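smbd, nmbd: smbd provides the file and print sharing server; nmbd provides the NetBIOS name service and browsing support, helps clients locate servers, and handles all UDP-based protocols
tdbdump, tdbtool: Samba uses tdb databases; the tdb tools can be used to view the database contents
smbstatus: shows the status of Samba
smbpasswd, pdbedit: server-side tools for managing Samba user accounts and passwords. Early versions used the smbpasswd command; since the tdb database came into use, pdbedit is the recommended command for managing user data
mount.cifs: mounts a shared directory
smbclient: the Samba client
nmblookup: looks up a NetBIOS name
smbtree: unknown; possibly used to look up the network neighborhood
testparm: verifies that the contents of smb.conf are valid
The Samba server has 5 working modes, namely:
The working mode is set through the security option: security = share
The required global configuration items are: workgroup, netbios name, server string, log file, max log size, security, passdb backend, load printers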
    workgroup = rhel_6.3
    server string = samba server version %v
    netbios name = rhel
    # logs split per machine
    log file = /var/log/samba/log.%m
    # max 500kb per log file, then rotate
    max log size = 500
    security = user
    passdb backend = tdbsam
    load printers = no
The global parameter security needs to be set to share (not yet clear; setting guest ok in user mode also seems to work, this needs to be verified)
Minimal configuration:
[test]
    comment = test
    path = /tmp
    read only = no
    guest ok = yes
    create mask = 644
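Where:
read only defaults to yes, meaning reads are allowed but writes are not, so it has to be changed
guest ok defaults to no, meaning anonymous access is not allowed
create mask defaults to 744, which makes every file created by a client executable, so it has to be changed
Notes:
writable and writeable are synonyms
writeable and read only are inverted synonyms
writeable defaults to no
read only defaults to yes
A complete configuration also sets available and browseable, but both default to yes
The global parameter security needs to be set to user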
[win]
    comment = win
    path = /home/win
    read only = yes
    create mask = 644
    valid users = win
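This approach first requires adding an account with root privileges, then running smbpasswd -a xxx to add a Samba password for that user to the Samba database
Running smbpasswd -a xxx prompts directly for the Samba password of this account
The user information is stored in the tdb database
Changing a password: as root, run smbpasswd user_name to change the Samba password of user_name
Use testparm to verify that the contents of smb.conf are valid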
[rhel@localhost ~]$ testparm
load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum windows limit (16384)
processing section "[test]"
loaded services file ok.
server role: role_standalone
press enter to see a dump of your service definitions

[global]
    workgroup = test
    netbios name = testnet
    server string = samba server version %v
    security = share
    log file = /var/log/samba/log.%m
    max log size = 50
    load printers = no

[test]
    comment = test
    path = /tmp
    read only = no
    guest ok = yes
smbclient -L //127.0.0.1
When the Samba server is running in share mode, append the -N option to the command above so that no password is requested
[rhel@localhost ~]$ smbclient -L //127.0.0.1 -N
domain=[test] os=[unix] server=[samba 3.5.10-125.el6]

    sharename       type      comment
    ---------       ----      -------
    test            disk      test
    ipc$            ipc       ipc service (samba server version 3.5.10-125.el6)
domain=[test] os=[unix] server=[samba 3.5.10-125.el6]

    server               comment
    ---------            -------
    testnet              samba server version 3.5.10-125.el6

    workgroup            master
    ---------            -------
    test                 testnet
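pdbedit -L
Turn off the firewall: /etc/init.d/iptables stop
Set SELinux to permissive mode: setenforce 0
Get the SELinux status: getenforce
There are 4 troubleshooting methods in total,
Common problem scenarios:
1. Windows reports that the network path cannot be found, with error code 0x80070035. This means the Samba server is not listening on ports 139 and 445 (this can be seen with nmap)
2. Entering the network path directly in Windows File Explorer gives "Cannot find xxxx, check the spelling and try again", with no error code.
Mapping a network drive makes Windows give the detailed message: the SMB1 protocol is insecure, and a secure protocol of SMB2 or later is required.
This usually happens on Windows 10. There are two solutions: upgrade the Samba server, or add SMB1 support to Windows 10 (it can be enabled under Programs and Features)
3. Windows reports no permission when accessing the share
In general this is related to SELinux
There are also two solutions: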
Original text:
#---------------
# selinux notes:
#
# if you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# if you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# if you create a new directory you want to share you should mark it as
# "samba_share_t" so that selinux will let you write into it.
# make sure not to do that on system directories as they may already have
# been marked with othe selinux labels.
#
# use ls -ldZ /path to see which context a directory has
#
# set labels only on directories you created!
# to set a label use the following: chcon -t samba_share_t /path
#
# if you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# if you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# make sure you copy them and not move them so that the right selinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
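Version 3.5.10 uses the SMB1 protocol, which has been shown to have vulnerabilities and is not recommended.
Add the following to /etc/samba/smb.conf and it works normally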
[global]
    unix extensions = no

[share]
    follow symlinks = yes
    wide links = yes
Where:
The explanation in man 5 smb.conf is as follows
unix extensions (G)
    This boolean parameter controls whether Samba implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients.
    Note if this parameter is turned on, the wide links parameter will automatically be disabled.
    Default: unix extensions = yes

follow symlinks (S)
    This parameter allows the Samba administrator to stop smbd(8) from following symbolic links in a particular share. Setting this parameter to no prevents any file or directory that is a symbolic link from being followed (the user will get an error). This option is very useful to stop users from adding a symbolic link to /etc/passwd in their home directory for instance. However it will slow filename lookups down slightly.
    This option is enabled (i.e. smbd will follow symbolic links) by default.
    Default: follow symlinks = yes

wide links (S)
    This parameter controls whether or not links in the UNIX file system may be followed by the server. Links that point to areas within the directory tree exported by the server are always allowed; this parameter controls access only to areas that are outside the directory tree being exported.
    Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX clients to create symbolic links on the share that can point to files or directories outside restricted path exported by the share definition. This can cause access to areas outside of the share. Due to this problem, this parameter will be automatically disabled (with a message in the log file) if the unix extensions option is on.
    Default: wide links = no
For example, follow symlinks defaults to yes, so when smb.conf sets it to yes, testparm does not display the parameter; if it is set to no, testparm does display it
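Because testparm hides parameters left at their defaults, a review has to apply those defaults itself. The following is an added example, not part of the original page or of Samba: a small audit of smb.conf text for the settings discussed here (security = share, guest ok on a writable share, and wide links with unix extensions = no). The names parse_smb_conf, is_writable, audit and SAMPLE are hypothetical, and treating [global] values as share defaults is a simplification.

```python
import configparser

TRUE = {"yes", "true", "1"}  # boolean spellings smb.conf accepts for "on"

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lowercased, inner spaces removed."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      comment_prefixes=("#", ";"))
    # Strip indentation so configparser does not read it as a continuation line.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {s.lower(): {k.replace(" ", ""): v.strip().lower() for k, v in cp.items(s)}
            for s in cp.sections()}

def is_writable(p):
    """read only defaults to yes; writable/writeable are its inverted synonyms."""
    for name in ("writable", "writeable"):
        if name in p:
            return p[name] in TRUE
    return p.get("readonly", "yes") not in TRUE

def audit(text):
    """Return (section, finding) pairs for the risky settings this page touches."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if g.get("security") == "share":
        findings.append(("global", "security = share: no per-user login"))
    unix_ext = g.get("unixextensions", "yes") in TRUE
    for name, share in conf.items():
        if name == "global":
            continue
        p = {**g, **share}  # simplification: [global] values act as share defaults
        if p.get("guestok", "no") in TRUE and is_writable(p):
            findings.append((name, "guest ok + writable: anonymous write access"))
        # smbd disables wide links while unix extensions is on (see man text above)
        if (p.get("widelinks", "no") in TRUE and not unix_ext
                and p.get("followsymlinks", "yes") in TRUE):
            findings.append((name, "wide links active: symlinks can leave the share path"))
    return findings

# Constructed sample combining the [test], [win] and [share] snippets from this page.
SAMPLE = ("[global]\nsecurity = share\nunix extensions = no\n"
          "[test]\nread only = no\nguest ok = yes\n"
          "[win]\nread only = yes\nvalid users = win\n"
          "[share]\nfollow symlinks = yes\nwide links = yes\n")

if __name__ == "__main__":
    for section, msg in audit(SAMPLE):
        print(f"[{section}] {msg}")
```

The [win] share produces no finding because it keeps read only = yes and restricts access with valid users.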