# Linux 搭建 Samba 服务器 Samba 主要提供三个服务器工具:smbd、nmbd、smbpasswd。smb 是 Samba 的主要启动服务器,用于实现共享服务;nmbd 是名称服务器,不开启 nmbd 的情况下只能通过 ip 地址来访问 samba 服务器,如果开启了 nmbd 则可以通过 netbios name 来访问 samba 服务;smbpasswd 用来设置访问 samba 服务的账户名和密码。 smbd 的运行依赖于 /etc/samba/smb.conf 配置文件,这个是 smbd 的默认配置文件。访问 samba 服务需要账户名和密码,这个通过 smbpasswd 来设置。 ## SELinux SELinux 开启的状态下会影响其他系统对 Samba 服务器的访问,可能造成 Windows 或 Android 系统的 Samba 客户端无法访问服务器(错误提示内容类似于没有授权之类),可以关闭 SELinux 或正确设置 SELinux。临时关闭 SELinux 的方法如下: ```sh setenforce 0 ``` 此时查看 SeLinux 状态 ```sh sestatus Current mode: permissive ``` 永久关闭 SeLinux(需要重启)需要修改 /etc/selinux/config 文件: ```sh # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. # SELINUX=enforcing SELINUX=disabled # SELINUXTYPE= can take one of three two values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted ``` ## 安装 Samba ```sh # Ubuntu apt-get install samba samba-common ``` ## 创建配置文件 在 /etc/samba 下备份 smb.conf 文件,并向其添加如下内容(如果没有则 touch 一个): ```sh [global] security = user guest account = nobody map to guest = bad password [NAME] available = yes browseable = yes path = /YOUPATH public = yes writable = yes create mask = 0777 sync always = yes ``` 其中 NAME 为共享时虚拟的文件夹名,YOUPATH 为共享文件夹的路径。security 可以设置成 share 或 user 等,share 方式访问时不需要账户密码。 ## 分配账户和密码 在 shell 中输入如下命令为 samba 服务分配账户和密码 ```sh sudo smbpasswd -a # 然后按提示输入密码并确认 # 必须是已存在的 Linux 用户 sudo smbpasswd -e ``` 分配好后,就可以使用该账户和密码远程访问 samba 服务了。 **因此需要记牢该账户和密码。** 如果忘记了已经分配过哪些 samba 账户,则可以通过 pdbedit 列出已添加的 samba 用户(pdbedit 还可以编辑 samba 的用户数据库),用法如下: ```sh pdbedit -L ``` ## 开启 Samba 服务 通过 systemctl 开启 samba 服务命令如下: ```sh # Arch Linux systemctl enable smb.service systemctl start smb.service # Ubuntu systemctl enable smbd.service systemctl start smbd.service ``` 必要时需关闭防火墙,或设置防火墙规则。如果修改了 samba 配置信息,则需要重启 samba 服务: ```sh systemctl restart smb.service ``` ## 远程访问 可在 Linux 系统或 Windows 系统下远程访问 Samba 服务。 ### Linux 客户端 在 Nautilus 文件浏览器右侧选择“Other Locations”,下方出现“Connect to Server”,然后输入: ```sh smb:// ``` 之后按提示输入通过 smbpasswd 设置的用户名和密码。 ### Windows 客户端 进入“控制面板->卸载或更改程序->启用或关闭 Windows 功能“,勾选“SMB 1.0/CIFS File Sharing Support”,确定。 进入“控制面板->网络和 Internet->网络和共享中心->高级共享设置“,启用网络发现,启用文件和打印机共享。如果不能开启“网络发现”功能,请参考[《Win10 无法开启网络发现功能》](../../OperatingSystem/Windows/Windows10/Win10_无法开启网络发现功能.md)。最后将“密码保护的共享”修改为“无密码保护的共享”。 单击”开始->运行”,输入“gpedit.msc”,打开“组策略编辑器”,将“计算机配置->管理模板->网络->Lanman 工作站->启用不安全的来宾登录”配置为已启用。 单击”开始->运行”,输入“secpol.msc”,打开“本地安全策略”,在本地安全策略窗口中依次打开“本地策略->安全选项”,然后再右侧的列表中找到“网络安全:LAN 管理器身份验证级别”,把这个选项的值改为“发送 LM 和 NTLM – 如果已协商,则使用 NTLMv2 会话安全”或“仅发送NTLMv2响应,拒绝LM和NTLM”,确定。本路径下再找到“网络访问:本地账户的共享和安全模型”打开,选择“经典 – 对本地用户进行身份验证,不改变其本来身份”,确定。 重启系统。 右击“网络->映射网络驱动器”,或右键“新建快捷方式->键入对象的位置”,或在 Windows 资源管理器地址栏里输入: ```sh \\\[share name] ``` 之后按提示输入用户和密码就可以访问了。 ## smb.conf.example 以下截取自 Centos 7 的 samba 配置文件: ```sh # This is the main Samba configuration file. For detailed information about the # options listed here, refer to the smb.conf(5) manual page. Samba has a huge # number of configurable options, most of which are not shown in this example. # # The Samba Wiki contains a lot of step-by-step guides installing, configuring, # and using Samba: # https://wiki.samba.org/index.php/User_Documentation # # In this file, lines starting with a semicolon (;) or a hash (#) are # comments and are ignored. This file uses hashes to denote commentary and # semicolons for parts of the file you may wish to configure. # # NOTE: Run the "testparm" command after modifying this file to check for basic # syntax errors. # #--------------- # Security-Enhanced Linux (SELinux) Notes: # # Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the # useradd and groupadd family of binaries. Run the following command as the # root user to turn this Boolean on: # setsebool -P samba_domain_controller on # # Turn the samba_enable_home_dirs Boolean on if you want to share home # directories via Samba. Run the following command as the root user to turn this # Boolean on: # setsebool -P samba_enable_home_dirs on # # If you create a new directory, such as a new top-level directory, label it # with samba_share_t so that SELinux allows Samba to read and write to it. Do # not label system directories, such as /etc/ and /home/, with samba_share_t, as # such directories should already have an SELinux label. # # Run the "ls -ldZ /path/to/directory" command to view the current SELinux # label for a given directory. # # Set SELinux labels only on files and directories you have created. Use the # chcon command to temporarily change a label: # chcon -t samba_share_t /path/to/directory # # Changes made via chcon are lost when the file system is relabeled or commands # such