Installing and Configuring a Samba Server on Debian

Date: 2020-03-21 11:45:14  Source: igfitidea

We will install and configure a Samba v3 server on Debian.
Access to the shares will be granted to the local area network (LAN) only.

Prerequisites

Samba server details:

  • Hostname: apps-vm
  • IP: 10.10.1.17
  • LAN: 10.10.1.0/24

Two browsable Samba shares will be set up:

  • public - a public share, readable and writable by anyone on the LAN.
  • users - a users share, readable and writable by valid users in the smb group on the LAN.

The Samba clients will be Windows 7 and Debian Linux machines.

Samba Installation

Install the Samba server:

# apt-get update && apt-get install samba samba-common-bin libpam-smbpass

The libpam-smbpass package is required for Unix to SMB password synchronisation.

Linux User

Create a Linux system group called "smb" (use -g to specify a group ID of our own):

# groupadd -r smb

Find out the ID of the smb group:

# grep smb /etc/group
smb:x:997:

Add a new Linux system user win7 with the smb group (997) as the user's initial login group, without creating a home directory:

# useradd -r -M -g 997 -s /bin/false win7

Set a password:

# passwd win7
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Samba User

There are (at least) two ways to add a new Samba user to the Samba database.
We can synchronise the Linux password database with the SMB password database, or we can add the Samba user manually.

If synchronisation is configured then (as it turns out) we have to log in as the user before it gets added to the Samba database.

If we list all Samba user accounts present in the database, we should get an empty list:

# pdbedit -Lw

Now, if we log in as the win7 user, it should be added (synchronised) to the Samba database:

$ su win7
Password: 
Added user win7.

If we list all Samba user accounts present in the database in "smbpasswd" list format (output truncated), we should see the win7 account:

# pdbedit -Lw
win7:997:XXXXXXXX:0A640404B5C486AA12092587FE19FG02:[U  ]:LCT-53DFD128:

To create a Samba user manually and add it to the local smbpasswd database, we can run the smbpasswd command:

# smbpasswd -a win7
New SMB password:
Retype new SMB password:
Added user win7.

The Samba user database can be found under /var/lib/samba/.

# file /var/lib/samba/passdb.tdb
/var/lib/samba/passdb.tdb: TDB database version 6, little-endian hash size 131 bytes

When needed, we can remove a Samba user from the database with the following command:

# smbpasswd -x win7

However, this does not prevent the win7 account from being re-added (synchronised) to the Samba database if the user logs in to his account.

Samba Storage

Samba root:

# ls -ld /data/samba/
drwxr-xr-x 4 root root 4096 Aug  8 19:17 /data/samba

Samba shares for public access and for authenticated users:

# ls -l /data/samba/
total 8
4 drwxrwxr-x 3 nobody nogroup 4096 Aug  8 19:18 public
4 drwxrwxr-x 2 root   smb     4096 Aug  8 19:20 users

Samba Configuration

#------------------------------------------------------------ 
# This is: /etc/samba/smb.conf
# Configuration file for the Samba suite for Debian GNU/Linux
#------------------------------------------------------------ 
[global]
#------------------------------------------------------------ 
# This section contains the global server settings and the
# defaults that will be used for the parameters of the other
# sections if they are not specifically assigned other values 
# in those other sections.
## Samba joins the WORKGROUP workgroup
#------------------------------------------------------------ 
workgroup = WORKGROUP
# Describe the server to the clients by using a hostname
#-----------------------------------------------------------
server string = %h server
# Only allow connections from machines on our LAN
#------------------------------------------------------------ 
hosts allow = 127.0.0.0/8 10.10.1.0/24
# Prevent nmbd from searching for NetBIOS names through DNS
#------------------------------------------------------------ 
dns proxy = no
# Use a separate log file for each machine that connects
#------------------------------------------------------------ 
log file = /var/log/samba/log.%m
# Individual log files size (in KiB)
#------------------------------------------------------------ 
max log size = 1000
# Log a minimum amount of information to syslog
#------------------------------------------------------------ 
syslog = 0
# Mail the admin a backtrace when Samba crashes
#------------------------------------------------------------ 
panic action = /usr/share/samba/panic-action %d
# Using "User Level Security"
#------------------------------------------------------------ 
security = user
#username map = /etc/samba/users.txt
# Use password encryption
#------------------------------------------------------------ 
encrypt passwords = true
# Tell Samba what encrypted password database to use  
#------------------------------------------------------------ 
passdb backend = tdbsam
# Sync the Unix password with the SMB password when the 
# encrypted SMB password in the passdb is changed. 
# The libpam-smbpass package is required for the sync to work
#------------------------------------------------------------ 
unix password sync = yes
# For Unix password sync to work on a Debian Linux system,
# the "passwd program" must be set
#------------------------------------------------------------ 
passwd program = /usr/bin/passwd %u
# Do not use PAM for password changes when requested by an 
# SMB client instead of the program listed in "passwd 
# program".
## When "pam password change" is set, it uses PAM rather than 
# "passwd program" to do the change. This is easier to debug,
# and gives back sensible error returns.  
## However, PAM does not have a changepass(user, newpass) 
# interface: you have to respond to a series of prompts in the 
# same way a user would. This is what the "passwd chat" is 
# about.
#------------------------------------------------------------ 
pam password change = no
#passwd chat = ""
# Unsuccessful authentication attempts are mapped to 
# anonymous connections
#------------------------------------------------------------ 
map to guest = bad user
#=================== Printers Definitions ===================
## Do not automatically load printer list
#------------------------------------------------------------ 
load printers = no
# lpr(ng) printing, to avoid filling log files
#------------------------------------------------------------ 
printing = bsd
printcap name = /dev/null
#==================== Share Definitions =====================
[public]
#------------------------------------------------------------ 
# This section defines the public share available for reading
# and writing for anyone on our LAN
#------------------------------------------------------------ 
comment = Public Storage on %L
path = /data/samba/public/
# Show the public share when browsing
#------------------------------------------------------------ 
browsable = yes
# Allow everyone to write in this directory
#------------------------------------------------------------ 
writeable = yes
read only = no
# Restrict access to guests only
#------------------------------------------------------------ 
guest ok = yes
guest only = yes
# Create files with group=rw permissions
#-----------------------------------------------------------
force create mode = 0775
force directory mode = 0775
[users]
#------------------------------------------------------------ 
# This section defines the users share available for reading
# and writing for valid users in @smb group on our LAN
#------------------------------------------------------------ 
comment = Users Storage on %L
path = /data/samba/users/
# Show the users share when browsing
#------------------------------------------------------------ 
browsable = yes
# Allow users to write in this directory
#------------------------------------------------------------ 
writeable = yes
read only = no
# Restrict access to valid users in an smb group
#------------------------------------------------------------ 
valid users = @smb
guest ok = no
# Create files with group=rw permissions
#-----------------------------------------------------------
force create mode = 0775
force directory mode = 0775
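The access model above rests on three settings: a LAN-only "hosts allow" in [global], "guest ok" on the public share and "valid users" on the users share. This added audit script (not part of the original page or of Samba) parses an smb.conf in that format and reports, per share, whether guests may connect and write, plus whether a hosts allow list is present; the sample config it writes is constructed from the guide's own values.

```shell
# Constructed sample smb.conf modelled on the guide's configuration; point
# SMB_CONF at /etc/samba/smb.conf to audit a real server instead.
SMB_CONF="${SMB_CONF:-$(mktemp)}"
cat >"$SMB_CONF" <<'EOF'
[global]
   hosts allow = 127.0.0.0/8 10.10.1.0/24
[public]
   path = /data/samba/public/
   writeable = yes
   read only = no
   guest ok = yes
[users]
   path = /data/samba/users/
   writeable = yes
   valid users = @smb
   guest ok = no
EOF

# Print "<share> guest=<yes|no> write=<yes|no> users=<list|->" per share, then
# "hosts_allow=<value|MISSING>". Comments and blank lines are skipped; Samba's
# defaults (guest ok = no, read only = yes) apply to keys a share omits.
audit_smb_conf() {
    awk -F'=' '
    function flush() {
        if (sec != "" && sec != "global") printf "%s guest=%s write=%s users=%s\n", sec,
            (guest == "" ? "no" : guest), (write == "" ? "no" : write), (users == "" ? "-" : users)
        guest = ""; write = ""; users = ""
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { flush(); sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec); next }
    {
        key = $1; val = $2
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (sec == "global" && key == "hosts allow") hosts = val
        if (key == "guest ok") guest = val
        if (key == "writeable" || key == "writable") write = val
        if (key == "read only") write = (val == "no" ? "yes" : "no")
        if (key == "valid users") users = val
    }
    END { flush(); printf "hosts_allow=%s\n", (hosts == "" ? "MISSING" : hosts) }
    ' "$1"
}

# Succeed (exit 0) only if every guest-writeable share sits behind a hosts allow list.
guest_write_fenced() {
    out="$(audit_smb_conf "$1")"
    echo "$out" | grep -q 'guest=yes write=yes' || return 0   # nothing exposed to guests
    ! echo "$out" | grep -qx 'hosts_allow=MISSING'
}
```

Run it against the real file with `SMB_CONF=/etc/samba/smb.conf` before and after editing shares, so a guest-writeable share never goes live without the LAN restriction.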

Testing the Samba Configuration

# testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[public]"
Processing section "[users]"
Loaded services file OK.
Server role: ROLE_STANDALONE
[global]
	server string = %h server
	map to guest = Bad User
	passwd program = /usr/bin/passwd %u
	unix password sync = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	load printers = No
	printcap name = /dev/null
	dns proxy = No
	panic action = /usr/share/samba/panic-action %d
	idmap config * : backend = tdb
	hosts allow = 127.0.0.0/8, 10.10.1.0/24
	printing = bsd
	print command = lpr -r -P'%p' %s
	lpq command = lpq -P'%p'
	lprm command = lprm -P'%p' %j
[public]
	comment = Public Storage on %L
	path = /data/samba/public/
	read only = No
	force create mode = 0775
	force directory mode = 0775
	guest only = Yes
	guest ok = Yes
[users]
	comment = Users Storage on %L
	path = /data/samba/users/
	valid users = @smb
	read only = No
	force create mode = 0775
	force directory mode = 0775

Restart the Samba Service

# service samba restart

Verify the server name:

# net server name -U guest%whatever
Server name = APPS-VM

List the available shares:

# net share list -U guest%whatever
public
users
IPC$

List the Samba users:

# net rpc user -U guest%whatever
win7

Connecting from a Windows 7 Client

Let's check the status of the Samba server before initiating the connection:

$ smbstatus
Samba version 3.6.6
PID     Username      Group         Machine
-------------------------------------------------------------------

Service      pid     machine       Connected at
-------------------------------------------------------

No locked files

We see that no users are currently connected.
Connect to the users share from the Windows 7 machine.
It should prompt for a username and password.

Let's check the Samba server status again:

$ smbstatus
Samba version 3.6.6
PID     Username      Group         Machine
-------------------------------------------------------------------
2659      win7          smb           win7station  (10.10.1.108)

Service      pid     machine       Connected at
-------------------------------------------------------
users        2659   win7station   Fri Aug  8 21:20:03 2014

No locked files

Now we see that the win7 user is connected to the users share from the win7station machine.

Connecting from a Debian Linux Client

The Linux client needs smbclient:

# apt-get install --no-install-recommends smbclient

Let's look at the services available on the Samba server:

$ smbclient -L 10.10.1.17 -N
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (apps-vm server)
	users           Disk      Users Storage on apps-vm
	public          Disk      Public Storage on apps-vm
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

	Server               Comment
	---------            -------
	APPS-VM              apps-vm server

	Workgroup            Master
	---------            -------
	WORKGROUP            APPS-VM

Public Share

Access the public share using the guest account without a password:

$ smbclient -U Guest -N //10.10.1.17/public
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]
smb: \> pwd
Current directory is \10.10.1.17\public\
smb: \> exit

Accessing the Users Share

Let's do the same for the users share:

$ smbclient -U Guest -N //10.10.1.17/users
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]
tree connect failed: NT_STATUS_ACCESS_DENIED
IN_YOUR_FACE!

Access denied, good.
What if we supply the win7 user's credentials:

$ smbclient -U win7 //10.10.1.17/users
Enter win7's password: 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]
smb: \> pwd
Current directory is \10.10.1.17\users\
smb: \> exit

Access granted.

Mounting the Public Samba Share on a Debian Linux Client

smbfs is the mountable SMB filesystem on Linux.
On Debian 7 the smbfs package has been replaced by cifs-utils:

# apt-cache show cifs-utils | grep Replaces
Replaces: smbfs (<< 2:4.0~rc1-1)

Install cifs-utils if you intend to use the mount.cifs tool to mount Common Internet File System shares:

# apt-get install --no-install-recommends cifs-utils

Create mount points for the Samba shared folders:

# mkdir -p /mnt/smb/public /mnt/smb/users

Mount the public Samba share using the guest account without a password:

# mount -t cifs //10.10.1.17/public /mnt/smb/public -o rw,username=guest,password=

Check:

# df -hT | egrep "File|smb"
Filesystem          Type  Size  Used Avail Use% Mounted on
//10.10.1.17/public cifs  384G  4.7G  360G   2% /mnt/smb/public
# mount -l | grep smb
//10.10.1.17/public on /mnt/smb/public type cifs (rw,relatime,sec=ntlm,unc=\10.10.1.17\public,username=guest,uid=0,noforceuid,gid=0,noforcegid,addr=10.10.1.17,unix,posixpaths,serverino,acl,rsize=1048576,wsize=65536,actimeo=1)

Mount the users Samba share using the win7 credentials:

# mount -t cifs //10.10.1.17/users /mnt/smb/users -o rw,username=win7
Password:

Check:

# df -hT | egrep "File|smb"
Filesystem          Type  Size  Used Avail Use% Mounted on
//10.10.1.17/users  cifs  384G  4.7G  360G   2% /mnt/smb/users

Configuring iptables on the Samba Server

Find out which ports the Samba server is listening on:

# netstat -nltup | grep mbd
tcp    0   0 0.0.0.0:139        0.0.0.0:*     LISTEN   30417/smbd
tcp    0   0 0.0.0.0:445        0.0.0.0:*     LISTEN   30417/smbd
tcp6   0   0 :::139             :::*          LISTEN   30417/smbd
tcp6   0   0 :::445             :::*          LISTEN   30417/smbd
udp    0   0 10.10.1.255:137    0.0.0.0:*              30414/nmbd
udp    0   0 10.10.1.17:137     0.0.0.0:*              30414/nmbd
udp    0   0 0.0.0.0:137        0.0.0.0:*              30414/nmbd
udp    0   0 10.10.1.255:138    0.0.0.0:*              30414/nmbd
udp    0   0 10.10.1.17:138     0.0.0.0:*              30414/nmbd
udp    0   0 0.0.0.0:138        0.0.0.0:*              30414/nmbd

As seen above, Samba uses both UDP and TCP.
TCP is used for file and printer sharing on port 139.
UDP is used to register and resolve NetBIOS names and to browse the network.
Port 137 is used for name service requests and responses.
Port 138 is used for the datagram service, which transfers small amounts of data such as server announcements.

Open the above ports for the LAN only:

# iptables -A INPUT -s 10.10.1.0/24 -p tcp -m multiport --dport 139,445 -j ACCEPT
# iptables -A INPUT -s 10.10.1.0/24 -p udp -m multiport --dport 137,138 -j ACCEPT
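The two ACCEPT rules only help if the INPUT chain otherwise rejects SMB traffic; with a default ACCEPT policy, hosts outside the LAN still reach smbd, and the netstat output above also shows smbd listening on IPv6, which the rules do not cover. This added helper (not from the original page) validates the LAN CIDR, emits the guide's rules and follows them with explicit DROPs for IPv4 and IPv6; the DRY_RUN switch and the LAN variable are conventions of this example.

```shell
# Emit (DRY_RUN=1, the default) or apply (DRY_RUN=0, as root) one firewall command.
DRY_RUN="${DRY_RUN:-1}"
fw() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Accept $1 only if it looks like an IPv4 network in CIDR form, e.g. 10.10.1.0/24.
is_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# The guide's two ACCEPT rules for the LAN, followed by explicit DROPs so that
# SMB/NetBIOS traffic from any other source is refused regardless of the INPUT
# chain policy. smbd also listens on tcp6 and no IPv6 LAN range is given in the
# guide, so IPv6 SMB is dropped outright. Order matters: ACCEPT before DROP.
samba_fw_rules() {
    lan="$1"
    is_cidr "$lan" || { echo "invalid LAN CIDR: $lan" >&2; return 1; }
    fw iptables -A INPUT -s "$lan" -p tcp -m multiport --dports 139,445 -j ACCEPT
    fw iptables -A INPUT -s "$lan" -p udp -m multiport --dports 137,138 -j ACCEPT
    fw iptables -A INPUT -p tcp -m multiport --dports 139,445 -j DROP
    fw iptables -A INPUT -p udp -m multiport --dports 137,138 -j DROP
    fw ip6tables -A INPUT -p tcp -m multiport --dports 139,445 -j DROP
}

# Print the rule set for the guide's LAN; run with DRY_RUN=0 to apply it.
samba_fw_rules "${LAN:-10.10.1.0/24}"
```

Running it with the default DRY_RUN=1 prints the commands for review; repeat a run only after flushing or checking the chain, since -A appends duplicates.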