT 192.168.12.100
# cluster setup
cluster addresses = 10.0.0.1 10.0.0.2 10.0.0.3
# user name mapping file
username map = /usr/local/samba/lib/users.map
# local drive letter mapped on Windows at automatic mount
logon drive = K:
# script executed automatically after a client logs on
logon script = startup.bat
# let Windows hosts synchronize their time with the Samba server
time server = yes
# default admin user
admin users = root
# location of the user's personalized settings (profile)
logon path = \\%N\%U\profile
# location of the user's home directory
logon home = \\%N\%U
# disk quota related
set quota command = /usr/local/sbin/set_quota
# enable printer sharing
load printers = yes
cups options = raw
# obtain a list of printers automatically on UNIX System V systems:

Common options for an individual share:
[share name]
comment = descriptive text
path = path of the directory to share
browseable = whether users are allowed to browse the share, yes or no
writable = whether write permission is granted, yes or no
create mode and directory mode: default permission settings, for example force create mode = 0755; the default is 000
write list = user, @group (besides @, the + and & prefixes can also be used)
I have commented most of the options above; a few typical ones are worth going through in more detail.
security = user: in old versions the possible values included share, user and domain. share opened anonymous access, and new versions dropped it for security reasons. The default is user; to allow anonymous access, add the map to guest line after it. In new versions security can be set to auto, user, domain or ads (Windows AD domain);
logon script = startup.bat: a script that runs automatically; when a Windows client logs on, it can map the shared directories to local drives, for example with script content such as:
net time \\192.168.0.109 /set /yes
net use K:/samba
or
net use Q: \\192.168.0.109\public
Note that the script needs to be edited on Windows; if you edit it on Linux, convert it with the unix2dos command.
For more configuration options, see man smb.conf.
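With map to guest = bad user, a login under a user name that does not exist is treated as a guest session, so any share that allows guests is open to clients without an account. The following is an added example, not part of the original article: it reads an smb.conf and reports the access-widening settings discussed in this section (map to guest, null passwords = yes, security = share, a [global] without hosts allow) together with guest-enabled shares and whether they are writable. The function name audit_smb_conf and the report wording are assumptions.

```sh
#!/bin/sh
# Added example: report smb.conf settings that widen access.
# Usage: audit_smb_conf FILE   (one finding per line, no output if nothing is found)
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function enabled(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
    { line = trim($0) }
    line == "" || line ~ /^[#;]/ { next }          # blank lines and comments
    line ~ /^\[.*\]$/ {                             # section header, case-insensitive
        sec = tolower(substr(line, 2, length(line) - 2)); next
    }
    {
        eq = index(line, "=")
        if (eq == 0) next
        key = tolower(substr(line, 1, eq - 1))
        gsub(/[ \t]+/, "", key)                     # whitespace in parameter names is ignored
        val = trim(substr(line, eq + 1))
        if (sec == "global") {
            if (key == "maptoguest" && tolower(val) != "never") guestmap = val
            if (key == "nullpasswords" && enabled(val))
                print "global: null passwords = yes allows empty passwords"
            if (key == "security" && tolower(val) == "share")
                print "global: security = share was dropped in new versions"
            if (key == "hostsallow" || key == "allowhosts") restricted = 1
        } else {
            if ((key == "guestok" || key == "public") && enabled(val)) guest[sec] = 1
            if ((key == "writable" || key == "writeable" || key == "writeok") && enabled(val)) rw[sec] = 1
            if (key == "readonly" && !enabled(val)) rw[sec] = 1
        }
    }
    END {
        if (guestmap != "") print "global: map to guest = " guestmap
        for (s in guest)
            print "share [" s "]: guest ok" ((s in rw) ? " and writable" : "")
        if (!restricted) print "global: no hosts allow restriction"
    }' "$1"
}

# Run against a file named on the command line, e.g. /etc/samba/smb.conf.
if [ -n "${1:-}" ]; then audit_smb_conf "$1"; fi
```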
IV. Firewall and SELinux
Ports that need to be opened on the firewall are UDP 137 and 138, used by the nmbd service, and TCP 139 and 445, used by the smbd service:
# netstat -ntlup | grep mb
tcp    0   0 0.0.0.0:139         0.0.0.0:*    LISTEN   2483/smbd
tcp    0   0 0.0.0.0:445         0.0.0.0:*    LISTEN   2483/smbd
tcp6   0   0 :::139              :::*         LISTEN   2483/smbd
tcp6   0   0 :::445              :::*         LISTEN   2483/smbd
udp    0   0 192.168.0.255:137   0.0.0.0:*             2489/nmbd
udp    0   0 192.168.0.109:137   0.0.0.0:*             2489/nmbd
udp    0   0 0.0.0.0:137         0.0.0.0:*             2489/nmbd
udp    0   0 192.168.0.255:138   0.0.0.0:*             2489/nmbd
udp    0   0 192.168.0.109:138   0.0.0.0:*             2489/nmbd
udp    0   0 0.0.0.0:138         0.0.0.0:*             2489/nmbd
Use the following commands to open them:
# firewall-cmd --permanent --add-port=137-138/udp
# firewall-cmd --permanent --add-port=139/tcp
# firewall-cmd --permanent --add-port=445/tcp
# firewall-cmd --reload
SELinux-related settings are described in the comments section of /etc/samba/smb.conf, as follows:
Change the security context of a shared directory to the samba_share_t type:
# chcon -t samba_share_t /test
To share system directories read-only or read-write, enable:
# setsebool -P samba_export_all_ro on
# setsebool -P samba_export_all_rw on
Home directory sharing needs:
# setsebool -P samba_enable_home_dirs on
Domain controller (generally not used):
# setsebool -P samba_domain_controller on