  • Notes on deploying the Samba service on Linux

    Samba (Server Message Block) is a service for sharing files between Linux and Windows systems over a network protocol (Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol). Below is a brief record of deploying it on CentOS 7 (IP: 192.168.1.19).

    1. Install Samba

    [root@localhost ~]# cat /etc/redhat-release 
    CentOS Linux release 7.6.1810 (Core) 
    [root@localhost ~]# yum install -y samba

    2. Configure the firewall and SELinux, otherwise Windows cannot access the share. In production the firewall is normally never turned off.

    [root@localhost ~]# systemctl status firewalld        # normally running by default; start it if it is stopped
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
       Active: active (running) since Mon 2019-04-08 09:40:24 EDT; 2h 11min ago
         Docs: man:firewalld(1)
     Main PID: 4711 (firewalld)
       CGroup: /system.slice/firewalld.service
               └─4711 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
    
    Apr 08 09:51:09 localhost.localdomain firewalld[4711]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POS...ame.
    Apr 08 09:57:39 localhost.localdomain firewalld[4711]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOC...ame.
    Apr 08 09:57:39 localhost.localdomain firewalld[4711]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C ...n?).
    Apr 08 09:57:39 localhost.localdomain firewalld[4711]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POS...ame.
    Apr 08 09:57:39 localhost.localdomain firewalld[4711]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOC...ame.
    Apr 08 09:57:39 localhost.localdomain firewalld[4711]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C ...n?).
    Apr 08 09:57:39 localhost.localdomain firewalld[4711]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POS...ame.
    Apr 08 11:10:18 localhost.localdomain firewalld[4711]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOC...ame.
    Apr 08 11:10:18 localhost.localdomain firewalld[4711]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C ...n?).
    Apr 08 11:10:18 localhost.localdomain firewalld[4711]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POS...ame.
    Hint: Some lines were ellipsized, use -l to show in full.
    
    [root@localhost ~]# firewall-cmd --add-service samba --permanent
    success
    
    [root@localhost ~]# firewall-cmd --reload    # reload the firewall
    success
    
    [root@localhost ~]# firewall-cmd --list-all|grep samba    # confirm the rule was added
      services: ssh dhcpv6-client samba
    
    Disable SELinux, otherwise Windows clients cannot connect to Samba
    [root@localhost ~]# vim /etc/selinux/config
    SELINUX=disabled
    
    [root@localhost ~]# setenforce 0    
    [root@localhost ~]# getenforce 
    Permissive
    

    3. Samba server configuration

    [root@localhost samba]# cp /etc/samba/smb.conf /etc/samba/smb.conf_bak_20190426
    [root@localhost samba]# cat /etc/samba/smb.conf
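    [global]                                    # global settings
            workgroup = SAMBA
            security = user  # authentication mode
    # 1. share: visiting hosts need no password; convenient but insecure. Newer versions restrict it, and the service will not start if it is used
    # 2. user: the password supplied by the visiting host must be verified before access is granted
    # 3. a separate remote host is used to verify the supplied password
    # 4. domain: authentication is done by a domain controller
            passdb backend = tdbsam

            printing = cups
            printcap name = cups
            load printers = yes
            cups options = raw

    [homes]
            comment = Home Directories
            valid users = %S, %D%w%S
            browseable = No
            read only = No
            inherit acls = Yes

    [printers]
            comment = All Printers
            path = /var/tmp
            printable = Yes
            create mask = 0600
            browseable = No

    [print$]
            comment = Printer Drivers
            path = /var/lib/samba/drivers
            write list = @printadmin root
            force group = @printadmin
            create mask = 0664
            directory mask = 0775

    [database]                                  # share name, also the folder's identifier; each share configured here shows up as a folder at login
            comment=do not modify it all will   # description of the share, free text
            path=/home/database                 # path of the share
            public=no                           # whether the share is open to everyone
            writeable=yes                       # allow writes

    !!! If you copy this configuration, remove the annotations (Chinese text in the original), otherwise the smb service will not start

    [root@localhost samba]# systemctl restart smb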

    4. Access method one: anyone can connect anonymously and can create, delete, modify and read files

    [root@localhost home]# chmod 777 database/
    
    [root@localhost database]# vim /etc/samba/smb.conf
    [global]
            workgroup = SAMBA
            security = user
            map to guest = Bad User
            passdb backend = tdbsam
    
            printing = cups
            printcap name = cups
            load printers = yes
            cups options = raw
    
    [homes]
            comment = Home Directories
            valid users = %S, %D%w%S
            browseable = No
            read only = No
            inherit acls = Yes
    
    [printers]
            comment = All Printers
            path = /var/tmp
            printable = Yes
            create mask = 0600
            browseable = No
    
    [print$]
            comment = Printer Drivers
            path = /var/lib/samba/drivers
            write list = @printadmin root
            force group = @printadmin
            create mask = 0664
            directory mask = 0775
    [database]
            comment=do not modify it all will
            path=/home/database
            public = yes
            writeable=yes
            guest ok = yes

    Use this method with caution: it carries a large security risk, and if someone accidentally deletes or modifies files we cannot recover them.
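A check for the exposure described above, as an added example that is not part of the original post: it parses an smb.conf and reports every share that guests can reach and whether they can write to it. The sample text is constructed from the method-one configuration, and `audit` is a hypothetical helper name; the Samba synonyms `public` (for `guest ok`) and `writeable` (inverse of `read only`) are handled.

```python
import configparser

# Constructed sample: stanzas from the "access method one" smb.conf above.
SMB_CONF = """\
[global]
        security = user
        map to guest = Bad User
[homes]
        read only = No
[database]
        path=/home/database
        public = yes
        writeable=yes
        guest ok = yes
"""

GUEST_KEYS = {"guestok", "public"}                 # Samba synonyms
WRITE_KEYS = {"writeable", "writable", "writeok"}  # inverse of "read only"


def _yes(value):
    return value.lower() in {"yes", "true", "1"}


def audit(text):
    """Return (map_to_guest, findings); findings are (share, path, access)."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    # Samba ignores case and spaces inside parameter names.
    cp.optionxform = lambda name: name.replace(" ", "").lower()
    # Indentation is cosmetic in smb.conf; strip it so configparser does
    # not treat indented lines as value continuations.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    map_to_guest = cp.get("global", "map to guest", fallback="Never")
    findings = []
    for section in cp.sections():
        if section.lower() == "global":
            continue
        guest, writable = False, False  # defaults: guest ok = no, read only = yes
        for key, value in cp.items(section):
            if key in GUEST_KEYS:
                guest = _yes(value)
            elif key in WRITE_KEYS:
                writable = _yes(value)
            elif key == "readonly":
                writable = not _yes(value)
        if guest:
            findings.append((section, cp.get(section, "path", fallback=""),
                             "guest-write" if writable else "guest-read"))
    return map_to_guest, findings
```

On the sample, only `[database]` is reported (as guest-write); `[homes]` is writable but not open to guests, so it is not flagged.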

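    When the server is accessed by IP, the address is easily forgotten over time or for other reasons; configuring an internal DNS name solves this problem effectively. The steps below show how to set up name-based access to our server.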

    1. First configure name resolution on the server, here named after the development team
    [root@localhost ~]# vim /etc/hosts
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    
    192.168.1.19 devops
    ~      
    [root@localhost ~]# ping -c 4 devops
    PING devops (192.168.1.19) 56(84) bytes of data.
    64 bytes from devops (192.168.1.19): icmp_seq=1 ttl=64 time=0.045 ms
    64 bytes from devops (192.168.1.19): icmp_seq=2 ttl=64 time=0.122 ms
    64 bytes from devops (192.168.1.19): icmp_seq=3 ttl=64 time=0.125 ms
    64 bytes from devops (192.168.1.19): icmp_seq=4 ttl=64 time=0.121 ms
    
    --- devops ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3008ms
    rtt min/avg/max/mdev = 0.045/0.103/0.125/0.034 ms
     
    The test on the internal network passes; next, configure the hosts file on Windows
    
    C:\Windows\System32\drivers\etc        # the path on my machine
    
    127.0.0.1       localhost
    192.168.1.19 devops  # add this entry
    

     

    Once the test passes, we can reach our server via \\devops

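    Access method two: access with an account and password. On CentOS 7 this is the Samba service's default authentication mode (user),

    but the user/password authentication mode can only be used after the account database has been created.

    The pdbedit command manages the SMB service's account database; its syntax is pdbedit [options] account

    -a  -u   username    create a samba account
    -x  -u  username    delete a samba account
    -L    list the accounts
    -Lv   list the accounts with details
    Here we access the share as root; you can also use another account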
    [root@localhost ~]# id root
    uid=0(root) gid=0(root) groups=0(root)
    
    [root@localhost ~]# pdbedit -a -u root
    new password:
    retype new password:
    Unix username:        root
    NT username:          
    Account Flags:        [U          ]
    User SID:             S-1-5-21-683895756-2385326933-4243325015-1000
    Primary Group SID:    S-1-5-21-683895756-2385326933-4243325015-513
    Full Name:            root
    Home Directory:       \\localhost\root
    HomeDir Drive:        
    Logon Script:         
    Profile Path:         \\localhost\root\profile
    Domain:               LOCALHOST
    Account desc:         
    Workstations:         
    Munged dial:          
    Logon time:           0
    Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
    Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
    Password last set:    Mon, 08 Apr 2019 16:51:45 EDT
    Password can change:  Mon, 08 Apr 2019 16:51:45 EDT
    Password must change: never
    Last bad password   : 0
    Bad password count  : 0
    Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 

    When accessing with a username and password, comment out map to guest in the global configuration

    # map to guest = Bad User

    [root@localhost ~]# systemctl restart smb
    

      


      

    This is the blogger's original article; please credit the source when reposting.
  • Original URL: https://www.cnblogs.com/liangyuntao-ts/p/10773772.html