安装Samba独立服务器-官方说明中英文对照
Setting up Samba as a Standalone Server (安装Samba独立服务器)
Contents(目录)
- 1 Introduction-介绍
- 2 Creating a Basic guest only smb.conf File-创建一个基本的仅来宾 smb.conf 文件
- 3 Creating a Basic authenticated access smb.conf File-创建一个基本的认证访问 smb.conf 文件
- 4 Creating Local User Accounts, option #1-创建本地用户帐户,选项 #1
- 5 Creating Local User Accounts, option #2-创建本地用户帐户,选项 #2
- 6 Local Group Management-本地组管理
- 7 Creating the Shared Directories-创建共享文件夹
- 8 Setting ACLs on the Shared Directories-设置共享文件夹的ACLs
- 9 Verifying the Samba configuration-校验Samba配置
- 10 Starting Samba-启用Samba
- 11 Testing the Share Access-测试共享访问
- 12 Advanced share settings-高级共享设置
Introduction-介绍
In small networks, such as a home network, or to share folders on a host that is not part of a domain, you often do not want to set up an Active Directory or NT4 domain.
在一个小型网络中,例如一个家庭网络,或者在一个非域的主机上共享文件夹,你常常不想创建一个AD域或NT4域。
The following documentation describes how to set up a Samba standalone server providing:
下面的文档描述如何创建一个Samba独立服务器设施。
- a share that is accessible anonymously (guest access).可匿名访问的共享(来宾访问)
- a share that requires authentication against a local user database on the Samba host.基于本地Samba主机用户数据库的需要认证的共享
Creating a Basic guest only smb.conf File-创建一个基本的仅来宾 smb.conf 文件
The following is a minimal configuration for a Samba standalone server that only allows guest access:
下面是一个仅允许来宾访问的Samba独立服务器的最小化配置
[global]
map to guest = Bad User
log file = /var/log/samba/%m
log level = 1
server role = standalone server
[guest]
# This share allows anonymous (guest) access
# without authentication!
path = /srv/samba/guest/
read only = no
guest ok = yes
guest only = yes
 |
This example defines a share that is accessible without authentication. Guest shares can be a security problem. For example on a laptop that is connected to different networks, such as home, school, and work networks. Use guest shares with care and never use a guest share with authenticated users. 这个示例定义了一个不认证访问的共享。来宾共享可能会有安全问题。例如一个笔记本电脑连接到不同的网络,如家庭,学校与工作网络。小心使用来宾共享并且永远不要对认证用户使用来宾共享 |
|---|
 |
Starting from Windows 10 1709, guest access in SMB2 and SMB3 may be disabled by default. This means that guest access from Windows 10 to a Samba share may not work, for more information, see here. 从Windows 10 1709开始,使用SMB2和SMB3的来宾访问默认是关闭的。这意味着从Windows 10到Samba的来宾访问可能不工作,更多信息,请看上面【here】 |
|---|
Creating a Basic authenticated access smb.conf File-创建一个基本的认证访问 smb.conf 文件
The following is a minimal configuration for a Samba standalone server:
对于Samba独立服务器,下面是一个最小化配置。
[global]
log file = /var/log/samba/%m
log level = 1
server role = standalone server
[demo]
# This share requires authentication to access
path = /srv/samba/demo/
read only = no
inherit permissions = yes
- You can set a workgroup name with
workgroup = xxxxxxxx, where 'xxxxxxxx' is the required name. If the parameter isn't set, the default workgroup name 'WORKGROUP' will be used.(你可以使用workgroup = xxxxxx设置一个工作组。如果此参数没有设置,默认的工作组名称会使用WORKGROUP。) - You can restrict access to members of a specified group by adding
valid users = @demoGroupto the share, you will need to replacedemoGroupwith the required Unix group name. ( 你可以对共享添加valid users = @demoGroup来限制特定的组成员访问,用需要的Unix组名来替换demoGroup。) - The log parameters are not necessary for a minimal setup. However they are useful to set the log file and increasing the log level in case of problems.(对于一个最小化的配置日志参数不是必需的。但是设置日志文件并增加日志级别对于预防问题是有益的。)
- Whilst these are only minimal smb.conf files, you can add other parameters, such as 'unix password sync = yes' to ensure the Unix & Samba passwords are kept in sync. See 'man smb.conf' for more info.(尽管这些仅为最小化的smb.conf文件,你也能添加其他的参数,例如'unix password sync = yes'可以确保Unix与Samba密码保持同步。查看
man smb.conf获取更多信息。)
Creating Local User Accounts, option #1(创建本地用户帐户,选项 #1)
To provide authentication on a standalone host, you have to create the accounts locally on the operating system and additionally in the Samba database. By default, Samba uses the tdbsam back end and stores the database in the /usr/local/samba/private/passdb.tdb file. Optionally set a different location in the smb.conf file using the passdb backend parameter. See the smb.conf 5 man page for details.
