Linux CIFS (Common Internet File System)
CIFS overview
CIFS lets a program access files on a remote machine over the network and request services from it. It follows the client/server model: the client program asks the server program on the remote host for a service, the server receives the request and returns a response. CIFS is the public, open version of the SMB protocol used by Microsoft; SMB is the protocol used on local networks for file and print access to servers. Like SMB, CIFS is an application-layer protocol that runs on top of TCP/IP rather than a lower-layer transport protocol, in the same way as FTP or HTTP.
Samba overview
Samba is the SMB/CIFS implementation for Linux and other Unix systems; its smbd daemon serves the shares configured in /etc/samba/smb.conf below.
Service ports: all connections normally use TCP/445. UDP/137, UDP/138 and TCP/139 (NetBIOS over TCP) are kept for backward compatibility.
Installation environment
Configure the network and the yum repository, then set the hostnames:
desktop VM: hostnamectl set-hostname client.example.com
server VM: hostnamectl set-hostname server.example.com
[root@server ~]# yum search samba #search for the samba packages
[root@server ~]# yum install samba samba-client samba-common -y #install the samba packages
samba-client -- client tools (smbclient and friends)
samba-common -- samba support files
[root@server ~]# systemctl start smb #start the samba service
[root@server ~]# systemctl enable smb #start it at boot
ln -s '/usr/lib/systemd/system/smb.service' '/etc/systemd/system/multi-user.target.wants/smb.service'
[root@server ~]# systemctl stop firewalld #stop the firewall
[root@server ~]# systemctl disable firewalld #disable the firewall permanently
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
Turning the firewall off is acceptable only in a lab. On a real server keep firewalld running and open just the samba service (TCP/445 and, if NetBIOS is needed, UDP/137-138 and TCP/139) to the client networks that need it.
[root@server ~]# netstat -antlupe | grep smb #check the samba listening ports (445 and 139)
Client:
[root@client ~]# yum install samba-client -y #install the samba client tools
[root@client ~]# smbclient -L //172.25.254.202 #anonymous share listing (no samba password has been set yet, so just press Enter at the prompt; -N skips the prompt)
Adding SMB users
Samba keeps its own password database (tdbsam by default), separate from /etc/shadow; smbpasswd writes to it and pdbedit lists it.
Server:
[root@server ~]# smbpasswd -a student #add a samba user; the Linux account must already exist
New SMB password:
Retype new SMB password:
Added user student.
[root@server ~]# smbpasswd -a westos #adding a samba user for a Linux account that does not exist fails
New SMB password:
Retype new SMB password:
Failed to add entry for user westos.
[root@server ~]# useradd westos
[root@server ~]# smbpasswd -a westos
New SMB password:
Retype new SMB password:
Added user westos.
[root@server ~]# pdbedit -L #list the samba users
[root@server ~]# pdbedit -x student #delete a samba user
[root@server ~]# pdbedit -L
westos:1001:
[root@server ~]# smbpasswd -a student
New SMB password:
Retype new SMB password:
Added user student.
[root@server ~]# pdbedit -L
student:1000:Student User
westos:1001:
Client:
[root@client ~]# smbclient -L //172.25.254.202 -U student #-L: list the shares, authenticating as student
[root@client ~]# smbclient //172.25.254.202/student -U student #connect as student; /student is the [homes] share, i.e. student's home directory
Enter student's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \* #listing is denied: SELinux on the server stops smbd from reading home directories while the samba_enable_home_dirs boolean is off
smb: \> quit
[root@client ~]# smbclient //172.25.254.202/student -U student
Enter student's password:
session setup failed: NT_STATUS_LOGON_FAILURE #this error means the password was wrong
Server:
[root@server ~]# getsebool -a | grep samba #list the SELinux booleans that concern samba
samba_enable_home_dirs --> off #access to home directories is disabled
[root@server ~]# setsebool -P samba_enable_home_dirs on #enable it permanently (-P)
Client:
[root@client ~]# smbclient //172.25.254.202/student -U student #the listing now works
Uploading files with smbclient
[root@client ~]# smbclient //172.25.254.202/student -U student
Enter student's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> !ls #!command runs a command in a local shell; !ls lists the local current directory
anaconda-ks.cfg Documents Music Public Videos
Desktop Downloads Pictures Templates
smb: \> quit
[root@client ~]# pwd
/root
[root@client ~]# ls
anaconda-ks.cfg Documents Music Public Videos
Desktop Downloads Pictures Templates
[root@client ~]# cd /etc
[root@client etc]# smbclient //172.25.254.202/student -U student
Enter student's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> !ls #local listing of /etc
smb: \> put passwd #uploads /etc/passwd to the share; this only demonstrates put, do not push system files onto shares in practice
putting file passwd as \passwd (979.0 kb/s) (average 979.0 kb/s)
Server:
[root@server ~]# cd /home/student
[root@server student]# ls
passwd
Client:
smb: \> put /bin/ls #fails: put takes "put <local name> [remote name]", and without a remote name the local path is reused as the remote path, so the server is asked to create \bin\ls inside the share, where no bin directory exists
smb: \> quit
[root@client etc]# cd /bin
[root@client bin]# smbclient //172.25.254.202/student -U student
Enter student's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> put ls #works once the local file is in the current directory; giving the remote name explicitly (put /bin/ls ls) works from any directory
putting file ls as \ls (57426.9 kb/s) (average 57429.7 kb/s)
smb: \> quit
Mounting an SMB share
[root@client bin]# smbclient //172.25.254.202/student -U student
Enter student's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> touch file #smbclient has its own command set (ls, get, put, mkdir, del, ...); touch is not part of it, so an empty file cannot be created this way
touch: command not found
smb: \> quit
[root@client bin]# smbclient -L //172.25.254.202/ -U student
Enter student's password:
Disk #shares of type Disk can be mounted
Temporary mount
[root@client bin]# mount //172.25.254.202/student /mnt/ -o username=student,password=123
Passing password= on the command line leaves it in the shell history and in the process list while mount runs; the credentials= option used in the multi-user section below avoids that.
[root@client bin]# df
[root@client bin]# cd /mnt
[root@client mnt]# ls
ls passwd
[root@client mnt]# touch file{1..10}
Server:
[root@server student]# ls #the files created on the client appear in student's home directory
Client:
[root@client mnt]# rm -fr *
[root@client mnt]# ls
Server:
[root@server student]# ls #empty again
Permanent mount
Method one:
[root@client mnt]# cd
[root@client ~]# vim /etc/fstab
//172.25.254.202/student /mnt/ cifs defaults,username=student,password=123 0 0
Entries in /etc/fstab are mounted during boot, before the rest of the system is up; if the share cannot be mounted (server down, network not ready yet) the boot stalls or drops into emergency mode, so this form is not recommended. The password is also stored in clear text in a world-readable file. If fstab is used at all, reference a credentials file and add the _netdev and nofail options.
[root@client ~]# mount -a
[root@client ~]# df
[root@client ~]# vim /etc/fstab #remove the entry again
Method two:
mount //172.25.254.202/student /mnt -o username=student,password=lee
Put the mount command in a startup script that runs after all services have been started (for example /etc/rc.d/rc.local); a failed mount there does not block the boot.
[root@client ~]# reboot
[root@client ~]# df
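As an added example (not part of the original page), the following script shows the safer way to make the mount permanent: the username and password go into a file readable only by root, and the fstab entry references that file with credentials= instead of embedding password=. The file name /root/smbpass follows the page's later section; the mount point, share and the _netdev/nofail options are this example's own choices, and nothing is actually mounted.

```shell
#!/bin/bash
# Added example: keep the SMB password out of /etc/fstab and the command line.
# Paths and share names are illustrative; nothing here runs mount.

# write_cifs_creds FILE USER PASS [DOMAIN]
# Writes a mount.cifs credentials file that only its owner can read.
write_cifs_creds() {
    local file=$1 user=$2 pass=$3 domain=${4:-}
    # umask 077 makes the file 0600 from the moment it exists, so the
    # password is never briefly world-readable; chmod covers a pre-existing file.
    ( umask 077 && : > "$file" ) || return 1
    chmod 600 "$file" || return 1
    {
        printf 'username=%s\n' "$user"
        printf 'password=%s\n' "$pass"
        if [ -n "$domain" ]; then printf 'domain=%s\n' "$domain"; fi
    } > "$file"
}

# creds_file_ok FILE
# Returns 0 only if FILE is a regular file with no group/other permission bits.
creds_file_ok() {
    local file=$1 mode
    [ -f "$file" ] || return 1
    mode=$(stat -c '%a' "$file") || return 1
    case $mode in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# fstab_line SHARE MOUNTPOINT CREDSFILE
# Prints an /etc/fstab entry that references the credentials file instead of
# embedding username=/password=. _netdev delays the mount until the network is
# up and nofail keeps an unreachable server from stopping the boot.
fstab_line() {
    local share=$1 mp=$2 creds=$3
    creds_file_ok "$creds" || { echo "refusing: $creds must be mode 0600" >&2; return 1; }
    printf '%s %s cifs credentials=%s,_netdev,nofail 0 0\n' "$share" "$mp" "$creds"
}

# Demonstration in a scratch directory (constructed values).
demo_dir=$(mktemp -d)
write_cifs_creds "$demo_dir/smbpass" student 123
fstab_line //172.25.254.202/student /mnt "$demo_dir/smbpass"
chmod 644 "$demo_dir/smbpass"          # simulate a careless chmod on the file
fstab_line //172.25.254.202/student /mnt "$demo_dir/smbpass" || echo "(rejected, as intended)"
rm -rf "$demo_dir"
```

The refusal in fstab_line is deliberate: a credentials file that is group- or world-readable is no better than password= in fstab, so the script will not emit an entry for it.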
smbclient usage and server-side settings
[root@client ~]# smbclient -L //172.25.254.202
1. Changing the workgroup (Domain) name
[root@server student]# rpm -qc samba-common #list the package's configuration files
[root@server student]# vim /etc/samba/smb.conf #main samba configuration file
workgroup = WESTOS
Test:
[root@client ~]# smbclient -L //172.25.254.202
Domain=[WESTOS]
2. Restricting which hosts may connect (hosts allow / hosts deny)
Whitelist:
[root@server student]# vim /etc/samba/smb.conf #add a hosts allow line listing the client addresses that are permitted; every other host is refused
[root@client ~]# smbclient -L //172.25.254.202
Blacklist:
[root@server student]# vim /etc/samba/smb.conf
hosts deny = 172.25.254.102
[root@client ~]# smbclient -L //172.25.254.202 #a client at 172.25.254.102 is now refused
Host-based rules only limit where connections may come from; they are no substitute for per-user authentication, and a whitelist is the safer of the two because anything not listed is refused.
Sharing a directory
The SELinux type for samba shares is samba_share_t.
When sharing a system directory, turn on samba_export_all_ro (read-only) or samba_export_all_rw (read-write) instead of relabeling it.
The comments in /etc/samba/smb.conf describe how to set the SELinux context and the related booleans for shares.
1. A directory you created yourself
Server:
Comment out the hosts allow / hosts deny lines added in the previous step first.
[root@server student]# mkdir /westos #create /westos
[root@server student]# vim /etc/samba/smb.conf
[DIR] #share name as seen by clients
comment = westos dir #description
path = /westos #directory being shared
Lines 40-42 of smb.conf show how to set the context on a directory you created yourself:
[root@server student]# semanage fcontext -a -t samba_share_t '/westos(/.*)?' #record the context rule for /westos and everything below it
[root@server student]# restorecon -RvvF /westos #apply the rule
Client test:
[root@client ~]# smbclient //172.25.254.202/DIR #the connection is accepted, but an anonymous user cannot access the share
[root@client ~]# smbclient //172.25.254.202/DIR -U student
The contents of the directory are visible: sharing a self-created directory works.
2. A system directory
Server:
[mnt]
comment = /mnt dir
path = /mnt
Client test:
[root@client ~]# smbclient -L //172.25.254.202
Server:
[root@server ~]# touch /mnt/file{1..5}
[root@server ~]# ls /mnt
file1 file2 file3 file4 file5
Client test:
[root@client ~]# smbclient //172.25.254.202/mnt -U student
The new files are listed.
Server:
[root@server ~]# setenforce 1 #set SELinux to enforcing mode; /mnt is not labeled samba_share_t, so smbd is now denied access to it
The context of /mnt should not be changed: it is a system directory, and other services that use it would be affected by a relabel.
[root@server ~]# vim /etc/samba/smb.conf #see the notes on the export booleans in the main configuration file
[root@server ~]# setsebool -P samba_export_all_ro on #lets smbd read every directory regardless of its label; this is broader than labeling one directory samba_share_t, so prefer the label whenever the directory is yours
Client test:
The files under the server's /mnt are visible from the client: sharing a system directory works.
Samba permission management
1. Whether the share is browseable: browseable = yes|no
[root@server ~]# vim /etc/samba/smb.conf
browseable = no #the share is no longer listed by smbclient -L, but it can still be opened by name; this hides the share, it does not protect it
Client test:
[root@server ~]# vim /etc/samba/smb.conf
browseable = yes #the share is listed again
[root@client ~]# smbclient -L //172.25.254.202
2. Whether the share is writable: writable = yes|no
Server: [root@server ~]# vim /etc/samba/smb.conf
writable = yes
[root@server ~]# chmod 777 /westos/
Samba settings and filesystem permissions are both checked: writable = yes only takes effect if the Linux permissions on /westos also let the user write. chmod 777 makes the directory world-writable for every local user on the server; owning it by a dedicated group with mode 2770 is the better choice.
Client:
Mount as student:
[root@client ~]# mount //172.25.254.202/DIR /mnt -o username=student,password=123
[root@client ~]# touch /mnt/file
[root@client ~]# ll /mnt
total 0
-rw-r--r-- 1 student student 0 Jun 2 02:51 file
[root@client ~]# umount /mnt
Mount as westos (same mount command with username=westos):
[root@client ~]# touch /mnt/file1
[root@client ~]# ll /mnt
total 0
-rw-r--r-- 1 student student 0 Jun 2 02:55 file
-rw-r--r-- 1 1001 1001 0 Jun 2 02:59 file1
A file created after mounting as student is owned by user and group student; one created after mounting as westos is owned by uid and gid 1001.
id: westos: no such user
The client prints the numeric ids because it has no westos account; the ownership comes from the server's user database:
[root@server ~]# id westos
uid=1001(westos) gid=1001(westos) groups=1001(westos) #on the server westos has uid=1001, gid=1001
3. Write list: write list = student
Server:
[root@server ~]# vim /etc/samba/smb.conf
#writable=yes
write list = student
[root@server ~]# systemctl restart smb.service
Client test:
[root@client ~]# umount /mnt
[root@client ~]# mount //172.25.254.202/DIR /mnt -o username=westos,password=123
[root@client ~]# touch /mnt/file2
touch: cannot touch ‘/mnt/file2’: Permission denied #westos is not in the write list, so the share is read-only for it
[root@client ~]# umount /mnt
[root@client ~]# mount //172.25.254.202/DIR /mnt -o username=student,password=123
[root@client ~]# touch /mnt/file2 #succeeds: student is in the write list
4. Group write list (a + or @ prefix denotes a group): write list = @student
write list = @student
Client test:
[root@client ~]# touch /mnt/file3
touch: cannot touch ‘/mnt/file3’: Permission denied
[root@client ~]# umount /mnt
Samba checks @student against the authenticated user's group membership in the server's own account database, so the change has to be made on the server (the client has no westos account at all, as the id error above showed). Add westos to the student group there; note that usermod -G replaces the supplementary group list, while -aG appends to it:
[root@server ~]# usermod -G student westos
[root@server ~]# id westos
Client test:
[root@client ~]# mount //172.25.254.202/DIR /mnt -o username=westos,password=123
[root@client ~]# touch /mnt/file3
[root@client ~]# umount /mnt
westos, now a member of the student group, can write after mounting: success.
5. Administrative users: admin users = westos (only takes effect where writing is permitted)
[root@server ~]# vim /etc/samba/smb.conf
#write list = @student
admin users = westos
Users in admin users perform every file operation on the share as root, regardless of the filesystem permissions; leave this list empty unless there is a specific need, and never combine it with guest access.
[root@client ~]# mount //172.25.254.202/DIR /mnt -o username=westos,password=123
[root@client ~]# touch /mnt/file4
[root@client ~]# ll /mnt
[root@client ~]# df
Multi-user mounts
Client test:
[root@client ~]# useradd test
[root@client ~]# su - test
[test@client ~]$ ls /mnt #any local user can read /mnt through the credentials root mounted it with: not safe
file file1 file2 file3 file4
[root@client ~]# umount /mnt
Client (cifs-utils provides mount.cifs and cifscreds, so it belongs on the machine that does the mounting):
[root@client ~]# yum install cifs-utils -y
[root@client ~]# man mount.cifs #read the mount options; the credentials file below follows this format
credentials=filename
username=value
password=value
domain=value
The default in mainline kernel versions prior to v3.8 was sec=ntlm.
In v3.8, the default was changed to sec=ntlmssp.
multiuser
The kernel version decides the default security mode, not the Samba version (rpm -qa | grep samba reports Samba 4.2); on a kernel newer than 3.8 the default is already sec=ntlmssp, and stating it explicitly just avoids relying on that default.
[root@client ~]# vim /root/smbpass
username=student
password=123
[root@client ~]# mount -o credentials=/root/smbpass,sec=ntlmssp,multiuser //172.25.254.202/DIR /mnt
#credentials=/root/smbpass: file holding the username and password (keep it mode 0600 and owned by root); sec=ntlmssp: authentication mechanism; multiuser: every local user must present their own credentials for the mount
[root@client mnt]# ls
file file1 file2 file3 file4
[root@client mnt]# su - test
Last login: Sat Jun 2 03:37:38 EDT 2018 on pts/0
[test@client ~]$ cd /mnt
[test@client mnt]$ ls
ls: reading directory .: Permission denied
After switching to an ordinary user the files under /mnt can no longer be listed: with multiuser, each user has to authenticate to the server with their own credentials before the mount becomes usable for them.
[root@client ~]# cifscreds --help
[test@client ~]$ cifscreds add -u westos 172.25.254.202 #a wrong password is entered here on purpose
Password:
[test@client ~]$ ls /mnt
ls: cannot access /mnt: Permission denied
[test@client ~]$ cifscreds add -u westos 172.25.254.202 #a second add for the same server is refused
You already have stashed credentials for 172.25.254.200 (172.25.254.200)
If you want to update them use:
cifscreds update
[test@client ~]$ cifscreds clearall #clear the stashed credentials
[test@client ~]$ cifscreds add -u westos 172.25.254.202
Password:
[test@client ~]$ ls /mnt
file file1 file2 file3 file4
The contents of /mnt are visible again, this time under westos's own session rather than root's.
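As an added example (not part of the original page), the script below checks the options of mounted CIFS filesystems for the three weaknesses this section touches on: the SMB1 dialect, the old sec=ntlm/lanman authentication modes, and a mount without multiuser, where every local user rides on the mounting user's session. It reads /proc/mounts by default; the sample lines in sample_mounts are constructed for the demonstration, not captured from a real system.

```shell
#!/bin/bash
# Added example: audit mounted cifs filesystems for weak mount options.

# check_cifs_mounts [FILE]
# Reads FILE in /proc/mounts format (default /proc/mounts), prints one line per
# weak option found on each cifs mount, and returns 1 if anything was flagged.
check_cifs_mounts() {
    local file=${1:-/proc/mounts} findings=0 src mp fstype opts rest
    while read -r src mp fstype opts rest; do
        [ "$fstype" = cifs ] || continue
        # SMB1: deprecated dialect without per-session encryption.
        case ",$opts," in
            *,vers=1.0,*) echo "$mp ($src): vers=1.0, SMB1 dialect in use"; findings=$((findings + 1)) ;;
        esac
        # NTLMv1 and LANMAN use weak password hashes; ntlmssp negotiates NTLMv2.
        case ",$opts," in
            *,sec=ntlm,*)   echo "$mp ($src): sec=ntlm, NTLMv1 authentication"; findings=$((findings + 1)) ;;
            *,sec=lanman,*) echo "$mp ($src): sec=lanman, LANMAN authentication"; findings=$((findings + 1)) ;;
        esac
        # Without multiuser every local user inherits the mounting user's session.
        case ",$opts," in
            *,multiuser,*) ;;
            *) echo "$mp ($src): no multiuser, all local users share one set of credentials"; findings=$((findings + 1)) ;;
        esac
    done < "$file"
    [ "$findings" -eq 0 ]
}

# sample_mounts FILE
# Writes constructed /proc/mounts-style lines: one non-cifs mount, one weak
# cifs mount (SMB1, NTLMv1, no multiuser) and one hardened cifs mount.
sample_mounts() {
    cat > "$1" <<'EOF'
/dev/vda1 / xfs rw,relatime,attr2,inode64,noquota 0 0
//172.25.254.202/DIR /mnt cifs rw,relatime,vers=1.0,sec=ntlm,cache=strict,username=student,uid=0,gid=0,addr=172.25.254.202 0 0
//172.25.254.202/DIR /srv/dir cifs rw,relatime,vers=3.0,sec=ntlmssp,multiuser,cache=strict,addr=172.25.254.202 0 0
EOF
}

# Demonstration on the constructed sample.
demo=$(mktemp)
sample_mounts "$demo"
check_cifs_mounts "$demo" || echo "(weak mounts found)"
rm -f "$demo"
```

Run it without an argument on a client to audit the live system; the hardened line in the sample shows what a clean mount looks like (vers=3.0, sec=ntlmssp, multiuser), which is what the cifscreds workflow above relies on.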
Anonymous access
Samba serves anonymous (guest) connections under the Linux account named by guest account (nobody by default); Windows clients call this the guest user.
Server:
guest ok = yes #allow anonymous access to this share
map to guest = bad user #(in [global]) a login with a username that does not exist is treated as guest instead of being rejected; a mistyped or probing username therefore silently becomes a guest session, so use this only for shares meant to be public and never together with writable = yes
Client test:
[root@client ~]# smbclient //172.25.254.202/DIR
[root@client ~]# mount //172.25.254.202/DIR /mnt -o username=guest,password=""
[root@client ~]# df
[root@client ~]# umount /mnt
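The settings toggled in the permission-management and anonymous-access sections above (guest ok, map to guest, writable, hosts allow, admin users) are easy to leave in a dangerous combination. As an added example (not from the original page or from the Samba project), the script below parses an smb.conf and reports such combinations; it also flags a missing server min protocol, because Samba releases before 4.11 then still accept SMB1. The two sample configurations are constructed for the demonstration, reusing the page's share and user names.

```shell
#!/bin/bash
# Added example: audit /etc/samba/smb.conf for risky share settings.

# audit_smb_conf FILE
# Prints one finding per line; returns 0 when nothing was flagged, 1 otherwise.
audit_smb_conf() {
    local out
    out=$(awk '
        function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
        function yes(v)  { v = norm(v); return (v == "yes" || v == "true" || v == "1") }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                 # comments, blank lines
        /^[ \t]*\[[^]]*\][ \t]*$/ {                           # [section]
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            if (tolower(sec) != "global") shares[++n] = sec
            next
        }
        index($0, "=") {                                     # key = value
            key = norm(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(sec) == "global") g[key] = val; else p[sec, key] = val
        }
        END {
            if (!("server min protocol" in g))
                print "[global] server min protocol not set: Samba before 4.11 then also accepts SMB1"
            else if (norm(g["server min protocol"]) !~ /^smb[23]/)
                print "[global] server min protocol = " g["server min protocol"] ": SMB1 dialects allowed"
            guestmap = ("map to guest" in g) && norm(g["map to guest"]) != "never"
            for (i = 1; i <= n; i++) {
                s = shares[i]
                guest = yes(p[s, "guest ok"]) || yes(p[s, "public"])
                write = yes(p[s, "writable"]) || yes(p[s, "writeable"]) ||
                        (((s, "read only") in p) && !yes(p[s, "read only"]))
                if (guest && !((s, "hosts allow") in p) && !("hosts allow" in g))
                    print "[" s "] guest ok with no hosts allow: open to every host that reaches TCP/445"
                if (guest && write)
                    print "[" s "] guest ok together with writable: anonymous users can write here"
                if (guest && guestmap)
                    print "[" s "] map to guest = " g["map to guest"] " in [global]: unknown usernames become guest sessions on this share"
                if ((s, "admin users") in p)
                    print "[" s "] admin users = " p[s, "admin users"] ": these accounts operate as root on the share"
            }
        }' "$1")
    if [ -n "$out" ]; then printf '%s\n' "$out"; return 1; fi
    return 0
}

# write_sample_confs DIR
# Writes a weak and a hardened configuration (both constructed for this example).
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
[global]
    workgroup = WESTOS
    map to guest = bad user
[DIR]
    comment = westos dir
    path = /westos
    guest ok = yes
    writable = yes
[mnt]
    comment = /mnt dir
    path = /mnt
    admin users = westos
EOF
    cat > "$1/hardened.conf" <<'EOF'
[global]
    workgroup = WESTOS
    server min protocol = SMB2_02
    hosts allow = 172.25.254.
    map to guest = never
[DIR]
    comment = westos dir
    path = /westos
    write list = @student
EOF
}

# Demonstration in a scratch directory.
d=$(mktemp -d)
write_sample_confs "$d"
echo "== weak.conf";     audit_smb_conf "$d/weak.conf" || true
echo "== hardened.conf"; audit_smb_conf "$d/hardened.conf" && echo "no findings"
rm -rf "$d"
```

Run audit_smb_conf /etc/samba/smb.conf on the server after each change; the hardened sample shows the shape to aim for: access limited to the client network, no guest access, writes granted through write list rather than a world-writable share, and SMB1 refused.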