Samba File Sharing: Lab Implementation
Lab Case: Building a Samba File Sharing Server
Lab Environment
According to the company's IT requirements, a file server needs to be set up inside the LAN to make centralized management and backup of data easier. Considering the server's efficiency, stability and security, a Samba server is built on RHEL 6 to provide the file sharing service.
Requirements
- Create three subdirectories under /var/share/, named public, training and devel, used as follows:
  - The public directory holds public data such as company rules and the employee handbook.
  - The training directory holds the company's technical training material.
  - The devel directory holds project development data.
- Share /var/share/public/ as public; all employees can access it, but with read-only permission.
- Share /var/share/training/ as peixun; allow the administrator admin and all employees of the technical department to read the data but not write to it; deny access to everyone else.
- Share /var/share/devel/ as kaifa; all employees of the technical department can read the files in this directory, but only the administrator admin and members of the kgc project team have write permission.
Problem Analysis
- Create the group account kgc for the Kgc project team and the group account tech for the technical department. Add every Kgc project team employee account (e.g. kgc01) to the primary group kgc and the supplementary group tech. Add every other technical department employee account (e.g. tec01) to the primary group tech.
- Change the owning group of /var/share/devel/ to kgc and add the write (w) bit to the group permissions.
- Create a Samba share user for every system user in the tech and kgc groups, and grant access in the Samba configuration using the "@groupname" form.
Recommended Steps
(1) Create the group accounts tech and kgc; create the Kgc employee account kgc01 and the technical department employee account tec01; create the ordinary user yua01.
Check whether the samba packages are installed:
[root@test1 ~]# rpm -qa | grep samba
samba-winbind-clients-3.6.9-164.el6.x86_64
samba-client-3.6.9-164.el6.x86_64
samba4-libs-4.0.0-58.el6.rc4.x86_64
samba-3.6.9-164.el6.x86_64 // the package providing the samba service
samba-winbind-3.6.9-164.el6.x86_64
samba-common-3.6.9-164.el6.x86_64
[root@test1 ~]#
[root@test1 ~]# groupadd tech
[root@test1 ~]# groupadd kgc
[root@test1 ~]# tail -2 /etc/group
tech:x:502:
kgc:x:503:
[root@test1 ~]# useradd kgc01 -g kgc
[root@test1 ~]# useradd tec01 -g tech
[root@test1 ~]# useradd yuan01
[root@test1 ~]# tail -3 /etc/passwd
kgc01:x:502:503::/home/kgc01:/bin/bash
tec01:x:503:502::/home/tec01:/bin/bash
yuan01:x:504:504::/home/yuan01:/bin/bash
[root@test1 ~]#
(2) Create the folder /var/share/ for the shared resources, with the subdirectories public, training and devel.
[root@test1 ~]# cd /var
[root@test1 var]# mkdir share
[root@test1 var]# cd share
[root@test1 share]# mkdir public
[root@test1 share]# mkdir training
[root@test1 share]# mkdir devel
[root@test1 share]# ls
devel public training
(3) Create the Samba users yua01, kgc01, tec01 and root, and set the alias admin for the root user.
[root@test1 share]# pdbedit -a -u yua01
new password:
retype new password:
Failed to add entry for user yua01.
Failed, because the user created above was yuan01, not yua01. Create the user yua01 again:
[root@test1 share]# cat /etc/passwd | grep yua01
[root@test1 share]# useradd yua01
[root@test1 share]# tail -1 /etc/passwd
yua01:x:505:505::/home/yua01:/bin/bash
[root@test1 share]#
Create the Samba user kgc01:
[root@test1 share]# pdbedit -a -u kgc01
new password:
retype new password:
Unix username: kgc01
NT username:
Account Flags: [U ]
User SID: S-1-5-21-426876717-3061933966-2582735009-1000
Primary Group SID: S-1-5-21-426876717-3061933966-2582735009-513
Full Name:
Home Directory: \\test1\kgc01
HomeDir Drive:
Logon Script:
Profile Path: \\test1\kgc01\profile
Domain: TEST1
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 23:06:39 CST
Kickoff time: Wed, 06 Feb 2036 23:06:39 CST
Password last set: Fri, 08 Jul 2016 08:20:03 CST
Password can change: Fri, 08 Jul 2016 08:20:03 CST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[root@test1 share]#
Create the Samba user tec01:
[root@test1 share]# pdbedit -a -u tec01
new password:
retype new password:
Unix username: tec01
NT username:
Account Flags: [U ]
User SID: S-1-5-21-426876717-3061933966-2582735009-1001
Primary Group SID: S-1-5-21-426876717-3061933966-2582735009-513
Full Name:
Home Directory: \\test1\tec01
HomeDir Drive:
Logon Script:
Profile Path: \\test1\tec01\profile
Domain: TEST1
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 23:06:39 CST
Kickoff time: Wed, 06 Feb 2036 23:06:39 CST
Password last set: Fri, 08 Jul 2016 08:28:20 CST
Password can change: Fri, 08 Jul 2016 08:28:20 CST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[root@test1 share]#
Create the Samba user root:
[root@test1 share]# pdbedit -a -u root
new password:
retype new password:
Unix username: root
NT username:
Account Flags: [U ]
User SID: S-1-5-21-426876717-3061933966-2582735009-1002
Primary Group SID: S-1-5-21-426876717-3061933966-2582735009-513
Full Name: root
Home Directory: \\test1\root
HomeDir Drive:
Logon Script:
Profile Path: \\test1\root\profile
Domain: TEST1
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Wed, 06 Feb 2036 23:06:39 CST
Kickoff time: Wed, 06 Feb 2036 23:06:39 CST
Password last set: Fri, 08 Jul 2016 08:29:45 CST
Password can change: Fri, 08 Jul 2016 08:29:45 CST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[root@test1 share]#
Set the alias for root:
[root@test1 share]# vi /etc/samba/smbusers
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin // root is mapped to the users administrator and admin here, so admin can be used to log in
nobody = guest pcguest smbguest
[root@test1 share]# vi /etc/samba/smb.conf
#======================= Global Settings =====================================
[global]
username map = /etc/samba/smbusers
(4) Edit smb.conf, add the share settings, and start the smb service.