为了在独立主机上提供认证,你必须在操作系统上创建本地帐号并且添加到Samba数据库。默认情况下,Samba使用tdbsam后端并在/usr/local/samba/private/passdb.tdb保存数据库。可选择使用passdb backend参数设置为不同的位置。查看smb.conf 5man页面获取更多细节。
- Create a
demoUseraccount on the local system:(在本地系统上创建一个demoUser帐号)
# useradd -M -s /sbin/nologin demoUser
Omit the -M parameter if the user requires a home directory on this host. For Samba access, the account does not require a valid shell.
如果此帐号需要家目录可省略-M参数。对于Samba访问,此帐号不需要一个有效的shell。
- To enable the
demoUseraccount on the local system:(在本地系统上开启这个demoUser帐号)
# passwd demoUser
Enter new UNIX password: Passw0rd
Retype new UNIX password: Passw0rd
passwd: password updated successfully
Setting a local password is required to enable the account. Samba denies access if the account is disabled locally. Local log ins using this password are not possible if the account was created without a valid shell.
为了开启此帐号,设置一个本地密码是必须的。如果此帐号在本地是禁用的Samba会禁止访问。如果创建帐户时没有有效的shell,则无法使用此密码进行本地登录。
- Add the
demoUseraccount to the Samba database:(添加帐号demoUser到Samba数据库)
# smbpasswd -a demoUser
New SMB password: Passw0rd
Retype new SMB password: Passw0rd
Added user demoUser.
The password assigned in these steps is the one used by the user to log in to the domain.
在这些步骤中分配的密码是用户登录到域时使用的密码
Creating Local User Accounts, option #2(创建本地用户帐户,选项 #2)
To provide authentication on a standalone host, users have to exist both on the operating system and in the Samba database.
要在独立主机上提供身份验证,用户必须同时存在于操作系统和Samba数据库中。
Samba can be configured to automatically create linux user accounts after successful samba authentication, using the [global] add user script smb.conf option. Unfortunately this option does not work as intended at end-user access time, but it can be leveraged to simplify adding users to your samba Standalone Server. Because, when adding a samba user with
Samba可以配置为在成功通过samba身份认证后自动创建linux用户帐号,使用【global】 add user scriptsmb.conf选项。不幸的是此选项不能在终端用户访问时按计划运行,但是当添加samba用户时它能够被用于简化操作。
# smbpasswd -a demoUser
New SMB password: Passw0rd
Retype new SMB password: Passw0rd
Added user demoUser.
samba will automatically call the configured add user script, and create the local linux user for you.
samba将自动调用配置的add user script,并自动为你创建本地linux用户。
A very simple sample add_user.sh script could be something like:
一个很简单的示例add_user.sh大概像这样:
#!/bin/bash
adduser --no-create-home --shell /usr/sbin/nologin --user-group $1
Both the linux and the samba user will be deleted with
使用下面的命令linux和samba用户两个都会被删除
# pdbedit -x demoUser
Local Group Management (本地组管理)
- To create a demoGroup group:(创建一个demoGroup组)
# groupadd demoGroup
- To add the demoUser account to the group:(添加demoUser帐号到组中)
# usermod -aG demoGroup demoUser
Creating the Shared Directories (创建共享目录)
To create the shares directories:
创建文件文件夹
# mkdir -p /srv/samba/guest/
# mkdir -p /srv/samba/demo/
If you are using (enforcing) SElinux, samba access to these locations might be denied, unless:
如果你正在使用(enforcing)SElinux,samba访问这些位置可能被拒绝,除非是:
