3unit5&6&7

Red Hat System Administration III

############# Unit 5: iSCSI Remote Block Storage

1. iSCSI Concepts

iSCSI (Internet SCSI) lets a client (the initiator) send SCSI commands over IP to a SCSI storage device (the target) on a remote server. iSCSI Qualified Names identify initiators and targets and take the form

iqn.yyyy-mm.{reverse domain}:label

By default, network traffic to port 3260/tcp on the iSCSI target is plaintext.

 **iSCSI initiator: the client that needs access to raw SAN storage.
 **iSCSI target: the remote hard disk provided by the iSCSI server, or the "target portal".
 **iSCSI target portal: the server that provides targets to initiators over the network.
 **IQN: "iSCSI Qualified Name". Every initiator and target needs a unique name to identify it; the best practice is to use a name that is likely to be unique across the whole Internet.

 

2. iSCSI Target Configuration

Install the iSCSI target package:

# yum install -y targetcli

Start the service:

# systemctl enable target; systemctl start target

Enter the interactive iSCSI target configuration shell:

# targetcli

Demo

/> ls
o- / ..................................................................... [...]
  o- backstores .......................................................... [...]
  | o- block .............................................. [Storage Objects: 0]
  | o- fileio ............................................. [Storage Objects: 0]
  | o- pscsi .............................................. [Storage Objects: 0]
  | o- ramdisk ............................................ [Storage Objects: 0]
  o- iscsi ........................................................ [Targets: 0]
  o- loopback ..................................................... [Targets: 0]
/> /backstores/block create server0.disk1 /dev/iSCSI_vg/disk1_lv
Created block storage object server0.disk1 using /dev/iSCSI_vg/disk1_lv.
/> /iscsi create iqn.2014-12.com.example:server0
Created target iqn.2014-12.com.example:server0.
Created TPG 1.
/> /iscsi/iqn.2014-12.com.example:server0/tpg1/acls create iqn.2014-12.com.example:desktop0
Created Node ACL for iqn.2014-12.com.example:desktop0
/> /iscsi/iqn.2014-12.com.example:server0/tpg1/luns create /backstores/block/server0.disk1
Created LUN 0.
Created LUN 0->0 mapping in node ACL iqn.2014-12.com.example:desktop0
/> /iscsi/iqn.2014-12.com.example:server0/tpg1/portals create 172.25.0.11
Using default IP port 3260
Created network portal 172.25.0.11:3260.
/> exit

3. Accessing iSCSI Storage

Install the iSCSI initiator package:

# yum install -y iscsi-initiator-utils

Set the initiator's IQN in /etc/iscsi/initiatorname.iscsi:

InitiatorName=iqn.2014-12.com.example:desktop0

Discover the iSCSI targets offered by the iSCSI server (target portal):

# iscsiadm -m discovery -t st -p 172.25.0.11

Log in to one or more iSCSI targets on the server:

# iscsiadm -m node -T iqn.2014-12.com.example:server0 -p 172.25.0.11 -l

The iSCSI disk can now be used as if it were a locally attached hard drive. An existing filesystem can be mounted. If the disk is unformatted, it can be partitioned with fdisk and a partition can then be formatted with a filesystem or used as an LVM physical volume, for example.

 

4. Mounting the Filesystem Persistently in /etc/fstab

1. Use blkid to determine the filesystem UUID and mount by UUID rather than by /dev/sd* device name. (The device name can differ on every boot, depending on the order in which the iSCSI devices respond over the network; mounting by device name can therefore select the wrong device.)

2. Use _netdev as a mount option in /etc/fstab. (This ensures the client does not try to mount the filesystem until networking is up; otherwise the system will fail at boot.)

3. Make sure the iscsi service starts at boot.
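As an added example (not part of the course notes), the script below checks an fstab file against the two rules above: an iSCSI-backed filesystem must be referenced by UUID= and must carry _netdev. It identifies iSCSI disks from the output of `lsblk -d -n -o NAME,TRAN` and traces UUID= entries back to a disk through `blkid` output; the fstab, lsblk and blkid text embedded here is constructed for the example, not taken from the lab.

```bash
#!/bin/bash
# Added example, not from the course notes: audit fstab entries for iSCSI-backed
# filesystems. Flags (1) mounts by /dev/sd* name instead of UUID= and
# (2) iSCSI-backed mounts that lack the _netdev option.
#
# audit_iscsi_fstab FSTAB LSBLK_OUT BLKID_OUT
#   FSTAB     : an /etc/fstab-style file
#   LSBLK_OUT : output of  lsblk -d -n -o NAME,TRAN   (e.g. "sda iscsi")
#   BLKID_OUT : output of  blkid                      (e.g. /dev/sda1: UUID="..." TYPE="xfs")
# Prints one finding per line; exit status 1 if anything was flagged, 0 if clean.
# Limitation: LVM/device-mapper volumes on top of iSCSI LUNs are not resolved to
# their underlying disk, so they are not examined.
audit_iscsi_fstab() {
    awk -v lsblk_out="$2" -v blkid_out="$3" '
    BEGIN {
        # whole-disk name -> transport ("iscsi" for LUNs reached through iscsiadm)
        while ((getline line < lsblk_out) > 0) {
            n = split(line, f, " ")
            tran[f[1]] = (n >= 2) ? f[2] : ""
        }
        # filesystem UUID -> partition device, so UUID= entries can be traced to a disk
        while ((getline line < blkid_out) > 0) {
            dev = line; sub(/:.*/, "", dev)
            if (match(line, /UUID="[^"]+"/))
                byuuid[substr(line, RSTART + 6, RLENGTH - 7)] = dev
        }
    }
    /^[ \t]*#/ || NF < 4 { next }            # comments, blank and short lines
    {
        spec = $1; mnt = $2; opts = $4; dev = ""
        if (spec ~ /^UUID=/)        dev = byuuid[substr(spec, 6)]
        else if (spec ~ /^\/dev\//) dev = spec
        if (dev == "") next                  # nfs, cifs, tmpfs, unknown UUID: not a local block device
        disk = dev; sub(/^\/dev\//, "", disk); sub(/[0-9]+$/, "", disk)   # sdb1 -> sdb
        if (tran[disk] != "iscsi") next
        bad = 0
        if (spec ~ /^\/dev\//) {
            printf "%s: iSCSI LUN mounted by device name %s; use UUID= from blkid\n", mnt, spec
            bad = 1
        }
        if (("," opts ",") !~ /,_netdev,/) {
            printf "%s: iSCSI-backed mount lacks _netdev; boot will fail before the network is up\n", mnt
            bad = 1
        }
        findings += bad
    }
    END { exit (findings > 0) }
    ' "$1"
}

# --- constructed sample inputs (not real lab output) ---------------------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_FSTAB="$SAMPLE_DIR/fstab"; SAMPLE_LSBLK="$SAMPLE_DIR/lsblk"; SAMPLE_BLKID="$SAMPLE_DIR/blkid"
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed /etc/fstab: root on the local virtio disk, three iSCSI-backed mounts, one NFS mount
UUID=11111111-aaaa-4bbb-8ccc-000000000001 /             xfs  defaults          0 0
/dev/sda1                                 /mnt          xfs  defaults,_netdev  0 0
UUID=22222222-aaaa-4bbb-8ccc-000000000002 /data/iscsi   xfs  defaults          0 0
UUID=33333333-aaaa-4bbb-8ccc-000000000003 /data/ok      xfs  defaults,_netdev  0 0
server0.example.com:/                     /mnt/nfsshare nfs  defaults          0 0
EOF
cat > "$SAMPLE_LSBLK" <<'EOF'
vda
sda iscsi
sdb iscsi
EOF
cat > "$SAMPLE_BLKID" <<'EOF'
/dev/vda1: UUID="11111111-aaaa-4bbb-8ccc-000000000001" TYPE="xfs"
/dev/sda1: UUID="44444444-aaaa-4bbb-8ccc-000000000004" TYPE="xfs"
/dev/sdb1: UUID="22222222-aaaa-4bbb-8ccc-000000000002" TYPE="xfs"
/dev/sdb2: UUID="33333333-aaaa-4bbb-8ccc-000000000003" TYPE="xfs"
EOF

# Expected: /mnt is flagged for the /dev/sda1 name, /data/iscsi for the missing
# _netdev; / (virtio, not iSCSI) and /data/ok are clean; the NFS line is skipped.
audit_iscsi_fstab "$SAMPLE_FSTAB" "$SAMPLE_LSBLK" "$SAMPLE_BLKID"
echo "exit status: $?"
```

On a live host, feed it `/etc/fstab`, `lsblk -d -n -o NAME,TRAN > /tmp/lsblk.txt` and `blkid > /tmp/blkid.txt`.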

 

5. Stopping Use of an iSCSI Target

Make sure none of the devices provided by the target are in use.

Make sure every persistent mount that uses the target has been removed from /etc/fstab and similar locations.

Log out of the iSCSI target to disconnect temporarily:

# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.demo -p 192.168.0.254 -u

Delete the local record of the iSCSI target to disconnect permanently:

# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.demo -p 192.168.0.254 -o delete

 

 

 

Linux shared block device

Example: interactive iSCSI target configuration

Server side

[root@server41 mnt]# fdisk -l  ## list the devices
[root@server41 mnt]# fdisk /dev/vdb
   设备 Boot      Start         End      Blocks   Id  System
/dev/vdb1            2048     1026047      512000   83  Linux
[root@server41 mnt]# partprobe
[root@server41 mnt]# yum install -y targetcli
[root@server41 mnt]# systemctl start target
[root@server41 mnt]# systemctl enable target
ln -s '/usr/lib/systemd/system/target.service' '/etc/systemd/system/multi-user.target.wants/target.service'
[root@server41 mnt]# targetcli
Warning: Could not load preferences file /root/.targetcli/prefs.bin.
targetcli shell version 2.1.fb34
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.

/> ls
o- / ..................................................................... [...]
  o- backstores .......................................................... [...]
  | o- block .............................................. [Storage Objects: 0]
  | o- fileio ............................................. [Storage Objects: 0]
  | o- pscsi .............................................. [Storage Objects: 0]
  | o- ramdisk ............................................ [Storage Objects: 0]
  o- iscsi ........................................................ [Targets: 0]
  o- loopback ..................................................... [Targets: 0]
/> /backstores/block create westos:storage1 /dev/vdb1  ## give the /dev/vdb1 device the alias westos:storage1
Created block storage object westos:storage1 using /dev/vdb1.
/> /iscsi create iqn.2017-05.com.example:star1  ## create the "lock" (the target); iqn.2017-05.com.example:star1 is the target name, with the domain written in reverse
Created target iqn.2017-05.com.example:star1.
Created TPG 1.
/> /iscsi/iqn.2017-05.com.example:star1/tpg1/acls create iqn.2017-05.com.example:key1 ## access control: iqn.2017-05.com.example:key1 is the "key" (the initiator IQN allowed to open this target), domain written in reverse
Created Node ACL for iqn.2017-05.com.example:key1
/> /iscsi/iqn.2017-05.com.example:star1/tpg1/luns create /backstores/block/westos:storage1  ## associate the target with the /dev/vdb1 device
Created LUN 0.
Created LUN 0->0 mapping in node ACL iqn.2017-05.com.example:key1
/> /iscsi/iqn.2017-05.com.example:star1/tpg1/portals create 172.25.41.11  ## associate the target with the server address

Client side

[root@desktop41 ~]# yum search iscsi
[root@desktop41 ~]# yum install iscsi-initiator-utils.x86_64 -y
[root@desktop41 ~]# vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2017-05.com.example:key1  ## iqn.2017-05.com.example:key1 is the newly created "key"
[root@desktop41 ~]# systemctl restart iscsi
[root@desktop41 ~]# iscsiadm -m discovery -t st -p 172.25.41.11  ## discover the target name
172.25.41.11:3260,1 iqn.2017-05.com.example:star1
[root@desktop41 ~]# iscsiadm -m node -T iqn.2017-05.com.example:star1 -p 172.25.41.11 -l ## -l logs in
Logging in to [iface: default, target: iqn.2017-05.com.example:star1, portal: 172.25.41.11,3260] (multiple)
Login to [iface: default, target: iqn.2017-05.com.example:star1, portal: 172.25.41.11,3260] successful.
[root@desktop41 ~]# fdisk -l

Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00013f3e

   Device Boot      Start         End      Blocks   Id  System
/dev/vda1   *        2048    20970332    10484142+  83  Linux

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/sda: 524 MB, 524288000 bytes, 1024000 sectors  ## /dev/sda is the newly exported device (/dev/vdb1 on the server)
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes

[root@desktop41 ~]# fdisk /dev/sda
Welcome to fdisk (util-linux 2.23.2).

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p):
Using default response p
Partition number (1-4, default 1):
First sector (8192-1023999, default 8192):
Using default value 8192
Last sector, +sectors or +size{K,M,G} (8192-1023999, default 1023999): +200M  ## partition /dev/sda
Partition 1 of type Linux and of size 200 MiB is set

Command (m for help): wq
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
[root@desktop41 ~]# mkfs.xfs /dev/sda1
meta-data=/dev/sda1              isize=256    agcount=8, agsize=6400 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0
data     =                       bsize=4096   blocks=51200, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=853, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
[root@desktop41 ~]# df
Filesystem           1K-blocks    Used Available Use% Mounted on
/dev/vda1             10473900 3174596   7299304  31% /
devtmpfs                493408       0    493408   0% /dev
tmpfs                   508996      80    508916   1% /dev/shm
tmpfs                   508996   13376    495620   3% /run
tmpfs                   508996       0    508996   0% /sys/fs/cgroup
172.25.41.11:/westos  10473984 3179776   7294208  31% /mnt
[root@desktop41 ~]# umount /mnt/
[root@desktop41 ~]# mount /dev/sda1  /mnt
[root@desktop41 ~]# df
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/vda1       10473900 3174596   7299304  31% /
devtmpfs          493408       0    493408   0% /dev
tmpfs             508996      80    508916   1% /dev/shm
tmpfs             508996   13372    495624   3% /run
tmpfs             508996       0    508996   0% /sys/fs/cgroup
/dev/sda1         201388   10528    190860   6% /mnt
[root@desktop41 ~]# vim /etc/fstab  ## mount the filesystem persistently in /etc/fstab
/dev/sda1       /mnt    xfs     defaults,_netdev        0 0   ## as section 4 notes, a UUID= from blkid is preferable to the /dev/sda1 name

 

2) Example: ############# removing the device

Client side

[root@desktop41 ~]# iscsiadm -m discovery -t st -p 172.25.41.11  ## look up the target name
172.25.41.11:3260,1 iqn.2017-05.com.example:star1
[root@desktop41 ~]# iscsiadm -m node -T iqn.2017-05.com.example:star1 -p 172.25.41.11 -u  ## -u logs out of the iSCSI target, disconnecting temporarily (first make sure none of the devices provided by the target are in use, and remove every persistent mount that uses the target from /etc/fstab and similar locations)
Logging out of session [sid: 1, target: iqn.2017-05.com.example:star1, portal: 172.25.41.11,3260]
Logout of [sid: 1, target: iqn.2017-05.com.example:star1, portal: 172.25.41.11,3260] successful.

[root@desktop41 ~]# fdisk -l

Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00013f3e

   Device Boot      Start         End      Blocks   Id  System
/dev/vda1   *        2048    20970332    10484142+  83  Linux

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xe5d8abfb

   Device Boot      Start         End      Blocks   Id  System
[root@desktop41 ~]# systemctl restart iscsi.service
[root@desktop41 ~]# fdisk -l

Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00013f3e

   Device Boot      Start         End      Blocks   Id  System
/dev/vda1   *        2048    20970332    10484142+  83  Linux

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xe5d8abfb

   Device Boot      Start         End      Blocks   Id  System

Disk /dev/sda: 524 MB, 524288000 bytes, 1024000 sectors  ## after restarting iscsi.service, /dev/sda appears again (the node record still exists)
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes
Disk label type: dos
Disk identifier: 0x1079f708

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1            8192      417791      204800   83  Linux
[root@desktop41 ~]# iscsiadm -m node -T iqn.2017-05.com.example:star1 -p 172.25.41.11 -o delete  ## delete the local record of the iSCSI target to disconnect permanently
[root@desktop41 ~]# systemctl restart iscsi.service
[root@desktop41 ~]# fdisk -l

Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00013f3e

   Device Boot      Start         End      Blocks   Id  System
/dev/vda1   *        2048    20970332    10484142+  83  Linux

Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xe5d8abfb

   Device Boot      Start         End      Blocks   Id  System

Server side

[root@server41 mnt]# targetcli
targetcli shell version 2.1.fb34
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.
/> clearconfig confirm=True   ## remove the target configuration on the server side
All configuration cleared

 

############################## Unit 6: NFS File Storage

1. NFS Concepts

The Network File System (NFS) is the network filesystem commonly used by Unix systems and network-attached storage appliances; it allows multiple clients to share file access over the network. It can be used to provide access to shared binary directories, or to let users in the same workgroup reach their files from different clients. There are several versions of the NFS protocol: Linux supports versions 4, 3 and 2, and most system administrators are familiar with NFSv3. By default the protocol is not secure, but newer versions such as NFSv4 support stronger authentication and can even be encrypted through Kerberos.

2. NFS Server Configuration

To configure a basic NFS server, install the nfs-utils package. Then edit /etc/exports to list the filesystems you want to share with client systems over the network, and specify which clients get which access to each export. For example:

/var/ftp/pub   192.168.0.0/24(ro,sync)

exports the directory /var/ftp/pub to all hosts on the 192.168.0.0/24 network (read-only).

/export/homes *.example.com(rw,sync)

exports the directory /export/homes to all hosts in example.com (read-write).

While the NFS server is running, every time you edit /etc/exports you should run exportfs -r after saving to make sure the changes are applied. exportfs -v displays all exports.

NFSv4 also exports a pseudo-root (the root of all exported filesystems). If a client mounts nfs-server:/, all exported filesystems are mounted at their positions relative to / on the NFS server. This is useful for browsing, from the client, everything the server exports. Filesystems can still be mounted individually.

By default the NFS server treats root on an NFS client as the user nfsnobody: if root tries to access a file in a mounted export, the server handles the access as if it came from nfsnobody. This safety measure gets in the way when an NFS export is used as / by a diskless client and root needs to be treated as root. To disable the protection, the server must add no_root_squash to the option list of the export in /etc/exports:

/exports/root  192.168.0.1(rw,no_root_squash)

For NFSv4, port 2049/TCP (for nfsd) must be opened on the server. NFSv3 and earlier need additional ports opened for rpcbind, rpc.mountd, lockd and rpc.rquotad, made more complicated by the fact that many of these services start on "randomly" chosen ports. In addition, NFSv2 and NFSv3 support UDP transport, which requires the corresponding ports to be opened as well. This course focuses on NFSv4.

 

3. Demo

1. Start the NFS service:

# systemctl start nfs-server ; systemctl enable nfs-server

2. Create the shared directory and set its ownership:

# mkdir /nfsshare ; chown nfsnobody /nfsshare

3. Edit /etc/exports. For example:

/nfsshare/read 172.25.0.0/24(ro,sync)
/nfsshare/write 172.25.0.0/24(rw,sync) 127.0.0.1(rw,sync)

4. From the client, view and mount the NFS pseudo-root share:

[root@desktop0 ~]# showmount -e server0
[root@desktop0 ~]# mkdir /mnt/nfsshare
[root@desktop0 ~]# mount -t nfs server0.example.com:/ /mnt/nfsshare

4. Mounting an NFS Filesystem Persistently

Add the corresponding line to /etc/fstab:

nfsserver:/nfsshare /mnt/nfsshare nfs defaults 0 0

Client-side NFS mount options

rw: mount the filesystem read-write
ro: mount the filesystem read-only
vers=4: attempt the mount using only the specified NFS version. If the server does not support that version, the mount request fails.
soft: if an NFS request times out, return an error after three attempts. This trades data integrity for better client responsiveness. (The default behaviour, hard, retries indefinitely.)

 

5. Securing NFS Exports

Demo:

On serverX and desktopX, run the script that joins the Kerberos realm:

# lab nfskrb5 setup

Install the keytab required by the Kerberos service (the following steps are all done on server0):

# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab

Enable NFS version 4.2, which can export SELinux labels, by editing /etc/sysconfig/nfs and changing the following option:

RPCNFSDARGS="-V 4.2"

Start the nfs-secure-server service:

# systemctl start nfs-secure-server; systemctl enable nfs-secure-server

Configure the NFS export:

# mkdir /securenfs
# echo '/securenfs desktop0(sec=krb5p,rw)' >> /etc/exports
# exportfs -r

6. Install the keytab required by the Kerberos service (the following steps are all done on desktop0):

# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab

Start the nfs-secure service:

# systemctl start nfs-secure; systemctl enable nfs-secure

Configure the client mount (vers=4.2 is the NFS mount option for the protocol version, as used with mount -o below):

# mkdir /mnt/secureshare
# echo 'server0:/securenfs /mnt/secureshare nfs defaults,vers=4.2,sec=krb5p 0 0' >>/etc/fstab
# mount -a
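Added example, not part of the course notes: a small audit of an /etc/exports file that flags the settings discussed in sections 2 and 5 (no_root_squash, exports to every host with *, rw without a Kerberos security flavor) and the classic whitespace mistake "host (rw)", which exportfs reads as "host" with default options plus a second export to everyone. The sample exports file is constructed here from the entries used in this unit.

```bash
#!/bin/bash
# Added example, not from the course notes: audit an /etc/exports file.
# audit_exports FILE  -> prints one finding per line, exit 1 if anything was flagged.
# Checks, per client entry:
#   * "host (opts)" with a space: exportfs reads this as "host" with default
#     options plus a second entry "*(opts)" that applies to every host
#   * client "*": export reachable from any host
#   * no_root_squash: remote root is mapped to root instead of nfsnobody
#   * rw without sec=krb5/krb5i/krb5p: writers are trusted by IP address only (sec=sys)
# A client without parentheses gets the NFS defaults (ro, root_squash, sec=sys) and is not flagged.
audit_exports() {
    awk '
    function flag(msg) { print msg; findings++ }
    /^[ \t]*#/ || NF == 0 { next }
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            tok = $i; client = tok; opts = ""
            if (tok ~ /^\(/) {
                flag(path ": options " tok " are separated from the client by whitespace; exportfs applies them to all hosts (*)")
                client = "*"; opts = tok; sub(/^\(/, "", opts); sub(/\)$/, "", opts)
            } else if (match(tok, /\(.*\)$/)) {
                client = substr(tok, 1, RSTART - 1)
                opts = substr(tok, RSTART + 1, RLENGTH - 2)
            }
            o = "," opts ","
            if (client == "*")
                flag(path ": exported to every host (*)")
            if (o ~ /,no_root_squash,/)
                flag(path " -> " client ": no_root_squash lets a remote root act as root on the server")
            if (o ~ /,rw,/ && o !~ /,sec=krb5[ip]?,/)
                flag(path " -> " client ": rw without sec=krb5*; writers are trusted by IP address only (sec=sys)")
        }
    }
    END { exit (findings > 0) }
    ' "$1"
}

# --- constructed sample (not real lab data); mixes entries from this unit ------
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed /etc/exports
/nfsshare/read   172.25.0.0/24(ro,sync)
/nfsshare/write  172.25.0.0/24(rw,sync) 127.0.0.1(rw,sync)
/exports/root    192.168.0.1(rw,no_root_squash)
/securenfs       desktop0(sec=krb5p,rw)
/westos          *(sec=krb5p,rw)
/public          192.168.0.0/24 (rw,sync)
EOF

# Expected: 8 findings. /nfsshare/read and /securenfs are clean; /public yields
# three (whitespace before the options, export to *, and rw without Kerberos).
audit_exports "$SAMPLE_EXPORTS"
echo "exit status: $?"
```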

 

 

Example: NFS server configuration

[root@mail-hello ~]# yum install nfs-utils -y
Loaded plugins: langpacks
Package 1:nfs-utils-1.3.0-0.el7.x86_64 already installed and latest version
Nothing to do
[root@mail-hello ~]# systemctl restart nfs
[root@mail-hello ~]# systemctl start firewalld
[root@mail-hello ~]# firewall-cmd --permanent --add-service=nfs
success
[root@mail-hello ~]# firewall-cmd --permanent --add-service=mountd
success
[root@mail-hello ~]# firewall-cmd --permanent --add-service=rpc-bind   ## the RPC services use randomly chosen ports
success
[root@mail-hello ~]# firewall-cmd --reload
success
[root@mail-hello ~]# vim /etc/exports
/westos         172.25.254.0/24(ro)
[root@mail-hello ~]# vim /etc/exports
[root@mail-hello ~]# exportfs -rv  ## re-export everything in /etc/exports
exporting 172.25.254.0/24:/westos
[root@mail-hello ~]# vim /etc/exports
/westos         172.25.254.0/24(rw)
[root@mail-hello ~]# exportfs -rv
exporting 172.25.254.0/24:/westos
[root@mail-hello ~]# vim /etc/exports
/westos         172.25.254.0/24(rw,no_root_squash)
[root@mail-hello ~]# exportfs -rv
exporting 172.25.254.0/24:/westos
[root@mail-eastos westos]# showmount -e 172.25.254.141
clnt_create: RPC: Program not registered
[root@mail-eastos westos]# showmount -e 172.25.254.141 ## after yum install nfs-utils -y
Export list for 172.25.254.141:
[root@mail-eastos westos]# mount 172.25.254.141:/westos /mnt/
[root@mail-eastos westos]# cd /mnt/
[root@mail-eastos mnt]# ls
file
[root@mail-eastos mnt]# touch pp
touch: cannot touch ‘pp’: Read-only file system  ## while /etc/exports still says (ro)
[root@mail-eastos mnt]# touch pp  ## after changing the export to rw
[root@mail-eastos mnt]# ll
total 0
-rw-r--r--. 1 le        le        0 May  1 23:18 file
-rw-r--r--. 1 nfsnobody nfsnobody 0 May  2 01:43 pp
[root@mail-eastos mnt]# touch file3   ## after adding no_root_squash: the file is owned by root instead of nfsnobody
[root@mail-eastos mnt]# ll
total 0
-rw-r--r--. 1 le        le        0 May  1 23:18 file
-rw-r--r--. 1 root      root      0 May  2 01:44 file3
-rw-r--r--. 1 nfsnobody nfsnobody 0 May  2 01:43 pp

 

 

Example: securing NFS exports by joining the Kerberos realm

[root@server41 ~]# cd /mnt/
[root@server41 mnt]# vim auth-config.sh  ## script that configures LDAP users and Kerberos authentication
#!/bin/bash
echo install packages...
yum install sssd krb5-workstation -y &> /dev/null
echo configure...
authconfig \
--enableldap \
--enablekrb5 \
--disableldapauth \
--enableldaptls \
--ldaploadcacert="http://172.25.254.254/pub/example-ca.crt" \
--ldapserver="classroom.example.com" \
--ldapbasedn="dc=example,dc=com" \
--krb5realm="EXAMPLE.COM" \
--krb5adminserver="classroom.example.com" \
--krb5kdc="classroom.example.com" \
--update && echo success !!
[root@server41 mnt]# sh auth-config.sh
install packages...
configure...
success !!
[root@server41 mnt]# id ldapuser1
uid=1701(ldapuser1) gid=1701(ldapuser1) 组=1701(ldapuser1)
[root@server41 mnt]# getent passwd ldapuser1
ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
[root@server41 mnt]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server41.keytab  ## download the host keytab
--2017-05-02 03:07:08--  http://classroom.example.com/pub/keytabs/server41.keytab
正在解析主机 classroom.example.com (classroom.example.com)... 172.25.254.254
正在连接 classroom.example.com (classroom.example.com)|172.25.254.254|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:1258 (1.2K)
正在保存至: “/etc/krb5.keytab”

100%[======================================>] 1,258       --.-K/s 用时 0s      

2017-05-02 03:07:08 (194 MB/s) - 已保存 “/etc/krb5.keytab” [1258/1258])

[root@server41 mnt]# vim /etc/sysconfig/nfs
RPCNFSDARGS="-V 4.2" ## protocol version 4.2; with version 3 the security flavor check would be skipped
[root@server41 mnt]# systemctl status nfs-secure-server
nfs-secure-server.service - Secure NFS Server
   Loaded: loaded (/usr/lib/systemd/system/nfs-secure-server.service; disabled)
   Active: inactive (dead)
[root@server41 mnt]# systemctl start nfs-secure-server
[root@server41 mnt]# systemctl enable nfs-secure-server
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
[root@server41 mnt]# mkdir /westos
[root@server41 mnt]# vim /etc/exports
/westos         172.25.41.0/24(rw,sec=krb5p)  ## shared filesystem, allowed network (read-write, security flavor krb5p)
[root@server41 mnt]# exportfs -rv
exporting 172.25.41.0/24:/westos
[root@server41 mnt]# systemctl stop firewalld.service

Client side

[root@desktop41 ~]# cd /mnt/
[root@desktop41 mnt]# vim auth-config.sh
[root@desktop41 mnt]# sh auth-config.sh
[root@desktop41 mnt]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop41.keytab ## download the host keytab
[root@desktop41 mnt]# systemctl start nfs-secure
[root@desktop41 mnt]# systemctl enable nfs-secure
ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'
[root@desktop41 mnt]# vim /etc/exports
/westos         *(sec=krb5p,rw)
[root@desktop41 mnt]# exportfs -rv
exporting *:/westos
exportfs: Failed to stat /westos: No such file or directory
[root@desktop41 mnt]# mkdir /westos
[root@desktop41 mnt]# exportfs -rv
exporting *:/westos
[root@desktop41 ~]# systemctl stop firewalld.service
[root@desktop41 ~]# systemctl status nfs-secure.service
nfs-secure.service - Secure NFS
   Loaded: loaded (/usr/lib/systemd/system/nfs-secure.service; enabled)
   Active: active (running) since Tue 2017-05-02 03:21:20 EDT; 13min ago
  Process: 2484 ExecStart=/usr/sbin/rpc.gssd $RPCGSSDARGS (code=exited, status=0/SUCCESS)
 Main PID: 2485 (rpc.gssd)
   CGroup: /system.slice/nfs-secure.service
           └─2485 /usr/sbin/rpc.gssd

May 02 03:24:12 desktop41.example.com rpc.gssd[2485]: ERROR: unable to resolv...  ## host name resolution is missing
May 02 03:24:12 desktop41.example.com rpc.gssd[2485]: ERROR: failed to read s...
May 02 03:24:16 desktop41.example.com rpc.gssd[2485]: ERROR: unable to resolv...
May 02 03:24:16 desktop41.example.com rpc.gssd[2485]: ERROR: failed to read s...
May 02 03:24:24 desktop41.example.com rpc.gssd[2485]: ERROR: unable to resolv...
May 02 03:24:24 desktop41.example.com rpc.gssd[2485]: ERROR: failed to read s...
May 02 03:24:34 desktop41.example.com rpc.gssd[2485]: ERROR: unable to resolv...
May 02 03:24:34 desktop41.example.com rpc.gssd[2485]: ERROR: failed to read s...
May 02 03:24:46 desktop41.example.com rpc.gssd[2485]: ERROR: unable to resolv...
May 02 03:24:46 desktop41.example.com rpc.gssd[2485]: ERROR: failed to read s...
Hint: Some lines were ellipsized, use -l to show in full.
[root@desktop41 ~]# vim /etc/hosts   ## add host name resolution
172.25.41.10 desktop41.example.com
172.25.41.11 server41.example.com
[root@desktop41 ~]# systemctl restart nfs-secure.service  ## restart the service
[root@desktop41 ~]# mount -o vers=4.2,sec=krb5p 172.25.41.11:/westos /mnt/ ## mount
[root@desktop41 ~]# df
Filesystem           1K-blocks    Used Available Use% Mounted on
/dev/vda1             10473900 3174680   7299220  31% /
devtmpfs                493408       0    493408   0% /dev
tmpfs                   508996      80    508916   1% /dev/shm
tmpfs                   508996   13388    495608   3% /run
tmpfs                   508996       0    508996   0% /sys/fs/cgroup
172.25.41.11:/westos  10473984 3170688   7303296  31% /mnt

 

 

 

############################# Unit 7: CIFS File Storage

#################### SMB File Sharing

The Common Internet File System (CIFS), also called Server Message Block (SMB), is the standard file and printer sharing system for Microsoft Windows servers and clients. The Samba service can be used to share Linux filesystems as CIFS/SMB network file shares and Linux printers as CIFS/SMB printer shares.

 

Components of the Samba service

1. Packages:
samba-common: Samba support files
samba-client: client applications
samba: server application
2. Service names: smb nmb
3. Service ports: normally TCP/445 for all connections. UDP/137, UDP/138 and TCP/139 are also used for backward compatibility.
4. Main configuration file: /etc/samba/smb.conf

/etc/samba/smb.conf: the [global] section

 workgroup specifies the Windows workgroup or network domain name.

 hosts allow
hosts allow is a comma-, space- or tab-separated set of hosts that are allowed to access the service. If specified in the [global] section it applies to all services, regardless of whether individual services have a different setting. Hosts can be specified by name or by IP number. For example, allow hosts = 192.168.0. allows one whole network.

 security
This option affects how clients respond to Samba and is one of the most important settings in the smb.conf file.
security = user: clients must log in with a valid username and password.
security = domain: only works when the machine has been added to an NT domain. It requires the encrypted passwords parameter to be set to yes. In this mode Samba validates the username/password by passing it to a Windows NT primary or backup domain controller, exactly as a Windows NT Server does. Note that a valid UNIX user must still exist alongside the account on the domain controller, so that Samba has a valid UNIX account to map file access to. You must set the password server parameter to give Samba a server to validate passwords against.

security = server: Samba attempts to validate the username/password by passing it to another SMB server. You must set the password server parameter to give Samba a server to validate passwords against.

security = ads: Samba acts as a domain member in an ADS realm. To operate in this mode, the machine running Samba needs Kerberos installed and configured, and Samba must be joined to the ADS realm with the net utility.

/etc/samba/smb.conf: other sections

[homes]
This share (enabled by default) is a special share that makes users' home directories available over CIFS. It includes browseable = no, so it does not appear as an available share until the user has authenticated. The share name can be given as homes (in which case the Samba server translates it to the user's home directory path) or as the username.
[printers]
Also available by default; shares the currently available printers.
[share]
To set up another share, put the share name in brackets as shown above. A share needs at least a path parameter.

 

###################### SMB Users

useradd
security = user requires both UNIX and Samba account information. Add the user (preferably with the same name as the Samba account) and put an entry in /etc/samba/smbusers (the file contains some examples). If you create a Samba-only user, set the UNIX login shell to /sbin/nologin.
[root@serverX ~]# useradd -s /sbin/nologin wxh
smbpasswd
If you do not have a Samba password server, the authentication data must be created on the local machine. Use smbpasswd to create Samba accounts and passwords.
If smbpasswd is passed only a username with no options, it tries to change that account's password. Passing the -a option adds the account and sets its password.
[root@serverX ~]# smbpasswd -a wxh
New SMB password: westos
Retype new SMB password: westos
Added user wxh.

 

################## Securing SMB

The samba_enable_home_dirs and use_samba_home_dirs SELinux booleans
The samba_enable_home_dirs boolean allows local Linux home directories to be exported to other systems as CIFS file shares. The use_samba_home_dirs boolean, on the other hand, allows remote CIFS file shares to be mounted and used as local Linux home directories.
# setsebool -P samba_enable_home_dirs on
samba_share_t is the label for user-defined Samba shares
# chcon -R -t samba_share_t /smbshare
# semanage fcontext -a -t samba_share_t '/smbshare(/.*)?'
# restorecon -vvFR /smbshare
samba_export_all_ro and samba_export_all_rw allow system directories to be shared
# setsebool -P samba_export_all_ro on
# setsebool -P samba_export_all_rw on

 

########################## Accessing CIFS Shares

Four basic ways to connect to a CIFS file share:
1. Graphical access to a CIFS share
Go to "Network" --> "Connect to Server" and fill in the following fields:
Server Address : 172.25.0.11
Username: wxh
Password: westos
2. Command-line, FTP-style access to a CIFS share:
[root@server0 ~]# smbclient -L server0.example.com -U wxh
Enter wxh's password: westos
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

[root@server0 ~]# smbclient //server0.example.com/smbshare -U wxh
Enter wxh's password: westos
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
  .                                   D        0  Thu Dec 18 17:27:27 2014
  ..                                  D        0  Thu Dec 18 11:37:20 2014
  testfile                            N       12  Thu Dec 18 11:38:03 2014
3. Mounting a CIFS share manually
[root@server0 ~]# mount -o username=wxh //server0.example.com/smbshare /mnt/wxh
4. Mounting a CIFS share persistently
Add the following line to /etc/fstab:
//server0.example.com/smbshare /mnt/wxh  cifs   credentials=/root/userpasswd 0 0
Create /root/userpasswd:
user=wxh
pass=westos

 

Practice: (15 minutes)
Configure an SMB share on the serverX system according to the following requirements:
share the newly created directory /smbshare with SMB.
members of the auxiliary group marketing have read and write permissions on the share.
all users that are not members of the marketing group have read permission.
the Samba server is in the mycompany workgroup and the share name is smbshare.
create the Samba-only user brian, who is part of the marketing team, with the password redhat.
create the new Samba-only user rob with the password redhat, who is not part of the marketing team.
successfully grade the setup on the serverX system with lab smbshare grade.

 

####################### SMB Multiuser Mounts

Demo: (desktopX)
Install the cifs-utils package, which contains the cifscreds command:
# yum install -y cifs-utils
Create the SMB multiuser mount point:
# mkdir /mnt/multiuser
Create the SMB credentials file (the second line is appended with >>; a second > would overwrite the username line):
# echo 'username=brian' > /root/smb-multiuser.txt
# echo 'password=redhat' >> /root/smb-multiuser.txt
Edit /etc/fstab to mount the SMB share persistently:
//server0/smbshare /mnt/multiuser cifs credentials=/root/smb-multiuser.txt,multiuser,sec=ntlmssp 0 0
# mount -a
# su - brian
$ touch /mnt/multiuser/brian.txt
touch: cannot touch ‘/mnt/multiuser/brian.txt’: Permission denied
$ cifscreds add server0
Password: redhat
$ echo "multiuser" > /mnt/multiuser/brian.txt
$ cat /mnt/multiuser/brian.txt
multiuser
$ exit
# su - rob
$ cifscreds add server0
Password: redhat
$ echo "multiuser" > /mnt/multiuser/rob.txt
-bash: /mnt/multiuser/rob.txt: Permission denied
$ cat /mnt/multiuser/brian.txt
multiuser
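Added example (not from the course notes) covering the credentials files used in the persistent mount of section "Accessing CIFS Shares" and in the multiuser demo above: check_cifs_creds verifies that a credentials file exists, is readable only by its owner and carries a username and a password line (both the username=/password= and the user=/pass= spellings are accepted), and audit_cifs_fstab runs that check for every cifs entry in an fstab file and also flags a password= given inline in fstab, which is world-readable. The fstab and credential files it runs on are constructed in a temporary directory.

```bash
#!/bin/bash
# Added example, not from the course notes. Two checks for CIFS mounts:
#   check_cifs_creds FILE   - credentials file exists, mode rw-------, has user and password lines
#   audit_cifs_fstab FSTAB  - for every cifs entry: flag password= inline in fstab
#                             (fstab is world-readable) and check its credentials= file
# Both print one finding per line and return 1 if anything was flagged, 0 if clean.

check_cifs_creds() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "$f: credentials file does not exist"; return 1
    fi
    # columns 5-10 of "ls -l" are the group and other permission bits; all must be off
    mode=$(ls -ld "$f" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "$f: readable by group/other ($mode); fix with chmod 600"; return 1
    fi
    if ! grep -Eq '^(username|user)=' "$f" || ! grep -Eq '^(password|pass)=' "$f"; then
        echo "$f: missing username= or password= line"; return 1
    fi
    return 0
}

audit_cifs_fstab() {
    rc=0
    # redirect instead of a pipe so that rc set inside the loop survives it
    while read -r spec mnt fstype opts _rest; do
        case "$spec" in ''|\#*) continue ;; esac      # blank lines and comments
        [ "$fstype" = "cifs" ] || continue
        case ",$opts," in
            *,password=*)
                echo "$mnt: password= given inline in fstab, which is world-readable; move it to a credentials= file"
                rc=1 ;;
        esac
        creds=$(printf '%s' ",$opts," | sed -n 's/.*,credentials=\([^,]*\),.*/\1/p')
        if [ -n "$creds" ]; then
            check_cifs_creds "$creds" || rc=1
        fi
    done < "$1"
    return $rc
}

# --- constructed sample files (not real lab data) ------------------------------
SAMPLE_DIR=$(mktemp -d)
GOOD_CREDS="$SAMPLE_DIR/userpasswd"; BAD_CREDS="$SAMPLE_DIR/smb-multiuser.txt"
printf 'user=wxh\npass=westos\n' > "$GOOD_CREDS";           chmod 600 "$GOOD_CREDS"
printf 'username=brian\npassword=redhat\n' > "$BAD_CREDS";  chmod 644 "$BAD_CREDS"   # too open
SAMPLE_FSTAB="$SAMPLE_DIR/fstab"
cat > "$SAMPLE_FSTAB" <<EOF
# constructed /etc/fstab
//server0.example.com/smbshare /mnt/wxh       cifs credentials=$GOOD_CREDS 0 0
//server0/smbshare             /mnt/multiuser cifs credentials=$BAD_CREDS,multiuser,sec=ntlmssp 0 0
//server0.example.com/smbshare /mnt/inline    cifs username=wxh,password=westos 0 0
//server0.example.com/smbshare /mnt/missing   cifs credentials=$SAMPLE_DIR/nonexistent 0 0
EOF

# Expected: /mnt/wxh is clean; the multiuser file is flagged for its mode,
# /mnt/inline for the inline password, /mnt/missing for the absent file.
audit_cifs_fstab "$SAMPLE_FSTAB"
echo "exit status: $?"
```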

 

1) Example: installing the Samba service, adding users and logging in
[root@mail-hello ~]# yum search samba
Loaded plugins: langpacks
============================== N/S matched: samba ==============================
samba-client.x86_64 : Samba client programs
samba-common.x86_64 : Files used by both Samba servers and clients
samba-libs.i686 : Samba libraries
samba-libs.x86_64 : Samba libraries
samba-python.x86_64 : Samba Python libraries
samba-winbind.x86_64 : Samba winbind
samba-winbind-modules.i686 : Samba winbind modules
samba-winbind-modules.x86_64 : Samba winbind modules
samba.x86_64 : Server and Client software to interoperate with Windows machines

  Name and summary matches only, use "search all" for everything.
[root@mail-hello ~]# yum install samba-client.x86_64 samba-common.x86_64 samba.x86_64
[root@mail-hello ~]# systemctl stop firewalld
[root@mail-hello ~]# useradd westos
[root@mail-hello ~]# systemctl start smb ## start the Samba service
[root@mail-hello ~]# smbclient -L //172.25.254.141 ## list the Samba shares on 172.25.254.141
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]

Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (Samba Server Version 4.1.1)
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]

Server               Comment
---------            -------

Workgroup            Master
---------            -------
[root@mail-hello ~]# passwd westos
Changing password for user westos.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@mail-hello ~]# pdbedit -L  ## list all Samba users
[root@mail-hello ~]# smbpasswd -a student ## set the Samba password of user student to 123
New SMB password:
Retype new SMB password:
Added user student.
[root@mail-hello ~]# smbpasswd -a westos
New SMB password:
Retype new SMB password:
Added user westos.
[root@mail-hello ~]# pdbedit -L
student:1000: Student User
westos:1001:
[root@mail-hello ~]# smbpasswd -a user1
New SMB password:
Retype new SMB password:
Failed to add entry for user user1.  ## user1 has no UNIX account, so no Samba account can be added for it
[root@mail-hello ~]# smbclient -L //172.25.254.141 -U westos ## list the Samba shares on 172.25.254.141 as user westos
Enter westos's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]

Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (Samba Server Version 4.1.1)
westos          Disk      Home Directories   ## home directory of user westos
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]

Server               Comment
---------            -------

Workgroup            Master
---------            -------
[root@mail-hello ~]# ll /home/westos/
total 0
[root@mail-hello ~]# touch /home/westos/file2
[root@mail-hello ~]# smbclient  //172.25.254.141/westos -U westos
Enter westos's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*  ## denied until the samba_enable_home_dirs SELinux boolean is switched on below
smb: \> quit
[root@mail-hello ~]# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_sandbox_use_samba --> off
virt_use_samba --> off
[root@mail-hello ~]# setsebool -P samba_enable_home_dirs 1
[root@mail-hello ~]# smbclient  //172.25.254.141/westos -U westos
Enter westos's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
  .                                   D        0  Mon May  1 21:22:43 2017
  ..                                  D        0  Mon May  1 21:16:23 2017
  .bash_logout                        H       18  Wed Jan 29 07:45:18 2014
  .bash_profile                       H      193  Wed Jan 29 07:45:18 2014
  .bashrc                             H      231  Wed Jan 29 07:45:18 2014
  .mozilla                           DH        0  Thu Jul 10 18:29:32 2014
  .config                            DH        0  Thu Jul 10 19:06:52 2014
  file2                               N        0  Mon May  1 21:22:43 2017

40913 blocks of size 262144. 28490 blocks available
smb: \> quit

 

2)samba服务配置

eg:##########################共享一个目录test

[root@mail-hello ~]# mkdir /westos

[root@mail-hello ~]# vim /etc/samba/smb.conf

89         workgroup = WESTOS ## the company's domain name

90         server string = Samba Server Version %v ## the version number is visible

321         [TEST]

322         comment = westos directory

323         path = /westos

[root@mail-hello ~]# systemctl restart smb

[root@mail-hello ~]# smbclient -L //172.25.254.141

Enter root's password:

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Sharename       Type      Comment

---------       ----      -------

TEST            Disk      westos directory

IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Server               Comment

---------            -------

 

Workgroup            Master

---------            -------

[root@mail-hello ~]# smbclient  //172.25.254.141/TEST -U westos

Enter westos's password:

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

tree connect failed: NT_STATUS_ACCESS_DENIED

[root@mail-hello ~]# semanage fcontext -a -t samba_share_t '/westos(/.*)?'

[root@mail-hello ~]# restorecon -RvvF /westos

restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0

 

 32 # If you create a new directory, such as a new top-level directory, label it

 33 # with samba_share_t so that SELinux allows Samba to read and write to it. Do

 34 # not label system directories, such as /etc/ and /home/, with samba_share_t, as

 35 # such directories should already have an SELinux label.

 36 #

 37 # Run the "ls -ldZ /path/to/directory" command to view the current SELinux

 38 # label for a given directory.

 39 #

 40 # Set SELinux labels only on files and directories you have created. Use the

 41 # chcon command to temporarily change a label:

 42 # chcon -t samba_share_t /path/to/directory

 

eg: ################# Samba anonymous-user whitelist and blacklist

[root@mail-hello ~]# vim /etc/samba/smb.conf

 96         hosts allow = 127. 172.25.254. ## 127. is the local host, 172.25.254. the network segment; both may write

324 ;       writable = yes

325         write list = @student ## @ + student: the student user and users belonging to the student group may write

[root@mail-hello ~]# systemctl restart smb

[root@mail-hello ~]# mount //172.25.254.141/TEST /mnt/ -o username=westos,password=456 ## mount //172.25.254.141/TEST on /mnt/ as user westos

[root@mail-hello ~]# df

Filesystem            1K-blocks    Used Available Use% Mounted on

/dev/vda1              10473900 3180416   7293484  31% /

devtmpfs                 493408       0    493408   0% /dev

tmpfs                    508996      80    508916   1% /dev/shm

tmpfs                    508996   13360    495636   3% /run

tmpfs                    508996       0    508996   0% /sys/fs/cgroup

//172.25.254.141/TEST  10473900 3180416   7293484  31% /mnt

[root@mail-hello ~]# cd /mnt/

[root@mail-hello mnt]# ls -ld /westos/

drwxr-xr-x. 2 root root 21 May  1 22:02 /westos/ ## /westos/ is writable only by root

[root@mail-hello mnt]# touch file

touch: cannot touch ‘file’: Permission denied

[root@mail-hello mnt]# touch hello

touch: cannot touch ‘hello’: Permission denied

[root@mail-hello mnt]# cd

[root@mail-hello ~]# cd /mnt/

[root@mail-hello mnt]# touch hello

touch: cannot touch ‘hello’: Permission denied

[root@mail-hello mnt]# vim /etc/samba/smb.conf

[root@mail-hello mnt]# systemctl restart smb

[root@mail-hello mnt]# touch hello

touch: cannot touch ‘hello’: Permission denied

[root@mail-hello mnt]# chmod 777 /westos/

[root@mail-hello mnt]# touch hello

[root@mail-hello mnt]# ls

hello  westfile

[root@mail-hello mnt]# rm -fr westfile

[root@mail-hello mnt]# rm -fr hello

[root@mail-hello mnt]# vim /etc/samba/smb.conf

[root@mail-hello mnt]# systemctl restart smb

[root@mail-hello mnt]# touch file1

touch: cannot touch ‘file1’: Permission denied

[root@mail-hello mnt]# umount /mnt/

umount: /mnt: target is busy.

        (In some cases useful info about processes that use

         the device is found by lsof(8) or fuser(1))

[root@mail-hello mnt]# cd

[root@mail-hello ~]# umount /mnt/

[root@mail-hello ~]# mount //172.25.254.141/TEST /mnt/ -o username=student,password=123

[root@mail-hello ~]# touch file1

[root@mail-hello ~]# vim /etc/samba/smb.conf

[root@mail-hello ~]# systemctl restart smb

[root@mail-hello ~]# usermod -G student westos

[root@mail-hello ~]# df

Filesystem            1K-blocks    Used Available Use% Mounted on

/dev/vda1              10473900 3180484   7293416  31% /

devtmpfs                 493408       0    493408   0% /dev

tmpfs                    508996      80    508916   1% /dev/shm

tmpfs                    508996   13360    495636   3% /run

tmpfs                    508996       0    508996   0% /sys/fs/cgroup

//172.25.254.141/TEST  10473900 3180484   7293416  31% /mnt

[root@mail-hello ~]# umount /mnt/

[root@mail-hello ~]# id westos

uid=1001(westos) gid=1001(westos) groups=1001(westos),1000(student)

[root@mail-hello ~]# mount //172.25.254.141/TEST /mnt/ -o username=westos,password=456

[root@mail-hello ~]# cd

[root@mail-hello ~]# cd /mnt/

[root@mail-hello mnt]# touch haha

 

 

[root@mail-hello ~]# touch /westos/westfile

[root@mail-hello ~]# smbclient  //172.25.254.141/TEST -U westos

Enter westos's password:

Anonymous login successful

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

tree connect failed: NT_STATUS_ACCESS_DENIED

[root@mail-hello ~]# systemctl restart smb

[root@mail-hello ~]# smbclient  //172.25.254.141/TEST -U westos

Enter westos's password:

^C

[root@mail-hello ~]# smbclient  //172.25.254.141/TEST -U westos

Enter westos's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Mon May  1 22:02:17 2017

  ..                                  D        0  Mon May  1 21:56:31 2017

  westfile                            N        0  Mon May  1 22:02:17 2017

 

40913 blocks of size 262144. 28490 blocks available

smb: \> quit

 

 

 

eg:

[root@mail-hello ~]# vim /etc/samba/smb.conf

327        valid users = +student   ## valid users may log in

[root@mail-hello ~]# smbclient //172.25.254.141/TEST -U student

Enter student's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Mon May  1 23:18:50 2017

  ..                                  D        0  Mon May  1 21:56:31 2017

  file                                N        0  Mon May  1 23:18:50 2017

 

40913 blocks of size 262144. 28489 blocks available

smb: \> quit

[root@mail-hello ~]# smbclient //172.25.254.141/TEST -U westos

Enter westos's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Mon May  1 23:18:50 2017

  ..                                  D        0  Mon May  1 21:56:31 2017

  file                                N        0  Mon May  1 23:18:50 2017

 

40913 blocks of size 262144. 28489 blocks available

smb: \> quit

 

[root@mail-hello ~]# smbclient  -L //172.25.254.141/ -U westos

Enter westos's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Sharename       Type      Comment

---------       ----      -------

TEST            Disk      westos directory

IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

westos          Disk      Home Directories

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Server               Comment

---------            -------

 

Workgroup            Master

---------            -------

[root@mail-hello ~]# vim /etc/samba/smb.conf

328        browseable = no  ## hides [TEST]

 

[root@mail-hello ~]# systemctl restart smb.service

[root@mail-hello ~]# smbclient  -L //172.25.254.141/ -U westos

Enter westos's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Sharename       Type      Comment

---------       ----      -------

IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

westos          Disk      Home Directories

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Server               Comment

---------            -------

 

Workgroup            Master

---------            -------

 

[root@mail-hello ~]# ll -ld /westos/

drwxrwxrwx. 2 root root 17 May  1 23:18 /westos/

[root@mail-hello ~]# chmod 755 /westos/

[root@mail-hello ~]# ll -ld /westos/

drwxr-xr-x. 2 root root 17 May  1 23:18 /westos/

[root@mail-hello ~]# vim /etc/samba/smb.conf

329         admin users = westos  ## in [TEST], westos logs in as root

 

[root@mail-hello ~]# systemctl restart smb.service

[root@mail-hello ~]# smbclient //172.25.254.141/TEST -U westos

Enter westos's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Mon May  1 23:18:50 2017

  ..                                  D        0  Mon May  1 21:56:31 2017

  file                                N        0  Mon May  1 23:18:50 2017

 

40913 blocks of size 262144. 28489 blocks available

smb: \> !ls  ## !ls shows the current local directory

anaconda-ks.cfg  Documents  file1  Pictures  Templates

Desktop  Downloads  Music  Public    Videos

smb: \> put anaconda-ks.cfg

putting file anaconda-ks.cfg as \anaconda-ks.cfg (28.0 kb/s) (average 28.0 kb/s)

smb: \> quit

[root@mail-hello ~]# ll -ld /westos/

drwxr-xr-x. 2 root root 39 May  1 23:28 /westos/

[root@mail-hello ~]# ll -l /westos/

total 12

-rwxr--r--. 1 root   westos 8619 May  1 23:28 anaconda-ks.cfg

-rw-r--r--. 1 westos westos    0 May  1 23:18 file

[root@mail-hello ~]# vim /etc/samba/smb.conf

123         map to guest = bad user

 

        [TEST]

323         comment = westos directory

324         path = /westos

325 ;       writable = yes

326         write list = @student

327 ;       valid users = +student

328 ;       browseable = no

329         admin users = westos  ## superuser

330         guest ok = yes  ## guest (virtual user) login

 

[root@mail-hello ~]# systemctl restart smb.service

[root@mail-hello ~]# smbclient //172.25.254.141/TEST

Enter root's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

tree connect failed: NT_STATUS_ACCESS_DENIED

[root@mail-hello ~]# vim /etc/samba/smb.conf

[root@mail-hello ~]# systemctl restart smb.service

[root@mail-hello ~]# smbclient //172.25.254.141/TEST

Enter root's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Mon May  1 23:28:42 2017

  ..                                  D        0  Mon May  1 21:56:31 2017

  file                                N        0  Mon May  1 23:18:50 2017

  anaconda-ks.cfg                     A     8619  Mon May  1 23:28:43 2017

 

40913 blocks of size 262144. 28489 blocks available

smb: \> quit

 

 

eg:

[root@mail-hello ~]# vim /etc/samba/smb.conf

322         [TEST]

323         comment = westos directory

324         path = /westos

325         writable = yes

[root@mail-hello ~]# systemctl restart smb.service

[root@mail-hello ~]# smbclient //172.25.254.141/TEST

Enter root's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

smb: \> ls

  .                                   D        0  Mon May  1 23:28:42 2017

  ..                                  D        0  Mon May  1 21:56:31 2017

  file                                N        0  Mon May  1 23:18:50 2017

  anaconda-ks.cfg                     A     8619  Mon May  1 23:28:43 2017

 

40913 blocks of size 262144. 28489 blocks available

smb: \> quit

[root@mail-hello ~]# systemctl restart smb.service

[root@mail-hello ~]# chmod 777 /westos/

 

On another virtual machine

[root@mail-eastos ~]# mkdir /westos

[root@mail-eastos ~]# mount //172.25.254.141/TEST /westos -o username=westos,password=456

[root@mail-eastos ~]# yum install samba-client.x86_64 -y

[root@mail-eastos ~]# smbclient -L //172.25.254.141 -U westos

Enter westos's password:

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Sharename       Type      Comment

---------       ----      -------

TEST            Disk      westos directory

IPC$            IPC       IPC Service (Samba Server Version 4.1.1)

westos          Disk      Home Directories

Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]

 

Server               Comment

---------            -------

 

Workgroup            Master

---------            -------

[root@mail-eastos ~]# df

文件系统                 1K-块    已用    可用 已用% 挂载点

/dev/vda1             10473900 3368828 7105072   33% /

devtmpfs                493408       0  493408    0% /dev

tmpfs                   508996      80  508916    1% /dev/shm

tmpfs                   508996   13348  495648    3% /run

tmpfs                   508996       0  508996    0% /sys/fs/cgroup

//172.25.254.141/TEST 10473900 3180488 7293412   31% /westos

[root@mail-eastos ~]# useradd hello

[root@mail-eastos ~]# su - hello

[hello@mail-eastos ~]$ cd /westos/

[hello@mail-eastos westos]$ ls

anaconda-ks.cfg  file

[hello@mail-eastos westos]$ rm anaconda-ks.cfg

rm: remove write-protected regular file ‘anaconda-ks.cfg’? y

[hello@mail-eastos westos]$ touch hello

touch: cannot touch ‘hello’: Permission denied

[hello@mail-eastos westos]$ yum install cifs-utils -y

 

[root@mail-eastos ~]# vim /root/smbpass

 1 username=westos

  2 password=456

[root@mail-eastos ~]# mount //172.25.254.141/TEST /westos -o credentials=/root/smbpass,multiuser,sec=ntlmssp

[root@mail-eastos ~]# ll /root/smbpass

-rw-r--r--. 1 root root 29 May  2 00:03 /root/smbpass

[root@mail-eastos ~]# su - hello

上一次登录:Tue May  2 00:01:04 EDT 2017pts/0 上

[hello@mail-eastos ~]$ cd /westos

[hello@mail-eastos westos]$ ls

ls: reading directory .: Permission denied

[hello@mail-eastos westos]$ logout

[root@mail-eastos ~]# su - westos

su: user westos does not exist

[root@mail-eastos ~]# useradd westos

[root@mail-eastos ~]# su - westos

[westos@mail-eastos ~]$ cd /westos

[westos@mail-eastos westos]$ ls

ls: reading directory .: Permission denied

[westos@mail-eastos westos]$ logout

[root@mail-eastos ~]# su - westos

上一次登录:Tue May  2 00:12:15 EDT 2017pts/0 上

[westos@mail-eastos ~]$ cifscreds add 172.25.254.141

Password:

[westos@mail-eastos ~]$ cd /westos/

[westos@mail-eastos westos]$ ls

file  hello

[westos@mail-eastos westos]$ rm -fr hello

[westos@mail-eastos westos]$ logout

[root@mail-eastos ~]# su - hello

上一次登录:Tue May  2 00:10:50 EDT 2017pts/0 上

[hello@mail-eastos ~]$ cifscreds add 172.25.254.141

Password:

[hello@mail-eastos ~]$ cd /westos

[hello@mail-eastos westos]$ ls

ls: reading directory .: Permission denied
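Added example, not from the original post, serving both the [TEST] share configuration above and the credentials-file mount just shown: a small POSIX shell audit that reads a constructed smb.conf fragment, reports the risky settings the post demonstrates (guest ok, admin users, writable without valid users) and checks that the credentials file is readable by its owner only. $WORK, the smb.conf fragment and the smbpass file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit one share section of smb.conf
# for the access-control directives used above, then check the CIFS credentials
# file mode. $WORK and the files under it are constructed for this demo.
WORK=$(mktemp -d)
# Constructed smb.conf fragment mirroring the post's final [TEST] section.
cat > "$WORK/smb.conf" <<'EOF'
[global]
        workgroup = WESTOS
        map to guest = bad user
[TEST]
        comment = westos directory
        path = /westos
;       writable = yes
        write list = @student
;       valid users = +student
        admin users = westos
        guest ok = yes
EOF
# share_value FILE SECTION KEY: effective value of KEY inside [SECTION];
# lines commented out with ';' or '#' (as the post does) are ignored.
share_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/   { insec = ($1 == sec); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) print v
        }' "$1"
}
# audit_share FILE SECTION: one line per risky setting the post demonstrates
# (anonymous access, root-equivalent users, writes open to every user).
audit_share() {
    [ "$(share_value "$1" "$2" 'guest ok')" = yes ] &&
        echo "guest ok = yes: unauthenticated clients can connect to [$2]"
    [ -n "$(share_value "$1" "$2" 'admin users')" ] &&
        echo "admin users set: files written through [$2] are created as root"
    [ "$(share_value "$1" "$2" writable)" = yes ] &&
        [ -z "$(share_value "$1" "$2" 'valid users')" ] &&
        echo "writable = yes without valid users: any connecting user can write"
    return 0
}
# cred_mode_ok FILE: credentials must be owner-readable only (the post's /root/smbpass was 644).
cred_mode_ok() { [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]; }
printf 'username=westos\npassword=456\n' > "$WORK/smbpass"; chmod 644 "$WORK/smbpass"
audit_share "$WORK/smb.conf" TEST
cred_mode_ok "$WORK/smbpass" || echo "$WORK/smbpass is readable by others; use chmod 600"
```

With the constructed fragment the audit prints two findings (guest ok and admin users) and flags the 644 credentials file; uncommenting `writable = yes` without a `valid users` line adds a third.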

 

posted @ 2017-05-06 18:32  yangying