实验准备: 准备两台机器,server0(172.25.0.11)和deskop0(172.25.0.12),要求在server0上实现samba共享,在desktop0上访问共享。
- 1、允许marketing组里的用户对该目录有读写权限,其他用户只读。
- 2、samba执行的工作组为mycompany。
- 3、用户brian输入marketing组,要求用户rob不属于marketing组。
- 4、共享组的目录为 /smbshare
- 5、将共享组挂载到desktop0机器的/mnt/brian目录下
说明:本实验不用特定的环境,自己搭建两台Linux机器就可独立完成
配置server(server0)端
1、安装相应的服务包
[root@server0 ~]# yum install samba -y
2、建立共享目录并对共享目录授权
[root@server0 ~]# mkdir /smbshare [root@server0 ~]# groupadd -r marketing [root@server0 ~]# chgrp marketing /smbshare/ [root@server0 ~]# chmod 2775 /smbshare/ [root@server0 ~]# ll -d /smbshare/ drwxrwsr-x. 2 root marketing 6 Apr 17 22:48 /smbshare/ 2775中的2代表在该目录下所有的目录或者文件夹继承组marketing的权限,允许root和marketing组只有只读的权限 设定selinux [root@server0 ~]# semanage fcontext -a -t 'samba_share_t' '/smbshare(/.*)?' [root@server0 ~]# restorecon -Rv /smbshare/ restorecon reset /smbshare context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:samba_share_t:s0
3、修改配置文件
[root@server0 ~]# vim /etc/samba/smb.conf
...
[global]
...
workgroup = mycompany --->更改工作组
...
[smbshare]
path = /smbshare
write list = @marketing -->用@来表示组
...
4、创建共享用户
[root@server0 ~]# useradd -s /sbin/nologin -G marketing brian [root@server0 ~]# useradd -s /sbin/nologin rob [root@server0 ~]# id brian uid=1001(brian) gid=1001(brian) groups=1001(brian),990(marketing) [root@server0 ~]# id rob uid=1002(rob) gid=1002(rob) groups=1002(rob) [root@server0 ~]#
5、将用户加入samba数据库中并设定密码
smbpasswd需要 samba-client的包支持 [root@server0 ~]# yum install samba-client -y [root@server0 ~]# smbpasswd -a brian New SMB password: -->redhat Retype new SMB password: Added user brian. [root@server0 ~]# smbpasswd -a rob New SMB password: -->redhat Retype new SMB password: Added user rob.
6、启动服务并设置防火墙
[root@server0 ~]# systemctl start smb nmb [root@server0 ~]# systemctl enable smb nmb ln -s '/usr/lib/systemd/system/smb.service' '/etc/systemd/system/multi-user.target.wants/smb.service' ln -s '/usr/lib/systemd/system/nmb.service' '/etc/systemd/system/multi-user.target.wants/nmb.service' [root@server0 ~]# firewall-cmd --permanent --add-service=samba success [root@server0 ~]# firewall-cmd --reload success [root@server0 ~]# firewall-cmd --list-all public (default, active) interfaces: eth0 sources: services: dhcpv6-client samba ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules:
server端配置到此结束
配置client(desktop0)端
1、安装工具包
[root@desktop0 ~]# yum install cifs-utils
2、创建相应的挂载点并挂载目录
[root@desktop0 ~]# mkdir -p /mnt/brian [root@desktop0 ~]# mount -o username=brian //172.25.0.11/smbshare /mnt/brian/ Password for brian@//172.25.0.11/smbshare: ****** ---> redhat [root@desktop0 ~]# df -h Filesystem Size Used Avail Use% Mounted on /dev/sda1 10G 3.1G 7.0G 31% / devtmpfs 223M 0 223M 0% /dev tmpfs 238M 0 238M 0% /dev/shm tmpfs 238M 8.8M 230M 4% /run tmpfs 238M 0 238M 0% /sys/fs/cgroup //172.25.0.11/smbshare 10G 3.1G 7.0G 31% /mnt/brian
3、测试用户权限
brian用户
[root@desktop0 ~]# echo "Hello World" >> /mnt/brian/test.txt [root@desktop0 ~]# cat !$ cat /mnt/brian/test.txt Hello World 文件创建成功 [root@desktop0 ~]# ll !$ ll /mnt/brian/test.txt -rw-r--r--. 1 1001 990 12 Apr 17 23:12 /mnt/brian/test.txt 此处出现1001和990的意思是本机没有1001和990这两个id,但是服务器上有,可以查看服务器上文件的所属组和用户 [root@server0 ~]# ll /smbshare/test.txt -rw-r--r--. 1 brian marketing 12 Apr 17 23:12 /smbshare/test.txt 可以看到desktop0机器上,root用户创建的文件被改为了brian用户maretketing的权限
rob用户
[root@desktop0 ~]# mount -o username=rob //server0/smbshare /mnt/rob/ Password for rob@//server0/smbshare: ****** ---> redhat [root@desktop0 ~]# df -h Filesystem Size Used Avail Use% Mounted on /dev/sda1 10G 3.1G 7.0G 31% / devtmpfs 223M 0 223M 0% /dev tmpfs 238M 0 238M 0% /dev/shm tmpfs 238M 8.8M 230M 4% /run tmpfs 238M 0 238M 0% /sys/fs/cgroup //172.25.0.11/smbshare 10G 3.1G 7.0G 31% /mnt/brian //server0/smbshare 10G 3.1G 7.0G 31% /mnt/rob
创建文件失败
[root@desktop0 ~]# touch /mnt/rob/test.txt touch: cannot touch ‘/mnt/rob/test.txt’: Permission denied
因为设定只允许marketing组的用户有写的权限,而rob不属于marketing组,所以无法创建
本实验到此结束
附:
rhce考试需要做的事
列出server0上的smb共享
smbclient需要samba-client包的支持 [root@desktop0 ~]# yum install samba-client -y 用brian用户列出server0机器的samba共享 [root@desktop0 ~]# smbclient -L //server0 -U brian Enter brian's password: Domain=[MYCOMPANY] OS=[Unix] Server=[Samba 4.1.1] Sharename Type Comment --------- ---- ------- smbshare Disk IPC$ IPC IPC Service (Samba Server Version 4.1.1) brian Disk Home Directories Domain=[MYCOMPANY] OS=[Unix] Server=[Samba 4.1.1] Server Comment --------- ------- LOCALHOST Samba Server Version 4.1.1 Workgroup Master --------- ------- MYCOMPANY LOCALHOST
但是考试时上述命令不会被记录,所以上述操作不会被评分,需要通过命令工具访问
[root@desktop0 ~]# smbclient //server0/smbshare -U brian Enter brian's password: Domain=[MYCOMPANY] OS=[Unix] Server=[Samba 4.1.1] smb: > ls . D 0 Wed Apr 17 23:26:57 2019 .. D 0 Thu Apr 18 07:40:37 2019 40913 blocks of size 262144. 28330 blocks available smb: > ? ? allinfo altname archive backup blocksize cancel case_sensitive cd chmod chown close del dir du echo exit get getfacl geteas hardlink help history iosize lcd link lock lowercase ls l mask md mget mkdir more mput newer notify open posix posix_encrypt posix_open posix_mkdir posix_rmdir posix_unlink print prompt put pwd q queue quit readlink rd recurse reget rename reput rm rmdir showacls setea setmode stat symlink tar tarmode timeout translate unlock volume vuid wdel logon listconnect showconnect tcon tdis tid logoff .. ! smb: > quit