Samba is free software that implements the SMB protocol on Linux and UNIX systems; it consists of server daemons (smbd for file and print service, nmbd for NetBIOS) and client programs. SMB (Server Message Block) is a client/server protocol for sharing files, printers and other resources between computers on a LAN: the client connects to the server and uses its shared file systems, printers and other resources as if they were local. Current clients and servers speak SMB2/SMB3; SMB1 (NT1) is obsolete, has no encryption and a long history of exploited flaws, so it should stay disabled on both sides (Samba 4.11 disables it by default).
- Port 137 (UDP): NetBIOS name service (nmbd);
- Port 138 (UDP): NetBIOS datagram service (nmbd);
- Port 139 (TCP): SMB over the NetBIOS session service, file and print sharing (smbd);
- Port 445 (TCP): SMB directly over TCP without NetBIOS; used by Windows 2000 and later and the only port modern clients need (smbd);
- Port 389 (TCP): LDAP; Samba only listens here when it runs as an Active Directory domain controller, not as a plain file server;
- Port 901 (TCP): SWAT, the old web-based administration tool; SWAT was removed in Samba 4.1, so a current installation should have nothing listening here.
If no legacy NetBIOS clients exist, exposing only 445 (smb ports = 445 together with disable netbios = yes, and not running nmbd) removes three of the listeners above from the attack surface.
1. Installation services

```shell
[root@localhost ~]# dnf install -y samba
Complete!
[root@localhost ~]# rpm -qa | grep samba
samba-common-libs-4.11.2-13.el8.x86_64
samba-common-4.11.2-13.el8.noarch
samba-client-libs-4.11.2-13.el8.x86_64
```

View service endpoints. Nothing is listening until the smb service has been started; once it runs, check that 445 (and 139, if NetBIOS is kept) is bound only on the addresses you expect:

```shell
[root@localhost ~]# netstat -anop | grep 445
[root@localhost ~]# ss -lntup | grep 445
```
2. Configuration file

The stock file shipped with the package (lines beginning with # or ; are comments; comments are only recognised at the start of a line, and parameter names are case insensitive). Run testparm after every change: it reports syntax errors and prints the effective values, including defaults you did not write:

```shell
[root@localhost ~]# vim /etc/samba/smb.conf
```

```ini
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
        # global configuration
        workgroup = SAMBA
        security = user
        # account database; the file is /var/lib/samba/private/passdb.tdb
        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        # whether printer devices are shared when the service starts
        load printers = yes
        # printer options
        cups options = raw

[homes]
        # sharing of each user's own home directory
        comment = Home Directories
        # %S is the share name, which for [homes] is the user name, so only
        # the owner can connect to his or her home share
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        # printer sharing
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @printadmin root
        force group = @printadmin
        create mask = 0664
        directory mask = 0775
```
*Detailed explanation of parameters

[global] / global parameters;
- config file = /usr/local/samba/lib/smb.conf.%m / load a different configuration file in place of the default one; if the file does not exist the parameter is ignored. %m expands to the client's NetBIOS name, so to give client PC1 its own configuration, create /usr/local/samba/lib/smb.conf.pc1: when PC1 connects, smb.conf.%m becomes smb.conf.pc1 and that file defines the service PC1 sees, while every other host is served by smb.conf. The client chooses its own NetBIOS name, so never let this switch select security-relevant settings;
- workgroup = WORKGROUP / the workgroup or domain the server belongs to;
- server string = Samba Server Version %v / the server comment shown to clients; any string, or empty. %v discloses the exact Samba version to anyone who can list shares (the IPC$ comment in the smbclient output later on shows the same thing);
- netbios name = smbserver / the NetBIOS name; it must differ from the workgroup name and defaults to the first component of the host's DNS name;
- interfaces = lo eth0 192.168.14.131/24 192.168.15.131/24 / interface names or addresses Samba serves. On its own this only controls which addresses nmbd advertises; add bind interfaces only = yes to make smbd listen on those addresses only;
- hosts allow = 127.0.0.1 192.168.14.0/24 / hosts and networks allowed to connect, separated by spaces; once it is set, every host not listed is refused;
- hosts deny = 192.168.15.0/24 / hosts refused; when a host matches both lists, hosts allow wins;
- max connections = 0 / maximum number of simultaneous connections to a share; 0 is unlimited;
- deadtime = 0 / minutes of inactivity with no open files after which a connection is dropped; 0 never drops;
- time server = yes/no / whether to answer time requests from SMB clients (net time); this is the SMB time service, not NTP;
- log file = /var/log/samba/log.%m / log file path, one file per client machine;
- max log size = 0 / maximum log file size in KB; 0 is unlimited;
- security = user / the authentication mode;
Verification methods:
- share: clients could reach shares without a user name and password. Removed in Samba 4.0; guest access is now expressed with security = user plus map to guest in [global] and guest ok on the individual share;
- user: only authenticated users can reach a share; Samba checks the account and password itself, so the accounts have to exist in Samba's own account database;
- server: like user, but the name and password were forwarded to another SMB server for validation, falling back to user level on failure. Removed in Samba 4.0 along with share level;
- domain: the server is a member of an NT4-style domain and forwards the name and password to the domain controller;
- ads: the server is a member of an Active Directory domain and authenticates users through Kerberos; this is the mode to use in a current Windows domain.
passdb backend = tdbsam / the account database backend;
User backends:
There are three: smbpasswd, tdbsam and ldapsam (sam stands for security account manager);
- smbpasswd: a flat text file written with the smbpasswd tool, holding a Samba password (NT hash) for an existing system user. It lives in /etc/samba/smbpasswd by default and may need to be created by hand; it is a legacy format with no room for account flags or policy;
- tdbsam: a TDB database file, passdb.tdb, kept in /var/lib/samba/private/ (not in /etc/samba). Accounts are added with smbpasswd -a or with pdbedit, and the Samba user must already exist as a system user because Samba maps every Samba account to a UNIX uid. This is the default and is sufficient for a stand-alone server. Keep the file readable by root only: it stores NT hashes, which an attacker can replay (pass-the-hash) against any server that accepts NTLM;
  pdbedit -a username: create a user (prompts for the password);
  pdbedit -x username: delete a user;
  pdbedit -L: list the users in passdb.tdb;
  pdbedit -Lv: list the users with details;
  pdbedit -c "[D]" -u username: disable a user;
  pdbedit -c "[]" -u username: re-enable a user;
- ldapsam: accounts are stored in an LDAP directory. Set up the LDAP server first, then set passdb backend = ldapsam:ldap://LDAP_Server; use ldaps:// or ldap ssl = start tls so the bind credentials and hashes do not cross the network in clear;
- encrypt passwords = yes / deprecated: Samba 4 always authenticates with NTLM or Kerberos and no longer supports plaintext SMB passwords, so leave it at the default of yes;
- smb passwd file = /etc/samba/smbpasswd / path of the smbpasswd file (smbpasswd backend only);
- username map = /etc/samba/smbusers / user name mapping. Each line of the file reads unix_user = client_name1 client_name2, for example root = administrator admin, with several client names separated by spaces. Mapping anything to root turns a stolen client password into root on the file system; avoid it;
- guest account = nobody / the UNIX account used for guest access; only meaningful together with map to guest;
- socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 / socket options for client sessions. Modern kernels tune these automatically and the small buffers shown here slow transfers down, so leave the parameter unset;
- domain master = yes/no / whether to act as the domain master browser, which collates the browse lists of local master browsers across subnets (NetBIOS browsing, a legacy feature);
- local master = yes/no / whether to take part in the election for local master browser;
- preferred master = yes/no / force a browser election at startup so this server has a chance of becoming local master;
- os level = 200 / 0 to 255; the higher the value, the more likely the server wins the election;
- domain logons = yes/no / act as an NT4-style (classic) domain controller; not needed for a file server;
- dns proxy = yes/no / whether nmbd falls back to DNS for NetBIOS names it cannot resolve;
- load printers = yes/no / whether the printers from printcap are shared when the service starts;
- printcap name = cups / where the list of printers is read from;
- printing = cups / the printing subsystem; supported values include bsd, sysv, plp, lprng, aix, hpux, qnx, cups and iprint.
[share] / share parameters;
- comment = share / description of the share; any string;
- path = /path / the directory exported by the share; macros such as %U may be used in the path;
- public = yes / synonym for guest ok: whether unauthenticated (guest) access is allowed; it only has an effect when map to guest is set in [global];
- guest ok = yes / ditto;
- browseable = yes / whether the share appears in browse lists; hiding a share is not access control;
- writable = yes / whether clients may write (synonym writeable; the inverse of read only);
- available = yes/no / whether the share is enabled at all;
- read only = yes / read only = yes means the same as writable = no; if both appear in one section the later line wins, and testparm shows the effective value;
- admin users = root / users who perform every operation on this share as root, regardless of file permissions; names separated by commas or spaces. Avoid it: a compromised account in this list owns the whole file system;
- valid users = username / users allowed to connect; empty means every authenticated user; names separated by commas or spaces; @group1 checks a NIS netgroup and then a UNIX group, +group1 a UNIX group only;
- invalid users = username / users refused, same syntax; a name in both lists is refused;
- write list = username / users who may write even when the share is read only, same syntax;
- create mask = 0700 / the permission bits a new file may have: the bits the client asks for are ANDed with this mask, so 0700 caps files at owner-only but does not grant 700 (use force create mode to add bits);
- directory mask = 0700 / the same for new directories (directory mode is a synonym).
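As an added example, not code from this page or from the Samba project, the following shell script audits an smb.conf for the weak settings discussed in the parameter list above: the removed share/server security modes, a server min protocol that re-enables SMB1, NTLMv1 via ntlm auth, a missing hosts allow, guest-writable shares and admin users. The two configurations it checks are constructed for the example and modelled on this page's lab settings; the hosts allow network and the smbusers group in the hardened variant are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page or of the Samba project: a small
# audit that reads an smb.conf and prints the settings a security reviewer
# would flag. The two sample configurations below are constructed for the
# example (modelled on the page's lab config) and are not real deployments.
set -eu

# Flatten smb.conf into "section|key|value" lines. Lines starting with # or ;
# are comments (smb.conf has no trailing comments); keys and values are
# lower-cased and whitespace-trimmed so the comparisons stay simple.
normalize_smbconf() {
  awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); sec = tolower(sec); next }
    {
      n = index($0, "="); if (n == 0) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      gsub(/[ \t]+/, " ", k)
      print sec "|" tolower(k) "|" tolower(v)
    }' "$1"
}

# Print one finding per line for the smb.conf given as $1; prints nothing when clean.
audit_smbconf() {
  normalize_smbconf "$1" | awk -F'|' '
    { kv[$1 SUBSEP $2] = $3; seen[$1] = 1 }
    function has(s, k) { return ((s SUBSEP k) in kv) }
    function val(s, k) { return has(s, k) ? kv[s SUBSEP k] : "" }
    END {
      g = "global"
      if (val(g, "security") == "share" || val(g, "security") == "server")
        print "global: security = " val(g, "security") " was removed in Samba 4; use security = user"
      if (val(g, "server min protocol") ~ /^(core|coreplus|lanman1|lanman2|nt1)$/)
        print "global: server min protocol = " val(g, "server min protocol") " re-enables SMB1"
      if (val(g, "ntlm auth") == "yes")
        print "global: ntlm auth = yes permits NTLMv1 authentication"
      if (!has(g, "hosts allow"))
        print "global: no hosts allow; every host that can reach the port may try to authenticate"
      for (s in seen) {
        if (s == g) continue
        guest = (val(s, "guest ok") == "yes" || val(s, "public") == "yes")
        writable = (val(s, "writable") == "yes" || val(s, "writeable") == "yes" || val(s, "read only") == "no")
        if (guest && writable) print s ": guest-writable share (guest access plus write permission)"
        if (has(s, "admin users")) print s ": admin users = " val(s, "admin users") " runs every operation as root"
      }
    }'
}

# Number of findings for a file, for scripts and tests.
count_findings() { audit_smbconf "$1" | awk 'END { print NR }'; }

# Constructed sample 1: the weak choices spelled out explicitly.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[global]
        workgroup = WORK
        security = share
        server min protocol = NT1
        ntlm auth = yes
        map to guest = Bad User
[public]
        path = /zxc
        public = yes
        writeable = yes
[test222]
        path = /test111
        admin users = aaa
EOF

# Constructed sample 2: the same shares with corrected settings (the allowed
# network and the smbusers group are assumptions for the example).
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
[global]
        workgroup = WORK
        security = user
        server min protocol = SMB3_00
        hosts allow = 127.0.0.1 192.168.14.0/24
        smb encrypt = required
[public]
        path = /zxc
        guest ok = no
        writeable = yes
        valid users = @smbusers
[test222]
        path = /test111
        read only = yes
        write list = aaa
EOF

audit_smbconf "$WEAK_CONF"
echo "weak: $(count_findings "$WEAK_CONF") findings, hardened: $(count_findings "$HARDENED_CONF") findings"
```

The checks are deliberately string-based on the written file; pipe the output of testparm -s through the same functions when you want defaults that you did not write (such as the implicit read only = yes) to be audited as well.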
3. Service configuration

(1) Share a user's home directory - xiaoming

Server configuration. The [homes] section exports each authenticated user's own home directory under a share named after the user; browseable = No keeps those shares out of the browse list, and security = user means only users with a Samba account can connect:

```shell
[root@localhost ~]# vim /etc/samba/smb.conf
[global]
        workgroup = work
        security = user
[homes]
        browseable = No
        writeable = yes
[root@localhost ~]# systemctl restart smb nmb
```
Create the user for the share. The account must exist as a system user first; smbpasswd -a and pdbedit -a both create the Samba account and set its password, so one of them is enough (running both, as here, just sets the password twice). Note that the test file is created by root, so xiaoming can read it but not modify or delete it:

```shell
[root@localhost ~]# useradd xiaoming
[root@localhost ~]# smbpasswd -a xiaoming
New SMB password:redhat
Retype new SMB password:redhat
Added user xiaoming.
[root@localhost ~]# pdbedit -a xiaoming
new password:redhat
retype new password:redhat
[root@localhost ~]# pdbedit -L
xiaoming:1003:
[root@localhost ~]# touch /home/xiaoming/test
[root@localhost ~]# ll /home/xiaoming/
total 0
-rw-r--r--. 1 root root 0 Sep 25 17:38 test
```
Firewall and SELinux. Switching both off is a lab shortcut only: on any real host, open the firewalld samba service instead of stopping the firewall, and keep SELinux enforcing with the samba_enable_home_dirs boolean turned on for home shares (for other directories, label them samba_share_t or set samba_export_all_rw). setenforce 0 is also not persistent, so the share will silently stop working after a reboot:

```shell
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# setenforce 0
```
Client configuration (the samba-client package provides smbclient). The line "SMB1 disabled -- no workgroup available" is expected: the share list arrived over SMB2, but the workgroup browse list needs SMB1/NetBIOS, which smbclient 4.11 disables by default; do not re-enable SMB1 for the sake of that listing. mget fetches files; to pull a directory tree, switch on recurse (and switch off prompt) first:

```shell
[root@localhost ~]# dnf install -y samba-client
Complete!
[root@localhost ~]# smbclient -L //192.168.14.131 -U xiaoming
Enter WORK\xiaoming's password: redhat

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba 4.11.2)
        xiaoming        Disk      Home Directories
SMB1 disabled -- no workgroup available
[root@localhost ~]# smbclient //192.168.14.131/xiaoming -U xiaoming
Enter WORK\xiaoming's password: redhat
Try "help" to get a list of possible commands.
smb: \> help
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            deltree        dir
du             echo           exit           get            getfacl
geteas         hardlink       help           history        iosize
lcd            link           lock           lowercase      ls
l              mask           md             mget           mkdir
more           mput           newer          notify         open
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir
posix_unlink   posix_whoami   print          prompt         put
pwd            q              queue          quit           readlink
rd             recurse        reget          rename         reput
rm             rmdir          showacls       setea          setmode
scopy          stat           symlink        tar            tarmode
timeout        translate      unlock         volume         vuid
wdel           logon          listconnect    showconnect    tcon
tdis           tid            utimes         logoff         ..
smb: \> ls
  .                                   D        0  Fri Sep 25 17:38:55 2020
  ..                                  D        0  Fri Sep 25 17:36:51 2020
  .mozilla                           DH        0  Wed Aug 19 17:14:51 2020
  .bash_logout                        H       18  Fri Aug 30 13:30:21 2019
  .bash_profile                       H      141  Fri Aug 30 13:30:21 2019
  .bashrc                             H      312  Fri Aug 30 13:30:21 2019
  test                                N        0  Fri Sep 25 17:38:55 2020

                36678148 blocks of size 1024. 30422640 blocks available
smb: \> mget test
Get file test? y
getting file \test of size 0 as test (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
[root@localhost ~]# ll . | grep test
-rw-r--r--. 1 root root 0 Sep 25 17:43 test
```
Mount the user's home directory. This needs the cifs-utils package on the client. Passing password= on the command line leaves the password in the process list and in the shell history; a credentials= file with mode 0600 is the proper form. The mounted file appears as root-owned with mode 755 because, without uid=, gid= and file_mode= options, the kernel client shows every object with the mounting user's identity and a default mode; the server still enforces xiaoming's real permissions:

```shell
[root@localhost ~]# mkdir /share/xiaoming -pv
mkdir: created directory '/share'
mkdir: created directory '/share/xiaoming'
[root@localhost ~]# mount //192.168.14.131/xiaoming /share/xiaoming -o username=xiaoming,password=redhat
[root@localhost ~]# df -h
Filesystem                 Size  Used Avail Use% Mounted on
//192.168.14.131/xiaoming   35G  6.0G   30G  18% /share/xiaoming
[root@localhost ~]# ll /share/xiaoming/
total 0
-rwxr-xr-x. 1 root root 0 Sep 25 17:38 test
```
(2) Share a custom directory

Requirement: share the directory /zxc; anyone may browse the files in it and create files, but may delete only the files they created themselves, not other users' files;

Server configuration. chmod o=rwx by itself does not meet the requirement: deleting a file is governed by write permission on the directory, not on the file, so with a world-writable directory everyone can delete everyone else's files. The "only your own files" rule needs the sticky bit on the directory, exactly as on /tmp:

```shell
[root@localhost ~]# vim /etc/samba/smb.conf
[public]
        path = /zxc
        browseable = yes
        writeable = yes
[root@localhost ~]# mkdir /zxc
[root@localhost ~]# chmod o=rwx /zxc/
[root@localhost ~]# systemctl restart smb nmb
```
Client configuration

```shell
[root@localhost ~]# smbclient //192.168.14.131/public -U xiaoming
Enter WORK\xiaoming's password: redhat
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Sep 25 18:12:55 2020
  ..                                  D        0  Fri Sep 25 18:10:07 2020
  111.txt                             N        4  Fri Sep 25 18:12:55 2020

                36678148 blocks of size 1024. 30421624 blocks available
smb: \> mget 111.txt
Get file 111.txt? y
getting file \111.txt of size 4 as 111.txt (3.9 KiloBytes/sec) (average 3.9 KiloBytes/sec)
smb: \> exit
[root@localhost ~]# ll | grep 111
-rw-r--r--. 1 root root 4 Sep 25 18:15 111.txt
[root@localhost ~]# pwd
/root
```
Mount the public share (the mount point /share/zxc has to exist on the client first):

```shell
[root@localhost ~]# mount //192.168.14.131/public /share/zxc/ -o username=xiaoming,password=redhat
[root@localhost ~]# df -h
Filesystem                 Size  Used Avail Use% Mounted on
//192.168.14.131/xiaoming   35G  6.0G   30G  18% /share/xiaoming
//192.168.14.131/public     35G  6.0G   30G  18% /share/zxc
[root@localhost ~]# ll /share/zxc/
total 4
-rwxr-xr-x. 1 root root 4 Sep 25 18:12 111.txt
```
(3) Share a custom directory with a single writer

Requirement: the Samba server is a member of the workgroup work; the shared directory is /test111 and the share name is test222. Every Samba user can read it, but only the user aaa can write to it;

Server configuration. read only defaults to yes, so the share is read-only for everyone and write list = aaa is the single exception; "everyone" means every authenticated Samba user, since no guest access is configured. Because aaa writes through smbd as the UNIX user aaa, the directory has to be writable by aaa at the file-system level too. chmod o=rwx achieves that, but it also lets every local user on the server write there, although the share only permits aaa over SMB; a cleaner setup gives the directory to aaa (or to a dedicated group) and keeps it non-world-writable, so both layers enforce the same rule:

```shell
[root@localhost ~]# vim /etc/samba/smb.conf
[test222]
        comment = test111
        path = /test111
        browseable = yes
        write list = aaa
[root@localhost ~]# mkdir /test111
[root@localhost ~]# chmod o=rwx /test111/
[root@localhost ~]# echo this is test > /test111/test111
[root@localhost ~]# systemctl restart smb nmb
[root@localhost ~]# useradd aaa
[root@localhost ~]# smbpasswd -a aaa
New SMB password:redhat
Retype new SMB password:redhat
Added user aaa.
```
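For requirements (2) and (3), an added example (not code from this page) of how to set the on-disk directory behind a share so that the file system enforces the same rule as the share definition: the sticky bit for the directory everyone may write to, and a group-writable, non-world-writable mode for the directory only aaa may write to, with a check that flags the world-writable-without-sticky-bit state that chmod o=rwx produces. It runs in a temporary directory; the zxc and test111 names are reused from the page only as sub-directory names, and the 2775 mode is my choice.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: prepare the on-disk directory
# behind a share so the file system enforces the same policy as the share
# definition. Works in a temporary directory; /zxc and /test111 from the page
# appear here only as sub-directory names.
set -eu

# Create (or reuse) a directory, apply the mode, and print the resulting octal mode.
prepare_share_dir() {   # prepare_share_dir <path> <mode>
  mkdir -p "$1"
  chmod "$2" "$1"
  stat -c '%a' "$1"
}

# Succeed (exit 0) when a directory is writable by everyone but carries no
# sticky bit: anyone can then delete anyone else's files, because unlink is
# governed by write permission on the directory, not on the file.
unsafe_shared_dir() {   # unsafe_shared_dir <path>
  mode=$(printf '%d' "0$(stat -c '%a' "$1")")        # octal string -> decimal
  [ $(( mode & 2 )) -ne 0 ] && [ $(( mode & 512 )) -eq 0 ]   # 2 = o+w, 512 = sticky (01000)
}

ROOT=$(mktemp -d)

# Requirement (2): everyone may create files but remove only their own -> 1777.
prepare_share_dir "$ROOT/zxc" 1777

# Requirement (3): only aaa writes. Owner- and group-writable, setgid so new
# files inherit the group, not world-writable; in production chown it to aaa
# (or a share group) so local users get the same answer as SMB clients.
prepare_share_dir "$ROOT/test111" 2775

# What the page's chmod o=rwx on a fresh 755 directory actually yields: 757,
# world-writable and without the sticky bit.
prepare_share_dir "$ROOT/raw" 757
if unsafe_shared_dir "$ROOT/raw"; then
  echo "$ROOT/raw: world-writable without sticky bit, anyone can delete anyone's files"
fi
```

The same test is worth running over every path named in smb.conf: a share that is read-only in Samba but world-writable on disk is still writable for any local account, including the nobody guest account if map to guest is ever switched on.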
Client configuration. aaa can create a directory; xiaoming, who is not on the write list, is refused with NT_STATUS_ACCESS_DENIED:

```shell
[root@localhost ~]# smbclient //192.168.14.131/test222 -U aaa
Enter WORK\aaa's password:
Try "help" to get a list of possible commands.
smb: \> mkdir test222
smb: \> ls
  .                                   D        0  Fri Sep 25 18:35:25 2020
  ..                                  D        0  Fri Sep 25 18:30:04 2020
  test111                             N       13  Fri Sep 25 18:30:56 2020
  test222                             D        0  Fri Sep 25 18:35:25 2020

                36678148 blocks of size 1024. 30403056 blocks available
[root@localhost ~]# smbclient //192.168.14.131/test222 -U xiaoming
Enter WORK\xiaoming's password:
Try "help" to get a list of possible commands.
smb: \> mkdir test333
NT_STATUS_ACCESS_DENIED making remote directory \test333
```
(4) Multi-user mount

Requirement: mount the share from (3) on the client, authenticating the mount as xiaoming, and let the local user bbb obtain write access with credentials of its own;

With the multiuser option, the credentials in fstab are used only to establish the mount and for root's own accesses; every other local user gets a separate SMB session with the credentials it has stored in its kernel session keyring with cifscreds add, so the server must have a Samba account with that user's name, and that account must be on the share's write list for writes to succeed. Two caveats about the entry as written: /etc/fstab is world-readable, so password= there discloses the password to every local user (use a credentials= file with mode 0600 instead), and the mount point named in fstab has to exist on the client before mount -a:

```shell
[root@localhost ~]# dnf install -y cifs-utils
Complete!
[root@localhost ~]# vim /etc/fstab
//192.168.14.131/test222 /test111 cifs defaults,multiuser,username=xiaoming,password=redhat,sec=ntlmssp 0 0
[root@localhost ~]# mkdir /share/test111
[root@localhost ~]# mount -a
[root@localhost ~]# df -h
Filesystem                 Size  Used Avail Use% Mounted on
//192.168.14.131/xiaoming   35G  6.0G   29G  18% /share/xiaoming
//192.168.14.131/public     35G  6.0G   29G  18% /share/zxc
//192.168.14.131/test222    35G  6.0G   29G  18% /test111
[root@localhost test111]# touch test333
touch: cannot touch 'test333': Permission denied
[root@localhost test111]# useradd bbb
[root@localhost test111]# su bbb
[bbb@localhost test111]$ touch test333
touch: cannot touch 'test333': Permission denied
[bbb@localhost test111]$ cifscreds add 192.168.14.131
Password: redhat
```
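An added example, not from the page, of the safer form of the fstab entry in (4): the password goes into a root-only credentials file and fstab references it. The user, password, server and share are the page's lab values; the function names, the credentials file location and the extra _netdev and nofail options are my choices, and the file is written under a temporary directory here rather than in /root.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: keep the CIFS password out of
# /etc/fstab (world-readable), off the mount command line (visible in ps) and
# out of shell history by using a root-only credentials file. The user name,
# password and server are the page's lab values; the file lives in a
# temporary directory for this example.
set -eu

# Write a mount.cifs credentials file readable by its owner only and print its mode.
write_cifs_credentials() {   # write_cifs_credentials <file> <user> <password> [domain]
  ( umask 077
    printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1"
    [ -z "${4:-}" ] || printf 'domain=%s\n' "$4" >> "$1" )
  stat -c '%a' "$1"
}

# Build the /etc/fstab entry: credentials= replaces username=/password=,
# multiuser gives each local user its own SMB session (credentials added with
# cifscreds), _netdev waits for the network, nofail keeps boot going if the
# server is unreachable.
fstab_line() {   # fstab_line <//server/share> <mountpoint> <credentials-file>
  printf '%s %s cifs credentials=%s,multiuser,sec=ntlmssp,_netdev,nofail 0 0\n' "$1" "$2" "$3"
}

CRED_DIR=$(mktemp -d)
CRED_FILE="$CRED_DIR/smb-test222.cred"
write_cifs_credentials "$CRED_FILE" xiaoming redhat WORK     # prints 600
fstab_line //192.168.14.131/test222 /test111 "$CRED_FILE"
```

Other local users then run cifscreds add 192.168.14.131 (or cifscreds add -u name 192.168.14.131 to present a different Samba account) in their own login session; the key lives in that session's keyring and is gone at logout, which is what makes multiuser safer than a shared mount credential.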