CentOS 7/8: general steps to install Samba, fixing the username/password login failure, working around the NTLM and LanMan access restriction, with auditing, logging and a recycle bin
1. For the OS install, choosing "Server with GUI" is generally enough.
2. yum install samba and yum install samba-client, then disable firewalld and SELinux. They must be disabled: systemctl disable firewalld; vim /etc/selinux/config and set it to disabled. You can check with getenforce and systemctl status firewalld. Add smb and nmb to the system daemons: systemctl enable smb nmb.
3. Configure accounts. There are two commands for this, smbpasswd -a xxx and pdbedit -a xxx, but both require a Linux system account of the same name to exist first (the system already has the account tralin, then run pdbedit -a tralin), after which either tool creates the Samba login user; its password can differ from the system password. pdbedit supposedly could create virtual accounts without a system account, but that did not work in tests on CentOS 7 and 8. The configuration can be tested with testparm smb.conf. Also, if creating a user prints fail, it was not created; use pdbedit -Lv to view the accounts.
If it reports no permission, check getenforce; SELinux needs to be turned off.
To add auditing, logging and the recycle bin, see the article below (look at the code at the very bottom):
https://blog.51cto.com/riverxyz/5169482
4. On Win7, NTLMv2 and LanMan access behaves differently from before. Guides online say the security policy must be changed; here is a Samba configuration instead, so Win7 needs no changes (this is the key point).
vim /etc/samba/smb.conf
Add the following settings to the [global] section.
NTLM auth = yes
Lanman auth = no
Client lanman auth = no
5. The configuration above is recommended, since it avoids modifying each client machine; with it in place, clients need no settings by default.
6. Character-encoding consistency between Samba and vsftpd:
Configure the Samba server
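As an added check (example code written for this page, not from the original post): the parser below reads an smb.conf the way Samba does (parameter names are case- and whitespace-insensitive, '#' and ';' start comments) and reports on the NTLM/LanMan settings from step 4 together with whether each share loads the full_audit module used later. SAMPLE_CONF is a constructed excerpt, and the remark that Samba's own default for ntlm auth is ntlmv2-only is an addition, not from the post.

```python
import re
YES = ("yes", "true", "1")

# Samba ignores case and whitespace in parameter names ("NTLM auth" == "ntlmauth").
def _norm(key):
    return re.sub(r"\s+", "", key.strip().lower())

def parse_smb_conf(text):
    """Return {section: {normalised_key: value}}; '#' and ';' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][_norm(key)] = value.strip()
    return sections

def review_auth_and_audit(text):
    """Findings a defender would want for the settings discussed in the post."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    # 'ntlm auth = yes' accepts NTLMv1; Samba's own default is ntlmv2-only.
    if g.get("ntlmauth", "ntlmv2-only").lower() in YES:
        findings.append("ntlm auth = yes: NTLMv1 responses accepted from every client")
    for key in ("lanmanauth", "clientlanmanauth"):
        if g.get(key, "no").lower() in YES:
            findings.append(f"{key} = yes: LanMan authentication enabled")
    for name, share in conf.items():
        if name in ("global", "homes", "printers", "print$"):
            continue
        # "vfs object" is Samba's synonym for "vfs objects"; modules are space separated
        mods = share.get("vfsobjects", share.get("vfsobject", "")).split()
        if "full_audit" not in mods:
            findings.append(f"[{name}]: no full_audit module, file operations not logged")
    return findings

# Constructed excerpt shaped like the post's smb.conf (not the full file).
SAMPLE_CONF = """\
[global]
    NTLM auth = yes
    Lanman auth = no
    Client lanman auth = no
[share]
    path = /home/share/
    vfs objects = full_audit recycle
"""
```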
# vim /etc/samba/smb.conf
Add the following under [global]
unix charset = cp936
display charset = cp936
dos charset = cp936
cp936 is code page 936 on the system, i.e. GBK. It means clients connecting to the Samba server use the GB2312 encoding.
CP936 is GBK; GB2312 is a proper subset of GBK.
In the Windows Control Panel, under Regional and Language Options -> Advanced, the Code Page list shows 936 as GBK.
7. vsftpd needs no change.
8. Hiding files:
You can try adding the following to vsftpd.conf:
hide_file=.*
This hides all dotfiles.
9. The alternative is to change the client instead (not required):
For testing, if you do need to change Win7, run secpol.msc, go to Local Policies -> Security Options, and change "Send LM & NTLM responses" to "Send NTLMv2 response only. Refuse LM & NTLM" (the last option).
Under "Network access: Sharing and security model for local accounts", change Classic to Guest only.
10. Removing the home directory share: when creating a new share such as [gtzbs], the default home folder share also showed up, e.g. [tralin]. Deleting the whole [homes] section fixes this. In other words, I created a user and gave that user a shared folder, but Windows showed two shared folders, one of them the default home directory. To fix it, comment out the entire [homes] section.
11. wget -nH -m ftp://xxxxxxusername:xxxxxpassword@192.168.7.65/alidata/ fetches the whole directory without the IP prefix.
See the two files below, smb.conf and rsyslog.conf.
The audit log is at /var/log/samba/audit.log; there are two files with that name, do not confuse them: the parent directory also has a file of the same name.
smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
    workgroup = WORKGROUP
    security = user
    netbios name = office
    passdb backend = tdbsam
    log file = /var/log/samba/%m.log
    max log size = 10240
    log level = 2
    full_audit:prefix = %u|%I|%S
    full_audit:failure = connect
    full_audit:success = mkdir rmdir rename unlink pwrite_send pwrite_recv pread_recv pread_send
    full_audit:facility = local2
    full_audit:priority = notice
    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw
    NTLM auth = yes
    Lanman auth = no
    Client lanman auth = no
    Browsable = yes

[share]
    comment = 共享文件夹
    path = /home/share/
    browseable = yes
    writeable = yes
    valid users = x,c
    write list = x,c
    # public = no   if set to no, a username can only log in once; multiple logins are not allowed
    public = yes
    guest ok = no
    create mask = 0777
    directory mask = 0777
    force directory mode = 0777
    force create mode = 0777
    vfs objects = full_audit recycle
    recycle:repository = .recycle
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = no
    recycle:maxsize = 0
    recycle:exclude = *.tmp ~$*

#[homes]
#    comment = Home Directories
#    valid users = %S, %D%w%S
#    browseable = yes
#    read only = No
#    inherit acls = Yes

#[printers]
#    comment = All Printers
#    path = /var/tmp
#    printable = Yes
#    create mask = 0600
#    browseable = No

#[print$]
#    comment = Printer Drivers
#    path = /var/lib/samba/drivers
#    write list = @printadmin root
#    force group = @printadmin
#    create mask = 0664
#    directory mask = 0775
The recycle bin is the hidden .recycle folder under the shared directory.
rsyslog.conf: only one line is added, at the very end.
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

# This one line has to be added; it turns on the audit log
local2.*                                                /var/log/samba/audit.log
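To read what the local2 rule above writes to /var/log/samba/audit.log, here is an added example (not part of the original post) that parses vfs_full_audit records carrying the %u|%I|%S prefix from the smb.conf above and summarises deletions per user and share, failed connects per source IP, and renames. The syslog header and the "smbd_audit:" tag are assumed from rsyslog's traditional file format and the module's syslog ident, and SAMPLE_LOG is constructed.

```python
import re
from collections import Counter, defaultdict

# syslog header, then the full_audit record: user|ip|share|op|ok or fail (reason)|args
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd_audit(?:\[\d+\])?: "
    r"(?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<share>[^|]*)\|(?P<op>[^|]*)\|"
    r"(?P<result>ok|fail(?: \([^)]*\))?)\|?(?P<args>.*)$")

def parse_audit(lines):
    """Yield one dict per line that matches the full_audit record format."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            rec = m.groupdict()
            rec["ok"] = rec["result"] == "ok"
            yield rec

def summarize(records):
    """Deletions per (user, share), failed connects per IP, renames per user."""
    deletes, failed_connects, renames = Counter(), Counter(), defaultdict(list)
    for r in records:
        if r["op"] in ("unlink", "rmdir") and r["ok"]:
            deletes[(r["user"], r["share"])] += 1
        elif r["op"] == "connect" and not r["ok"]:
            failed_connects[r["ip"]] += 1
        elif r["op"] == "rename" and r["ok"]:
            src, _, dst = r["args"].partition("|")   # rename logs "old|new"
            renames[r["user"]].append((src, dst))
    return {"deletes": deletes, "failed_connects": failed_connects,
            "renames": dict(renames)}

def summarize_text(text):
    return summarize(parse_audit(text.splitlines()))

# Constructed sample lines in the shape the full_audit:* options above produce
# (only the success ops listed there and failed connects are logged).
SAMPLE_LOG = """\
Mar  3 09:12:05 office smbd_audit: x|192.168.7.10|share|unlink|ok|docs/q1.xlsx
Mar  3 09:12:06 office smbd_audit: x|192.168.7.10|share|unlink|ok|docs/q2.xlsx
Mar  3 09:13:40 office smbd_audit: c|192.168.7.22|share|rename|ok|old.txt|new.txt
Mar  3 09:15:00 office smbd_audit: nobody|192.168.7.99|share|connect|fail (Permission denied)|share
Mar  3 09:15:03 office smbd_audit: nobody|192.168.7.99|share|connect|fail (Permission denied)|share
"""

if __name__ == "__main__":
    for key, value in summarize_text(SAMPLE_LOG).items():
        print(key, value)
```

Run it against the real file with summarize_text(open("/var/log/samba/audit.log").read()); a burst of unlink records for one user, or repeated failed connects from one IP, is what to look for first.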