Relevant parameters from man smb.conf:
valid users (S)
This is a list of users that should be allowed to login to this service. Names starting with ´@´, ´+´ and ´&´ are
interpreted using the same rules as described in the invalid users parameter.
If this is empty (the default) then any user can login. If a username is in both this list and the invalid users list
then access is denied for that user.
The current servicename is substituted for %S. This is useful in the [homes] section.
Note: When used in the [global] section this parameter may have unwanted side effects. For example: If samba is
configured as a MASTER BROWSER (see local master, os level, domain master, preferred master) this option will prevent
workstations from being able to browse the network.
Default: valid users = # No valid users list (anyone can login)
Example: valid users = greg, @pcusers
-valid (S)
This parameter indicates whether a share is valid and thus can be used. When this parameter is set to false, the share
will be in no way visible nor accessible.
This option should not be used by regular users but might be of help to developers. Samba uses this option internally to
mark shares as deleted.
Default: -valid = yes
write list (S)
This is a list of users that are given read-write access to a service. If the connecting user is in this list then they
will be given write access, no matter what the read only option is set to. The list can include group names using the
@group syntax.
Note that if a user is in both the read list and the write list then they will be given write access.
By design, this parameter will not work with the security = share in Samba 3.0.
Default: write list =
Example: write list = admin, root, @staff
[root@test1 share]# vi /etc/samba/smb.conf
... // omitted
[public]
comment = Public data
path = /var/share/public
read only = yes
writable = no
[peixun]
comment = Resource about teaching
path = /var/share/training
public = no
valid users = admin, @tech
read only = yes
writable = no
[kaifa]
comment = Projects and develop datas
path = /var/share/devel
public = no
valid users = @tech
read only = yes
write list = admin, @kgc
[root@test1 share]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[public]"
Processing section "[peixun]"
Processing section "[kaifa]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
workgroup = MYGROUP
server string = Samba Server Version %v
username map = /etc/samba/smbusers
log file = /var/log/samba/log.%m
max log size = 50
idmap config * : backend = tdb
cups options = raw
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No
[public]
comment = Public data
path = /var/share/public
[peixun]
comment = Resource about teaching
path = /var/share/training
valid users = admin, @tech
[kaifa]
comment = Projects and develop datas
path = /var/share/devel
valid users = @tech
write list = admin, @kgc
[root@test1 share]#
(5) Access the shared folders from a client machine as different users and verify the results against the lab requirements.
Testing /var/share/public/
Test from the client machine:
[root@jason ~]# smbclient -L 192.168.4.99 -U kgc01
Enter kgc01's password:
Connection to 192.168.4.99 failed (Error NT_STATUS_CONNECTION_REFUSED)
Back on the Samba server, the services had not been started yet:
[root@test1 share]# service smb start
Starting SMB services: [ OK ]
[root@test1 share]# service nmb start
Starting NMB services: [ OK ]
[root@test1 share]# service smb reload
Reloading smb.conf file: [ OK ]
[root@test1 share]# service nmb reload
Reloading smb.conf file: [ OK ]
[root@test1 share]#
Create a file in /var/share/public for testing:
[root@test1 public]# vi testpublic
[root@test1 public]# cat testpublic
This file is used to test the shared folder /var/share/public
[root@jason ~]# smbclient -L 192.168.4.99 -U kgc01
Enter kgc01's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 3.6.9-164.el6)
kaifa Disk Projects and develop datas
peixun Disk Resource about teaching
public Disk Public data
kgc01 Disk Home Directories
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]
Server Comment
--------- -------
TEST1 Samba Server Version 3.6.9-164.el6
Workgroup Master
--------- -------
MYGROUP
[root@jason ~]#
Log in to the share:
[root@jason ~]# smbclient //192.168.4.99/public
Enter root's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]
smb: \> ls
. D 0 Fri Jul 8 09:21:45 2016
.. D 0 Fri Jul 8 08:17:27 2016
testpublic 62 Fri Jul 8 09:21:45 2016
35788 blocks of size 1048576. 29971 blocks available
smb: \> cat testpublic
cat: command not found
smb: \> vi testpublic
vi: command not found
smb: \> help
? allinfo altname archive blocksize
cancel case_sensitive cd chmod chown
close del dir du echo
exit get getfacl geteas hardlink
help history iosize lcd link
lock lowercase ls l mask
md mget mkdir more mput
newer open posix posix_encrypt posix_open
posix_mkdir posix_rmdir posix_unlink print prompt
put pwd q queue quit
readlink rd recurse reget rename
reput rm rmdir showacls setea
setmode stat symlink tar tarmode
translate unlock volume vuid wdel
logon listconnect showconnect .. !