as restorecon are run. # # Use the samba_export_all_ro or samba_export_all_rw Boolean to share system # directories. To share such directories and only allow read-only permissions: # setsebool -P samba_export_all_ro on # To share such directories and allow read and write permissions: # setsebool -P samba_export_all_rw on # # To run scripts (preexec/root prexec/print command/...), copy them to the # /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them. # Note that if you move the scripts to /var/lib/samba/scripts/, they retain # their existing SELinux labels, which may be labels that SELinux does not allow # smbd to run. Copying the scripts will result in the correct SELinux labels. # Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to # apply the correct SELinux labels to these files. # #-------------- # #======================= Global Settings ===================================== [global] # ----------------------- Network-Related Options ------------------------- # # workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP. # # server string = the equivalent of the Windows NT Description field. # # netbios name = used to specify a server name that is not tied to the hostname, # maximum is 15 characters. # # interfaces = used to configure Samba to listen on multiple network interfaces. # If you have multiple interfaces, you can use the "interfaces =" option to # configure which of those interfaces Samba listens on. Never omit the localhost # interface (lo). # # hosts allow = the hosts allowed to connect. This option can also be used on a # per-share basis. # # hosts deny = the hosts not allowed to connect. This option can also be used on # a per-share basis. # workgroup = MYGROUP server string = Samba Server Version %v ;netbios name = MYSERVER ;interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 ;hosts allow = 127. 192.168.12. 192.168.13. # --------------------------- Logging Options ----------------------------- # # log file = specify where log files are written to and how they are split. # # max log size = specify the maximum size log files are allowed to reach. Log # files are rotated when they reach the size specified with "max log size". # # log files split per-machine: log file = /var/log/samba/log.%m # maximum size of 50KB per log file, then rotate: max log size = 50 # ----------------------- Standalone Server Options ------------------------ # # security = the mode Samba runs in. This can be set to user, share # (deprecated), or server (deprecated). # # passdb backend = the backend used to store user information in. New # installations should use either tdbsam or ldapsam. No additional configuration # is required for tdbsam. The "smbpasswd" utility is available for backwards # compatibility. # security = user passdb backend = tdbsam # ----------------------- Domain Members Options ------------------------ # # security = must be set to domain or ads. # # passdb backend = the backend used to store user information in. New # installations should use either tdbsam or ldapsam. No additional configuration # is required for tdbsam. The "smbpasswd" utility is available for backwards # compatibility. # # realm = only use the realm option when the "security = ads" option is set. # The realm option specifies the Active Directory realm the host is a part of. # # password server = only use this option when the "security = server" # option is set, or if you cannot use DNS to locate a Domain Controller. The # argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]: # # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name] # # Use "password server = *" to automatically locate Domain Controllers. ;security = domain ;passdb backend = tdbsam ;realm = MY_REALM ;password server = # ----------------------- Domain Controller Options ------------------------ # # security = must be set to user for domain controllers. # # passdb backend = the backend used to store user information in. New # installations should use either tdbsam or ldapsam. No additional configuration # is required for tdbsam. The "smbpasswd" utility is available for backwards # compatibility. # # domain master = specifies Samba to be the Domain Master Browser, allowing # Samba to collate browse lists between subnets. Do not use the "domain master" # option if you already have a Windows NT domain controller performing this task. # # domain logons = allows Samba to provide a network logon service for Windows # workstations. # # logon script = specifies a script to run at login time on the client. These # scripts must be provided