cifs: network file system (2)
Continuing from the previous post:
Samba basic configuration
[[email protected] ~]# rpm -qc samba-common //list the configuration files that belong to the smb package
1. Blacklist and whitelist
hosts deny = ip: everything is allowed by default, and the listed addresses are blacklisted
hosts allow = ip: everything is denied by default, and only the listed addresses are whitelisted
Both parameters may be set in [global] or inside a single share stanza. When both are set, smbd checks hosts allow first and a match wins; a client that matches neither list is still admitted, so a strict whitelist needs hosts deny = ALL next to hosts allow. Address lists are a filter in front of authentication, not a replacement for it: a source address can be spoofed on the local network, and the client still has to present a valid Samba password.
Blacklist:
Suppose the host 172.25.1.2 must not be allowed to connect.
Server side:
[[email protected] ~]# vim /etc/samba/smb.conf //edit the configuration file and add the line below
hosts deny = 172.25.1.2
[[email protected] ~]# systemctl restart smb.service //restart the service (running testparm first catches typos in smb.conf before the restart)
Now on the client:
[[email protected] ~]# smbclient -L //172.25.1.1/ -U student //the connection is refused
Whitelist:
Suppose only the host 172.25.1.2 may connect.
Server side:
[[email protected] samba]# vim /etc/samba/smb.conf //comment out the hosts deny line and add hosts allow = 172.25.1.2
[[email protected] ~]# systemctl restart smb.service //restart the service
Now on the client (172.25.1.2):
[[email protected] ~]# smbclient //172.25.1.1/student -U student //login succeeds
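The decision smbd makes from these two lists is easy to get wrong when both are set, so here is a stand-alone re-implementation of it as an added example (not part of the original post and not Samba's own code). It follows the order Samba uses in its allow_access() check: an allow match wins, then a deny match rejects, and everything else is admitted. The address lists, client addresses and the show helper are constructed for the demo; netmask entries, host names, EXCEPT and the implicit loopback exception are not modelled.

```shell
#!/bin/sh
# Added example, not from the original post: re-implements the
# "hosts allow" / "hosts deny" decision so a client address can be checked
# against a planned pair of lists before smb.conf is touched.
# List entries may be a full address (172.25.1.2), a network prefix ending
# in a dot (172.25.1.), or the word ALL. Pass "" for a list that is unset.

# _smb_list_match LIST IP: succeeds if IP matches an entry of the
# comma/space separated LIST
_smb_list_match() {
    _ip=$2
    for _entry in $(printf '%s' "$1" | tr ',' ' '); do
        case "$_entry" in
            ALL) return 0 ;;
            *.)  case "$_ip" in "$_entry"*) return 0 ;; esac ;;   # prefix form
            *)   [ "$_ip" = "$_entry" ] && return 0 ;;             # exact address
        esac
    done
    return 1
}

# smb_host_permitted ALLOW_LIST DENY_LIST IP: prints "allowed" or "denied"
# and returns 0 or 1, in the order Samba's allow_access() evaluates them
smb_host_permitted() {
    _allow=$1; _deny=$2; _client=$3
    if [ -z "$_allow" ] && [ -z "$_deny" ]; then
        echo allowed; return 0                    # neither list set: open
    elif [ -z "$_deny" ]; then                    # allow list only: listed hosts
        _smb_list_match "$_allow" "$_client" && { echo allowed; return 0; }
        echo denied; return 1
    elif [ -z "$_allow" ]; then                   # deny list only: all but listed
        _smb_list_match "$_deny" "$_client" && { echo denied; return 1; }
        echo allowed; return 0
    fi
    # both lists set: an allow match wins, a deny match rejects,
    # and a host on neither list is still admitted
    _smb_list_match "$_allow" "$_client" && { echo allowed; return 0; }
    _smb_list_match "$_deny" "$_client" && { echo denied; return 1; }
    echo allowed; return 0
}

# show ALLOW DENY IP: one formatted line per scenario (constructed values)
show() {
    printf 'hosts allow=%-12s hosts deny=%-12s client=%-12s -> %s\n' \
        "${1:-(unset)}" "${2:-(unset)}" "$3" "$(smb_host_permitted "$1" "$2" "$3")"
}

show ""           "172.25.1.2" 172.25.1.2   # the post's blacklist: denied
show ""           "172.25.1.2" 172.25.1.3   # other hosts still get in
show "172.25.1.2" ""           172.25.1.3   # whitelist alone: denied
show "172.25.1.2" "172.25.1.9" 172.25.1.3   # both lists, host on neither: allowed
show "172.25.1.2" "ALL"        172.25.1.3   # strict whitelist: denied
show "172.25.1."  "ALL"        172.25.1.77  # prefix entry covers the subnet
```

The fourth line is the surprise: with the blacklist line merely edited rather than removed, a host on neither list is still let in. That is why a whitelist meant to be exclusive is written as hosts allow = ... together with hosts deny = ALL.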
2. smb shared directories
Sharing a non-system directory
Server side:
[[email protected] ~]# mkdir /westos
[[email protected] ~]# touch /westos/file{1..5} //create a few files in the directory
Next the SELinux context of the directory has to be changed (by default smbd may only export trees labeled samba_share_t), and a small problem came up here:
[[email protected] ~]# semanage fcontext -a -t samba_share_t '/westos(/.*)?' //the semanage command is missing
-bash: semanage: command not found
[[email protected] ~]# yum install -y semanage //there is no package with that name
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
No package semanage available.
Error: Nothing to do
[[email protected] ~]# yum provides semanage //find out which package ships the command
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
rhel7.5/filelists_db | 3.4 MB 00:00:00
policycoreutils-python-2.5-22.el7.x86_64 : SELinux policy core python utilities
Repo : rhel7.5
Matched from:
Filename : /usr/sbin/semanage
[[email protected] ~]# yum -y install policycoreutils-python
[[email protected] ~]# semanage fcontext -a -t samba_share_t '/westos(/.*)?' //record the labeling rule for /westos and everything below it
[[email protected] ~]# restorecon -FvvR /westos/ //apply the rule to the existing files; each relabeled path is printed
[[email protected] ~]# semanage fcontext -l | grep /westos //confirm the rule was stored (ls -Zd /westos shows the label the directory actually carries)
[[email protected] ~]# vim /etc/samba/smb.conf
[DIR] //share name as clients will see it
comment = westos file //description of the share
path = /westos //absolute path of the directory being shared
[[email protected] ~]# systemctl restart smb.service //restart the service
Client side:
[[email protected] ~]# smbclient //172.25.1.1/DIR //anonymous login (no password given)
Enter SAMBA\root's password:
Anonymous login successful //the server accepts the anonymous session itself ...
tree connect failed: NT_STATUS_ACCESS_DENIED //... but refuses the connection to the share: anonymous users cannot use it because the share does not allow guests
[[email protected] ~]# smbclient //172.25.1.1/DIR -U student //log in as the Samba user student
Enter SAMBA\student's password:
Try "help" to get a list of possible commands. //login succeeded
smb: \> ls
. D 0 Tue Mar 5 07:17:42 2019
.. DR 0 Tue Mar 5 07:16:09 2019
file1 N 0 Tue Mar 5 07:17:42 2019
file2 N 0 Tue Mar 5 07:17:42 2019
file3 N 0 Tue Mar 5 07:17:42 2019
file4 N 0 Tue Mar 5 07:17:42 2019
file5 N 0 Tue Mar 5 07:17:42 2019
17811456 blocks of size 1024. 16542024 blocks available
smb: \> quit //exit
Sharing a system directory
Server side:
[[email protected] ~]# vim /etc/samba/smb.conf //change path in the [DIR] stanza to the system directory being shared (here /mnt, as the listings below show)
[[email protected] ~]# systemctl restart smb.service
[[email protected] ~]# setsebool -P samba_export_all_ro on //lets smbd read every file on the system regardless of its SELinux label (samba_export_all_rw does the same for writing); -P makes it persistent. This overrides the per-directory labeling used above and is much coarser: any directory smb.conf points at becomes exportable, so enable it only when that is really what is wanted
[[email protected] ~]# ls /mnt
westos
Client side:
[[email protected] ~]# smbclient //172.25.1.1/DIR -U student //connect as student; the share now serves /mnt
smb permission management
browseable = yes | no
no: hide the share from share listings (smbclient -L); it can still be opened by name, so this hides the share but does not protect it
yes: show the share in listings
writable = yes | no: whether all authenticated users may write to the share
write list = student: user student may write even when writable = no (a write whitelist)
write list = @student: only members of the group student may write
admin users = username: the listed users perform every file operation on the share as root, so file permissions no longer apply to them; keep this off anything but a lab share
Which changes need a restart: smbd rereads smb.conf by itself once it notices the file has changed (it checks at each new connection and about once a minute), so all of these parameters reach new sessions without a restart; a restart, or smbcontrol all reload-config, only forces the reload at once, and a restart also drops the sessions that are open.
1. Hiding the share
Server side:
[[email protected] ~]# vim /etc/samba/smb.conf //add browseable = no to the [DIR] stanza
[[email protected] ~]# systemctl restart smb.service
Client side:
[[email protected] ~]# smbclient -L //172.25.1.1 //DIR is gone from the listing; opening it by name with smbclient //172.25.1.1/DIR -U student still works
2. Showing the share and making it writable
Server side:
[[email protected] ~]# vim /etc/samba/smb.conf //browseable = yes and writable = yes in the [DIR] stanza
[[email protected] ~]# systemctl restart smb.service
[[email protected] ~]# chmod 777 /mnt //Samba writes as the authenticated Unix user, so that user also needs write permission on the directory itself; 777 makes it writable for every local user as well, a group-owned directory with mode 2775 (or 1777 with the sticky bit) is the tighter choice
Client side:
[[email protected] ~]# mount //172.25.1.1/DIR /mnt -o username=student,password=redhat //a password on the command line is visible in the shell history and in ps; the credentials= file used in the multiuser section below avoids that
[[email protected] ~]# cd /mnt/
[[email protected] mnt]# ls
westos
[[email protected] mnt]# touch file1 //writing works
[[email protected] mnt]# ls
file1 westos
[[email protected] mnt]# cd
[[email protected] ~]# umount /mnt/
**************************************
The remaining parameters are set the same way.
smb multiuser mount
Client side:
[[email protected] ~]# yum install cifs-utils -y
[[email protected] ~]# vim /root/smbpass //credentials file in the format mount.cifs expects: a username=... line, a password=... line and optionally domain=...; it holds a clear-text password, so keep it mode 600 and owned by root
[[email protected] ~]# mount -o credentials=/root/smbpass,sec=ntlmssp,multiuser //172.25.1.1/DIR /mnt
//mount options: credentials=/root/smbpass reads the user name and password from that file; sec=ntlmssp selects NTLMSSP authentication (the accepted sec= values are listed in mount.cifs(8)); multiuser makes this a multiuser mount, on which every local user talks to the server with their own SMB credentials instead of root's
[[email protected] ~]# df //the share is listed as mounted on /mnt
[[email protected] ~]# cd /mnt/
[[email protected] mnt]# ls
file1 westos
[[email protected] mnt]# useradd file2 //create a local user file2
[[email protected] mnt]# su - file2 //switch to the unprivileged user file2
[[email protected] ~]$ cd /mnt
[[email protected] mnt]$ ls //cannot read the directory: on a multiuser mount a user must authenticate to the server with their own credentials before they can see anything
ls: reading directory .: Permission denied
[[email protected] mnt]$ exit
logout
[[email protected] mnt]# cifscreds --help //cifscreds has no --help option, but the error prints its usage
cifscreds: unrecognized option '--help'
Usage:
cifscreds add [-u username] [-d] <host|domain>
cifscreds clear [-u username] [-d] <host|domain>
cifscreds clearall
cifscreds update [-u username] [-d] <host|domain>
[[email protected] mnt]# su - file2
Last login: Tue Mar 5 10:02:55 EST 2019 on pts/0
[[email protected] ~]$ cifscreds add -u student 172.25.1.1 //store Samba credentials for the server 172.25.1.1 in this user's session keyring; they authenticate file2's own SMB session and are gone after logout
Password:
[[email protected] ~]$ cd /mnt/
[[email protected] mnt]$ ls //the contents of /mnt are visible now
file1 westos
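The credentials file that mount -o credentials= reads is not shown above. As an added example (not from the original post), the helpers below write it in the format documented in mount.cifs(8), check its owner and permissions before it is used, and build the option string for the multiuser mount. The file names, the demo user student/redhat and the function names are constructed for this example; the mount itself is not run.

```shell
#!/bin/sh
# Added example, not from the original post: create and check the
# credentials file used by "mount -o credentials=FILE,sec=ntlmssp,multiuser".
# The file holds a clear-text password, so it is created with mode 600 and
# check_cifs_credentials refuses a file that other users can read.

# write_cifs_credentials FILE USER PASSWORD [DOMAIN]
# creates FILE readable only by its owner, in the mount.cifs(8) format
write_cifs_credentials() {
    (
        umask 077                         # the new file gets mode 600
        rm -f "$1"                        # never inherit an old file's looser mode
        {
            printf 'username=%s\n' "$2"
            printf 'password=%s\n' "$3"
            if [ -n "$4" ]; then printf 'domain=%s\n' "$4"; fi
        } >"$1"
    )
}

# check_cifs_credentials FILE: returns 0 if FILE exists, belongs to the
# calling user, has no group/other permission bits and carries username=
# and password= lines; otherwise prints the reason and returns 1
check_cifs_credentials() {
    _f=$1
    [ -f "$_f" ] || { echo "missing file: $_f"; return 1; }
    # -O (owned by the effective user) is not POSIX but bash, dash and busybox have it
    [ -O "$_f" ] || { echo "$_f is not owned by $(id -un)"; return 1; }
    _mode=$(ls -ld "$_f" | cut -c1-10)
    case "$_mode" in
        -???------) ;;                    # owner bits only (600 / 400 style)
        *) echo "$_f is accessible to group/other (mode $_mode); chmod 600 it"; return 1 ;;
    esac
    grep -q '^username=' "$_f" || { echo "no username= line in $_f"; return 1; }
    grep -q '^password=' "$_f" || { echo "no password= line in $_f"; return 1; }
    return 0
}

# cifs_mount_options FILE: option string for the multiuser mount shown above
cifs_mount_options() {
    printf 'credentials=%s,sec=ntlmssp,multiuser' "$1"
}

# Demo with a constructed credentials file in a temporary directory.
# The real mount (as root) would be:
#   mount -o "$(cifs_mount_options /root/smbpass)" //172.25.1.1/DIR /mnt
demo_dir=$(mktemp -d)
write_cifs_credentials "$demo_dir/smbpass" student redhat
check_cifs_credentials "$demo_dir/smbpass" && echo "ok: $(cifs_mount_options "$demo_dir/smbpass")"
chmod 644 "$demo_dir/smbpass"             # simulate a careless chmod
check_cifs_credentials "$demo_dir/smbpass" || echo "refused, as intended"
rm -rf "$demo_dir"
```

Run the check before every mount (for example from the script or systemd unit that performs it), so a credentials file that has been copied or chmod'ed into a world-readable state is noticed before the password is used.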
smb anonymous (guest) access
Server side:
[[email protected] ~]# vim /etc/samba/smb.conf //allow guests on the share: guest ok = yes in the [DIR] stanza, with map to guest = Bad User in [global] so that unknown user names are mapped to the guest account
[[email protected] ~]# systemctl restart smb.service
Client side:
[[email protected] mnt]$ smbclient //172.25.1.1/DIR
//anonymous users can now reach the share; combined with the writable = yes from the permission section this lets anyone on the permitted networks modify the files, so keep guest shares read-only unless that is intended
[[email protected] ~]# mount //172.25.1.1/DIR /mnt -o username=guest,password=""
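The parameters from the permission section and the guest access above interact, and it is easy to end up with a share that anonymous clients can write to or that a user operates as root through admin users. As an added example (not from the original post and not a Samba tool), the script below parses an smb.conf with awk and lists those combinations per share. The sample configuration it writes is constructed for the demo, and [global] defaults are not inherited by this simplified parser.

```shell
#!/bin/sh
# Added example, not from the original post: audit the share parameters
# discussed above (writable / write list / admin users / browseable / guest ok)
# and print, per share, the settings that widen access beyond an
# authenticated read-only share. Parameter names are real smb.conf names.

# audit_smb_conf FILE: prints one finding per line as "<share>: <message>"
audit_smb_conf() {
    awk '
    # normalise the yes/no spellings smb.conf accepts
    function yn(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") ? "yes" : "no" }
    function reset() { admin = ""; guest = "no"; writable = "no"; wlist = ""; browse = "yes" }
    # report the stanza that has just ended
    function flush() {
        if (sec == "" || tolower(sec) == "global") return
        if (admin != "")
            print sec ": admin users = " admin " (these users act as root on the share)"
        if (guest == "yes" && (writable == "yes" || wlist != ""))
            print sec ": guest ok = yes together with write access (anonymous clients can change files)"
        else if (guest == "yes")
            print sec ": guest ok = yes (anyone on the permitted networks can read it)"
        if (browse == "no" && guest == "yes")
            print sec ": browseable = no hides the name only; guest ok = yes still lets anyone who knows it open the share"
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }           # comments and blank lines
    /^[ \t]*\[/ {                                   # [share] header
        flush()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
        reset(); next
    }
    /=/ {                                           # key = value
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "admin users") admin = val
        else if (key == "guest ok" || key == "public") guest = yn(val)
        else if (key == "writable" || key == "writeable" || key == "write ok") writable = yn(val)
        else if (key == "read only") writable = (yn(val) == "no") ? "yes" : "no"
        else if (key == "write list") wlist = val
        else if (key == "browseable" || key == "browsable") browse = yn(val)
    }
    END { flush() }
    ' "$1"
}

# write_sample_smb_conf FILE: constructed smb.conf with one over-permissive
# share, one "hidden but open" share and one properly restricted share
write_sample_smb_conf() {
    cat >"$1" <<'EOF'
[global]
    workgroup = SAMBA
    security = user
    map to guest = Bad User

[DIR]
    comment = westos file
    path = /westos
    writable = yes
    write list = @student
    admin users = student
    guest ok = yes

[hidden]
    path = /srv/hidden
    browseable = no
    guest ok = yes

[safe]
    path = /srv/safe
    read only = yes
    write list = @student
EOF
}

# Demo: audit the constructed sample (prints four findings, none for [safe])
sample=$(mktemp)
write_sample_smb_conf "$sample"
audit_smb_conf "$sample"
rm -f "$sample"
```

Against the real file, run audit_smb_conf /etc/samba/smb.conf after testparm -s has confirmed the syntax; testparm -v also prints the effective value of every parameter, which is the authoritative view once [global] defaults come into play.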