samba 就像 samba舞一样迷人
安装 :yum -y install samba* 这样会附带安装samba客户端
其中服务端是实现共享linux里边的资源 包括打印机 .客户端是实现在linux里边访问其他机器共享的资源 如windows共享的!
samba service 配置
1、配置 文件路径:/etc/samba/smb.conf
文件开头是samba的简介,其中以#号开头的行是注释,为用户提供配置解释,不用理会
其中还有以;开头的行,这是samba的格式范例,去掉;号之后生效
注意:smb.conf 只把行首的 # 或 ; 识别为注释,写在参数值后面的 # 文字会被当作值的一部分
在smb.conf文件中有以下几段:
1)、全局配置
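#======================= Global Settings ====================
[global]
# smb.conf treats # and ; as comment markers only at the start of a line;
# text after a value becomes part of that value, so notes sit on their own lines.
# Workgroup (or domain) name the server announces itself in.
workgroup = WORKGROUP
# Server description shown to clients. %v expands to the Samba version, which
# also tells anyone browsing the network which release is running.
server string = Samba Server Version %v
# NetBIOS name of this server.
; netbios name = MYSERVER
# Interfaces / networks smbd uses. On its own this does not stop smbd from
# answering on other interfaces; pair it with "bind interfaces only = yes".
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
# Client networks allowed to connect (a trailing dot means "this prefix").
; hosts allow = 127. 192.168.12. 192.168.13.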
2)、服务日志配置
# --------------------------- Logging Options -----------------------------
#
# Log File lets you specify where to put logs and how to split them up.
#
# Max Log Size lets you specify the max size log files should reach
# logs split per machine: %m expands to the connecting client's machine name,
# so each client gets its own file under /var/log/samba/
log file = /var/log/samba/%m.log
# max 50KB per log file, then rotate (the value is in kilobytes)
max log size = 50
3)、独立的电脑 和域成员配置
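# ----------------------- Standalone Server Options ------------------------
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Server security mode. The note is on its own line because smb.conf treats
# # or ; as a comment only at the start of a line; left after the value it
# would be read as part of the value.
# "share" lets clients browse and use resources without a user name or
# password. It is marked deprecated above and was removed in Samba 4; there
# the same effect needs security = user with "map to guest = Bad User" in
# [global] and "guest ok = yes" on each public share.
security = share
passdb backend = tdbsam
# The five security modes described by this guide:
# share  - no user name or password is needed to browse the server's
#          resources; suited only to public data, weakest security.
# user   - the client must present a valid user name and password, which the
#          server verifies before granting access. This is the default and
#          the most commonly used mode.
# server - the client's user name and password are passed to a designated
#          Samba server for verification; if that fails, the server falls
#          back to user-level verification.
# domain - the server has joined a Windows domain and the domain controller
#          performs authentication. The Samba host is only a member client of
#          the domain, not a server for it; the earliest Samba versions used
#          this mode to log in to a Windows domain.
# ads    - the server joins a Windows domain using ADS and has everything
#          domain mode offers.
#          NOTE(review): the original note adds that ads mode can also act as
#          a domain controller; "Security must be set to domain or ads" is
#          listed under Domain Members Options, so confirm before relying on it.
#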
# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
; security = domain
; passdb backend = tdbsam
; realm = MY_REALM
; password server = <NT-Server-Name>
4)、作为域控制器的配置
# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Script lets you specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#
# Sample domain-controller settings; every line is disabled until its leading
# ";" is removed.
; security = user
; passdb backend = tdbsam
; domain master = yes
; domain logons = yes
# the login script name depends on the machine name
; logon script = %m.bat
# the login script name depends on the unix user used
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# disables profiles support by specifying an empty path
; logon path =
# The scripts below are run by smbd with root privileges, with %u / %g filled
# in from the request. Keep the substitutions quoted as shown and enable only
# the scripts that are actually needed.
; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
# NOTE(review): userdel removes an account and takes one login name; this
# sample does not look like it removes %u from group %g - verify before enabling.
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"
5)、作为打印服务器的配置
# --------------------------- Printing Options -----------------------------
#
# Load Printers lets you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options lets you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name lets you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option
# With load printers = yes every printer found in the printcap source is
# offered automatically, so review that list before enabling the service.
load printers = yes
cups options = raw
printcap name = /etc/printcap
# obtain list of printers automatically on SystemV
; printcap name = lpstat
printing = cups
6)、共享文件路径配置
结构
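# Template for a share definition; replace each value with a real one.
# Notes sit on their own lines because smb.conf treats # or ; as a comment
# only at the start of a line.
[共享名]
# Free-text description of the share.
comment = 注释信息
# Directory to export.
path = 共享路径
# Anonymous (guest) access: yes or no.
public = yes/no
# Users or @groups allowed to connect.
valid users = 用户名 or @组名
# Read-only control for the directory: yes or no.
readonly = yes/no
# Read-write control for the directory: yes or no (inverse of the read-only setting).
writable = yes/no
# Users or @groups that may write.
writelist =用户名 or @组名
# Whether the share shows up when browsing: yes or no.
browsable = yes/no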
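#============================ Share Definitions ==================
# Notes are kept on their own lines: smb.conf treats # or ; as a comment only
# at the start of a line.
# Special share: the connecting user's home directory.
[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S
# Shared printers.
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
# Shared source-code directory.
# public = yes together with writeable = yes lets unauthenticated guests
# change files under /usr/local/src; add valid users / write list or
# hosts allow unless anonymous write access is really intended.
[src]
comment = local src code
path = /usr/local/src
public = yes
writeable = yes
# The web server's www directory, exported read-only to guests.
# Everything under /var/www becomes readable without a password, including
# any application config files stored there.
[webroot]
comment = webroot
path = /var/www
public = yes
readonly = yes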
如何建立samba账号认证:
samba将用户名和密码存放到了/etc/samba/smbpasswd中(使用上文的 passdb backend = tdbsam 时,账号保存在 tdbsam 数据库里,而不是这个文本文件),在客户端提交用户名和密码资料后,samba会将其与该文件中的
信息做比较,如果相同并且samba服务器其他安全设置允许,客户端与samba服务器连接才能成功。
建立samba账号:
samba账号不能直接建立,必须在系统中存在同名的系统账号,如建立一个user1的账号 那么在系统中必须提前有一个user1的系统账号
建立方式如下:
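# Create the matching system account with a no-login shell, since the account
# only needs to exist for Samba. -s takes the shell path as a separate
# argument (no colon); on yum-based systems that shell is /sbin/nologin.
useradd -s /sbin/nologin user1
# Set the system account's password (interactive prompt).
passwd user1
# Add the Samba account; prompts for the Samba password.
smbpasswd -a user1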
案例实战:
一、share级别共享建立
配置如下:
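[global]
# Notes are on their own lines: smb.conf treats # or ; as a comment only at
# the start of a line, so a note after a value would become part of the value.
# Workgroup / domain name.
workgroup = WORKGROUP
# Server description.
server string = Samba Server Version %v
log file = /var/log/samba/%m.log
max log size = 50
# Share-level security: no user name or password is required. This mode is
# deprecated and was removed in Samba 4, where the same effect needs
# security = user with "map to guest = Bad User" and guest ok = yes per share.
security = share
passdb backend = tdbsam
#============================ Share Definitions =================
# Shared source-code directory. Guests may write here, so anyone who can
# reach the server can change files under /usr/local/src; add hosts allow or
# a write list if that is not intended.
[src]
comment = local src code
path = /usr/local/src
public = yes
writeable = yes
# The web server's www directory, exported read-only to guests.
[webroot]
comment = webroot
path = /var/www
public = yes
readonly = yes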
二、user级别的共享建立
配置如下:
1)、建立系统用户和系统用户组
# Create the system group that the share will be restricted to.
groupadd web
# Create two system accounts with web as their primary group.
useradd -g web user1
useradd -g web user2
# Set each account's system password (interactive prompt).
passwd user1
passwd user2
2)、建立samba账号
# Add a Samba account for each existing system account; each call prompts for
# the Samba password.
smbpasswd -a user1
smbpasswd -a user2
3)、修改smb.conf
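[global]
# Notes are on their own lines: smb.conf treats # or ; as a comment only at
# the start of a line, so a note after a value would become part of the value.
# Workgroup / domain name.
workgroup = WORKGROUP
# Server description.
server string = Samba Server Version %v
log file = /var/log/samba/%m.log
max log size = 50
# User-level security: clients must present a valid user name and password.
security = user
#============================ Share Definitions ==================
# The share is named "web".
[web]
comment = webroot
# Directory being shared.
path = /var/www
# Only members of the system group web may connect.
valid users = @web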
三、高级配置
1)、用户账号映射
在主配置文件smb.conf中添加全局设定 username map = /etc/samba/smbusers
在/etc/samba/smbusers中添加账号映射 /等号前面是系统账号 后面是映射的虚拟账号
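# /etc/samba/smbusers: the system account is on the left of "=", the
# client-supplied names mapped onto it are on the right.
# Any client name mapped to root is handled as the root account, so keep this
# line only if that is intended and those names have strong passwords.
root = Administrator admin
nobody = guest smbguest
user1 = hangjialin
user2 = james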
2)、客户端访问控制
禁止IP和网段 或者某个域的用户访问
# These lines read as separate alternative examples, not one configuration.
# Deny whole networks but let one host through; when the two lists conflict,
# hosts allow takes precedence.
# NOTE(review): network prefixes elsewhere on this page end with a dot
# (e.g. 192.168.12.); 172.16 and 192.168.1 here have none - confirm they match
# the intended subnets.
hosts deny = 10. 172.16 192.168.1
hosts allow = 10.0.0.2
# Deny by DNS domain suffix and by host name.
hosts deny = .sale.com .net free
# Deny everyone, then allow a single entry.
# NOTE(review): hosts allow matches client hosts, not accounts; presumably
# user1 is a host name here - verify.
hosts deny = All
hosts allow = user1
# Deny everyone, then allow the 192.168.1 network except 192.168.1.100.
hosts deny = All
hosts allow = 192.168.1 EXCEPT 192.168.1.100
hosts deny 和hosts allow的作用范围
把这两个字段放在不同位置上作用范围是不一样的
放到[global] 小节里边对所有共享点都有效
放到某个共享点下只对该共享点有效,对单一目录生效
3)、设置权限
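# Three alternatives; notes are on their own lines because smb.conf treats #
# as a comment only at the start of a line.
# All accounts may write.
writeable = yes
# No account may write.
writeable = no
# Only the listed accounts may write.
write list = user1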
4)、设置隐藏共享
隐藏共享就是让某个目录不出现在浏览的时候,这是出于安全考虑,只有管理员和一些重要人员知道有这样一个共享
其他人无从知道。但隐藏并不等于访问控制:知道共享名的用户仍然可以直接连接,真正的限制要靠 valid users、hosts allow 等设置。
browseable = no 表示隐藏该目录
四、隐藏目录实列:一个目录只有user1这个用户能浏览到,其他的人不可以浏览
1、cp smb.conf smb.conf.user1
2、[global]
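# Load a per-user configuration file; %U expands to the user name the client
# asked for. The parameter is spelled "config file" (a bare "config" is not a
# Samba parameter and would be ignored). Keep these files owned by root and
# not writable by anyone else.
config file = /etc/samba/smb.conf.%U
# Shared source-code directory.
[src]
comment = local src code
path = /usr/local/src
public = yes
writeable = yes
# Hide the share from browse lists. "brewsable" is not a parameter name, so
# with the original spelling the setting would be ignored as unknown.
# Hiding is not access control: public = yes still admits guests who know the name.
browseable = no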
3、编辑独立配置文件
vi smb.conf.user1
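# Shared source-code directory as defined for user1. The note is on its own
# line because smb.conf treats # as a comment only at the start of a line.
[src]
path = /usr/local/src
writeable = yes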
NOTICE:经过测试发现,如果给一个用户设定了单独的配置文件 那么主配置文件中的配置项对该用户失效,只使用独立配置文件中的项目
五、samba客户端使用(用于浏览其它计算机上共享的资源)
1)、smbclient -L 192.168.124.129 #查看主机192.168.124.129上边所有共享资源
2)、smbclient -L 192.168.124.129 -U user1%hjllove 用账户user1 密码hjllove 查看samba服务器的共享资源
3)、smbclient //192.168.124.129/src -U user2%test 用账户user2 密码test 查看smb服务器上共享的src文件夹
注意:以 用户名%密码 的形式写在命令行里,密码会留在 shell 历史记录中,也会出现在进程列表里;只写 -U 用户名 时 smbclient 会提示输入密码,也可以用 -A 指定认证文件。
4)、采用挂载的方式使用其它共享服务器上的资源(包括Windows上的共享资源)
mount -t cifs //192.168.124.129/webroot /media [-o username=user1]
六、samba服务器打印共享设置(打印服务器)
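# --------------------------- Printing Options -----------------------------
# Load the printer list automatically instead of defining each printer.
load printers = yes
# Pass jobs to CUPS unprocessed.
cups options = raw
printcap name = /etc/printcap
# obtain list of printers automatically on SystemV
; printcap name = lpstat
printing = cups
#============================ Share Definitions ====================
# Shared printers. The note is kept off the header line because smb.conf
# documents comments only as whole lines starting with # or ;.
[printers]
comment = All Printers
path = /var/spool/samba
# Printers are listed when clients browse the server.
browseable = yes
# Guests may not print; an authenticated account is required.
guest ok = no
writable = no
printable = yes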