in a share named NETLOGON. # # logon path = specifies (with a UNC path) where user profiles are stored. # # ;security = user ;passdb backend = tdbsam ;domain master = yes ;domain logons = yes # the following login script name is determined by the machine name # (%m): ;logon script = %m.bat # the following login script name is determined by the UNIX user used: ;logon script = %u.bat ;logon path = \\%L\Profiles\%u # use an empty path to disable profile support: ;logon path = # various scripts can be used on a domain controller or a stand-alone # machine to add or delete corresponding UNIX accounts: ;add user script = /usr/sbin/useradd "%u" -n -g users ;add group script = /usr/sbin/groupadd "%g" ;add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u" ;delete user script = /usr/sbin/userdel "%u" ;delete user from group script = /usr/sbin/userdel "%u" "%g" ;delete group script = /usr/sbin/groupdel "%g" # ----------------------- Browser Control Options ---------------------------- # # local master = when set to no, Samba does not become the master browser on # your network. When set to yes, normal election rules apply. # # os level = determines the precedence the server has in master browser # elections. The default value should be reasonable. # # preferred master = when set to yes, Samba forces a local browser election at # start up (and gives itself a slightly higher chance of winning the election). # ;local master = no ;os level = 33 ;preferred master = yes #----------------------------- Name Resolution ------------------------------- # # This section details the support for the Windows Internet Name Service (WINS). # # Note: Samba can be either a WINS server or a WINS client, but not both. # # wins support = when set to yes, the NMBD component of Samba enables its WINS # server. # # wins server = tells the NMBD component of Samba to be a WINS client. # # wins proxy = when set to yes, Samba answers name resolution queries on behalf # of a non WINS capable client. For this to work, there must be at least one # WINS server on the network. The default is no. # # dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS # nslookups. ;wins support = yes ;wins server = w.x.y.z ;wins proxy = yes ;dns proxy = yes # --------------------------- Printing Options ----------------------------- # # The options in this section allow you to configure a non-default printing # system. # # load printers = when set you yes, the list of printers is automatically # loaded, rather than setting them up individually. # # cups options = allows you to pass options to the CUPS library. Setting this # option to raw, for example, allows you to use drivers on your Windows clients. # # printcap name = used to specify an alternative printcap file. # load printers = yes cups options = raw ;printcap name = /etc/printcap # obtain a list of printers automatically on UNIX System V systems: ;printcap name = lpstat ;printing = cups # --------------------------- File System Options --------------------------- # # The options in this section can be un-commented if the file system supports # extended attributes, and those attributes are enabled (usually via the # "user_xattr" mount option). These options allow the administrator to specify # that DOS attributes are stored in extended attributes and also make sure that # Samba does not change the permission bits. # # Note: These options can be used on a per-share basis. Setting them globally # (in the [global] section) makes them the default for all shares. ;map archive = no ;map hidden = no ;map read only = no ;map system = no ;store dos attributes = yes #============================ Share Definitions ============================== [homes] comment = Home Directories browseable = no writable = yes ;valid users = %S ;valid users = MYDOMAIN\%S [printers] comment = All Printers path = /var/spool/samba browseable = no guest ok = no writable = no printable = yes # Un-comment the following and create the netlogon directory for Domain Logons: ;[netlogon] ;comment = Network Logon Service ;path = /var/lib/samba/netlogon ;guest ok = yes ;writable = no ;share modes = no # Un-comment the following to provide a specific roaming profile share. # The default is to use the user's home directory: ;[Profiles] ;path = /var/lib/samba/profiles ;browseable = no ;guest ok = yes # A publicly accessible directory that is read only, except for users in the # "staff" group (which have write permissions): ;[public] ;comment = Public Stuff ;path = /home/samba ;public = yes ;writable = no ;printable = no ;write list = +staff ```