A step-by-step guide to configuring and managing a Samba server

On Linux, Samba is probably the service you hear about most. What is Samba? It is a bridge connecting Linux and Windows: thanks to Samba, Linux and Windows machines can communicate with each other.

1. The workflow of Samba server configuration

After the Samba service is installed, Windows or Linux clients cannot access the Samba server right away. We must first set up the server, telling it which directories to share for client access.

The basic procedure for setting up a Samba server consists of four main steps:

(1) Edit the main configuration file smb.conf, specify the directory to be shared, and set the sharing permissions for the shared directory.

(2) Specify the log file name and storage path in the smb.conf file.

(3) Set the local system permissions of the shared directory

(4) Reload the configuration file or restart the SMB service to make the configuration take effect.

1.1 Samba workflow

1. The client requests to access the common directory on the Samba server

2. After receiving the request, the Samba server will query the main configuration file smb.conf to see if the share directory is shared. If it is shared, it will query whether the client has permission to access it.

3. The Samba server will record the access information in the log, and the name and path of the log file need to be set by us.

4. If the client meets the access authority settings, the client is allowed to access.

2. Interpret the main configuration file smb.conf

Samba's configuration files are generally placed in the /etc/samba directory. The main configuration file is named smb.conf. If the Samba server is likened to a library, then smb.conf is the library's general catalog: it records a large amount of sharing information and rules, and is the core of the Samba server.

2.1 Global Settings

Global settings are made in the global variable area. Anything set in the [global] section takes effect for all shared resources. This is very similar to many server configurations that we will learn later.

The section starts with [Global]

[global]
        # Set the workgroup or domain name
        workgroup = SAMBA
        # Set the security mode
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

Common [global] fields and how to set them are as follows:

(1) Set the workgroup or domain name

A workgroup is a group of computers with equal status in the network. You can set the workgroup or domain name of the Samba server by setting the workgroup field.

(2) Set the Samba server security mode

The Samba server has five security modes: share, user, server, domain and ads.

1. Share security level mode. When the client logs in to the Samba server, it can browse the resources of the Samba server without entering a user name and password. It is suitable for public resource sharing and has poor security, so it needs to be combined with other permission settings to ensure the security of the Samba server.

2. User security level mode. When the client logs in to the Samba server, it needs to enter the specified user name and password to browse the resources of the Samba server. The server defaults to this level mode.

3. Server security level mode. The client needs to submit the user name and password to a designated Samba server for verification. If there is an error in the verification, the client will use user level access.

4. Domain security level mode. If the Samba server is added to the Windows domain environment, the Windows domain will be responsible for the verification work. The domain-level Samba server is a member client of the domain and does not have the characteristics of a server.

2.2 Client Access Control

For the security of the Samba server, you can use the valid users field to control access per user, but if the enterprise is large and has many users, this method becomes troublesome to operate. In that case we can use the hosts allow and hosts deny fields to control access by client instead.

Use of hosts allow and hosts deny fields

The hosts allow field defines the clients that are allowed access.
The hosts deny field defines the clients that are denied access.

There is a directory named /share in the Samba server. The directory needs to be published as a shared directory, and the name of the shared directory is defined as public.

3. The most commonly used fields

(1) Set the share name .
After the shared resource is published, a different shared name must be set for each shared directory, which is used for access by network users, and the shared name can be different from the original directory name.

Format:
[share name]

(2) Shared resource description .
There are various shared resources in the network. In order to facilitate user identification, you can add remark information to them, so that users can know what the content of shared resources is when viewing.

comment = remark text

(3) Shared resource path .
The original full path of the shared resource can be published using the path field, which must be specified correctly.

path = absolute path of the resource

(4) Set anonymous access .
This sets whether anonymous access to the shared resource is allowed.

# Allow anonymous access
public = yes
# Do not allow anonymous access
public = no

(5) Set the access user .

If there is important data in the shared resource, the access user needs to be audited, and we can use the valid users field to set it.

valid users = username
valid users = @group name
valid users = @group name,username

Example: The shared file of the samba server is the /share/tech directory, only the group tech and the user manager are allowed to access

# The comment line is optional
comment = users
path=/share/tech
valid users = @tech,manager

(6) Set the directory to be read-only .

If the shared directory restricts the user's read and write operations, we can implement it through read only.

# Read-only
read only = yes
# Read-write
read only = no

Example: The public directory /public of the samba server stores a large amount of shared data. To ensure the security of the directory, we only allow reading and prohibit writing.

comment = public
path = /public
public = yes
read only = yes

(7) Set the directory to be writable

If the shared directory allows users to write, you can use the two fields writable or write list to set.

# Read-write
writable = yes
# Read-only
writable = no

write list

write list = username
write list = @group name

4. Samba service password file

After the Samba server publishes the shared resources, a client accessing the Samba server must submit a user name and password for authentication, and can log in only if verification succeeds. To implement client authentication, the Samba server stores user names and passwords in /etc/samba/smbpasswd. When a client connects, the server compares the information submitted by the user with the information stored in smbpasswd, and if they match, the connection between the client and the Samba server is established successfully.

So how do we create a Samba account? First, we need to create a system account, such as toto.

After the creation is complete, we use the following command to create an account in the samba service

useradd toto          # create the system account
passwd toto           # set its password
smbpasswd -a toto     # create the Samba service account

5. Share server instance analysis

Below we show how to configure the Samba server, working through a project example along the way.

A company needs to add a Samba server as a file server. The shared directory is /share, the share name is public, and this shared directory allows all employees to access it.

Analysis: This shared directory allows all employees to access it. Because we don't know how many employees the company has, for ease of management we use anonymous access directly, which is much simpler.

  1. Create a share directory and create a test file under it

    mkdir /share
    touch /share/toto
    
  2. Modify the samba main configuration file smb.conf

    [global]
            workgroup = SAMBA
            security = user
            map to guest = bad user
            guest ok = yes
    [public]
            path = /share
            browseable = yes
            public = yes
    
  3. Change the owner and permissions of the /share directory

    [root@localhost ~]# mkdir /share
    [root@localhost ~]# chmod 777 /share/
    [root@localhost ~]# chown nobody:nobody /share
    
  4. Restart the services to reload the configuration file

    [root@localhost ~]# systemctl restart smb nmb
    
  5. Turn off the firewall and disable SELinux enforcement

    [root@localhost ~]# systemctl stop firewalld
    [root@localhost ~]# setenforce 0
    
  6. Through the above settings, the user can directly log in to the samba server and access the directory public without entering an account and password.
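
The configuration above opens the share to guests, and the hosts allow field from section 2.2 is the page's tool for narrowing who can reach it. The following Python script is an added example, not code from the original article: it parses smb.conf text and reports where guest access is open. The function names, the [tech] share and the 192.168.1. prefix are assumptions made for the illustration.

```python
import re

TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised parameter names."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif section and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            key = "guest ok" if key == "public" else key    # synonym
            if key in ("writable", "writeable"):            # inverse of "read only"
                key, value = "read only", "no" if value.lower() in TRUE else "yes"
            conf[section][key] = value
    return conf

def audit(text):
    """List (section, finding) pairs describing guest exposure."""
    conf = parse_smb_conf(text)
    defaults = conf.pop("global", {})
    findings = []
    if defaults.get("map to guest", "never").lower() == "bad user":
        findings.append(("global", "unknown users are mapped to guest"))
    for name, share in conf.items():
        eff = {**defaults, **share}      # [global] values are share defaults
        if eff.get("guest ok", "no").lower() not in TRUE:
            continue
        if eff.get("read only", "yes").lower() not in TRUE:
            findings.append((name, "guest can write"))
        if "hosts allow" not in eff:
            findings.append((name, "guest access from any host"))
    return findings

# Constructed sample: [global]/[public] as in the walkthrough; [tech] is hypothetical.
SAMPLE = """
[global]
map to guest = bad user
guest ok = yes
[public]
public = yes
[tech]
guest ok = no
hosts allow = 192.168.1.
"""
print(audit(SAMPLE))
```

For the sample, the script reports the map to guest setting and the [public] share. [tech] is skipped because it overrides the guest ok default that every share otherwise inherits from [global].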

6. Configuration of samba server client

Windows clients and Linux clients log in to the Samba server using different methods.

6.1 Linux client accesses Samba server

Use the smbclient command

Before using smbclient, make sure the samba-client package is installed.

yum install -y samba-client

smbclient can list the target host shared directory list. The format is as follows:

smbclient -L target IP address -U login username

When we list the shares on the host with the IP address 172.168.1.1 without entering a user, we see the following content, which is the list of shared directories that anonymous users can see.

[root@localhost ~]# smbclient -L 172.168.1.1
Enter SAMBA\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        public          Disk      
        IPC$            IPC       IPC Service (Samba 4.10.16)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        SAMBA                LOCALHOST

We can also use the smbclient command line share access mode to browse shared data.

smbclient command line shared access mode command format:

smbclient //target IP address or hostname/shared directory -U username%password

Example: When the shared directory of the samba server is public and user toto can log in

smbclient //172.168.1.1/public -U toto%123456

Example: When the shared directory of the samba server is public and anonymous users can log in

[root@localhost ~]# smbclient //172.168.1.1/public 
Enter SAMBA\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue May 30 08:56:31 2023
  ..                                  D        0  Tue May 30 08:50:38 2023
  toto                                D        0  Tue May 30 08:56:31 2023

                17811456 blocks of size 1024. 15658328 blocks available

6.2 Use Windows client to access Samba shared directory

There are many ways for windows client to access the samba shared directory, here are two of them:

1. First, we press and hold the win+R key, and then enter the following

Click OK, we can log in to the samba server directly

Method 2. Open This Computer or any folder, then click This Computer.

Locate the mapped network drive.

Click and enter the ip address and shared directory of the samba server

Finally, we can log in to the samba server.

Origin blog.csdn.net/2201_75288693/article/details/130941304