Configuring Samba
Samba services
First, let’s look at the two services responsible for running Samba:
Service | Purpose |
---|---|
smbd | Samba server daemon |
nmbd | NetBIOS service daemon |
Samba configuration files
There are also a handful of config files:
Config file | Purpose |
---|---|
/etc/samba/smb.conf | The main config file |
/etc/samba/smbusers | Maps Samba and Red Hat users |
/etc/samba/smbpasswd | Contains Samba user passwords |
Samba commands
I’m sure you could have guessed by now that no service this complex comes without a group of management commands as well:
Command | Purpose |
---|---|
mount.cifs | Mounts a Samba resource without root privileges |
smbclient | Connects to a Samba resource |
smbpasswd | Configures Samba users and passwords |
smbstatus | Displays the status of Samba connections |
testparm | Tests the syntax of the main config file for issues |
umount.cifs | Unmounts a Samba resource without root privileges |
The main Samba config file
You need to edit the main config file to set up the Samba server and directories that you’d like to make into Samba shares. Here is a sample /etc/samba/smb.conf config file you can use (just read through it for now):
# cat /etc/samba/smb.conf
### Global Data Section ###
[global]
### Define our workgroup and hostname information ###
workgroup = INET
server string = My Samba Server
netbios name = RHEL01
### Define the log file and its size ###
log file = /var/log/samba/%m.log
max log size = 50
### Use a local password database (tdbsam) ###
security = user
passdb backend = tdbsam
### Define printer settings ###
load printers = yes
printcap name = /etc/printcap
cups options = raw
### Samba Share for Company Data ###
[company_data]
### Define a comment for the share ###
comment = Directory for all employees within the company
### Allow users to access the share and define its location ###
browseable = yes
path = /opt/company_data
### Make the share writable and define access for valid users ###
valid users = user01
writable = yes
### Share for Samba printers ###
[printers]
### Define a comment for the share ###
comment = All Printers
### Allow users to access the share and define its location ###
browseable = no
path = /var/spool/samba
### Set permissions and user access ###
guest ok = no
writable = no
printable = yes
Editing the config file
To set up the file, do the following:
Step 1. Make a backup of the main config file so you can review the comments in it later:
# cp /etc/samba/smb.conf /etc/samba/smb.bk
Step 2. Copy the sample file provided here into a new main config file:
# nano /etc/samba/smb.conf
Step 3. Save the file and exit. Now you need to check that the config file has no syntax errors by using the testparm command:
Syntax: testparm [options] <config file> [hostname] [host IP]
- Options:
Option | Purpose |
---|---|
-s | Suppresses the prompt |
-v | Provides verbose output (shows the default options) |
- Check the syntax of the config file:
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[company_data]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
workgroup = INET
netbios name = RHEL01
server string = My Samba Server
log file = /var/log/samba/%m.log
max log size = 50
printcap name = /etc/printcap
cups options = raw
[company_data]
comment = Directory for all employees within the company
path = /opt/company_data
valid users = user01
read only = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
There are no errors in the output shown here, but you can see the global options displayed, including the different shares that are accessible to users. Before you can start connecting clients, however, you also need to create Samba users because they are separate from system users. You can use the smbpasswd command to create a new Samba user.
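testparm confirms that the file parses; who can actually reach each share is a separate review. The following added example (not part of the original page) summarizes that for an smb.conf-style file. Its sample input is constructed from the shares above plus a hypothetical [scratch] share, and the function names are this example's own.

```shell
# Added example, not from the original page. Prints name|path|rw or ro|valid users|verdict
audit_shares() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function yes(v)  { v = tolower(v); return (v == "yes" || v == "true" || v == "on" || v == "1") }
    function report(   verdict) {
      if (share == "" || share == "global") return
      verdict = "ok"
      if (guest) verdict = "RISK:guest-access"
      else if (writable && users == "") verdict = "REVIEW:any-samba-user-can-write"
      printf "%s|%s|%s|%s|%s\n", share, path, (writable ? "rw" : "ro"), (users == "" ? "-" : users), verdict
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    /^[ \t]*\[/ {                              # new section: flush the previous share
      report()
      share = $0; sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
      path = ""; users = ""; writable = 0; guest = 0   # defaults: read only, no guest
      next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]+/, "", key)  # case/space-insensitive
      val = trim(substr($0, eq + 1))
      if (key == "path") path = val
      else if (key == "validusers") users = val
      else if (key == "writable" || key == "writeable" || key == "writeok") writable = yes(val)
      else if (key == "readonly") writable = !yes(val)
      else if (key == "guestok" || key == "public") guest = yes(val)
    }
    END { report() }
  ' "$@"
}
sample_conf() { cat <<'EOF'
[global]
workgroup = INET
[company_data]
path = /opt/company_data
valid users = user01
writable = yes
[printers]
path = /var/spool/samba
writable = no
[scratch]
path = /srv/scratch
read only = no
guest ok = yes
EOF
}
sample_conf | audit_shares   # constructed input: the page's shares plus a made-up [scratch]
```

Run it against a real file with: audit_shares /etc/samba/smb.conf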
Adding users
Syntax: smbpasswd [options] [user]
- Options:
Option | Purpose |
---|---|
-a | Adds a user |
-d | Disables a user |
-e | Enables a user |
-x | Deletes a user |
WARNING: Because you have specified the tdbsam back end, any user that you want to create for Samba must have an account locally on the Samba server.
MIGRATION TIP
For legacy purposes, you can specify smbpasswd as a back-end storage choice. If you do this, all username/password combinations are stored in the /etc/samba/smbpasswd file.
Step 1. Create your first Samba user:
# smbpasswd -a user01
New SMB password:
Retype new SMB password:
Added user user01.
Step 2. Verify that the user was created successfully by using the pdbedit command:
# pdbedit -w -L
user01:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:17601CAE62CBC5D649CF7D1951C42806:[U ]:LCT-4D498DE8:
TIP
Whenever you make changes to the Samba users, you need to restart the service before you are able to use them.
At this point, everything should be in place for your Samba server. You just need to make sure that the directories you specified to be a Samba share exist (yours does because you created /opt/company_data back in Chapter 4, “File Systems and Such”).
Step 1. If you haven’t done so already, start the Samba service:
# service smb start
Starting SMB services: [ OK ]
Step 2. Verify that the service is running:
# service smb status
smbd (pid 3145) is running...
SELinux and Firewall Configuration
Windows-related settings
If you are accustomed to Windows systems, you should already know what ports you need to open on the firewall.
1. iptables
Step 1. Use the iptables command to create your firewall rules:
# iptables -I INPUT 5 -p udp -m udp --dport 137 -j ACCEPT
# iptables -I INPUT 5 -p udp -m udp --dport 138 -j ACCEPT
# iptables -I INPUT 5 -p tcp -m tcp --dport 139 -j ACCEPT
# iptables -I INPUT 5 -p tcp -m tcp --dport 445 -j ACCEPT
Step 2. Save the rules you just created:
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Step 3. Restart the firewall service for the changes to take effect:
# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
2. SELinux
These four ports are very common to Windows administrators, as they are heavily used in Windows environments. Next, you need to deal with the SELinux protection for the Samba service. Due to the complexities of Samba and its integration with Windows, there are quite a few different Boolean values that you need to change. Table 16-1 shows the Booleans available for Samba.
Booleans | Description |
---|---|
samba_domain_controller | Allows Samba to act as the domain controller, add users and groups, and change passwords. |
samba_enable_home_dirs | Allows Samba to share users’ home directories. |
samba_export_all_ro | Allows Samba to share any file/directory as read-only. |
samba_export_all_rw | Allows Samba to share any file/directory as read/write. |
use_samba_home_dirs | Supports Samba home directories. |
samba_create_home_dirs | Allows Samba to create new home directories (via PAM, for example). |
allow_smbd_anon_write | Allows Samba to modify public files used for public file transfer services. Files/directories must be labeled public_content_rw_t . |
samba_share_fusefs | Allows Samba to export ntfs/fusefs volumes. |
samba_share_nfs | Allows Samba to export NFS volumes. |
samba_run_unconfined | Allows Samba to run unconfined scripts. |
virt_use_samba | Allows virt to manage CIFS files. |
Step 1. Query for available Boolean options:
# getsebool -a | egrep '(samba)|(smb)|(nmb)|(win)'
allow_httpd_mod_auth_ntlm_winbind --> off
allow_smbd_anon_write --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off
wine_mmap_zero_ignore --> off
Step 2. You need to change only a few settings for the shares to work properly:
# setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
Step 3. Verify that the changes have been made:
# getsebool -a | egrep '(samba)|(smb)|(nmb)|(win)'
allow_httpd_mod_auth_ntlm_winbind --> off
allow_smbd_anon_write --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> on
samba_export_all_rw --> on
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off
wine_mmap_zero_ignore --> off
Don’t forget that you can always look up the available Boolean options in the /selinux/booleans directory if you forget which options you need. Another huge benefit with Samba is that if you read the comments in the main config file, it tells you which Boolean values need to be enabled for the different services that Samba can provide. When creating directories that you’d like to make into a Samba share, you can mark them as a Samba share with the correct SELinux context:
# chcon -Rt samba_share_t /opt/company_data
Now the directory is accessible to the Samba service.
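The share directory in this walkthrough ends up covered twice: by the samba_export_all_* Booleans, which per the table above let Samba share any file or directory, and by the samba_share_t label. The following added example (not part of the original page) reads saved getsebool -a and ls -Zd output and reports whether the broad Booleans are still doing any work. The sample data is constructed, /srv/projects is a hypothetical second share, and treating samba_share_t as the only acceptable type is this example's assumption.

```shell
# Added example, not from the original page: are the broad export_all Booleans needed?
# Input is saved command output: getsebool -a, and ls -Zd <share directories>.
check_export_all() {
  awk '
    $2 == "-->" {                          # getsebool line: name --> on|off
      if ($1 ~ /^samba_export_all_r[ow]$/ && $3 == "on") broad[$1] = 1
      next
    }
    NF >= 2 {                              # ls -Zd line: [mode owner group] context path
      type = "unknown"
      for (i = 1; i < NF; i++)
        if (split($i, part, ":") >= 3) type = part[3]   # user:role:TYPE:level
      if (type != "samba_share_t") {
        unlabeled++
        print "RELABEL " $NF " (type " type ")"
      }
    }
    END {
      tag = unlabeled ? "IN-USE-UNTIL-RELABEL" : "REDUNDANT"
      for (b in broad) print tag, b
    }
  ' "$@" | LC_ALL=C sort
}
sample_bools() { cat <<'EOF'
allow_smbd_anon_write --> off
samba_export_all_ro --> on
samba_export_all_rw --> on
samba_run_unconfined --> off
EOF
}
sample_labels() { cat <<'EOF'
unconfined_u:object_r:samba_share_t:s0 /opt/company_data
unconfined_u:object_r:var_t:s0 /srv/projects
EOF
}
{ sample_bools; sample_labels; } | check_export_all   # constructed sample data
```

A REDUNDANT result means every listed share already carries samba_share_t, so the Booleans can be switched off with setsebool -P and the shares retested.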