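On a typical LAN where every machine runs Windows, the Network Neighborhood feature lets the Windows systems share files with one another. If the LAN also contains a Linux host, Windows systems can reach the files on it through Network Neighborhood as well, and this is where a Samba server comes in. Samba turns Linux into a file server and gives every Windows machine on the LAN a simple way to access files on Linux. Samba can also turn a printer attached to Linux into a print server. Below I set up a simple Samba server:
1. Scenario
An organization needs to build a Samba server using open-source technology.
Host name | IP address |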
nas1.abc.local | 192.168.1.241 |
2. Lab environment
2.1. Operating system installation
A minimal installation performed according to "01 RHEL 安装-文本最小化安装.docx".
The core and base groups were installed.
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)
# uname -a
Linux localhost.localdomain 2.6.32-358.el6.x86_64 #1 SMP Tue Jan 29 11:47:41 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
2.2. Basic server configuration
Change the IP address. (Note: configure this according to your own environment.)
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=192.168.1.241
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
Change the host name
# vi /etc/sysconfig/network
NETWORKING=yes
#HOSTNAME=localhost.localdomain
HOSTNAME=nas1.abc.local
# service network restart
To simplify the lab, turn the firewall off.
# service iptables stop
# chkconfig iptables off
Also disable SELinux.
# vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
# ulimit -n 16384
# vi /etc/security/limits.conf
# Before the last line, "# End of file", add one line with the following content:
………
* - nofile 16384
# End of file
Reboot for the changes to take effect.
# reboot
3. Samba server installation and configuration
3.1. Installing the Samba server components
3.1.1. Method 1: install from RPM packages
# cd /mnt/cdrom/Packages/
# ls samba*
samba-3.6.9-151.el6.x86_64.rpm
samba4-4.0.0-55.el6.rc4.x86_64.rpm
samba4-client-4.0.0-55.el6.rc4.x86_64.rpm
samba4-common-4.0.0-55.el6.rc4.x86_64.rpm
samba4-dc-4.0.0-55.el6.rc4.x86_64.rpm
samba4-dc-libs-4.0.0-55.el6.rc4.x86_64.rpm
samba4-devel-4.0.0-55.el6.rc4.x86_64.rpm
samba4-libs-4.0.0-55.el6.rc4.x86_64.rpm
samba4-pidl-4.0.0-55.el6.rc4.x86_64.rpm
samba4-python-4.0.0-55.el6.rc4.x86_64.rpm
samba4-swat-4.0.0-55.el6.rc4.x86_64.rpm
samba4-test-4.0.0-55.el6.rc4.x86_64.rpm
samba4-winbind-4.0.0-55.el6.rc4.x86_64.rpm
samba4-winbind-clients-4.0.0-55.el6.rc4.x86_64.rpm
samba4-winbind-krb5-locator-4.0.0-55.el6.rc4.x86_64.rpm
samba-client-3.6.9-151.el6.x86_64.rpm
samba-common-3.6.9-151.el6.i686.rpm
samba-common-3.6.9-151.el6.x86_64.rpm
samba-winbind-3.6.9-151.el6.x86_64.rpm
samba-winbind-clients-3.6.9-151.el6.i686.rpm
samba-winbind-clients-3.6.9-151.el6.x86_64.rpm
# rpm -Uvh samba-3.6.9-151.el6.x86_64.rpm \
> samba-common-3.6.9-151.el6.x86_64.rpm \
> samba-client-3.6.9-151.el6.x86_64.rpm \
> samba-winbind-3.6.9-151.el6.x86_64.rpm \
> samba-winbind-clients-3.6.9-151.el6.x86_64.rpm \
> libtalloc-2.0.7-2.el6.x86_64.rpm \
> libtdb-1.2.10-1.el6.x86_64.rpm
Preparing...                ########## [100%]
   1:libtdb                 ########## [ 14%]
   2:libtalloc              ########## [ 29%]
   3:samba-winbind-clients  ########## [ 43%]
   4:samba-common           ########## [ 57%]
   5:samba-winbind          ########## [ 71%]
   6:samba                  ########## [ 86%]
   7:samba-client           ########## [100%]
3.1.2. Method 2: install with yum
Let YUM resolve the package dependencies.
# mkdir /mnt/cdrom
# mount /dev/cdrom /mnt/cdrom/
mount: block device /dev/sr0 is write-protected, mounting read-only
# vi /etc/yum.repos.d/rhel-dvd.repo
Create the new file and add the following content:
[rhel-dvd]
name=Red Hat Enterprise Linux $releasever - $basearch - DVD
baseurl=file:///mnt/cdrom/Server/
enabled=1
gpgcheck=1
gpgkey=file:///mnt/cdrom/RPM-GPG-KEY-redhat-release
# yum list | grep samba
samba.x86_64 3.6.9-151.el6 rhel-dvd
samba-client.x86_64 3.6.9-151.el6 rhel-dvd
samba-common.i686 3.6.9-151.el6 rhel-dvd
samba-common.x86_64 3.6.9-151.el6 rhel-dvd
samba-winbind.x86_64 3.6.9-151.el6 rhel-dvd
samba-winbind-clients.i686 3.6.9-151.el6 rhel-dvd
samba-winbind-clients.x86_64 3.6.9-151.el6 rhel-dvd
samba4.x86_64 4.0.0-55.el6.rc4 rhel-dvd
samba4-client.x86_64 4.0.0-55.el6.rc4 rhel-dvd
samba4-common.x86_64 4.0.0-55.el6.rc4 rhel-dvd
samba4-dc.x86_64 4.0.0-55.el6.rc4 rhel-dvd
samba4-dc-libs.x86_64 4.0.0-55.el6.rc4 rhel-dvd
samba4-devel.x86_64 4.0.0-55.el6.rc4 rhel-dvd
samba4-libs.x86_64 4.0.0-55.el6.rc4 rhel-dvd
samba4-pidl.x86_64 4.0.0-55.el6.rc4 rhel-dvd
samba4-python.x86_64 4.0.0-55.el6.rc4 rhel-dvd
samba4-swat.x86_64 4.0.0-55.el6.rc4 rhel-dvd
samba4-test.x86_64 4.0.0-55.el6.rc4 rhel-dvd
samba4-winbind.x86_64 4.0.0-55.el6.rc4 rhel-dvd
samba4-winbind-clients.x86_64 4.0.0-55.el6.rc4 rhel-dvd
samba4-winbind-krb5-locator.x86_64 4.0.0-55.el6.rc4 rhel-dvd
sblim-cmpi-samba.i686 1.0-1.el6 rhel-dvd
sblim-cmpi-samba.x86_64 1.0-1.el6 rhel-dvd
# yum -y install samba samba-client samba-common
The installation completes with very little effort.
3.2. Examining the Samba server configuration files
# rpm -qc samba
/etc/logrotate.d/samba
/etc/pam.d/samba
/etc/samba/smbusers
# rpm -qc samba-common
/etc/samba/lmhosts
/etc/samba/smb.conf
/etc/sysconfig/samba
# rpm -qc samba-client
(no output)
4. Samba configuration for different scenarios
4.1. The simplest example: read-only access for anonymous users
# cd /etc/samba
Back up the original configuration file
# cp smb.conf smb.conf.origin
Then create a new smb.conf file:
# vi smb.conf
// Delete all of the original content
// Tip: in vi command mode, type dG to delete everything
[global]
    workgroup = LinuxLab
    netbios name = linuxsrv
    server string = Linux Samba Server TestServer
    security = share
[sharedoc]
    path = /usr/share/doc
    readonly = yes
    browseable = yes
    guest ok = yes
# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[sharedoc]"
WARNING: The security=share option is deprecated
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
workgroup = LINUXLAB
netbios name = LINUXSRV
server string = Linux Samba Server TestServer
security = SHARE
idmap config * : backend = tdb
[sharedoc]
path = /usr/share/doc
guest ok = Yes
Restart the service for the change to take effect
# service smb restart
Check from Linux that it took effect
# smbclient -L localhost
WARNING: The security=share option is deprecated
Enter root's password: (just press Enter)
Domain=[LINUXLAB] OS=[Unix] Server=[Samba 3.6.9-151.el6]
Sharename Type Comment
--------- ---- -------
sharedoc Disk
IPC$ IPC IPC Service (Linux Samba Server TestServer)
Domain=[LINUXLAB] OS=[Unix] Server=[Samba 3.6.9-151.el6]
Server Comment
--------- -------
Workgroup Master
--------- -------
Check from a Windows machine as well
Create the local user account
# useradd user1
# passwd user1
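Add a Samba account for user1
# cd /etc/samba/
# smbpasswd -a user1
New SMB password: (enter the password)
Retype new SMB password: (enter the password again)
Added user user1.
Newly added users are stored in the smbpasswd account file, but on Red Hat 6.5 the smbpasswd file located with the find command is empty, so this can be ignored for now.
Create the shared directory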
# mkdir -p /var/samba/user1
# chown user1:user1 /var/samba/user1
Edit the Samba configuration file
[root@labsrv samba]# vi /etc/samba/smb.conf
[global]
    workgroup = LinuxLab
    netbios name = linuxsrv
    server string = Linux Samba Server TestServer
    passdb backend = smbpasswd
    log file = /var/log/samba/%m.log
    max log size = 50
    security = user
    unix charset = CP936
    dos charset = CP936
    display charset = CP936
[sharedoc]
    path = /usr/share/doc
    readonly = yes
    browseable = yes
    guest ok = yes
[user1]
    comment = User1's Service
    path = /var/samba/user1
    valid users = user1
    public = no
    writable = yes
Here, security = user changes the security level.
The unix, dos and display charsets are set so that Chinese is displayed correctly.
// Test the configuration file
[root@labsrv samba]# testparm
// Restart the service
[root@labsrv samba]# service smb restart
[root@labsrv samba]# smbclient -L localhost
// Also access the shared folder from Windows as user1 to check
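4.3. Configuring a share for several specified users
Create the local accounts
# useradd user2
# useradd user3
Create the Samba accounts
# smbpasswd -a user2
# smbpasswd -a user3
Create the local shared directory
# mkdir -p /var/samba/user2-3
Change the permissions
# chmod 707 /var/samba/user2-3
Edit the configuration file
# vi /etc/samba/smb.conf
Append the following to the end of the file
[user2-3]
    comment = User1's and User3's Service
    path = /var/samba/user2-3
    valid users = user2 user3
    public = no
    writable = yes
Test the configuration file
# testparm
// Restart the service
# service smb restart
# smbclient -L localhost
// Also access the shared folder from Windows as user1 to check
4.4. Configuring a share for a specified group
Check the users' group information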
# id user2
uid=501(user2) gid=501(user2) groups=501(user2)
# id user3
uid=502(user3) gid=502(user3) groups=502(user3)
Create a user named staff, and add user2 and user3 to the staff group.
# useradd staff
# usermod -a -G staff user2
# usermod -a -G staff user3
# id user2
uid=501(user2) gid=501(user2) groups=501(user2),503(staff)
# id user3
uid=502(user3) gid=502(user3) groups=502(user3),503(staff)
Create the directory to be shared and set the appropriate permissions
# mkdir -p /var/samba/staff/
# ll -d /var/samba/staff/
drwxr-xr-x 2 root root 4096 Aug 1 19:45 /var/samba/staff/
# chown staff:staff /var/samba/staff/
# chmod 770 /var/samba/staff/
# ll -d /var/samba/staff/
drwxrwx--- 2 staff staff 4096 Aug 1 20:00 /var/samba/staff/
# vi /etc/samba/smb.conf
// Append the following to the end of the configuration file
[staff]
    comment = Public Stuff
    path = /var/samba/staff
    public = no
    writable = yes
    write list = @staff
    valid users = @staff
Test the configuration file
# testparm
// Restart the service
# service smb restart
# smbclient -L localhost -U user3
Enter user3's password: (enter user3's password)
Domain=[LINUXLAB] OS=[Unix] Server=[Samba 3.6.9-151.el6]
Sharename Type Comment
--------- ---- -------
sharedoc Disk
user1 Disk User1's Service
user2-3 Disk User1's and User3's Service
staff Disk Public Stuff
IPC$ IPC IPC Service (Linux Samba Server TestServer)
Domain=[LINUXLAB] OS=[Unix] Server=[Samba 3.6.9-151.el6]
Server Comment
--------- -------
Workgroup Master
--------- -------
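Also access the shared folder from Windows as user3 to check
4.5. Using a Windows 2003 server as the authentication server
Note: this is an old approach with security risks and is no longer recommended.
The lab topology is shown in the figure below.
Notes:
The Samba client must not be the Windows 2003 machine shown in the figure.
Use the host names and IP addresses of your own lab environment; do not copy these values blindly.
Create a new account on Windows 2003
User name: yunhe
Password: choose your own
Create the local user account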
# useradd yunhe
Create the shared directory and set its permissions
# mkdir -p /var/samba/msshare
# chown yunhe:yunhe /var/samba/msshare/
# chmod 770 /var/samba/msshare/
# ll -d /var/samba/msshare/
drwxrwx--- 2 yunhe yunhe 4096 Aug 1 20:15 /var/samba/msshare/
# cd /etc/samba/
# cp smb.conf smb.conf.bak2014
Edit the Samba configuration file: delete the existing content and use the following configuration:
# vi /etc/samba/smb.conf
[global]
    workgroup = LinuxLab
    netbios name = linuxsrv
    server string = Linux Samba Server TestServer
    log file = /var/log/samba/%m.log
    max log size = 50
    security = server
    password server = ZZTMG
    unix charset = CP936
    dos charset = CP936
    display charset = CP936
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[sharedoc]
    path = /usr/share/doc
    readonly = yes
    browseable = yes
    guest ok = yes
[msshare]
    path = /var/samba/msshare
    valid users = yunhe
    public = no
    writable = yes
Where:
security = server changes the security level
password server = ZZTMG gives the NetBIOS name of the Windows computer that acts as the authentication server
Test the configuration file
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[sharedoc]"
Processing section "[msshare]"
WARNING: The security=server option is deprecated
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
[global]
dos charset = CP936
unix charset = CP936
display charset = CP936
workgroup = LINUXLAB
netbios name = LINUXSRV
server string = Linux Samba Server TestServer
security = SERVER
password server = ZZTMG
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
idmap config * : backend = tdb
[sharedoc]
path = /usr/share/doc
guest ok = Yes
[msshare]
path = /var/samba/msshare
valid users = yunhe
read only = No
Restart the service
# service smb restart
Test on the Linux server
# smbclient -L localhost -U yunhe
WARNING: The security=server option is deprecated
Enter yunhe's password: (enter the password of the account on Windows 2003)
Anonymous login successful
Domain=[LINUXLAB] OS=[Unix] Server=[Samba 3.6.9-151.el6]
Sharename Type Comment
--------- ---- -------
sharedoc Disk
msshare Disk
IPC$ IPC IPC Service (Linux Samba Server TestServer)
Anonymous login successful
Domain=[LINUXLAB] OS=[Unix] Server=[Samba 3.6.9-151.el6]
Server Comment
--------- -------
Workgroup Master
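Check from Windows.
Note: the check cannot be done from the authentication server itself (ZZTMG in the figure). The test passes on Windows XP and Windows 2003; on Windows 2008R and Windows 8, user authentication fails with the message "unknown user name or bad password".
Workaround:
Lower the operating system's SMB authentication level; Windows 7 is used as the example below.
After that, the shared folder can be accessed.
4.6. Using a Windows 2003 domain controller as the authentication server
The lab topology is shown in the figure below.
Notes:
Use the domain name, host names and IP addresses of your own lab environment; do not copy these values blindly.
The experiment succeeded regardless of whether the domain functional level was Windows 2000 mixed mode, Windows 2000 native mode or Windows 2003 mode.
On the Windows 2003 domain controller, create a computer account for the Samba server
Computer name: NAS1; leave all other options at their defaults
On the Windows 2003 domain controller, create a new user account
User name: domainjack
Password: choose your own
Create the local user account on Linux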
# useradd domainjack
Create the shared directory and set its permissions
# mkdir /var/samba/msdomain
# chown domainjack:domainjack /var/samba/msdomain/
# chmod 770 /var/samba/msdomain/
Edit the Samba configuration file
# vi /etc/samba/smb.conf
Delete all of the existing configuration and use the following
[global]
    # same as the computer account name in the domain
    netbios name = NAS1
    server string = Linux Samba Server Test
    log file = /var/log/samba/%m.log
    max log size = 50
    security = domain
    # same as the NetBIOS name of the Windows 2003 domain
    workgroup = YUNHEDATA
    unix charset = CP936
    dos charset = CP936
    display charset = CP936
[sharedoc]
    path = /usr/share/doc
    readonly = yes
    browseable = yes
    guest ok = yes
# the shared folder used for testing
[msdomain]
    path = /var/samba/msdomain
    valid users = domainjack
    public = no
    writable = yes
Join NAS1 to the domain. In this example, the password of the Windows 2003 domain's administrator is password.
# net rpc join -U Administrator%password
Joined domain YUNHEDATA.
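Test the configuration file
# testparm
Edit the lmhosts file so that the Linux host can correctly resolve the domain controller's NetBIOS name
# vi /etc/samba/lmhosts
// Add the following
192.168.1.11 ZZDC1
Restart the service
# service smb restart
Test on the Linux server
# smbclient -L localhost -U domainjack
Enter domainjack's password: (enter the password of the domain user domainjack)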
Domain=[YUNHEDATA] OS=[Unix] Server=[Samba 3.6.9-151.el6]
Sharename Type Comment
--------- ---- -------
sharedoc Disk
msdomain Disk
IPC$ IPC IPC Service (Linux Samba Server Test)
Domain=[YUNHEDATA] OS=[Unix] Server=[Samba 3.6.9-151.el6]
Server Comment
--------- -------
Workgroup Master
--------- -------
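Check from Windows
Note: the test passes both on the domain controller and on client machines that are not domain controllers.
5. Troubleshooting
5.1. rlimit_max warning when running testparm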
# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
# ulimit -n 16384
# vi /etc/security/limits.conf
# Append the following at the end
* - nofile 16384
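5.2. Unable to write files
Access to a shared file has to pass two checks:
1. Whether the share permissions are sufficient
2. Whether the Linux file permissions are sufficient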
chmod 770 /var/samba/staff/
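The two checks above, worked through for the directories created in sections 4.3 and 4.4 (an added example, not part of the original tutorial). The function names are hypothetical, modes are assumed to be three octal digits, and /var/samba/user2-3 is assumed to be owned by root:root because section 4.3 creates it as root and never runs chown.

```shell
# Added example (not from the original page): the two gates of section 5.2 as shell functions.
# All inputs are arguments constructed from this page; nothing is read from the live system.

# Gate 1, share level: does "valid users" (plain names and @group entries only) admit the user?
share_admits() {     # share_admits USER "USER_GROUPS" "VALID_USERS"
    for entry in $3; do
        case $entry in
            @*) for g in $2; do [ "@$g" = "$entry" ] && return 0; done ;;
            *)  [ "$entry" = "$1" ] && return 0 ;;
        esac
    done
    return 1
}

# Gate 2, file level: Unix checks only the first matching class (owner, then group, then other).
unix_can_write() {   # unix_can_write USER "USER_GROUPS" OWNER GROUP MODE (three octal digits)
    mode=$5
    if [ "$1" = "$3" ]; then
        digit=${mode%??}
    else
        digit=${mode#??}                                     # "other" unless a group matches
        for g in $2; do
            if [ "$g" = "$4" ]; then tmp=${mode#?}; digit=${tmp%?}; fi
        done
    fi
    [ $((digit & 2)) -ne 0 ]                                 # write bit of the selected class
}

can_write() {        # can_write USER "USER_GROUPS" "VALID_USERS" OWNER GROUP MODE
    share_admits "$1" "$2" "$3" && unix_can_write "$1" "$2" "$4" "$5" "$6"
}

# Section 4.3 share: mode 707, assumed root:root because the page creates it as root without chown.
for who in "user1:user1" "user2:user2 staff"; do
    u=${who%%:*}; gs=${who#*:}
    unix_can_write "$u" "$gs" root root 707 && fs=open || fs=closed
    can_write "$u" "$gs" "user2 user3" root root 707 && r=allow || r=deny
    echo "$u on /var/samba/user2-3: file gate $fs, overall $r"
done
```

With mode 707 the file-level gate is open to every local account, so only `valid users` keeps user1 out of /var/samba/user2-3; the 770 mode with group ownership from section 4.4 closes both gates to non-members.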
5.3. Warning messages
WARNING: The security=server option is deprecated
Server security mode was previously used when Samba was not capable
of acting as a domain member server.
It is highly recommended to not use this mode since there are numerous
security drawbacks.
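The deprecated modes that testparm warns about in sections 4.1 and 4.5, together with guest-accessible shares, can be flagged before a restart. The following is an added example, not code from the original page; the function names audit_smb_conf and demo_conf are hypothetical, and the sample input is constructed from the section 4.5 configuration.

```shell
# Added example (not from the original page): flag smb.conf settings that weaken access control.
# Reads smb.conf text from the files named as arguments, or stdin, and prints one finding per line.
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report(   w) {                     # finding for the section just finished
        if (!guest || section == "" || section == "global") return
        w = writable ? " WRITABLE" : ""
        print "GUEST [" section "] path=" path w
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    /^[ \t]*\[/ {                               # section header such as [sharedoc]
        report()
        section = tolower(trim($0)); gsub(/^\[|\]$/, "", section)
        guest = 0; writable = 0; path = ""
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)  # names ignore case and spaces
        val = trim(substr($0, eq + 1)); lval = tolower(val)
        yes = (lval == "yes" || lval == "true" || lval == "1")
        if (section == "global" && key == "security" && (lval == "share" || lval == "server"))
            print "DEPRECATED security=" lval
        if (key == "guestok" || key == "public") guest = yes
        if (key == "writable" || key == "writeable") writable = yes
        if (key == "readonly") writable = !yes
        if (key == "path") path = val
    }
    END { report() }
    ' "$@"
}
# Sample input constructed from the section 4.5 configuration on this page.
demo_conf() {
    cat <<'EOF'
[global]
    security = server
    password server = ZZTMG
[sharedoc]
    path = /usr/share/doc
    readonly = yes
    guest ok = yes
[msshare]
    path = /var/samba/msshare
    public = no
    writable = yes
EOF
}
demo_conf | audit_smb_conf
```

On a live server the same function can be pointed at the file directly, for example `audit_smb_conf /etc/samba/smb.conf`.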
5.4. Clearing share sessions without logging off Windows
C:\Users\chentao>net use * /del /y
You have these remote connections:
\\192.168.1.241\user2-3
\\192.168.1.241\IPC$
Continuing will cancel the connections.
Do you want to continue this operation? (Y/N) [N]: y
The command completed successfully.
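Windows session records can be stubborn, so it may help to clear them several times.
5.5. Cannot open the share even though the correct password was entered
The configuration has most likely not been tested; after running testparm and smbclient -L localhost it works.
With that, the simple Samba server is set up.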