NotePublic/Software/Application/Samba/Linux_搭建_Samba_服务器.md

447 lines
16 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Linux 搭建 Samba 服务器
Samba 主要提供三个服务器工具smbd、nmbd、smbpasswd。smb 是 Samba 的主要启动服务器用于实现共享服务nmbd 是名称服务器,不开启 nmbd 的情况下只能通过 ip 地址来访问 samba 服务器,如果开启了 nmbd 则可以通过 netbios name 来访问 samba 服务smbpasswd 用来设置访问 samba 服务的账户名和密码。
smbd 的运行依赖于 /etc/samba/smb.conf 配置文件,这个是 smbd 的默认配置文件。访问 samba 服务需要账户名和密码,这个通过 smbpasswd 来设置。
## SELinux
SELinux 开启的状态下会影响其他系统对 Samba 服务器的访问,可能造成 Windows 或 Android 系统的 Samba 客户端无法访问服务器(错误提示内容类似于没有授权之类),可以关闭 SELinux 或正确设置 SELinux。临时关闭 SELinux 的方法如下:
```sh
setenforce 0
```
此时查看 SeLinux 状态
```sh
sestatus
Current mode: permissive
```
永久关闭 SeLinux需要重启需要修改 /etc/selinux/config 文件:
```sh
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
```
## 创建配置文件
在 /etc/samba 下创建 smb.conf 文件,编写内容如下:
```sh
[global]
security = user
guest account = nobody
map to guest = bad password
[NAME]
available = yes
browseable = yes
path = /YOUPATH
public = yes
writable = yes
create mask = 0777
sync always = yes
```
其中 NAME 为共享时虚拟的文件夹名YOUPATH 为共享文件夹的路径。security 可以设置成 share 或 user 等share 方式访问时不需要账户密码。
## 分配账户和密码
在 shell 中输入如下命令为 samba 服务分配账户和密码
```sh
smbpasswd -a <user name>
# 然后按提示输入密码并确认
# <user name> 必须是已存在的 Linux 用户
```
分配好后,就可以使用该账户和密码远程访问 samba 服务了。
**因此需要记牢该账户和密码。**
如果忘记了已经分配过哪些 samba 账户,则可以通过 pdbedit 列出已添加的 samba 用户pdbedit 还可以编辑 samba 的用户数据库),用法如下:
```sh
pdbedit -L
```
## 开启 Samba 服务
通过 systemctl 开启 samba 服务命令如下:
```sh
systemctl enable smb.service
systemctl start smb.service
```
必要时需关闭防火墙,或设置防火墙规则。如果修改了 samba 配置信息,则需要重启 samba 服务:
```sh
systemctl restart smb.service
```
## 远程访问
可在 Linux 系统或 Windows 系统下远程访问 Samba 服务。
### Linux 客户端
在 Nautilus 文件浏览器右侧选择“Other Locations”下方出现“Connect to Server”然后输入
```sh
smb://<IP or host name>
```
之后按提示输入通过 smbpasswd 设置的用户名和密码。
### Windows 客户端
进入“控制面板->卸载或更改程序->启用或关闭 Windows 功能“勾选“SMB 1.0/CIFS File Sharing Support”确定。
进入“控制面板->网络和 Internet->网络和共享中心->高级共享设置“,启用网络发现,启用文件和打印机共享。如果不能开启“网络发现”功能,请参考[《Win10 无法开启网络发现功能》](../../OperatingSystem/Windows/Windows10/Win10_无法开启网络发现功能.md)
单击”开始->运行”输入“gpedit.msc”打开“组策略编辑器”将“计算机配置->管理模板->网络->Lanman 工作站->启用不安全的来宾登录”配置为已启用。
单击”开始->运行”输入“secpol.msc”打开“本地安全策略”在本地安全策略窗口中依次打开“本地策略->安全选项”然后再右侧的列表中找到“网络安全LAN 管理器身份验证级别”,把这个选项的值改为“发送 LM 和 NTLM 如果已协商,则使用 NTLMv2 会话安全”,最后确定,重启。
右击“网络->映射网络驱动器”,或右键“新建快捷方式->键入对象的位置”,或在 Windows 资源管理器地址栏里输入:
```sh
\\<IP or host name>\[share name]
```
之后按提示输入用户和密码就可以访问了。
## smb.conf.example
以下截取自 Centos 7 的 samba 配置文件:
```sh
# This is the main Samba configuration file. For detailed information about the
# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
# number of configurable options, most of which are not shown in this example.
#
# The Samba Wiki contains a lot of step-by-step guides installing, configuring,
# and using Samba:
# https://wiki.samba.org/index.php/User_Documentation
#
# In this file, lines starting with a semicolon (;) or a hash (#) are
# comments and are ignored. This file uses hashes to denote commentary and
# semicolons for parts of the file you may wish to configure.
#
# NOTE: Run the "testparm" command after modifying this file to check for basic
# syntax errors.
#
#---------------
# Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the
# useradd and groupadd family of binaries. Run the following command as the
# root user to turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.
#
#--------------
#
#======================= Global Settings =====================================
[global]
# ----------------------- Network-Related Options -------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description field.
