  • Linux Cloud Automated Operations and Maintenance, Lesson 20

    Unit 5: iSCSI Remote Block Storage

    I. iSCSI Concepts

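      iSCSI (Internet SCSI) lets a client (the initiator) send SCSI commands over IP to a SCSI storage device (the target) on a remote server. iSCSI Qualified Names identify initiators and targets and take the form iqn.yyyy-mm.{reverse domain}:label. By default, network traffic goes in cleartext to port 3260/tcp on the iSCSI target.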

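    1. iSCSI initiator: a client that needs access to raw SAN storage.

    2. iSCSI target: a remote disk served from an iSCSI server, or a "target portal".

    3. iSCSI target portal: a server that provides targets to initiators over the network.

    4. IQN: "iSCSI Qualified Name". Each initiator and target needs a unique name to identify it; best practice is to use a name that is likely to be unique on the Internet.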

    II. iSCSI Target Configuration

    1. Install the iSCSI target package:

    # yum install -y targetcli

    2. Start the service:

    # systemctl enable target; systemctl start target

    3. Enter the iSCSI target interactive configuration shell:

    # targetcli

    4. Example:

    [root@server42 ~]# fdisk /dev/vdb

    Welcome to fdisk (util-linux 2.23.2).

    Changes will remain in memory only, until you decide to write them.

    Be careful before using the write command.

    Device does not contain a recognized partition table

    Building a new DOS disklabel with disk identifier 0x88535111.

    Command (m for help): n

    Partition type:

       p   primary (0 primary, 0 extended, 4 free)

       e   extended

    Select (default p):

    Using default response p

    Partition number (1-4, default 1):

    First sector (2048-20971519, default 2048):

    Using default value 2048

    Last sector, +sectors or +size{K,M,G} (2048-20971519, default 20971519): +1G

    Partition 1 of type Linux and of size 1 GiB is set

    Command (m for help): p

    Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    Disk label type: dos

    Disk identifier: 0x88535111

       Device Boot      Start         End      Blocks   Id  System

    /dev/vdb1            2048     2099199     1048576   83  Linux

    Command (m for help): wq

    The partition table has been altered!

    Calling ioctl() to re-read partition table.

    Syncing disks.

    [root@server42 ~]# partprobe

    [root@server42 ~]# yum install targetcli -y

    [root@server42 ~]# systemctl start target

    [root@server42 ~]# systemctl status target

    target.service - Restore LIO kernel target configuration

       Loaded: loaded (/usr/lib/systemd/system/target.service; disabled)

       Active: active (exited) since Tue 2017-05-02 04:04:07 EDT; 6s ago

      Process: 2385 ExecStart=/usr/bin/targetctl restore (code=exited, status=0/SUCCESS)

     Main PID: 2385 (code=exited, status=0/SUCCESS)

    May 02 04:04:07 server42.example.com target[2385]: No saved config file at /...

    May 02 04:04:07 server42.example.com systemd[1]: Started Restore LIO kernel ...

    Hint: Some lines were ellipsized, use -l to show in full.

    [root@server42 ~]# targetcli

    Warning: Could not load preferences file /root/.targetcli/prefs.bin.

    targetcli shell version 2.1.fb34

    Copyright 2011-2013 by Datera, Inc and others.

    For help on commands, type 'help'.

    /> ls

    o- / .................................................................... [...]

      o- backstores ......................................................... [...]

      | o- block ............................................. [Storage Objects: 0]

      | o- fileio ............................................ [Storage Objects: 0]

      | o- pscsi ............................................. [Storage Objects: 0]

      | o- ramdisk ........................................... [Storage Objects: 0]

      o- iscsi ....................................................... [Targets: 0]

      o- loopback .................................................... [Targets: 0]

    /> /backstores/block create westos:111 /dev/vdb1

    Created block storage object westos:111 using /dev/vdb1.

    /> /iscsi create iqn.2017-05.com.example:111

    Created target iqn.2017-05.com.example:111.

    Created TPG 1.

    /> /iscsi/iqn.2017-05.com.example:111/tpg1/luns create /backstores/block/westos:111

    Created LUN 0.

    /> /iscsi/iqn.2017-05.com.example:111/tpg1/acls create iqn.2017-05.com.example:key1

    Created Node ACL for iqn.2017-05.com.example:key1

    Created mapped LUN 0.

    /> /iscsi/iqn.2017-05.com.example:111/tpg1/portals create 172.25.42.11

    Using default IP port 3260

    Created network portal 172.25.42.11:3260.

    /> exit

    Global pref auto_save_on_exit=true

    Last 10 configs saved in /etc/target/backup.

    Configuration saved to /etc/target/saveconfig.json

    III. Demo

    /> ls

    o- / ..................................................................... [...]

    o- backstores .......................................................... [...]

    | o- block .............................................. [Storage Objects: 0]

    | o- fileio ............................................. [Storage Objects: 0]

    | o- pscsi .............................................. [Storage Objects: 0]

    | o- ramdisk ............................................ [Storage Objects: 0]

    o- iscsi ........................................................ [Targets: 0]

    o- loopback ..................................................... [Targets: 0]

    /> /backstores/block create server0.disk1 /dev/iSCSI_vg/disk1_lv

    Created block storage object server0.disk1 using /dev/iSCSI_vg/disk1_lv.

    /> /iscsi create iqn.2014-12.com.example:server0

    Created target iqn.2014-12.com.example:server0.

    Created TPG 1.

    /> /iscsi/iqn.2014-12.com.example:server0/tpg1/acls create iqn.2014-12.com.example:desktop0

    Created Node ACL for iqn.2014-12.com.example:desktop0

    /> /iscsi/iqn.2014-12.com.example:server0/tpg1/luns create /backstores/block/server0.disk1

    Created LUN 0.

    Created LUN 0->0 mapping in node ACL iqn.2014-12.com.example:desktop0

    /> /iscsi/iqn.2014-12.com.example:server0/tpg1/portals create 172.25.0.11

    Using default IP port 3260

    Created network portal 172.25.0.11:3260.

    /> exit

    IV. Accessing iSCSI Storage

    1. Install the iSCSI initiator package:

    # yum install -y iscsi-initiator-utils

    2. Set the initiator's IQN in /etc/iscsi/initiatorname.iscsi:

    InitiatorName=iqn.2014-12.com.example:desktop0

    3. Discover the iSCSI targets offered by the iSCSI server (target portal):

    # iscsiadm -m discovery -t st -p 172.25.0.11

    4. Log in to one or more iSCSI targets on the server:

    # iscsiadm -m node -T iqn.2014-12.com.example:server0 -p 172.25.0.11 -l

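    5. At this point the iSCSI disk can be used as if it were a locally attached hard drive. Existing file systems can be mounted. If the disk is unformatted, it can be partitioned with fdisk and, for example, the partition formatted with a file system or used as an LVM physical volume.

    6. Mount the file system persistently in /etc/fstab:

    1) Use blkid to determine the file system UUID and mount by UUID rather than by /dev/sd* device name. (The device name can differ on each boot, depending on the order in which the iSCSI devices respond over the network. Mounting by device name can therefore result in the wrong device being used.)

    2) Use _netdev as a mount option in /etc/fstab. (This ensures the client does not try to mount the file system until networking is up. Otherwise the system will hit errors at boot.)

    3) Make sure the iscsi service starts at boot.

    7. Example: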

    [root@desktop42 ~]# yum search iscsi

    Loaded plugins: langpacks

    ============================= N/S matched: iscsi ==============================

    iscsi-initiator-utils.i686 : iSCSI daemon and utility programs

    iscsi-initiator-utils.x86_64 : iSCSI daemon and utility programs

    iscsi-initiator-utils-iscsiuio.x86_64 : Userspace configuration daemon required

                                          : for some iSCSI hardware

    libiscsi.i686 : iSCSI client library

    libiscsi.x86_64 : iSCSI client library

      Name and summary matches only, use "search all" for everything.

    [root@desktop42 ~]# yum install iscsi-initiator-utils.x86_64 -y

    Loaded plugins: langpacks

    Package iscsi-initiator-utils-6.2.0.873-21.el7.x86_64 already installed and latest version

    Nothing to do

    [root@desktop42 ~]# vim /etc/iscsi/initiatorname.iscsi

    [root@desktop42 ~]# cat /etc/iscsi/initiatorname.iscsi

    InitiatorName=iqn.2017-05.com.example:key1

    [root@desktop42 ~]# systemctl restart iscsi

    [root@desktop42 ~]# iscsiadm -m discovery -t st -p 172.25.42.11

    172.25.42.11:3260,1 iqn.2017-05.com.example:111

    [root@desktop42 ~]# iscsiadm -m node -T iqn.2017-05.com.example:111 -p 172.25.42.11 -l

    Logging in to [iface: default, target: iqn.2017-05.com.example:111, portal: 172.25.42.11,3260] (multiple)

    Login to [iface: default, target: iqn.2017-05.com.example:111, portal: 172.25.42.11,3260] successful.

    [root@desktop42 ~]# fdisk -l

    Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    Disk label type: dos

    Disk identifier: 0x00013f3e

       Device Boot      Start         End      Blocks   Id  System

    /dev/vda1   *        2048    20970332    10484142+  83  Linux

    Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    Disk /dev/sda: 1073 MB, 1073741824 bytes, 2097152 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 4194304 bytes

    [root@desktop42 ~]# fdisk /dev/sda

    Welcome to fdisk (util-linux 2.23.2).

    Changes will remain in memory only, until you decide to write them.

    Be careful before using the write command.

    Device does not contain a recognized partition table

    Building a new DOS disklabel with disk identifier 0x0eb780c0.

    Command (m for help): n

    Partition type:

       p   primary (0 primary, 0 extended, 4 free)

       e   extended

    Select (default p):

    Using default response p

    Partition number (1-4, default 1):

    First sector (8192-2097151, default 8192):

    Using default value 8192

    Last sector, +sectors or +size{K,M,G} (8192-2097151, default 2097151):

    Using default value 2097151

    Partition 1 of type Linux and of size 1020 MiB is set

    Command (m for help): wq

    The partition table has been altered!

    Calling ioctl() to re-read partition table.

    Syncing disks.

    [root@desktop42 ~]# mkfs.xfs /dev/sda1

    meta-data=/dev/sda1              isize=256    agcount=8, agsize=32640 blks

             =                       sectsz=512   attr=2, projid32bit=1

             =                       crc=0

    data     =                       bsize=4096   blocks=261120, imaxpct=25

             =                       sunit=0      swidth=0 blks

    naming   =version 2              bsize=4096   ascii-ci=0 ftype=0

    log      =internal log           bsize=4096   blocks=853, version=2

             =                       sectsz=512   sunit=0 blks, lazy-count=1

    realtime =none                   extsz=4096   blocks=0, rtextents=0

    [root@desktop42 ~]# mount /dev/sda1 /mnt/

    [root@desktop42 ~]# df

    Filesystem     1K-blocks    Used Available Use% Mounted on

    /dev/vda1       10473900 3170048   7303852  31% /

    devtmpfs          493408       0    493408   0% /dev

    tmpfs             508996      80    508916   1% /dev/shm

    tmpfs             508996   13388    495608   3% /run

    tmpfs             508996       0    508996   0% /sys/fs/cgroup

    /dev/sda1        1041068   33056   1008012   4% /mnt

    [root@desktop42 ~]# cd /mnt/

    [root@desktop42 mnt]# ls

    [root@desktop42 mnt]# touch file

    [root@desktop42 mnt]# ls

    file

    [root@desktop42 mnt]# cd

    [root@desktop42 ~]# umount /mnt/

    [root@desktop42 ~]# df

    Filesystem     1K-blocks    Used Available Use% Mounted on

    /dev/vda1       10473900 3169992   7303908  31% /

    devtmpfs          493408       0    493408   0% /dev

    tmpfs             508996      80    508916   1% /dev/shm

    tmpfs             508996   13388    495608   3% /run

    tmpfs             508996       0    508996   0% /sys/fs/cgroup

    [root@desktop42 ~]# blkid

    /dev/vda1: UUID="9bf6b9f7-92ad-441b-848e-0257cbb883d1" TYPE="xfs"

    /dev/sda1: UUID="2397cdcb-a0e6-4b3e-b478-6554a966976f" TYPE="xfs"

    [root@desktop42 ~]# vim /etc/fstab

    UUID="2397cdcb-a0e6-4b3e-b478-6554a966976f" /mnt xfs defaults 1 1

    [root@desktop42 ~]# mount -a

    [root@desktop42 ~]# df

    Filesystem     1K-blocks    Used Available Use% Mounted on

    /dev/vda1       10473900 3170016   7303884  31% /

    devtmpfs          493408       0    493408   0% /dev

    tmpfs             508996      80    508916   1% /dev/shm

    tmpfs             508996   13392    495604   3% /run

    tmpfs             508996       0    508996   0% /sys/fs/cgroup

    /dev/sda1        1041068   33056   1008012   4% /mnt

    [root@desktop42 ~]# vim /etc/fstab

    /dev/sda1 /mnt xfs defaults,_netdev 0 0

    [root@desktop42 ~]# umount /mnt/

    [root@desktop42 ~]# df

    Filesystem     1K-blocks    Used Available Use% Mounted on

    /dev/vda1       10473900 3173828   7300072  31% /

    devtmpfs          493408       0    493408   0% /dev

    tmpfs             508996      80    508916   1% /dev/shm

    tmpfs             508996   13392    495604   3% /run

    tmpfs             508996       0    508996   0% /sys/fs/cgroup

    [root@desktop42 ~]# mount -a

    [root@desktop42 ~]# df

    Filesystem     1K-blocks    Used Available Use% Mounted on

    /dev/vda1       10473900 3173828   7300072  31% /

    devtmpfs          493408       0    493408   0% /dev

    tmpfs             508996      80    508916   1% /dev/shm

    tmpfs             508996   13396    495600   3% /run

    tmpfs             508996       0    508996   0% /sys/fs/cgroup

    /dev/sda1        1041068   33056   1008012   4% /mnt
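The two /mnt entries tried in the session above each follow only one of the two recommendations from step 6: the first mounts by UUID but omits _netdev, the second has _netdev but names /dev/sda1. The script below is an added example, not part of the original notes, that lints fstab entries for a given mount point against both recommendations; the function name lint_iscsi_mount and the sample fstab text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint /etc/fstab entries for an iSCSI-backed mount point.
# SAMPLE_FSTAB is constructed: the UUIDs come from the blkid output above,
# the two /mnt lines are the ones tried in the session, and the /data line
# is a hypothetical entry that follows both recommendations.

SAMPLE_FSTAB='UUID=9bf6b9f7-92ad-441b-848e-0257cbb883d1 / xfs defaults 1 1
UUID="2397cdcb-a0e6-4b3e-b478-6554a966976f" /mnt xfs defaults 1 1
/dev/sda1 /mnt xfs defaults,_netdev 0 0
UUID=2397cdcb-a0e6-4b3e-b478-6554a966976f /data xfs defaults,_netdev 0 0'

# lint_iscsi_mount MOUNTPOINT: read fstab lines on stdin and print one
# finding per problem for entries mounted at MOUNTPOINT. Other entries
# (such as a local root file system) are ignored.
lint_iscsi_mount() {
    lim_want=$1
    while IFS= read -r lim_line || [ -n "$lim_line" ]; do
        set -f; set -- $lim_line; set +f          # split fields, no globbing
        case "${1:-#}" in '#'*) continue ;; esac  # blank line or comment
        [ "${2:-}" = "$lim_want" ] || continue

        # /dev/sd* names depend on the order in which iSCSI sessions come
        # up, so after a reboot the name may refer to a different disk.
        case $1 in
            /dev/sd*)
                printf '%s %s: kernel device name, mount by UUID instead\n' \
                    "$lim_want" "$1" ;;
        esac

        # Without _netdev the mount is attempted before networking is up.
        case ",${4:-}," in
            *,_netdev,*) ;;
            *) printf '%s %s: _netdev option missing\n' "$lim_want" "$1" ;;
        esac
    done
    return 0
}

# Demo on the constructed sample; on a real host: lint_iscsi_mount /mnt < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | lint_iscsi_mount /mnt
```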

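    V. Disconnecting from an iSCSI Target

    1. Make sure none of the devices provided by the target are in use.

    2. Make sure all persistent mounts that use the target are removed from /etc/fstab and similar places.

    3. Log out of the iSCSI target to disconnect temporarily.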

    # iscsiadm -m node -T iqn.2010-09.com.example:rdisks.demo -p 192.168.0.254 -u

    4. Delete the local record of the iSCSI target to disconnect permanently.

    # iscsiadm -m node -T iqn.2010-09.com.example:rdisks.demo -p 192.168.0.254 -o delete

    5. Example:

    [root@desktop42 ~]# umount /mnt/

    [root@desktop42 ~]# vim /etc/fstab

    [root@desktop42 ~]# mount -a

    [root@desktop42 ~]# df

    Filesystem     1K-blocks    Used Available Use% Mounted on

    /dev/vda1       10473900 3173828   7300072  31% /

    devtmpfs          493408       0    493408   0% /dev

    tmpfs             508996      80    508916   1% /dev/shm

    tmpfs             508996   13392    495604   3% /run

    tmpfs             508996       0    508996   0% /sys/fs/cgroup

    [root@desktop42 ~]# fdisk -l

    Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    Disk label type: dos

    Disk identifier: 0x00013f3e

       Device Boot      Start         End      Blocks   Id  System

    /dev/vda1   *        2048    20970332    10484142+  83  Linux

    Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    Disk /dev/sda: 1073 MB, 1073741824 bytes, 2097152 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 4194304 bytes

    Disk label type: dos

    Disk identifier: 0x0eb780c0

       Device Boot      Start         End      Blocks   Id  System

    /dev/sda1            8192     2097151     1044480   83  Linux

    [root@desktop42 ~]# iscsiadm -m discovery -t st -p 172.25.42.11

    172.25.42.11:3260,1 iqn.2017-05.com.example:111

    [root@desktop42 ~]# iscsiadm -m node -T iqn.2017-05.com.example:111 -p 172.25.42.11 -u

    Logging out of session [sid: 1, target: iqn.2017-05.com.example:111, portal: 172.25.42.11,3260]

    Logout of [sid: 1, target: iqn.2017-05.com.example:111, portal: 172.25.42.11,3260] successful.

    [root@desktop42 ~]# fdisk -l

    Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    Disk label type: dos

    Disk identifier: 0x00013f3e

       Device Boot      Start         End      Blocks   Id  System

    /dev/vda1   *        2048    20970332    10484142+  83  Linux

    Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    [root@desktop42 ~]# systemctl restart iscsi

    [root@desktop42 ~]# fdisk -l

    Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    Disk label type: dos

    Disk identifier: 0x00013f3e

       Device Boot      Start         End      Blocks   Id  System

    /dev/vda1   *        2048    20970332    10484142+  83  Linux

    Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    Disk /dev/sda: 1073 MB, 1073741824 bytes, 2097152 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 4194304 bytes

    Disk label type: dos

    Disk identifier: 0x0eb780c0

       Device Boot      Start         End      Blocks   Id  System

    /dev/sda1            8192     2097151     1044480   83  Linux

    [root@desktop42 ~]# iscsiadm -m node -T iqn.2017-05.com.example:111 -p 172.25.42.11 -u

    Logging out of session [sid: 2, target: iqn.2017-05.com.example:111, portal: 172.25.42.11,3260]

    Logout of [sid: 2, target: iqn.2017-05.com.example:111, portal: 172.25.42.11,3260] successful.

    [root@desktop42 ~]# iscsiadm -m node -T iqn.2017-05.com.example:111 -p 172.25.42.11 -o delete

    [root@desktop42 ~]# fdisk -l

    Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    Disk label type: dos

    Disk identifier: 0x00013f3e

       Device Boot      Start         End      Blocks   Id  System

    /dev/vda1   *        2048    20970332    10484142+  83  Linux

    Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    [root@desktop42 ~]# systemctl restart iscsi

    [root@desktop42 ~]# fdisk -l

    Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    Disk label type: dos

    Disk identifier: 0x00013f3e

       Device Boot      Start         End      Blocks   Id  System

    /dev/vda1   *        2048    20970332    10484142+  83  Linux

    Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors

    Units = sectors of 1 * 512 = 512 bytes

    Sector size (logical/physical): 512 bytes / 512 bytes

    I/O size (minimum/optimal): 512 bytes / 512 bytes

    [root@desktop42 ~]#

    [root@server42 ~]# targetcli

    targetcli shell version 2.1.fb34

    Copyright 2011-2013 by Datera, Inc and others.

    For help on commands, type 'help'.

    /> clearconfig confirm=True

    All configuration cleared

    /> ls

    o- / .................................................................... [...]

      o- backstores ......................................................... [...]

      | o- block ............................................. [Storage Objects: 0]

      | o- fileio ............................................ [Storage Objects: 0]

      | o- pscsi ............................................. [Storage Objects: 0]

      | o- ramdisk ........................................... [Storage Objects: 0]

      o- iscsi ....................................................... [Targets: 0]

      o- loopback .................................................... [Targets: 0]

    /> exit

    Global pref auto_save_on_exit=true

    Last 10 configs saved in /etc/target/backup.

    Configuration saved to /etc/target/saveconfig.json

    [root@server42 ~]# 

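    Unit 6: NFS File Storage

    I. NFS Concepts

      The Network File System (NFS) is a network file system commonly used by Unix systems and network-attached storage filers; it allows multiple clients to share access to files over the network. It can be used to provide access to shared binary directories, and also to let users in the same workgroup reach their files from different clients.

      The NFS protocol has several versions: Linux supports versions 4, 3 and 2, and NFSv3 is the one most system administrators are familiar with. By default the protocol is not secure, but newer versions such as NFSv4 support more secure authentication and even encryption via Kerberos.

    II. NFS Server Configuration

    1. To configure a basic NFS server, install the nfs-utils package. Then edit /etc/exports to list the file systems you want to share with client systems over the network, and state which clients have what access to each export. For example: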

    /var/ftp/pub 192.168.0.0/24(ro,sync)

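    2. Exports the directory /var/ftp/pub to all hosts on the 192.168.0.0/24 network (read-only access to the directory).

    3. /export/homes *.example.com(rw,sync)

    4. Exports the directory /export/homes to all hosts in example.com (read-write access to the directory).

    5. While the NFS server is running, every time you edit /etc/exports you should run exportfs -r after saving to make sure the changes are applied. You can use exportfs -v to display all exports.

    6. NFSv4 also exports a pseudo-root (the root of all exported file systems). If a client mounts nfs-server:/ , all exported file systems are mounted under it at their location relative to / on the NFS server. This is useful for browsing, from a client, all file systems the server exports. You can still mount file systems individually.

    7. By default, the NFS server treats root on an NFS client as the user nfsnobody. That is, if root tries to access a file in a mounted export, the server treats the access as coming from user nfsnobody. This security measure is a problem where the NFS export is used as / by a diskless client and root needs to be treated as root. To disable this protection, the server needs no_root_squash added to the option list of the export in /etc/exports: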

    /exports/root 192.168.0.1(rw,no_root_squash)

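    8. For NFSv4, port 2049/TCP (for nfsd) must be open on the server. For NFSv3 and earlier, more ports must be opened for rpcbind, rpc.mountd, lockd and rpc.rquotad, and the fact that many of these services start on "randomly" chosen ports adds complexity. In addition, NFSv2 and NFSv3 support UDP transport, which requires the corresponding ports to be open as well.

    9. Example: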

    [root@localhost ~]# yum install nfs-utils -y

    Loaded plugins: langpacks

    Package 1:nfs-utils-1.3.0-0.el7.x86_64 already installed and latest version

    Nothing to do

    [root@localhost ~]# systemctl restart nfs

    [root@localhost ~]# firewall-cmd --permanent --add-service=nfs

    success

    [root@localhost ~]# firewall-cmd --permanent --add-service=rpc-bind

    success

    [root@localhost ~]# firewall-cmd --permanent --add-service=mountd

    success

    [root@localhost ~]# firewall-cmd --reload

    success

    [root@localhost ~]# firewall-cmd --list-all

    public (default, active)

      interfaces: eth0

      sources:

      services: dhcpv6-client mountd nfs rpc-bind samba ssh

      ports:

      masquerade: no

      forward-ports:

      icmp-blocks:

      rich rules:

    [root@foundation42 westos]# showmount -e 172.25.254.142

    Export list for 172.25.254.142:

    [root@localhost ~]# vim /etc/exports

      1 /westos         172.25.254.0/24(ro)      # export /westos to all hosts on the 172.25.254.0/24 network, with read-only access to the directory

    [root@localhost ~]# exportfs -rv      # -r: make sure the changes are applied. -v: show all exports.

    exporting 172.25.254.0/24:/westos

    [root@foundation42 westos]# showmount -e 172.25.254.142

    Export list for 172.25.254.142:

    /westos 172.25.254.0/24

    [root@foundation42 westos]# mount 172.25.254.142:/westos/ /mnt/

    [root@foundation42 westos]# cd /mnt/

    [root@foundation42 mnt]# ls

    westosfile

    [root@foundation42 mnt]# touch file

    touch: cannot touch ‘file’: Read-only file system

    [root@localhost ~]# vim /etc/exports

      1 /westos         172.25.254.0/24(rw)

    [root@localhost ~]# exportfs -rv

    exporting 172.25.254.0/24:/westos

    [root@foundation42 mnt]# touch file

    [root@foundation42 mnt]# ls

    file  westosfile

    [root@foundation42 mnt]# ll

    total 0

    -rw-r--r-- 1 nfsnobody nfsnobody 0 May  2 13:43 file

    -rw-r--r-- 1 root      root      0 May  2 10:02 westosfile

    [root@localhost ~]# vim /etc/exports

      1 /westos         172.25.254.0/24(rw,no_root_squash)

    [root@localhost ~]# exportfs -rv

    exporting 172.25.254.0/24:/westos

    [root@foundation42 mnt]# touch file1

    [root@foundation42 mnt]# ll

    total 0

    -rw-r--r-- 1 nfsnobody nfsnobody 0 May  2 13:43 file

    -rw-r--r-- 1 root      root      0 May  2 13:59 file1

    -rw-r--r-- 1 root      root      0 May  2 10:02 westosfile

    [root@foundation42 mnt]#
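The export options exercised in this section (client scope, rw, no_root_squash), together with the sec= option that selects Kerberos, can be checked mechanically. The script below is an added example, not part of the original notes: it reads /etc/exports-style lines and reports exports open to any host, exports that disable root squashing, and writable exports that still accept the default AUTH_SYS flavor, under which the server trusts the UID the client asserts. The function name audit_exports, the finding codes and the sample text (built from export lines shown on this page) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit /etc/exports-style lines for risky options.
# SAMPLE_EXPORTS is constructed from export lines that appear on this page.
# Not handled: quoted paths and backslash line continuations.

SAMPLE_EXPORTS='/var/ftp/pub 192.168.0.0/24(ro,sync)
/export/homes *.example.com(rw,sync)
/exports/root 192.168.0.1(rw,no_root_squash)
/westos *(rw)
/securenfs desktop0(sec=krb5p,rw)'

# audit_exports: read exports lines on stdin, print "path client FINDING".
#   ANY_HOST        client is "*", every host may mount the export
#   NO_ROOT_SQUASH  client root keeps UID 0 on the server
#   AUTH_SYS_RW     writable and sec= still allows sys (the default)
audit_exports() {
    while IFS= read -r ae_line || [ -n "$ae_line" ]; do
        ae_line=${ae_line%%\#*}               # strip trailing comment
        set -f; set -- $ae_line; set +f       # split on blanks, no globbing
        [ "$#" -ge 2 ] || continue            # need a path and a client
        ae_path=$1; shift
        for ae_spec in "$@"; do
            ae_client=${ae_spec%%\(*}         # text before "("
            ae_opts=
            case $ae_spec in
                *\(*) ae_opts=${ae_spec#*\(}; ae_opts=${ae_opts%\)} ;;
            esac
            # "host (rw)" with a stray space leaves a spec with no client,
            # and its options then apply to every host.
            [ -n "$ae_client" ] || ae_client='*'

            if [ "$ae_client" = '*' ]; then
                printf '%s %s ANY_HOST\n' "$ae_path" "$ae_client"
            fi

            case ",$ae_opts," in
                *,no_root_squash,*)
                    printf '%s %s NO_ROOT_SQUASH\n' "$ae_path" "$ae_client" ;;
            esac

            # sec= may be a colon-separated list; without it the flavor is sys.
            ae_sec=sys
            case ",$ae_opts" in
                *,sec=*) ae_sec=${ae_opts##*sec=}; ae_sec=${ae_sec%%,*} ;;
            esac
            case ",$ae_opts," in
                *,rw,*)
                    case ":$ae_sec:" in
                        *:sys:*)
                            printf '%s %s AUTH_SYS_RW\n' "$ae_path" "$ae_client" ;;
                    esac ;;
            esac
        done
    done
    return 0
}

# Demo on the constructed sample; on a real server: audit_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```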

    III. Demo

    1. Start the NFS service:

    # systemctl start nfs-server ; systemctl enable nfs-server

    2. Create the shared directory and set its permissions:

    # mkdir /nfsshare ; chown nfsnobody /nfsshare

    3. Edit /etc/exports. For example:

    /nfsshare/read 172.25.0.0/24(ro,sync)

    /nfsshare/write 172.25.0.0/24(rw,sync) 127.0.0.1(rw,sync)

    4. View and mount the NFS pseudo-root share from the client:

    [root@desktop0 ~]# showmount -e server0

    [root@desktop0 ~]# mkdir /mnt/nfsshare

    [root@desktop0 ~]# mount -t nfs server0.example.com:/ /mnt/nfsshare

    5. Mount the NFS file system persistently:

    1) Add the corresponding line to /etc/fstab:

    nfsserver:/nfsshare /mnt/nfsshare nfs defaults 0 0

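    2) Client-side NFS mount options:

    rw: mount the file system read-write

    ro: mount the file system read-only

    vers=4: try to mount using only the specified NFS version. If the server does not support that version, the mount request fails.

    soft: if an NFS request times out, return an error after three attempts. This trades data integrity for better client responsiveness. (The default behavior, hard, retries indefinitely.)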

    IV. Securing NFS Exports

    Demo:

    Run the script on serverx and desktopx to join the Kerberos authentication realm:

    # lab nfskrb5 setup

    Install the keytab needed by the Kerberos service (the following steps are all done on server0):

    # wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab

    Enable NFS v4.2, which can export SELinux labels, by editing /etc/sysconfig/nfs and changing the following option:

    RPCNFSDARGS="-V 4.2"

    Start the nfs-secure-server service:

    # systemctl start nfs-secure-server; systemctl enable nfs-secure-server

    Configure the NFS export:

    # mkdir /securenfs

    # echo '/securenfs desktop0(sec=krb5p,rw)' >> /etc/exports

    # exportfs -r

    Install the keytab needed by the Kerberos service (the following steps are all done on desktop0):

    # wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab

    Start the nfs-secure service:

    # systemctl start nfs-secure; systemctl enable nfs-secure

    Configure the client mount:

    # mkdir /mnt/secureshare

    # echo 'server0:/securenfs /mnt/secureshare nfs defaults,v4.2,sec=krb5p 0 0' >> /etc/fstab

    # mount -a

    Example:

    [kiosk@foundation42 Desktop]$ ssh root@172.25.42.11

    root@172.25.42.11's password:

    [root@localhost ~]# hostnamectl set-hostname server42.example.com

    [root@localhost ~]# vim /etc/yum.repos.d/rhel_dvd.repo

    [root@localhost ~]# yum clean all

    Loaded plugins: langpacks

    Cleaning repos: rhel_dvd

    Cleaning up everything

    [root@localhost ~]# exit

    logout

    Connection to 172.25.42.11 closed.

    [kiosk@foundation42 Desktop]$ ssh root@172.25.42.11 -X

    root@172.25.42.11's password:

    Last login: Tue May  2 02:34:45 2017 from 172.25.42.250

    /usr/bin/xauth:  file /root/.Xauthority does not exist

    (process:1741): dconf-WARNING **: failed to commit changes to dconf: Could not connect: Connection refused

    [root@server42 ~]# cd /mnt/

    [root@server42 mnt]# vim auth-config.sh

    [root@server42 mnt]# cat /mnt/auth-config.sh

    #!/bin/bash

    echo install packages...

    yum install sssd krb5-workstation -y &> /dev/null

    echo configure...

    authconfig \
    --enableldap \
    --enablekrb5 \
    --disableldapauth \
    --enableldaptls \
    --ldaploadcacert="http://172.25.254.254/pub/example-ca.crt" \
    --ldapserver="classroom.example.com" \
    --ldapbasedn="dc=example,dc=com" \
    --krb5realm="EXAMPLE.COM" \
    --krb5adminserver="classroom.example.com" \
    --krb5kdc="classroom.example.com" \
    --update && echo success!!

    [root@server42 mnt]# sh auth-config.sh

    install packages...

    configure...

    success!!

    [root@server42 mnt]# id ldapuser1

    uid=1701(ldapuser1) gid=1701(ldapuser1) groups=1701(ldapuser1)

    [root@server42 mnt]# scp /mnt/auth-config.sh root@172.25.42.10:/mnt/

    The authenticity of host '172.25.42.10 (172.25.42.10)' can't be established.

    ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.

    Are you sure you want to continue connecting (yes/no)? yes

    Warning: Permanently added '172.25.42.10' (ECDSA) to the list of known hosts.

    root@172.25.42.10's password:

    auth-config.sh                               100%  457     0.5KB/s   00:00    

    [root@server42 mnt]# yum install nfs-utils -y

    Loaded plugins: langpacks

    Package 1:nfs-utils-1.3.0-0.el7.x86_64 already installed and latest version

    Nothing to do

    [root@server42 mnt]# systemctl stop firewalld.service

    [root@server42 mnt]# mkdir /westos

    [root@server42 mnt]# touch /westos/file

    [root@server42 mnt]# vim /etc/exports

      1 /westos         *(rw)

    [root@server42 mnt]# systemctl start nfs

    [root@server42 mnt]# exportfs -rv

    exporting 172.25.42.0/24:/westos

    [root@server42 mnt]# vim /etc/sysconfig/nfs

     13 RPCNFSDARGS="-V 4.2"

    [root@server42 mnt]# systemctl restart nfs

    [root@server42 mnt]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server42.keytab

    --2017-05-02 03:00:54--  http://classroom.example.com/pub/keytabs/server42.keytab

    Resolving classroom.example.com (classroom.example.com)... 172.25.254.254

    Connecting to classroom.example.com (classroom.example.com)|172.25.254.254|:80... connected.

    HTTP request sent, awaiting response... 200 OK

    Length: 1258 (1.2K)

    Saving to: ‘/etc/krb5.keytab’

    100%[=====================================>] 1,258       --.-K/s   in 0s      

    2017-05-02 03:00:54 (166 MB/s) - ‘/etc/krb5.keytab’ saved [1258/1258]

    [root@server42 mnt]# systemctl status nfs-secure-server

    nfs-secure-server.service - Secure NFS Server

       Loaded: loaded (/usr/lib/systemd/system/nfs-secure-server.service; disabled)

       Active: inactive (dead)

    [root@server42 mnt]# systemctl start nfs-secure-server

    [root@server42 mnt]# vim /etc/exports

      1 /westos         *(sec=krb5p,rw)

    [root@server42 mnt]# exportfs -rv

    exporting 172.25.42.0/24:/westos

    [root@server42 mnt]# systemctl restart nfs-secure-server.service

    [root@server42 mnt]# systemctl status nfs-secure-server.service

    nfs-secure-server.service - Secure NFS Server

       Loaded: loaded (/usr/lib/systemd/system/nfs-secure-server.service; disabled)

       Active: active (running) since Tue 2017-05-02 03:06:53 EDT; 2min 10s ago

      Process: 2644 ExecStart=/usr/sbin/rpc.svcgssd $RPCSVCGSSDARGS (code=exited, status=0/SUCCESS)

     Main PID: 2645 (rpc.svcgssd)

       CGroup: /system.slice/nfs-secure-server.service

               └─2645 /usr/sbin/rpc.svcgssd

    May 02 03:06:53 server42.example.com systemd[1]: Starting Secure NFS Server...

    May 02 03:06:53 server42.example.com systemd[1]: Started Secure NFS Server.

    Hint: Some lines were ellipsized, use -l to show in full.

    [kiosk@foundation42 Desktop]$ ssh root@172.25.42.10

    root@172.25.42.10's password:

    [root@localhost ~]# hostnamectl set-hostname desktop42.example.com

    [root@localhost ~]# vim /etc/yum.repos.d/rhel_dvd.repo

    [root@localhost ~]# yum clean all

    Loaded plugins: langpacks

    Cleaning repos: rhel_dvd

    Cleaning up everything

    [root@localhost ~]# exit

    logout

    Connection to 172.25.42.10 closed.

    [kiosk@foundation42 Desktop]$ ssh root@172.25.42.10 -X

    root@172.25.42.10's password:

    Last login: Tue May  2 02:33:42 2017 from 172.25.42.250

    /usr/bin/xauth:  file /root/.Xauthority does not exist

    [root@desktop42 ~]# cd /mnt/

    [root@desktop42 mnt]# ls

    auth-config.sh

    [root@desktop42 mnt]# sh auth-config.sh

    install packages...

    configure...

    success!!

    [root@desktop42 mnt]# id ldapuser1

    uid=1701(ldapuser1) gid=1701(ldapuser1) groups=1701(ldapuser1)

    [root@desktop42 mnt]# cd

    [root@desktop42 ~]# mount 172.25.42.11:/westos /mnt

    mount.nfs: an incorrect mount option was specified

    [root@desktop42 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop42.keytab

    --2017-05-02 03:04:47--  http://classroom.example.com/pub/keytabs/desktop42.keytab

    Resolving classroom.example.com (classroom.example.com)... 172.25.254.254

    Connecting to classroom.example.com (classroom.example.com)|172.25.254.254|:80... connected.

    HTTP request sent, awaiting response... 200 OK

    Length: 1274 (1.2K)

    Saving to: ‘/etc/krb5.keytab’

    100%[=====================================>] 1,274       --.-K/s   in 0s      

    2017-05-02 03:04:47 (158 MB/s) - ‘/etc/krb5.keytab’ saved [1274/1274]

    [root@desktop42 ~]# systemctl start nfs-secure

    [root@desktop42 ~]# mount 172.25.42.11:/westos /mnt

    mount.nfs: access denied by server while mounting 172.25.42.11:/westos

    [root@desktop42 ~]# systemctl status nfs-secure.service

    nfs-secure.service - Secure NFS

       Loaded: loaded (/usr/lib/systemd/system/nfs-secure.service; disabled)

       Active: active (running) since Tue 2017-05-02 03:10:34 EDT; 4min 32s ago

      Process: 1680 ExecStart=/usr/sbin/rpc.gssd $RPCGSSDARGS (code=exited, status=0/SUCCESS)

     Main PID: 1681 (rpc.gssd)

       CGroup: /system.slice/nfs-secure.service

               └─1681 /usr/sbin/rpc.gssd

    May 02 03:10:34 desktop42.example.com systemd[1]: Starting Secure NFS...

    May 02 03:10:34 desktop42.example.com systemd[1]: Started Secure NFS.

    May 02 03:10:42 desktop42.example.com rpc.gssd[1681]: ERROR: unable to resol...

    May 02 03:10:42 desktop42.example.com rpc.gssd[1681]: ERROR: failed to read ...

    Hint: Some lines were ellipsized, use -l to show in full.

    [root@desktop42 ~]# vim /etc/hosts

    [root@desktop42 ~]# cat /etc/hosts

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4

    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

    172.25.254.254 classroom.example.com

    172.25.254.254 content.example.com

    172.25.42.10 desktop42.example.com

    172.25.42.11 server42.example.com

    [root@desktop42 ~]# systemctl status nfs-secure.service

    nfs-secure.service - Secure NFS

       Loaded: loaded (/usr/lib/systemd/system/nfs-secure.service; enabled)

       Active: active (running) since Tue 2017-05-02 03:32:35 EDT; 11min ago

      Process: 1951 ExecStart=/usr/sbin/rpc.gssd $RPCGSSDARGS (code=exited, status=0/SUCCESS)

     Main PID: 1952 (rpc.gssd)

       CGroup: /system.slice/nfs-secure.service

               └─1952 /usr/sbin/rpc.gssd

    May 02 03:32:35 desktop42.example.com systemd[1]: Starting Secure NFS...

    May 02 03:32:35 desktop42.example.com systemd[1]: Started Secure NFS.

    [root@desktop42 ~]# mount -o vers=4.2,sec=krb5p 172.25.42.11:/westos /mnt

    [root@desktop42 ~]# df

    Filesystem           1K-blocks    Used Available Use% Mounted on

    /dev/vda1             10473900 3169228   7304672  31% /

    devtmpfs                493408       0    493408   0% /dev

    tmpfs                   508996      80    508916   1% /dev/shm

    tmpfs                   508996   13380    495616   3% /run

    tmpfs                   508996       0    508996   0% /sys/fs/cgroup

    172.25.42.11:/westos  10473984 3168512   7305472  31% /mnt

    [root@desktop42 ~]#

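    Unit 7: CIFS File Storage

    I. SMB File Sharing

    1. The Common Internet File System (CIFS), also known as Server Message Block (SMB), is the standard file and printer sharing system for Microsoft Windows servers and clients. The Samba service can share Linux file systems as CIFS/SMB network file shares and Linux printers as CIFS/SMB printer shares. Components of the Samba service: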

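    1) Packages:

    samba-common – support files for Samba

    samba-client – client applications

    samba – server application

    2) Service names: smb, nmb

    3) Service ports: TCP/445 is normally used for all connections. UDP/137, UDP/138 and TCP/139 are also used for backward compatibility.

    4) Main configuration file: /etc/samba/smb.conf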

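    2. /etc/samba/smb.conf: the [global] section

    1) workgroup: specifies the Windows workgroup or network domain name.

    2) hosts allow: a comma-, space- or tab-delimited set of hosts that are permitted to access the service. If specified in the [global] section, it applies to all services, regardless of whether an individual service has a different setting. Hosts can be specified by name or by IP number. For example, allow hosts = 192.168.0. permits a whole network.

    3) security

    This option affects how clients respond to Samba and is one of the most important settings in smb.conf.

    security = user: clients must log on with a valid username and password.

    security = domain: works correctly only if the machine has been added to an NT domain. It requires the encrypt passwords parameter to be set to yes. In this mode Samba validates the username/password by passing it to a Windows NT primary or backup domain controller, in exactly the same way a Windows NT Server would. Note that a valid UNIX user must still exist, as well as the account on the domain controller, so that Samba has a valid UNIX account to which file access can be mapped. You must set the password server parameter to give Samba the server to validate passwords against.

    security = server: Samba tries to validate the username/password by passing it to another SMB server. You must set the password server parameter to give Samba the server to validate passwords against.

    security = ads: Samba acts as a domain member in an ADS realm. To operate in this mode, the machine running Samba needs Kerberos installed and configured, and Samba must be joined to the ADS realm with the net utility.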

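    3. /etc/samba/smb.conf: other sections

    1) [homes]

    This share (enabled by default) is a special share that makes users' home directories available over CIFS. It includes browseable = no, so it is not shown as an available share until the user has authenticated. The share name can be given as homes (in which case the Samba server translates it to the user's home directory path) or as the username.

    2) [printers]

    Also available by default; shares the currently available printers.

    3) [share]

    To set up additional shares, put the share name in brackets, as shown above. A share needs at least a path parameter.

    4. Example: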

    [root@desktop62 ~]# yum search samba

    [root@desktop62 ~]# yum install samba-client.x86_64 -y

    [root@desktop62 ~]# yum install samba-common.x86_64 -y

    [root@desktop62 ~]# yum install samba.x86_64 -y

    [root@desktop62 ~]# systemctl start smb

    [root@desktop62 ~]# systemctl status smb

    smb.service - Samba SMB Daemon

       Loaded: loaded (/usr/lib/systemd/system/smb.service; disabled)

       Active: active (running) since Tue 2017-05-02 08:54:51 EDT; 5s ago

     Main PID: 2943 (smbd)

       Status: "smbd: ready to serve connections..."

       CGroup: /system.slice/smb.service

               ├─2943 /usr/sbin/smbd

               └─2944 /usr/sbin/smbd

    May 02 08:54:51 desktop62.example.com smbd[2943]: [2017/05/02 08:54:51.686451...

    May 02 08:54:51 desktop62.example.com systemd[1]: Started Samba SMB Daemon.

    Hint: Some lines were ellipsized, use -l to show in full.

    [root@desktop62 ~]# firewall-cmd --list-all

    public (default, active)

      interfaces: eth0

      sources:

      services: dhcpv6-client ssh

      ports:

      masquerade: no

      forward-ports:

      icmp-blocks:

      rich rules:

    [root@desktop62 ~]# firewall-cmd --permanent --add-service=samba

    success

    [root@desktop62 ~]# firewall-cmd --reload

    success

    [root@desktop62 ~]# firewall-cmd --list-all

    public (default, active)

      interfaces: eth0

      sources:

      services: dhcpv6-client samba ssh

      ports:

      masquerade: no

      forward-ports:

      icmp-blocks:

      rich rules:

    [root@desktop62 ~]# smbclient -L //172.25.254.63

    Enter root's password:

    Anonymous login successful

    Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]

    Sharename       Type      Comment

    ---------       ----      -------

    IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

    Anonymous login successful

    Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]

    Server               Comment

    ---------            -------

    Workgroup            Master

    ---------            -------

    [root@desktop62 ~]# vim /etc/samba/smb.conf

            workgroup = WESTOS

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# smbclient -L //172.25.254.63

    Enter root's password:

    Anonymous login successful

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Sharename       Type      Comment

    ---------       ----      -------

    IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

    Anonymous login successful

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Server               Comment

    ---------            -------

    Workgroup            Master

    ---------            -------

    [root@desktop62 ~]# ls -ld /westos

    ls: cannot access /westos: No such file or directory

    [root@desktop62 ~]# mkdir /westos

    [root@desktop62 ~]# vim /etc/samba/smb.conf

    [TEST]

            comment = WESTOS DIRECTORY

            path = /westos

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# smbclient -L //172.25.254.63

    Enter root's password:

    Anonymous login successful

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Sharename       Type      Comment

    ---------       ----      -------

    TEST            Disk      WESTOS DIRECTORY

    IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

    Anonymous login successful

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Server               Comment

    ---------            -------

    Workgroup            Master

    ---------            -------

    [root@desktop62 ~]# vim /etc/samba/smb.conf

            server string = SAMBA

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# smbclient -L //172.25.254.63

    Enter root's password:

    Anonymous login successful

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Sharename       Type      Comment

    ---------       ----      -------

    TEST            Disk      WESTOS DIRECTORY

    IPC$            IPC       IPC Service (SAMBA)

    Anonymous login successful

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Server               Comment

    ---------            -------

    Workgroup            Master

    ---------            -------

    [root@desktop62 ~]# vim /etc/samba/smb.conf

            hosts allow = 127.

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# smbclient -L //172.25.254.63

    Enter root's password:

    protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE

    [root@desktop62 ~]# vim /etc/samba/smb.conf

            hosts allow = 127. 172.25.254.63

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# smbclient -L //172.25.254.63

    Enter root's password:

    Anonymous login successful

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Sharename       Type      Comment

    ---------       ----      -------

    TEST            Disk      WESTOS DIRECTORY

    IPC$            IPC       IPC Service (SAMBA)

    Anonymous login successful

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Server               Comment

    ---------            -------

    Workgroup            Master

    ---------            -------

    [root@desktop62 ~]# vim /etc/samba/smb.conf

            hosts deny = 127. 172.25.254.63

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# smbclient -L //172.25.254.63

    Enter root's password:

    protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE

    [root@desktop62 ~]# vim /etc/samba/smb.conf

    ;       hosts deny = 127. 172.25.254.63

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# smbclient -L //172.25.254.63

    Enter root's password:

    Anonymous login successful

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Sharename       Type      Comment

    ---------       ----      -------

    TEST            Disk      WESTOS DIRECTORY

    IPC$            IPC       IPC Service (SAMBA)

    Anonymous login successful

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Server               Comment

    ---------            -------

    Workgroup            Master

    ---------            -------

    [root@desktop62 ~]#

    [root@desktop62 ~]# mount //172.25.254.63/TEST /mnt/ -o username=westos,password=westos

    [root@desktop62 ~]# df

    Filesystem           1K-blocks    Used Available Use% Mounted on

    /dev/vda1             10473900 6809552   3664348  66% /

    devtmpfs                493408       0    493408   0% /dev

    tmpfs                   508996     140    508856   1% /dev/shm

    tmpfs                   508996   13396    495600   3% /run

    tmpfs                   508996       0    508996   0% /sys/fs/cgroup

    /dev/loop0             3654720 3654720         0 100% /rhel7.0

    //172.25.254.63/TEST  10473900 6809552   3664348  66% /mnt

    [root@desktop62 ~]# ls /mnt/

    file

    [root@desktop62 ~]# touch /mnt/file1

    touch: cannot touch ‘/mnt/file1’: Permission denied

    [root@desktop62 ~]# vim /etc/samba/smb.conf

            writable = yes

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# rm -fr /mnt/file

    rm: cannot remove ‘/mnt/file’: Permission denied

    [root@desktop62 ~]# ls -ld /westos/

    drwxr-xr-x. 2 root root 17 May  2 09:07 /westos/

    [root@desktop62 ~]# chmod 777 /westos/

    [root@desktop62 ~]# touch /mnt/file1

    [root@desktop62 ~]# ls /mnt/

    file  file1

    [root@desktop62 ~]# rm -fr /mnt/file

    [root@desktop62 ~]# ls /mnt/

    file1

    [root@desktop62 ~]# vim /etc/samba/smb.conf

    [TEST]

            comment = WESTOS DIRECTORY

            path = /westos

    ;       writable = yes

            write list = westos

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# touch /mnt/file2

    [root@desktop62 ~]# ls /mnt/

    file1  file2

    [root@desktop62 ~]# umount /mnt/

    [root@desktop62 ~]# mount //172.25.254.63/TEST /mnt/ -o username=linux,password=linux

    [root@desktop62 ~]# ls /mnt/

    file1  file2

    [root@desktop62 ~]# touch /mnt/file3

    touch: cannot touch ‘/mnt/file3’: Permission denied

    [root@desktop62 ~]# rm -fr /mnt/file

    [root@desktop62 ~]# ls /mnt/

    file1  file2

    [root@desktop62 ~]# rm -fr /mnt/file1

    rm: cannot remove ‘/mnt/file1’: Read-only file system

    [root@desktop62 ~]# ls /mnt/

    file1  file2

    [root@desktop62 ~]# vim /etc/samba/smb.conf

    [TEST]

            comment = WESTOS DIRECTORY

            path = /westos

    ;       writable = yes

            write list = @westos

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# usermod -G westos linux

    [root@desktop62 ~]# touch /mnt/file3

    [root@desktop62 ~]# ls /mnt/

    file1  file2  file3

    [root@desktop62 ~]# rm -fr /mnt/file1

    [root@desktop62 ~]# ls /mnt/

    file2  file3

    [root@desktop62 ~]# vim /etc/samba/smb.conf

    [TEST]

            comment = WESTOS DIRECTORY

            path = /westos

    ;       writable = yes

            write list = @westos

            valid users = westos

    [root@desktop62 ~]# umount /mnt/

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# smbclient //172.25.254.63/TEST -U westos

    Enter westos's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    smb: \> ls

      .                                   D        0  Tue May  2 09:52:57 2017

      ..                                  D        0  Tue May  2 09:03:42 2017

      file2                               N        0  Tue May  2 09:49:42 2017

      file3                               N        0  Tue May  2 09:52:44 2017

    40913 blocks of size 262144. 14298 blocks available

    smb: \> quit

    [root@desktop62 ~]# smbclient //172.25.254.63/TEST -U linux

    Enter linux's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    tree connect failed: NT_STATUS_ACCESS_DENIED

    [root@desktop62 ~]# vim /etc/samba/smb.conf

    [TEST]

            comment = WESTOS DIRECTORY

            path = /westos

    ;       writable = yes

            write list = @westos

            valid users = +westos

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# smbclient //172.25.254.63/TEST -U linux

    Enter linux's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    smb: \> ls

      .                                   D        0  Tue May  2 09:52:57 2017

      ..                                  D        0  Tue May  2 09:03:42 2017

      file2                               N        0  Tue May  2 09:49:42 2017

      file3                               N        0  Tue May  2 09:52:44 2017

    40913 blocks of size 262144. 14297 blocks available

    smb: \> quit

    [root@desktop62 ~]# vim /etc/samba/smb.conf

    [TEST]

            comment = WESTOS DIRECTORY

            path = /westos

    ;       writable = yes

            write list = @westos

    ;       valid users = +westos

            browseable = yes

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# smbclient -L //172.25.254.63/TEST -U linux

    Enter linux's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Sharename       Type      Comment

    ---------       ----      -------

    TEST            Disk      WESTOS DIRECTORY

    IPC$            IPC       IPC Service (SAMBA)

    linux           Disk      Home Directories

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Server               Comment

    ---------            -------

    Workgroup            Master

    ---------            -------

    [root@desktop62 ~]# vim /etc/samba/smb.conf

    [TEST]

            comment = WESTOS DIRECTORY

            path = /westos

    ;       writable = yes

            write list = @westos

    ;       valid users = +westos

            browseable = no

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# smbclient -L //172.25.254.63/TEST -U linux

    Enter linux's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Sharename       Type      Comment

    ---------       ----      -------

    IPC$            IPC       IPC Service (SAMBA)

    linux           Disk      Home Directories

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Server               Comment

    ---------            -------

    Workgroup            Master

    ---------            -------

    [root@desktop62 ~]# smbclient //172.25.254.63/TEST -U linux

    Enter linux's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    smb: \> ls

      .                                   D        0  Tue May  2 09:52:57 2017

      ..                                  D        0  Tue May  2 09:03:42 2017

      file2                               N        0  Tue May  2 09:49:42 2017

      file3                               N        0  Tue May  2 09:52:44 2017

    40913 blocks of size 262144. 14297 blocks available

    smb: \> quit

    [root@desktop62 ~]# ll -d /westos/

    drwxrwxrwx. 2 root root 30 May  2 09:52 /westos/

    [root@desktop62 ~]# chmod 755 /westos/

    [root@desktop62 ~]# vim /etc/samba/smb.conf

    [TEST]

            comment = WESTOS DIRECTORY

            path = /westos

    ;       writable = yes

            write list = @westos

    ;       valid users = +westos

            browseable = no

            admin users = westos

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# smbclient //172.25.254.63/TEST -U westos

    Enter westos's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    smb: \> ls

      .                                   D        0  Tue May  2 09:52:57 2017

      ..                                  D        0  Tue May  2 09:03:42 2017

      file2                               N        0  Tue May  2 09:49:42 2017

      file3                               N        0  Tue May  2 09:52:44 2017

    40913 blocks of size 262144. 14297 blocks available

    smb: \> !ls

    anaconda-ks.cfg  Documents  Music     Public  Videos

    Desktop  Downloads  Pictures  Templates

    smb: \> put anaconda-ks.cfg

    putting file anaconda-ks.cfg as anaconda-ks.cfg (8416.2 kb/s) (average 8417.0 kb/s)

    smb: \> quit

    [root@desktop62 ~]# ls -l /westos/

    total 12

    -rwxr--r--. 1 root   westos 8619 May  2 10:01 anaconda-ks.cfg

    -rw-r--r--. 1 westos westos    0 May  2 09:49 file2

    -rw-r--r--. 1 linux  linux     0 May  2 09:52 file3

    [root@desktop62 ~]# smbclient //172.25.254.63/TEST

    Enter root's password:

    Anonymous login successful

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    tree connect failed: NT_STATUS_ACCESS_DENIED

    [root@desktop62 ~]# vim /etc/samba/smb.conf

    # in the [global] section

            map to guest = bad user

    [TEST]

            comment = WESTOS DIRECTORY

            path = /westos

    ;       writable = yes

            write list = @westos

    ;       valid users = +westos

            browseable = no

            admin users = westos

            guest ok = yes

    [root@desktop62 ~]# systemctl restart smb.service

    [root@desktop62 ~]# smbclient //172.25.254.63/TEST

    Enter root's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    smb: \> ls

      .                                   D        0  Tue May  2 10:01:45 2017

      ..                                  D        0  Tue May  2 09:03:42 2017

      file2                               N        0  Tue May  2 09:49:42 2017

      file3                               N        0  Tue May  2 09:52:44 2017

      anaconda-ks.cfg                     A     8619  Tue May  2 10:01:45 2017

    40913 blocks of size 262144. 14297 blocks available

    smb: \> quit

    [root@desktop62 ~]#
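
The access settings toggled in the walkthrough above (hosts allow, map to guest, admin users, guest ok, writable) can be checked mechanically. The following shell script is an added example, not part of the original course notes; the function names and the sample file are constructed here, and the sample reproduces the [TEST] share as it stands at the end of the session.

```shell
#!/bin/sh
# Added example (not from the original page): flag smb.conf settings that widen access.

# Constructed sample: [global] and [TEST] as left at the end of the walkthrough.
sample_smb_conf() {
    cat <<'EOF'
[global]
        workgroup = WESTOS
        server string = SAMBA
;       hosts deny = 127. 172.25.254.63
        map to guest = bad user

[TEST]
        comment = WESTOS DIRECTORY
        path = /westos
;       writable = yes
        write list = @westos
;       valid users = +westos
        browseable = no
        admin users = westos
        guest ok = yes
EOF
}

# audit_smb_conf [FILE]
# Prints one finding per line as "section|parameter|reason" (reads stdin without FILE).
# Exit status is 1 when at least one finding was printed, 0 otherwise.
audit_smb_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function is_yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function report(s, p, why) { print s "|" p "|" why; found = 1 }
    function end_section() {
        # A writable share without a valid users list accepts writes from any account.
        if (sec != "" && !is_global && writable && !restricted)
            report(sec, "writable", "no valid users list limits who may write")
        writable = 0; restricted = 0
    }
    /^[ \t]*([;#]|$)/ { next }            # commented-out and blank lines are inactive
    /^[ \t]*\[/ {                         # section header such as [global] or [TEST]
        end_section()
        sec = trim($0); sec = substr(sec, 2, index(sec, "]") - 2)
        is_global = (tolower(sec) == "global")
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        # Samba ignores case and spaces in parameter names, so normalise them.
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = trim(substr($0, eq + 1))
        if (key == "hostsallow" || key == "allowhosts") {
            if (is_global) host_acl = 1
        } else if (key == "maptoguest" && tolower(val) != "never") {
            report(sec, "map to guest", "failed logins can fall back to the guest account")
        } else if ((key == "guestok" || key == "public") && is_yes(val)) {
            report(sec, "guest ok", "share is reachable without a password")
        } else if (key == "adminusers" && val != "") {
            report(sec, "admin users", "listed users act as root on this share: " val)
        } else if (key == "validusers" && val != "") {
            restricted = 1
        } else if ((key == "writable" || key == "writeable" || key == "writeok") && is_yes(val)) {
            writable = 1
        } else if (key == "readonly" && !is_yes(val)) {
            writable = 1
        }
    }
    END {
        end_section()
        if (!host_acl) report("global", "hosts allow", "not set: any host may connect")
        exit found + 0
    }' "$@"
}

# Demonstration on the constructed sample.
sample_smb_conf | audit_smb_conf || true
```

To audit a real configuration, call audit_smb_conf /etc/samba/smb.conf; a non-zero exit status means at least one finding was printed.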

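    II. SMB Users

    1. useradd

    security = user requires both UNIX and Samba account information. Add the user (preferably with the same name as the Samba account), or place an entry in /etc/samba/smbusers (which contains some examples). If you create a Samba-only user, set the UNIX login shell to /sbin/nologin.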

    [root@serverX ~]# useradd -s /sbin/nologin wxh

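    2. smbpasswd

    If you have no Samba password server, the authentication data must be created on the local machine. Use smbpasswd to create Samba accounts and passwords.

    If smbpasswd is passed only a username with no options, it tries to change that account's password. Passing the -a option adds the account and sets its password.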

    [root@serverX ~]# smbpasswd -a wxh

    New SMB password: westos

    Retype new SMB password: westos

    Added user wxh.

    3. Example:

    [root@desktop62 ~]# useradd westos

    [root@desktop62 ~]# useradd linux

    [root@desktop62 ~]# usermod -s /sbin/nologin westos

    [root@desktop62 ~]# usermod -s /sbin/nologin linux

    [root@desktop62 ~]# pdbedit -L

    [root@desktop62 ~]# smbpasswd -a westos

    New SMB password:

    Retype new SMB password:

    Added user westos.

    [root@desktop62 ~]# smbpasswd -a linux

    New SMB password:

    Retype new SMB password:

    Added user linux.

    [root@desktop62 ~]# pdbedit -L

    westos:1001:

    linux:1002:

    [root@desktop62 ~]# smbclient //172.25.254.63/TEST -U westos

    Enter westos's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    smb: \> ls

    NT_STATUS_ACCESS_DENIED listing *

    smb: \> quit

    [root@desktop62 ~]# smbclient -L //172.25.254.63/TEST -U westos

    Enter westos's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Sharename       Type      Comment

    ---------       ----      -------

    TEST            Disk      WESTOS DIRECTORY

    IPC$            IPC       IPC Service (SAMBA)

    westos          Disk      Home Directories

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Server               Comment

    ---------            -------

    Workgroup            Master

    ---------            -------

    [root@desktop62 ~]# smbclient -L //172.25.254.63/TEST -U linux

    Enter linux's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Sharename       Type      Comment

    ---------       ----      -------

    TEST            Disk      WESTOS DIRECTORY

    IPC$            IPC       IPC Service (SAMBA)

    linux           Disk      Home Directories

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    Server               Comment

    ---------            -------

    Workgroup            Master

    ---------            -------

    [root@desktop62 ~]# smbpasswd -a user1

    New SMB password:

    Retype new SMB password:

    Failed to add entry for user user1.

    [root@desktop62 ~]# pdbedit -L

    westos:1001:

    linux:1002:

    [root@desktop62 ~]#

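    III. Securing SMB

    1. The samba_enable_home_dirs and use_samba_home_dirs SELinux booleans

    The samba_enable_home_dirs boolean allows local Linux home directories to be exported to other systems as CIFS file shares. The use_samba_home_dirs boolean, on the other hand, allows remote CIFS file shares to be mounted and used as local Linux home directories.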

    # setsebool -P samba_enable_home_dirs on

    samba_share_t

    Used for sharing user-defined Samba share directories.

    # chcon -R -t samba_share_t /smbshare

    # semanage fcontext -a -t samba_share_t '/smbshare(/.*)?'

    # restorecon -vvFR /smbshare

    samba_export_all_ro and samba_export_all_rw

    Used for sharing system directories.

    # setsebool -P samba_export_all_ro on

    # setsebool -P samba_export_all_rw on

    2. Example:

    [root@desktop62 ~]# smbclient //172.25.254.63/westos -U westos

    Enter westos's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    smb: \> ls

    NT_STATUS_ACCESS_DENIED listing *

    smb: \> quit

    [root@desktop62 ~]# getsebool -a | grep samba

    samba_create_home_dirs --> off

    samba_domain_controller --> off

    samba_enable_home_dirs --> off

    samba_export_all_ro --> off

    samba_export_all_rw --> off

    samba_portmapper --> off

    samba_run_unconfined --> off

    samba_share_fusefs --> off

    samba_share_nfs --> off

    sanlock_use_samba --> off

    use_samba_home_dirs --> off

    virt_sandbox_use_samba --> off

    virt_use_samba --> off

    [root@desktop62 ~]# setsebool -P samba_enable_home_dirs=on

    [root@desktop62 ~]# getsebool -a | grep samba

    samba_create_home_dirs --> off

    samba_domain_controller --> off

    samba_enable_home_dirs --> on

    samba_export_all_ro --> off

    samba_export_all_rw --> off

    samba_portmapper --> off

    samba_run_unconfined --> off

    samba_share_fusefs --> off

    samba_share_nfs --> off

    sanlock_use_samba --> off

    use_samba_home_dirs --> off

    virt_sandbox_use_samba --> off

    virt_use_samba --> off

    [root@desktop62 ~]# smbclient //172.25.254.63/westos -U westos

    Enter westos's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    smb: \> ls

      .                                   D        0  Tue May  2 09:18:40 2017

      ..                                  D        0  Tue May  2 09:18:50 2017

      .bash_logout                        H       18  Wed Jan 29 07:45:18 2014

      .bash_profile                       H      193  Wed Jan 29 07:45:18 2014

      .bashrc                             H      231  Wed Jan 29 07:45:18 2014

      .mozilla                           DH        0  Thu Jul 10 18:29:32 2014

      .config                            DH        0  Thu Jul 10 19:06:52 2014

    40913 blocks of size 262144. 14313 blocks available

    smb: \> quit

    [root@desktop62 ~]# smbclient //172.25.254.63/TEST -U westos

    Enter westos's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    smb: \> ls

    NT_STATUS_ACCESS_DENIED listing *

    smb: \> quit

    [root@desktop62 ~]# ls -Zd /westos/

    drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /westos/

    [root@desktop62 ~]# semanage fcontext -a -t samba_share_t '/westos(/.*)?'

    [root@desktop62 ~]# restorecon -RvvF /westos/

    restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0

    restorecon reset /westos/file context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0

    [root@desktop62 ~]# smbclient //172.25.254.63/TEST -U westos

    Enter westos's password:

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    smb: \> ls

      .                                   D        0  Tue May  2 09:07:26 2017

      ..                                  D        0  Tue May  2 09:03:42 2017

      file                                N        0  Tue May  2 09:07:26 2017

    40913 blocks of size 262144. 14314 blocks available

    smb: \> quit

    [root@desktop62 ~]#

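    IV. Accessing CIFS Shares

    The four basic ways to connect to a CIFS file share:

    1. Graphical access to a CIFS share

    Go to "Network" --> "Connect to Server" and fill in the following fields:

    Server Address : 172.25.0.11

    Username: wxh

    Password: westos

    2. Command-line, FTP-style access to a CIFS share: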

    [root@server0 ~]# smbclient -L server0.example.com -U wxh

    Enter wxh's password: westos

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    [root@server0 ~]# smbclient //server0.example.com/smbshare -U wxh

    Enter wxh's password: westos

    Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

    smb: \> ls

      .                                   D        0  Thu Dec 18 17:27:27 2014

      ..                                  D        0  Thu Dec 18 11:37:20 2014

      testfile                            N       12  Thu Dec 18 11:38:03 2014

    3. Mounting a CIFS share manually

    [root@server0 ~]# mount -o username=wxh //server0.example.com/smbshare /mnt/wxh

    4. Mounting a CIFS share permanently

    Add the following line to /etc/fstab:

    //server0.example.com/smbshare /mnt/wxh cifs credentials=/root/userpasswd 0 0

    Create /root/userpasswd:

    user=wxh

    pass=westos

    V. Practice (15 minutes)

    Configure an SMB share on the serverX system according to the following requirements:

    Share the newly created directory /smbshare with SMB.

    Members of the auxiliary group marketing have read and write permissions on the share.

    All users who are not members of the marketing group have read permission.

    The Samba server is in the mycompany workgroup and the share name is smbshare.

    Create the Samba-only user brian, who is part of the marketing team, with the password redhat.

    Create the new Samba-only user rob with the password redhat, who is not part of the marketing team.

    Successfully grade the setup on the serverX system with lab smbshare grade.

    VI. SMB Multiuser Mounts

    Demo: (desktopX)

    Install the cifs-utils package, which provides the cifscreds command:

    # yum install -y cifs-utils

    Create the mount point for the SMB multiuser mount:

    # mkdir /mnt/multiuser

    Create the SMB credentials file:

    # echo 'username=brian' > /root/smb-multiuser.txt

    # echo 'password=redhat' >> /root/smb-multiuser.txt

    Edit /etc/fstab to mount the SMB share permanently:

    //server0/smbshare /mnt/multiuser cifs credentials=/root/smb-multiuser.txt,multiuser,sec=ntlmssp 0 0

    # mount -a

    # su - brian

    $ touch /mnt/multiuser/test.txt

    touch: cannot touch ‘/mnt/multiuser/brian.txt’: Permission denied

    $ cifscreds add server0

    Password: redhat

    $ echo "multiuser" > /mnt/multiuser/brian.txt

    $ cat /mnt/multiuser/brian.txt

    multiuser

    $ exit

    # su - rob

    $ cifscreds add server0

    Password: redhat

    $ echo "multiuser" > /mnt/multiuser/rob.txt

    -bash: /mnt/multiuser/rob.txt: Permission denied

    $ cat /mnt/multiuser/brian.txt

    multiuser
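
The permanent-mount and multiuser-mount steps above both keep the SMB password in a credentials file, while several mount commands on this page pass password= as a mount option, which leaves it in the process list and shell history. The following shell functions are an added example, not part of the original notes (function names and the sample fstab are constructed): they write the credentials file with owner-only permissions, verify it, and list cifs entries in an fstab-format file that embed a password.

```shell
#!/bin/sh
# Added example (not from the original page): keep CIFS passwords out of argv and fstab.

# write_cifs_credentials FILE USERNAME
# Reads the password from stdin so it never appears as a command-line argument, and
# writes both keys in one step so the second line cannot overwrite the first.
write_cifs_credentials() {
    cred_file=$1; cred_user=$2
    if ! IFS= read -r cred_pass && [ -z "$cred_pass" ]; then
        echo "no password supplied on stdin" >&2
        return 1
    fi
    ( umask 077
      printf 'username=%s\npassword=%s\n' "$cred_user" "$cred_pass" > "$cred_file" ) || return 1
    chmod 600 "$cred_file"    # also tightens a file that already existed with wider modes
}

# check_cifs_credentials FILE
# Returns 0 only if FILE is a regular file, has no group/other permission bits, and holds
# a user/username key and a pass/password key (both spellings appear on this page).
check_cifs_credentials() {
    [ -f "$1" ] || { echo "$1: not a regular file"; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)    # group and other permission bits
    [ "$perms" = "------" ] || { echo "$1: accessible beyond its owner ($perms)"; return 1; }
    grep -Eq '^[[:space:]]*user(name)?[[:space:]]*=' "$1" || { echo "$1: no username key"; return 1; }
    grep -Eq '^[[:space:]]*pass(word)?[[:space:]]*=' "$1" || { echo "$1: no password key"; return 1; }
}

# Constructed sample in fstab format: one entry embeds the password in its options,
# the other points at a credentials file as in the multiuser demo.
sample_fstab() {
    cat <<'EOF'
# constructed sample, not a real /etc/fstab
//172.25.254.142/TEST /westos cifs username=westos,password=westos 0 0
//server0/smbshare /mnt/multiuser cifs credentials=/root/smb-multiuser.txt,multiuser,sec=ntlmssp 0 0
EOF
}

# fstab_inline_passwords [FILE]
# Prints the mount point of every cifs entry whose option field carries a password.
fstab_inline_passwords() {
    awk '!/^[ \t]*#/ && $3 == "cifs" && $4 ~ /(^|,)pass(word)?=/ { print $2 }' "$@"
}

# Demonstration in a throwaway directory, using the lab account from the demo above.
demo_dir=$(mktemp -d)
printf '%s\n' 'redhat' | write_cifs_credentials "$demo_dir/smb-multiuser.txt" brian
check_cifs_credentials "$demo_dir/smb-multiuser.txt" && echo "credentials file: OK"
echo "fstab entries with inline passwords: $(sample_fstab | fstab_inline_passwords)"
rm -rf "$demo_dir"
```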

    Example:

    [root@localhost ~]# vim /etc/samba/smb.conf

    [TEST]

            comment = westos directory

            path = /westos

            writable = yes

    [root@localhost ~]# chmod 777 /westos/

    [root@localhost ~]# systemctl restart smb.service

    [root@foundation42 Desktop]# cd /

    [root@foundation42 /]# mkdir /westos

    [root@foundation42 /]# mount //172.25.254.142/TEST /westos/ -o username=westos,password=westos

    [root@foundation42 /]# df

    Filesystem            1K-blocks     Used Available Use% Mounted on

    /dev/sda5             255713288 18117768 237595520   8% /

    devtmpfs                1813796        0   1813796   0% /dev

    tmpfs                   1826872      452   1826420   1% /dev/shm

    tmpfs                   1826872     9032   1817840   1% /run

    tmpfs                   1826872        0   1826872   0% /sys/fs/cgroup

    /dev/sda2                198380   134004     64376  68% /boot

    tmpfs                    365376       16    365360   1% /run/user/1000

    tmpfs                    365376        0    365376   0% /run/user/0

    //172.25.254.142/TEST  10473900  3166708   7307192  31% /westos

    [root@foundation42 /]# useradd hello

    [root@foundation42 /]# su hello

    [hello@foundation42 /]$ cd westos/

    [hello@foundation42 westos]$ ls

    anaconda-ks.cfg  westosfile

    [hello@foundation42 westos]$ rm -fr anaconda-ks.cfg

    [hello@foundation42 westos]$ ls

    westosfile

    [hello@foundation42 westos]$ exit

    exit

    [root@foundation42 yum.repos.d]# yum install cifs-utils -y

    [root@foundation42 yum.repos.d]# vim /root/smbpassfile

    [root@foundation42 yum.repos.d]# cat /root/smbpassfile

    username=westos

    password=westos

    [root@foundation42 yum.repos.d]# df

    Filesystem            1K-blocks     Used Available Use% Mounted on

    /dev/sda5             255713288 18138096 237575192   8% /

    devtmpfs                1813796        0   1813796   0% /dev

    tmpfs                   1826872      452   1826420   1% /dev/shm

    tmpfs                   1826872     9032   1817840   1% /run

    tmpfs                   1826872        0   1826872   0% /sys/fs/cgroup

    /dev/sda2                198380   134004     64376  68% /boot

    tmpfs                    365376       16    365360   1% /run/user/1000

    tmpfs                    365376        0    365376   0% /run/user/0

    [root@foundation42 yum.repos.d]# mount //172.25.254.142/TEST /westos/ -o username=westos,password=westos

    [root@foundation42 yum.repos.d]# df

    Filesystem            1K-blocks     Used Available Use% Mounted on

    /dev/sda5             255713288 18137520 237575768   8% /

    devtmpfs                1813796        0   1813796   0% /dev

    tmpfs                   1826872      452   1826420   1% /dev/shm

    tmpfs                   1826872     9032   1817840   1% /run

    tmpfs                   1826872        0   1826872   0% /sys/fs/cgroup

    /dev/sda2                198380   134004     64376  68% /boot

    tmpfs                    365376       16    365360   1% /run/user/1000

    tmpfs                    365376        0    365376   0% /run/user/0

    //172.25.254.142/TEST  10473900  3166712   7307188  31% /westos

    [root@foundation42 westos]# mount //172.25.254.142/TEST /westos -o credentials=/root/smbpassfile,multiuser,sec=ntlmssp

    [root@foundation42 westos]# df

    Filesystem            1K-blocks     Used Available Use% Mounted on

    /dev/sda5             255713288 18137436 237575852   8% /

    devtmpfs                1813796        0   1813796   0% /dev

    tmpfs                   1826872      452   1826420   1% /dev/shm

    tmpfs                   1826872     9032   1817840   1% /run

    tmpfs                   1826872        0   1826872   0% /sys/fs/cgroup

    /dev/sda2                198380   134004     64376  68% /boot

    tmpfs                    365376       16    365360   1% /run/user/1000

    tmpfs                    365376        0    365376   0% /run/user/0

    //172.25.254.142/TEST  10473900  3166692   7307208  31% /westos

    [root@foundation42 westos]# su - hello

    Last login: Tue May  2 12:02:21 CST 2017 on pts/0

    [hello@foundation42 ~]$ cd /westos

    [hello@foundation42 westos]$ ls

    ls: reading directory .: Permission denied

    [hello@foundation42 westos]$ exit

    logout

    [root@foundation42 westos]# su - westos

    su: user westos does not exist

    [root@foundation42 westos]# useradd westos

    [root@foundation42 westos]# su - westos

    [westos@foundation42 ~]$ cd /westos

    [westos@foundation42 westos]$ ls

    ls: reading directory .: Permission denied

    [westos@foundation42 westos]$ cifscreds add 172.25.254.142

    Password:

    [westos@foundation42 westos]$ ls

    westosfile

    [westos@foundation42 westos]$ touch file

    [westos@foundation42 westos]$ ls

    file  westosfile

    [westos@foundation42 westos]$ exit

    logout

    [root@foundation42 westos]# su - hello

    Last login: Tue May  2 12:08:48 CST 2017 on pts/0

    [hello@foundation42 ~]$ cd /westos

    [hello@foundation42 westos]$ ls

    ls: reading directory .: Permission denied

    [hello@foundation42 westos]$ cifscreds add 172.25.254.142

    Password:

    [hello@foundation42 westos]$

    [hello@foundation42 westos]$ ls

    ls: reading directory .: Permission denied

    [hello@foundation42 westos]$ exit

    logout

    [root@foundation42 westos]# ls

    file  westosfile

    [root@foundation42 westos]# rm -fr file

    [root@foundation42 westos]# ls

    westosfile

    [root@foundation42 westos]# 
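
The session above first passes the password on the mount command line and then switches to `credentials=/root/smbpassfile`. The check below is an added example, not part of the original lesson: it flags inline passwords in a CIFS option string and credentials files that group or other can access. The function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit CIFS mount option strings. Function names are
# hypothetical; GNU stat (Linux) is assumed.

# Print the value of key=value from a comma-separated option string.
opt_value() {  # $1 = option string, $2 = key
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Succeed only if the file exists and grants nothing to group or other.
cred_file_is_private() {  # $1 = path
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Print one finding per line; exit status 0 only if nothing was found.
audit_cifs_opts() {  # $1 = option string as given to mount -o
    opts=$1
    findings=0
    case ",$opts," in
        *,password=*|*,pass=*)
            echo "inline-password: ends up in shell history and process arguments"
            findings=$((findings + 1)) ;;
    esac
    cred=$(opt_value "$opts" credentials)
    if [ -n "$cred" ] && ! cred_file_is_private "$cred"; then
        echo "credentials-file: $cred is missing or open to group/other"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# The two option strings used in the session above.
for o in 'username=westos,password=westos' \
         'credentials=/root/smbpassfile,multiuser,sec=ntlmssp'; do
    echo "== $o"
    audit_cifs_opts "$o" || true
done
```

A credentials file created with `vim` under the default umask is typically mode 644, so `chmod 600 /root/smbpassfile` is needed before the second form passes this check.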

  • Original article: https://www.cnblogs.com/Virgo-sept/p/6798928.html