# semanage fcontext -a -t samba_share_t "/srv/samba/guest(/.*)?"
# restorecon -Rv /srv/samba/guest/
and(并且)
# semanage fcontext -a -t samba_share_t "/srv/samba/demo(/.*)?"
# restorecon -Rv /srv/samba/demo/
Setting ACLs on the Shared Directories (设置共享文件夹的ALCs)
Set the following POSIX permissions:
设置以下POSIX授权
# chown -R nobody:nogroup /srv/samba/guest/
# chgrp -R demoGroup /srv/samba/demo/
# chmod 2770 /srv/samba/guest/
# chmod 2770 /srv/samba/demo/
This configures write access to members of the demoGroup group in both directories. Other users have read access in the /srv/samba/guest/ and no access in the /srv/samba/demo/ directory. The SGID bit - represented by the first bit (2) in the mode set on the directories - inherits the group of the parent directory instead setting it to the users primary group when new files are created.
此处配置demoGroup组成员对两个文件夹写访问。其他用户对/srv/samba/guest/目录读访问和不能访问/srv/samba/demo/目录。那个SGID位-在目录上模式设置的第一个位(2)-代表继承了父目录的组,而不是在创建新文件时将其设置为主组。
For further information, see Setting up a Share Using POSIX ACLs.
Verifying the Samba configuration (检验Samba配置)
You should verify the Samba configuration every time the /etc/samba/smb.conf file is updated by using the testparm utility
你就该在每次更新/etc/samba/smb.conf文件时使用testparm工具校验Samba配置
You can simply execute it as follows:
你可以像下面这样简单的执行它:
# testparm -s
Sample output:(示例输出)
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
...
If any errors are shown (you can ignore deprecation warnings), fix them before proceeding.
Starting Samba (启用Samba)
Start the smbd daemon:(开启smbd服务)
# smbd
Samba does not include start scripts. See your distribution's documentation how further information how to automatically start a service at boot time.
Samba不包含启动脚本。查看你的发行版中关于如何在启动时自动开启服务的详细信息的文档。
Testing the Share Access (测试共享访问)
- Access the
demoshare as userdemoUser:(使用demoUser用户访问demo共享)
# smbclient -U demoUser //SA/demo
Enter demoUser's password: Passw0rd
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
smb: \> ls
. D 0 Sun Jan 3 21:00:00 2016
.. D 0 Sun Jan 3 19:00:00 2016
demo.txt A 0 Sun Jan 3 21:00:00 2016
9943040 blocks of size 1024. 7987416 blocks available
smb: \> quit
- Access the
demoshare as guest. The access is denied:(使用来宾用户访问demo共享,访问被拒绝:)
# smbclient -U guest //SA/demo
Enter guest's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
tree connect failed: NT_STATUS_ACCESS_DENIED
Advanced share settings (高级共享设置)
This section describes some advanced share configuration parameters. For further information about the used parameters, see the smb.conf (5) man page.
此章节描述了一些高级的共享配置参数。有关使用的参数的更多信息,查阅smb.conf (5) man页面。
Using the force Parameters (使用force参数)
[demo]
path = /srv/samba/demo/
read only = no
force create mode = 0660
force directory mode = 2770
force user = demoUser
force group = demoGroup
The force create mode and force directory mode parameters force Samba to create new files and folders with the set permissions.
fore create mode和force dirctory mode参数强制使用设置的权限Samba创建新的文件和文件夹
The force user and force group parameters map all connections to the specified user and group. Note that this can cause security problems if all users connecting to a share are mapped to a specific user account or group in the background.
force user和force group参数映射所有的连接到指定的用户和组。注意,如果所有的用户连接到一个共享都在后台映射到特定的用户帐号或组这可能导致安全问题。
User and Group-based Share Access (基于用户和组的共享访问)
See Configuring User and Group-based Share Access.