#
# netbios name = used to specify a server name that is not tied to the hostname,
# maximum is 15 characters.
#
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the "interfaces =" option to
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
#
workgroup = MYGROUP
server string = Samba Server Version %v
;netbios name = MYSERVER
;interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;hosts allow = 127. 192.168.12. 192.168.13.
# --------------------------- Logging Options -----------------------------
#
# log file = specify where log files are written to and how they are split.
#
# max log size = specify the maximum size log files are allowed to reach. Log
# files are rotated when they reach the size specified with "max log size".
#
# log files split per-machine:
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50
# ----------------------- Standalone Server Options ------------------------
#
# security = the mode Samba runs in. This can be set to user, share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
security = user
passdb backend = tdbsam
# ----------------------- Domain Members Options ------------------------
#
# security = must be set to domain or ads.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# realm = only use the realm option when the "security = ads" option is set.
# The realm option specifies the Active Directory realm the host is a part of.
#
# password server = only use this option when the "security = server"
# option is set, or if you cannot use DNS to locate a Domain Controller. The
# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
#
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#
# Use "password server = *" to automatically locate Domain Controllers.
;security = domain
;passdb backend = tdbsam
;realm = MY_REALM
;password server = <NT-Server-Name>
# ----------------------- Domain Controller Options ------------------------
#
# security = must be set to user for domain controllers.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# domain master = specifies Samba to be the Domain Master Browser, allowing
# Samba to collate browse lists between subnets. Do not use the "domain master"
# option if you already have a Windows NT domain controller performing this task.
#
# domain logons = allows Samba to provide a network logon service for Windows
# workstations.
#
# logon script = specifies a script to run at login time on the client. These
# scripts must be provided in a share named NETLOGON.
#
# logon path = specifies (with a UNC path) where user profiles are stored.
#
#
;security = user
;passdb backend = tdbsam
;domain master = yes
;domain logons = yes
# the following login script name is determined by the machine name
# (%m):
;logon script = %m.bat
# the following login script name is determined by the UNIX user used:
;logon script = %u.bat
;logon path = \\%L\Profiles\%u
# use an empty path to disable profile support:
;logon path =
# various scripts can be used on a domain controller or a stand-alone
# machine to add or delete corresponding UNIX accounts:
;add user script = /usr/sbin/useradd "%u" -n -g users
;add group script = /usr/sbin/groupadd "%g"
;add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;delete user script = /usr/sbin/userdel "%u"
;delete user from group script = /usr/sbin/userdel "%u" "%g"
;delete group script = /usr/sbin/groupdel "%g"
# ----------------------- Browser Control Options ----------------------------
#
# local master = when set to no, Samba does not become the master browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local browser election at
# start up (and gives itself a slightly higher chance of winning the election).
#
;local master = no
;os level = 33
;preferred master = yes
#----------------------------- Name Resolution -------------------------------
#
# This section details the support for the Windows Internet Name Service (WINS).
#
# Note: Samba can be either a WINS server or a WINS client, but not both.
#
# wins support = when set to yes, the NMBD component of Samba enables its WINS
# server.
#
# wins server = tells the NMBD component of Samba to be a WINS client.
#
# wins proxy = when set to yes, Samba answers name resolution queries on behalf
# of a non WINS capable client. For this to work, there must be at least one
# WINS server on the network. The default is no.
#
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
# nslookups.
;wins support = yes
;wins server = w.x.y.z
;wins proxy = yes
;dns proxy = yes
# --------------------------- Printing Options -----------------------------
#
# The options in this section allow you to configure a non-default printing
# system.
#
# load printers = when set you yes, the list of printers is automatically
# loaded, rather than setting them up individually.
#
# cups options = allows you to pass options to the CUPS library. Setting this
# option to raw, for example, allows you to use drivers on your Windows clients.
#
# printcap name = used to specify an alternative printcap file.
#
load printers = yes
cups options = raw
;printcap name = /etc/printcap
# obtain a list of printers automatically on UNIX System V systems:
;printcap name = lpstat
;printing = cups
# --------------------------- File System Options ---------------------------
#
# The options in this section can be un-commented if the file system supports
# extended attributes, and those attributes are enabled (usually via the
# "user_xattr" mount option). These options allow the administrator to specify
# that DOS attributes are stored in extended attributes and also make sure that
# Samba does not change the permission bits.
#
# Note: These options can be used on a per-share basis. Setting them globally
# (in the [global] section) makes them the default for all shares.
;map archive = no
;map hidden = no
;map read only = no
;map system = no
;store dos attributes = yes
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
;valid users = %S
;valid users = MYDOMAIN\%S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons:
;[netlogon]
;comment = Network Logon Service
;path = /var/lib/samba/netlogon
;guest ok = yes
;writable = no
;share modes = no
# Un-comment the following to provide a specific roaming profile share.
# The default is to use the user's home directory:
;[Profiles]
;path = /var/lib/samba/profiles
;browseable = no
;guest ok = yes
# A publicly accessible directory that is read only, except for users in the
# "staff" group (which have write permissions):
;[public]
;comment = Public Stuff
;path = /home/samba
;public = yes
;writable = no
;printable = no
;write list = +staff
```