smb: \> rd testpublic
NT_STATUS_MEDIA_WRITE_PROTECTED removing remote directory file \testpublic
smb: \> open testpublic
open file \testpublic: for read/write fnum 9284 // read-only share; no changes can be made
smb: \> get testpubli // download the testpublic file
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \testpubli
smb: \> get testpublic
getting file \testpublic of size 62 as testpublic (30.3 KiloBytes/sec) (average 30.3 KiloBytes/sec)
smb: \> exit
[root@jason ~]# ls -lh | grep testpublic
-rw-r--r-- 1 root root 62 Jul 8 09:25 testpublic // the file just downloaded from the Samba share
[root@jason ~]# cat testpublic
This file is used to test the shared folder /var/share/public // contents of the downloaded file
[root@jason ~]#
Testing /var/share/training/
[root@jason ~]# smbclient -U admin //1192.168.4.99/training
Enter admin's password:
^C
[root@jason ~]# smbclient -U admin //192.168.4.99/training
Enter admin's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
[root@jason ~]# smbclient -U admin //192.168.4.99/training -U root
Enter root's password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root@jason ~]# smbclient -U tech01 //192.168.4.99/training
Enter tech01's password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root@jason ~]# smbclient -U tech01 //192.168.4.99/peixun
Enter tech01's password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root@jason ~]# smbclient -U tec01 //192.168.4.99/peixun
Enter tec01's password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root@jason ~]# smbclient -U admin //192.168.4.99/peixun
Enter admin's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@jason ~]# smbclient -U admin //192.168.4.99/peixun -U root
Enter root's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@jason ~]#
Looked for the cause but could not find it.
Try logging in from the client machine again:
[root@jason ~]# smbclient -U tec01 //192.168.4.99/peixun
Enter tec01's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]
smb: \> ls
. D 0 Fri Jul 8 08:17:22 2016
.. D 0 Fri Jul 8 08:17:27 2016
35788 blocks of size 1048576. 29971 blocks available
smb: \>
Login succeeded.
Create a test file on the Samba server:
[root@test1 training]# vi testpeixun
[root@test1 training]# cat testpeixun
This text is about test training.
[root@test1 training]#
Test on the client machine:
[root@jason ~]# ls
anaconda-ks.cfg Documents etc.tar.gz install.log man2.txt Music Pictures Templates Videos
Desktop Downloads home.bak.tar.gzip install.log.syslog man.txt mvtotrash Public testpublic
[root@jason ~]# smbclient -U tec01 //192.168.4.99/peixun
Enter tec01's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]
smb: \> put etc.tar.gz
NT_STATUS_ACCESS_DENIED opening remote file \etc.tar.gz
smb: \> chmod testpeixun
chmod mode file
smb: \>
smb: \> chmod 777 testpeixun
NT_STATUS_NETWORK_ACCESS_DENIED chmod file \testpeixun 0777 // no permission
smb: \>
smb: \> get testpeixun
getting file \testpeixun of size 34 as testpeixun (33.2 KiloBytes/sec) (average 33.2 KiloBytes/sec)
smb: \> exit
[root@jason ~]# ls -lh | grep testp
testpeixun testpublic
[root@jason ~]# ls -lh | grep testpeixun
-rw-r--r-- 1 root root 34 Jul 8 09:49 testpeixun
[root@jason ~]# cat testpeixun
This text is about test training.
[root@jason ~]#
Test whether admin can log in:
[root@jason ~]# smbclient -U admin //192.168.4.99/peixun
Enter admin's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@jason ~]# smbclient -U admin //192.168.4.99/peixun -U root
Enter root's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@jason ~]#
Still cannot log in.
Test other users:
[root@jason ~]# smbclient -U kgc01 //192.168.4.99/peixun
Enter kgc01's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.6.9-164.el6]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@jason ~]#
Testing /var/share/devel/
Create a test file on the Samba server:
[root@test1 training]# cd ../devel/
[root@test1 devel]# vi testdevel
[root@test1 devel]# cat testdevel
This is test devel
[root@test1 devel]#