3unit5&6&7
Red Hat System Administration III
############# Unit 5: iSCSI Remote Block Storage
I. iSCSI Concepts
iSCSI (Internet SCSI) lets a client (the initiator) send SCSI commands over IP to SCSI storage devices (targets) on a remote server. iSCSI qualified names identify initiators and targets and have the form
iqn.yyyy-mm.{reverse domain}:label
By default, network traffic to port 3260/tcp on the iSCSI target is cleartext.
**iSCSI initiator: the client that needs access to raw SAN storage.
**iSCSI target: the remote disk offered by an iSCSI server, reached through a "target portal".
**iSCSI target portal: the server that offers targets to initiators over the network.
**IQN: "iSCSI Qualified Name". Every initiator and target needs a unique name to identify it;
best practice is to use a name that is likely to be unique across the Internet.
II. iSCSI Target Configuration
Install the iSCSI target package:
# yum install -y targetcli
Start the service:
# systemctl enable target; systemctl start target
Enter the interactive iSCSI target configuration shell:
# targetcli
Demo
/> ls
o- / ..................................................................... [...]
o- backstores .......................................................... [...]
| o- block .............................................. [Storage Objects: 0]
| o- fileio ............................................. [Storage Objects: 0]
| o- pscsi .............................................. [Storage Objects: 0]
| o- ramdisk ............................................ [Storage Objects: 0]
o- iscsi ........................................................ [Targets: 0]
o- loopback ..................................................... [Targets: 0]
/> /backstores/block create server0.disk1 /dev/iSCSI_vg/disk1_lv
Created block storage object server0.disk1 using /dev/iSCSI_vg/disk1_lv.
/> /iscsi create iqn.2014-12.com.example:server0
Created target iqn.2014-12.com.example:server0.
Created TPG 1.
/> /iscsi/iqn.2014-12.com.example:server0/tpg1/acls create iqn.2014-12.com.example:desktop0
Created Node ACL for iqn.2014-12.com.example:desktop0
/> /iscsi/iqn.2014-12.com.example:server0/tpg1/luns create /backstores/block/server0.disk1
Created LUN 0.
Created LUN 0->0 mapping in node ACL iqn.2014-12.com.example:desktop0
/> /iscsi/iqn.2014-12.com.example:server0/tpg1/portals create 172.25.0.11
Using default IP port 3260
Created network portal 172.25.0.11:3260.
/> exit
III. Accessing iSCSI Storage
Install the iSCSI initiator package:
# yum install -y iscsi-initiator-utils
Set the initiator's IQN in /etc/iscsi/initiatorname.iscsi:
InitiatorName=iqn.2014-12.com.example:desktop0
Discover the iSCSI targets offered by the iSCSI server (target portal):
# iscsiadm -m discovery -t st -p 172.25.0.11
Log in to one or more iSCSI targets on the server:
# iscsiadm -m node -T iqn.2014-12.com.example:server0 -p 172.25.0.11 -l
At this point the iSCSI disk can be used as if it were a locally attached hard drive. An existing file system can be mounted. If the disk is unformatted, it can be partitioned with fdisk and the partitions formatted with a file system or used as LVM physical volumes.
IV. Mounting the File System Persistently in /etc/fstab
1. Use blkid to determine the file system UUID and mount by UUID rather than by /dev/sd* device name. (The device name can differ at every boot, depending on the order in which the iSCSI devices respond over the network; mounting by device name can therefore pick the wrong device.)
2. Use _netdev as a mount option in /etc/fstab. (This ensures that the client does not try to mount the file system until networking is up; otherwise the system errors at boot.)
3. Make sure the iscsi service starts at boot.
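As an added example (not part of the course notes), the following shell script checks the two rules from this unit, the IQN naming format and the fstab requirements above, against constructed sample data. The IQN pattern assumes the naming-authority part consists of at least two lowercase DNS labels.

```shell
#!/bin/sh
# Added example for this unit (not from the course notes): checks that the
# iSCSI naming and /etc/fstab rules are followed. All sample data is constructed.

# valid_iqn NAME -> exit 0 if NAME has the form iqn.yyyy-mm.<reverse-domain>[:label]
# (assumption: the naming-authority part has at least two lowercase DNS labels)
valid_iqn() {
    printf '%s\n' "$1" | grep -Eq \
        '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9-]+(\.[a-z0-9-]+)+(:[^[:space:]]+)?$'
}

# fstab_issues DEVICE OPTIONS -> prints the problems with one fstab entry,
# space separated; prints an empty line when the entry follows the rules.
fstab_issues() {
    issues=""
    case "$1" in
        /dev/sd*) issues="$issues DEVNAME" ;;   # sdX order changes between boots
    esac
    case ",$2," in
        *,_netdev,*) ;;                         # mounted only once the network is up
        *) issues="$issues NO_NETDEV" ;;
    esac
    printf '%s\n' "${issues# }"
}

# audit_fstab reads fstab lines on stdin (the lines that belong to iSCSI disks),
# reports each entry that needs attention and returns the number of such entries.
audit_fstab() {
    count=0
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac     # skip blank and comment lines
        found=$(fstab_issues "$dev" "$opts")
        [ -n "$found" ] || continue
        printf '%s on %s: %s\n' "$dev" "$mnt" "$found"
        count=$((count + 1))
    done
    return "$count"
}

# Constructed sample: the first line follows the rules, the other two do not.
SAMPLE_FSTAB='UUID=0f3b7c2e-1a2b-4c3d-8e9f-0123456789ab /mnt/iscsi xfs defaults,_netdev 0 0
/dev/sda1 /mnt xfs defaults,_netdev 0 0
UUID=9a8b7c6d-5e4f-4a3b-9c8d-7e6f5a4b3c2d /data xfs defaults 0 0'

printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab || echo "$? entries need attention"
```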
V. Stopping Use of an iSCSI Target
Make sure none of the devices offered by the target are in use.
Make sure all persistent mounts that use the target are removed from /etc/fstab and similar places.
Log out of the iSCSI target to disconnect temporarily:
# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.demo -p 192.168.0.254 -u
Delete the local record of the iSCSI target to disconnect permanently:
# iscsiadm -m node -T iqn.2010-09.com.example:rdisks.demo -p 192.168.0.254 -o delete
Linux shared device
Example: interactive iSCSI target configuration
Server side
[root@server41 mnt]# fdisk -l ## list the devices
[root@server41 mnt]# fdisk /dev/vdb
设备 Boot Start End Blocks Id System
/dev/vdb1 2048 1026047 512000 83 Linux
[root@server41 mnt]# partprobe
[root@server41 mnt]# yum install -y targetcli
[root@server41 mnt]# systemctl start target
[root@server41 mnt]# systemctl enable target
ln -s '/usr/lib/systemd/system/target.service' '/etc/systemd/system/multi-user.target.wants/target.service'
[root@server41 mnt]# targetcli
Warning: Could not load preferences file /root/.targetcli/prefs.bin.
targetcli shell version 2.1.fb34
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.
/> ls
o- / ..................................................................... [...]
o- backstores .......................................................... [...]
| o- block .............................................. [Storage Objects: 0]
| o- fileio ............................................. [Storage Objects: 0]
| o- pscsi .............................................. [Storage Objects: 0]
| o- ramdisk ............................................ [Storage Objects: 0]
o- iscsi ........................................................ [Targets: 0]
o- loopback ..................................................... [Targets: 0]
/> /backstores/block create westos:storage1 /dev/vdb1 ## give the /dev/vdb1 device the backstore name westos:storage1
Created block storage object westos:storage1 using /dev/vdb1.
/> /iscsi create iqn.2017-05.com.example:star1 ## create the target (the "lock"); iqn.2017-05.com.example:star1 is the target name, domain written in reverse
Created target iqn.2017-05.com.example:star1.
Created TPG 1.
/> /iscsi/iqn.2017-05.com.example:star1/tpg1/acls create iqn.2017-05.com.example:key1 ## ACL (the "key"): only the initiator named iqn.2017-05.com.example:key1 may log in; domain written in reverse
Created Node ACL for iqn.2017-05.com.example:key1
/> /iscsi/iqn.2017-05.com.example:star1/tpg1/luns create /backstores/block/westos:storage1 ## map the target (LUN 0) to the /dev/vdb1 backstore
Created LUN 0.
Created LUN 0->0 mapping in node ACL iqn.2017-05.com.example:key1
/> /iscsi/iqn.2017-05.com.example:star1/tpg1/portals create 172.25.41.11 ## bind the target to the server's address (portal)
Client side
[root@desktop41 ~]# yum search iscsi
[root@desktop41 ~]# yum install iscsi-initiator-utils.x86_64 -y
[root@desktop41 ~]# vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2017-05.com.example:key1 ## iqn.2017-05.com.example:key1 is the newly created initiator name (the "key")
[root@desktop41 ~]# systemctl restart iscsi
[root@desktop41 ~]# iscsiadm -m discovery -t st -p 172.25.41.11 ## discover the target name
172.25.41.11:3260,1 iqn.2017-05.com.example:star1
[root@desktop41 ~]# iscsiadm -m node -T iqn.2017-05.com.example:star1 -p 172.25.41.11 -l ## -l logs in
Logging in to [iface: default, target: iqn.2017-05.com.example:star1, portal: 172.25.41.11,3260] (multiple)
Login to [iface: default, target: iqn.2017-05.com.example:star1, portal: 172.25.41.11,3260] successful.
[root@desktop41 ~]# fdisk -l
Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00013f3e
Device Boot Start End Blocks Id System
/dev/vda1 * 2048 20970332 10484142+ 83 Linux
Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/sda: 524 MB, 524288000 bytes, 1024000 sectors ## /dev/sda is the newly presented device, /dev/vdb1 on the server
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes
[root@desktop41 ~]# fdisk /dev/sda
Welcome to fdisk (util-linux 2.23.2).
Command (m for help): n
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p):
Using default response p
Partition number (1-4, default 1):
First sector (8192-1023999, default 8192):
Using default value 8192
Last sector, +sectors or +size{K,M,G} (8192-1023999, default 1023999): +200M ## partition /dev/sda
Partition 1 of type Linux and of size 200 MiB is set
Command (m for help): wq
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
[root@desktop41 ~]# mkfs.xfs /dev/sda1
meta-data=/dev/sda1 isize=256 agcount=8, agsize=6400 blks
= sectsz=512 attr=2, projid32bit=1
= crc=0
data = bsize=4096 blocks=51200, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=0
log =internal log bsize=4096 blocks=853, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
[root@desktop41 ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3174596 7299304 31% /
devtmpfs 493408 0 493408 0% /dev
tmpfs 508996 80 508916 1% /dev/shm
tmpfs 508996 13376 495620 3% /run
tmpfs 508996 0 508996 0% /sys/fs/cgroup
172.25.41.11:/westos 10473984 3179776 7294208 31% /mnt
[root@desktop41 ~]# umount /mnt/
[root@desktop41 ~]# mount /dev/sda1 /mnt
[root@desktop41 ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3174596 7299304 31% /
devtmpfs 493408 0 493408 0% /dev
tmpfs 508996 80 508916 1% /dev/shm
tmpfs 508996 13372 495624 3% /run
tmpfs 508996 0 508996 0% /sys/fs/cgroup
/dev/sda1 201388 10528 190860 6% /mnt
[root@desktop41 ~]# vim /etc/fstab ## mount the file system persistently in /etc/fstab
/dev/sda1 /mnt xfs defaults,_netdev 0 0
(2) Example: ############# Removing the device
Client side
[root@desktop41 ~]# iscsiadm -m discovery -t st -p 172.25.41.11 ## look up the target name
172.25.41.11:3260,1 iqn.2017-05.com.example:star1
[root@desktop41 ~]# iscsiadm -m node -T iqn.2017-05.com.example:star1 -p 172.25.41.11 -u ## -u logs out: log out of the iSCSI target to disconnect temporarily (make sure none of the target's devices are in use and that every persistent mount using the target has been removed from /etc/fstab and similar places)
Logging out of session [sid: 1, target: iqn.2017-05.com.example:star1, portal: 172.25.41.11,3260]
Logout of [sid: 1, target: iqn.2017-05.com.example:star1, portal: 172.25.41.11,3260] successful.
[root@desktop41 ~]# fdisk -l
Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00013f3e
Device Boot Start End Blocks Id System
/dev/vda1 * 2048 20970332 10484142+ 83 Linux
Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xe5d8abfb
Device Boot Start End Blocks Id System
[root@desktop41 ~]# systemctl restart iscsi.service
[root@desktop41 ~]# fdisk -l
Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00013f3e
Device Boot Start End Blocks Id System
/dev/vda1 * 2048 20970332 10484142+ 83 Linux
Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xe5d8abfb
Device Boot Start End Blocks Id System
Disk /dev/sda: 524 MB, 524288000 bytes, 1024000 sectors ## after restarting iscsi.service, /dev/sda appears again
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 4194304 bytes
Disk label type: dos
Disk identifier: 0x1079f708
Device Boot Start End Blocks Id System
/dev/sda1 8192 417791 204800 83 Linux
[root@desktop41 ~]# iscsiadm -m node -T iqn.2017-05.com.example:star1 -p 172.25.41.11 -o delete ## delete the local record of the iSCSI target to disconnect permanently
[root@desktop41 ~]# systemctl restart iscsi.service
[root@desktop41 ~]# fdisk -l
Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00013f3e
Device Boot Start End Blocks Id System
/dev/vda1 * 2048 20970332 10484142+ 83 Linux
Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xe5d8abfb
Device Boot Start End Blocks Id System
Server side
[root@server41 mnt]# targetcli
targetcli shell version 2.1.fb34
Copyright 2011-2013 by Datera, Inc and others.
For help on commands, type 'help'.
/> clearconfig confirm=True ## remove the configuration on the server side
All configuration cleared
############################## Unit 6: NFS File Storage
I. NFS Concepts
The Network File System (NFS) is the network file system commonly used by Unix systems and network-attached storage appliances; it lets multiple clients share access to files over the network. It can be used to provide access to shared binary directories and to let users in the same workgroup reach their files from different clients. The NFS protocol has several versions: Linux supports versions 4, 3 and 2, and most system administrators are familiar with NFSv3. By default the protocol is not secure, but newer versions (such as NFSv4) support stronger authentication and can even encrypt traffic through Kerberos.
II. NFS Server Configuration
To configure a basic NFS server, install the nfs-utils package. Then edit /etc/exports to list the file systems you want to share over the network with client systems, and specify which clients get which kind of access to each export. For example:
/var/ftp/pub 192.168.0.0/24(ro,sync)
exports the directory /var/ftp/pub to all hosts on the 192.168.0.0/24 network (read-only access to the directory).
/export/homes *.example.com(rw,sync)
exports the directory /export/homes to all hosts in example.com (read-write access to the directory).
While the NFS server is running, apply every edit of /etc/exports by running exportfs -r after saving the change. exportfs -v shows all exports.
NFSv4 also exports a pseudo-root (the root of all exported file systems). If a client mounts nfs-server:/, all exported file systems are mounted relative to their location below / on the NFS server. This is useful for browsing all file systems exported by the server from the client; file systems can still be mounted individually.
By default the NFS server treats root on an NFS client as the user nfsnobody: if root tries to access files in a mounted export, the server treats the access as coming from nfsnobody. This protection gets in the way when an NFS export is used as / by a diskless client and root must be treated as root. To disable it, add no_root_squash to the option list of the export in /etc/exports on the server:
/exports/root 192.168.0.1(rw,no_root_squash)
For NFSv4, port 2049/TCP (for nfsd) must be open on the server. NFSv3 and earlier need additional ports open for rpcbind, rpc.mountd, lockd and rpc.rquotad, complicated further by the fact that many of these services start on "randomly" chosen ports. NFSv2 and NFSv3 also support UDP transport, which requires the corresponding ports to be open as well. This course focuses on NFSv4.
III. Demo
1. Start the NFS service:
# systemctl start nfs-server ; systemctl enable nfs-server
2. Create the shared directory and set its owner:
# mkdir /nfsshare ; chown nfsnobody /nfsshare
3. Edit /etc/exports. For example:
/nfsshare/read 172.25.0.0/24(ro,sync)
/nfsshare/write 172.25.0.0/24(rw,sync) 127.0.0.1(rw,sync)
4. From the client, list the exports and mount the NFS pseudo-root share:
[root@desktop0 ~]# showmount -e server0
[root@desktop0 ~]# mkdir /mnt/nfsshare
[root@desktop0 ~]# mount -t nfs server0.example.com:/ /mnt/nfsshare
IV. Mounting an NFS File System Persistently
Add the corresponding line to /etc/fstab:
nfsserver:/nfsshare /mnt/nfsshare nfs defaults 0 0
Client-side NFS mount options
rw: mount the file system read-write
ro: mount the file system read-only
vers=4: attempt the mount only with the given NFS version; if the server does not support it, the mount request fails
soft: if an NFS request times out, return an error after three retries. This trades data integrity for better client responsiveness (the default, hard, retries indefinitely).
V. Securing NFS Exports
Demo:
Run the script on serverX and desktopX to join the Kerberos authentication realm:
# lab nfskrb5 setup
Install the keytab needed by the Kerberos service (the following steps are performed on server0):
# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab
Enable NFS version 4.2, which can also export SELinux labels, by editing the following option in /etc/sysconfig/nfs:
RPCNFSDARGS="-V 4.2"
Start the nfs-secure-server service:
# systemctl start nfs-secure-server; systemctl enable nfs-secure-server
Configure the NFS export:
# mkdir /securenfs
# echo '/securenfs desktop0(sec=krb5p,rw)' >> /etc/exports
# exportfs -r
VI. Install the keytab needed by the Kerberos service (the following steps are performed on desktop0):
# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab
Start the nfs-secure service:
# systemctl start nfs-secure; systemctl enable nfs-secure
Configure the client mount:
# mkdir /mnt/secureshare
# echo 'server0:/securenfs /mnt/secureshare nfs defaults,v4.2,sec=krb5p 0 0' >>/etc/fstab
# mount -a
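Added example, not from the course notes: a shell script that flags the /etc/exports settings discussed in this unit, no_root_squash (section II) and exports that accept every host or a security flavor weaker than krb5p (section V). The paths, hosts and sample lines are constructed.

```shell
#!/bin/sh
# Added example for this unit (not from the course notes): reports risky
# settings in /etc/exports entries. All sample data is constructed.
set -f   # no filename globbing: a '*' client spec must stay literal

# spec_risks CLIENTSPEC -> prints risk tags for one "client(options)" token,
# space separated; prints an empty line when nothing is flagged.
spec_risks() {
    spec=$1
    case "$spec" in
        *"("*) client=${spec%%"("*}; opts=${spec#*"("}; opts=${opts%")"} ;;
        *)     client=$spec; opts="" ;;
    esac
    flavors=sys; root_squash=yes          # exportfs defaults
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case "$o" in
            no_root_squash) root_squash=no ;;
            sec=*)          flavors=${o#sec=} ;;   # colon-separated list, e.g. krb5p:krb5i
        esac
    done
    IFS=$old_ifs
    tags=""
    case "$client" in
        ''|'*') tags="$tags ANY_HOST" ;;  # '' is a bare "(opts)" token after a space:
    esac                                  # the options then apply to every host
    [ "$root_squash" = yes ] || tags="$tags ROOT_NOT_SQUASHED"
    case ":$flavors:" in                  # the weakest accepted flavor decides
        *:sys:*|*:none:*)    tags="$tags AUTH_SYS" ;;   # server trusts the client's UID
        *:krb5:*|*:krb5i:*)  tags="$tags NO_PRIVACY" ;; # authenticated, data not encrypted
    esac
    printf '%s\n' "${tags# }"
}

# audit_exports reads /etc/exports lines on stdin, prints one report line per
# flagged client spec and returns the number of flagged specs.
audit_exports() {
    count=0
    while read -r path specs; do
        case "$path" in ''|'#'*) continue ;; esac
        for spec in $specs; do
            tags=$(spec_risks "$spec")
            [ -n "$tags" ] || continue
            client=${spec%%"("*}
            printf '%s %s: %s\n' "$path" "${client:-<every host>}" "$tags"
            count=$((count + 1))
        done
    done
    return "$count"
}

# Constructed sample: only the first line passes without a finding.
SAMPLE_EXPORTS='/securenfs desktop0(sec=krb5p,rw)
/exports/root 192.168.0.1(rw,no_root_squash)
/westos *(sec=krb5p,rw)
/srv/pub 192.168.0.0/24 (ro,sync)'

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports || echo "$? client specs need attention"
```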
Example: NFS server configuration
[root@mail-hello ~]# yum install nfs-utils -y
Loaded plugins: langpacks
Package 1:nfs-utils-1.3.0-0.el7.x86_64 already installed and latest version
Nothing to do
[root@mail-hello ~]# systemctl restart nfs
[root@mail-hello ~]# systemctl start firewalld
[root@mail-hello ~]# firewall-cmd --permanent --add-service=nfs
success
[root@mail-hello ~]# firewall-cmd --permanent --add-service=mountd
success
[root@mail-hello ~]# firewall-cmd --permanent --add-service=rpc-bind ## rpc-bind: its ports are assigned randomly
success
[root@mail-hello ~]# firewall-cmd --reload
success
[root@mail-hello ~]# vim /etc/exports
/westos 172.25.254.0/24(ro)
[root@mail-hello ~]# vim /etc/exports
[root@mail-hello ~]# exportfs -rv ## re-export with the new settings
exporting 172.25.254.0/24:/westos
[root@mail-hello ~]# vim /etc/exports
/westos 172.25.254.0/24(rw)
[root@mail-hello ~]# exportfs -rv
exporting 172.25.254.0/24:/westos
[root@mail-hello ~]# vim /etc/exports
/westos 172.25.254.0/24(rw,no_root_squash)
[root@mail-hello ~]# exportfs -rv
exporting 172.25.254.0/24:/westos
[root@mail-eastos westos]# showmount -e 172.25.254.141
clnt_create: RPC: Program not registered
[root@mail-eastos westos]# showmount -e 172.25.254.141 ##install nfs-utils -y
Export list for 172.25.254.141:
[root@mail-eastos westos]# mount 172.25.254.141:/westos /mnt/
[root@mail-eastos westos]# cd /mnt/
[root@mail-eastos mnt]# ls
file
[root@mail-eastos mnt]# touch pp
touch: cannot touch ‘pp’: Read-only file system ##vim /etc/exports (ro)
[root@mail-eastos mnt]# touch pp ##rw
[root@mail-eastos mnt]# ll
total 0
-rw-r--r--. 1 le le 0 May 1 23:18 file
-rw-r--r--. 1 nfsnobody nfsnobody 0 May 2 01:43 pp
[root@mail-eastos mnt]# touch file3 ##no_root_squash
[root@mail-eastos mnt]# ll
total 0
-rw-r--r--. 1 le le 0 May 1 23:18 file
-rw-r--r--. 1 root root 0 May 2 01:44 file3
-rw-r--r--. 1 nfsnobody nfsnobody 0 May 2 01:43 pp
Example: securing an NFS export by joining the Kerberos realm
[root@server41 ~]# cd /mnt/
[root@server41 mnt]# vim auth-config.sh ## script that sets up LDAP/Kerberos authentication for the ldapuser accounts
#!/bin/bash
echo install packages...
yum install sssd krb5-workstation -y &> /dev/null
echo configure...
authconfig \
--enableldap \
--enablekrb5 \
--disableldapauth \
--enableldaptls \
--ldaploadcacert="http://172.25.254.254/pub/example-ca.crt" \
--ldapserver="classroom.example.com" \
--ldapbasedn="dc=example,dc=com" \
--krb5realm="EXAMPLE.COM" \
--krb5adminserver="classroom.example.com" \
--krb5kdc="classroom.example.com" \
--update && echo success !!
[root@server41 mnt]# sh auth-config.sh
install packages...
configure...
success !!
[root@server41 mnt]# id ldapuser1
uid=1701(ldapuser1) gid=1701(ldapuser1) 组=1701(ldapuser1)
[root@server41 mnt]# getent passwd ldapuser1
ldapuser1:*:1701:1701:LDAP Test User 1:/home/guests/ldapuser1:/bin/bash
[root@server41 mnt]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server41.keytab ## download the Kerberos keytab
--2017-05-02 03:07:08-- http://classroom.example.com/pub/keytabs/server41.keytab
正在解析主机 classroom.example.com (classroom.example.com)... 172.25.254.254
正在连接 classroom.example.com (classroom.example.com)|172.25.254.254|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:1258 (1.2K)
正在保存至: “/etc/krb5.keytab”
100%[======================================>] 1,258 --.-K/s 用时 0s
2017-05-02 03:07:08 (194 MB/s) - 已保存 “/etc/krb5.keytab” [1258/1258])
[root@server41 mnt]# vim /etc/sysconfig/nfs
RPCNFSDARGS="-V 4.2" ## version 4.2; with version 3 the security checks would be bypassed
[root@server41 mnt]# systemctl status nfs-secure-server
nfs-secure-server.service - Secure NFS Server
Loaded: loaded (/usr/lib/systemd/system/nfs-secure-server.service; disabled)
Active: inactive (dead)
[root@server41 mnt]# systemctl start nfs-secure-server
[root@server41 mnt]# systemctl enable nfs-secure-server
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
[root@server41 mnt]# mkdir /westos
[root@server41 mnt]# vim /etc/exports
/westos 172.25.41.0/24(rw,sec=krb5p) ## shared file system, allowed network (read-write, security flavor krb5p)
[root@server41 mnt]# exportfs -rv
exporting 172.25.41.0/24:/westos
[root@server41 mnt]# systemctl stop firewalld.service
Client side
[root@desktop41 ~]# cd /mnt/
[root@desktop41 mnt]# vim auth-config.sh
[root@desktop41 mnt]# sh auth-config.sh
[root@desktop41 mnt]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop41.keytab ## download the Kerberos keytab
[root@desktop41 mnt]# systemctl start nfs-secure
[root@desktop41 mnt]# systemctl enable nfs-secure
ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'
[root@desktop41 mnt]# vim /etc/exports
/westos *(sec=krb5p,rw)
[root@desktop41 mnt]# exportfs -rv
exporting *:/westos
exportfs: Failed to stat /westos: No such file or directory
[root@desktop41 mnt]# mkdir /westos
[root@desktop41 mnt]# exportfs -rv
exporting *:/westos
[root@desktop41 ~]# systemctl stop firewalld.service
[root@desktop41 ~]# systemctl status nfs-secure.service
nfs-secure.service - Secure NFS
Loaded: loaded (/usr/lib/systemd/system/nfs-secure.service; enabled)
Active: active (running) since Tue 2017-05-02 03:21:20 EDT; 13min ago
Process: 2484 ExecStart=/usr/sbin/rpc.gssd $RPCGSSDARGS (code=exited, status=0/SUCCESS)
Main PID: 2485 (rpc.gssd)
CGroup: /system.slice/nfs-secure.service
└─2485 /usr/sbin/rpc.gssd
May 02 03:24:12 desktop41.example.com rpc.gssd[2485]: ERROR: unable to resolv... ## name resolution is failing
May 02 03:24:12 desktop41.example.com rpc.gssd[2485]: ERROR: failed to read s...
May 02 03:24:16 desktop41.example.com rpc.gssd[2485]: ERROR: unable to resolv...
May 02 03:24:16 desktop41.example.com rpc.gssd[2485]: ERROR: failed to read s...
May 02 03:24:24 desktop41.example.com rpc.gssd[2485]: ERROR: unable to resolv...
May 02 03:24:24 desktop41.example.com rpc.gssd[2485]: ERROR: failed to read s...
May 02 03:24:34 desktop41.example.com rpc.gssd[2485]: ERROR: unable to resolv...
May 02 03:24:34 desktop41.example.com rpc.gssd[2485]: ERROR: failed to read s...
May 02 03:24:46 desktop41.example.com rpc.gssd[2485]: ERROR: unable to resolv...
May 02 03:24:46 desktop41.example.com rpc.gssd[2485]: ERROR: failed to read s...
Hint: Some lines were ellipsized, use -l to show in full.
[root@desktop41 ~]# vim /etc/hosts ## add name resolution
172.25.41.10 desktop41.example.com
172.25.41.11 server41.example.com
[root@desktop41 ~]# systemctl restart nfs-secure.service ## restart the service
[root@desktop41 ~]# mount -o vers=4.2,sec=krb5p 172.25.41.11:/westos /mnt/ ## mount the export
[root@desktop41 ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3174680 7299220 31% /
devtmpfs 493408 0 493408 0% /dev
tmpfs 508996 80 508916 1% /dev/shm
tmpfs 508996 13388 495608 3% /run
tmpfs 508996 0 508996 0% /sys/fs/cgroup
172.25.41.11:/westos 10473984 3170688 7303296 31% /mnt
############################# Unit 7: CIFS File Storage
#################### SMB File Sharing
The Common Internet File System (CIFS), also called Server Message Block (SMB), is the standard file and printer sharing system for Microsoft Windows servers and clients.
The Samba service can share Linux file systems as CIFS/SMB network file shares and Linux printers as CIFS/SMB printer shares.
Components of the Samba service
1. Packages:
samba-common - Samba support files
samba-client - client programs
samba - server programs
2. Service names: smb nmb
3. Service ports: normally TCP/445 for all connections; UDP 137, UDP 138 and TCP/139 are also used for backward compatibility
4. Main configuration file: /etc/samba/smb.conf
/etc/samba/smb.conf: the [global] section
workgroup specifies the Windows workgroup or network domain name.
hosts allow
hosts allow is a comma-, space- or tab-separated set of hosts that are allowed to access the service. If it is set in the [global] section it applies to every service, regardless of whether an individual service has a different setting. Hosts can be given by name or by IP number; for example, allow hosts = 192.168.0. permits one network.
Security
This option affects how clients respond to Samba and is one of the most important settings in smb.conf.
security = user: clients must log in with a valid username and password.
security = domain: works only when the machine has been joined to an NT domain. It requires the encrypted passwords parameter to be set to yes. In this mode Samba validates the username/password by passing it to a Windows NT primary or backup domain controller, exactly as a Windows NT Server does. Note that a valid UNIX user must still exist in addition to the account on the domain controller, so that Samba has a valid UNIX account to which file access can be mapped. The password server parameter must be set to tell Samba which server validates passwords.
security = server: Samba attempts validation by passing the username/password to another SMB server. The password server parameter must be set to tell Samba which server validates passwords.
security = ads: Samba acts as a domain member in an ADS realm. To operate in this mode, the machine running Samba needs Kerberos installed and configured, and Samba must be joined to the ADS realm with the net utility.
/etc/samba/smb.conf: other sections
[homes]
This share (enabled by default) is a special share that makes users' home directories available over CIFS. It includes browseable = no, so it is not shown as an available share until the user has authenticated. The share name can be given as homes (in which case the Samba server translates it to the user's home directory path) or as the username.
[printers]
Also available by default; shares the currently available printers.
[share]
To set up additional shares, put the share name in brackets as shown above. A share needs at least a path parameter.
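Added example, not part of the course notes: a small shell reviewer for the smb.conf parameters described above ([global] security and hosts allow, and each share's path, writable and guest ok settings), run over a constructed sample configuration.

```shell
#!/bin/sh
# Added example for this unit (not from the course notes): reviews an smb.conf
# read on stdin against the points made above. The sample configuration is constructed.

# norm KEY -> Samba ignores case and spaces in parameter names
norm() { printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t'; }

# is_yes VALUE -> exit 0 for the Samba boolean spellings yes/true/1
is_yes() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in yes|true|1) return 0 ;; esac
    return 1
}

# report_section prints findings for the section just parsed, using the
# variables filled in by smb_audit, and adds them to $count.
report_section() {
    [ -n "$sec" ] || return 0
    if [ "$sec" = global ]; then
        case "${security:-user}" in              # Samba's default is security = user
            user|domain|ads) ;;
            *) printf 'global: security = %s is not one of user/domain/ads\n' "$security"
               count=$((count + 1)) ;;
        esac
        if [ -z "$hostsallow" ]; then
            printf 'global: no hosts allow, every host may connect\n'; count=$((count + 1))
        fi
        return 0
    fi
    if [ -z "$path" ] && [ "$sec" != homes ] && [ "$sec" != printers ]; then
        printf '[%s]: no path parameter\n' "$sec"; count=$((count + 1))
    fi
    if [ "$writable" = yes ] && [ "$guestok" = yes ]; then
        printf '[%s]: writable by guests (guest ok = yes)\n' "$sec"; count=$((count + 1))
    fi
    if [ "$sec" = homes ] && [ "$browseable" != no ]; then
        printf '[homes]: browseable should be no\n'; count=$((count + 1))
    fi
}

# smb_audit reads smb.conf on stdin, prints findings, returns their number.
smb_audit() {
    count=0; sec=""
    while IFS= read -r line; do
        line=${line%%#*}; line=${line%%;*}               # drop comments
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$line" ] || continue
        case "$line" in
            "["*"]")
                report_section
                sec=$(printf '%s' "$line" | sed 's/^\[//;s/\]$//' | tr 'A-Z' 'a-z')
                security=""; hostsallow=""; path=""; writable=no; guestok=no; browseable=yes
                continue ;;
        esac
        key=$(norm "${line%%=*}")
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$key" in
            security)              security=$(printf '%s' "$val" | tr 'A-Z' 'a-z') ;;
            hostsallow|allowhosts) hostsallow=$val ;;
            path|directory)        path=$val ;;
            writable|writeable)    is_yes "$val" && writable=yes || writable=no ;;
            readonly)              is_yes "$val" && writable=no || writable=yes ;;
            guestok|public)        is_yes "$val" && guestok=yes || guestok=no ;;
            browseable|browsable)  is_yes "$val" && browseable=yes || browseable=no ;;
        esac
    done
    report_section
    return "$count"
}

# Constructed sample: [public] and [broken] should each produce one finding.
SAMPLE_SMB_CONF='[global]
    workgroup = WESTOS
    security = user
    hosts allow = 127. 172.25.254.
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
[TEST]
    comment = westos directory
    path = /westos
    write list = @student
[public]
    path = /srv/pub
    writable = yes
    guest ok = yes
[broken]
    comment = share without a path'

printf '%s\n' "$SAMPLE_SMB_CONF" | smb_audit || echo "$? findings"
```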
###################### SMB Users
useradd
security = user requires both UNIX and Samba account information. Add the user (preferably with the same name as the Samba account), or put an entry in /etc/samba/smbusers (it contains some examples). If you create Samba-only users, set their UNIX login shell to /sbin/nologin.
[root@serverX ~]# useradd -s /sbin/nologin wxh
smbpasswd
If you do not have a Samba password server, the authentication data must be created on the local machine. Use smbpasswd to create Samba accounts and passwords.
If smbpasswd is given only a username without any option, it tries to change that account's password. Passing the -a option adds the account and sets its password.
[root@serverX ~]# smbpasswd -a wxh
New SMB password: westos
Retype new SMB password: westos
Added user wxh.
################## Securing SMB
The samba_enable_home_dirs and use_samba_home_dirs SELinux booleans
The samba_enable_home_dirs boolean allows local Linux home directories to be exported to other systems as CIFS file shares. The use_samba_home_dirs boolean, on the other hand, allows remote CIFS file shares to be mounted and used as local Linux home directories.
# setsebool -P samba_enable_home_dirs on
samba_share_t labels user-defined Samba shares
# chcon -R -t samba_share_t /smbshare
or: # semanage fcontext -a -t samba_share_t '/smbshare(/.*)?'
# restorecon -vvFR /smbshare
samba_export_all_ro and samba_export_all_rw allow system directories to be shared
# setsebool -P samba_export_all_ro on
# setsebool -P samba_export_all_rw on
########################## Accessing CIFS Shares
Four basic ways to connect to a CIFS file share:
1. Graphical access to a CIFS share
Go to "Network" --> "Connect to Server" and fill in the following fields:
Server Address : 172.25.0.11
Username: wxh
Password: westos
2. Command-line, FTP-style access to a CIFS share:
[root@server0 ~]# smbclient -L server0.example.com -U wxh
Enter wxh's password: westos
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
[root@server0 ~]# smbclient //server0.example.com/smbshare -U wxh
Enter wxh's password: westos
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Thu Dec 18 17:27:27 2014
.. D 0 Thu Dec 18 11:37:20 2014
testfile N 12 Thu Dec 18 11:38:03 2014
3. Mounting a CIFS share manually
[root@server0 ~]# mount -o username=wxh //server0.example.com/smbshare /mnt/wxh
4. Mounting a CIFS share persistently
Add the following line to /etc/fstab:
//server0.example.com/smbshare /mnt/wxh cifs credentials=/root/userpasswd 0 0
Create /root/userpasswd:
user=wxh
pass=westos
Practice: (15 minutes)
Configure an SMB share on the serverX system according to the following requirements:
share the newly created directory /smbshare with SMB.
members of the auxiliary group marketing have read and write permissions on the share.
all users that are not members of the marketing group have read permission.
the samba server is in the mycompany workgroup and the share name is smbshare.
create the samba-only user brian, who is part of the marketing team, with the password redhat.
create the new samba-only user rob with the password redhat, who is not part of the marketing team.
successfully grade the setup on the serverX system with lab smbshare grade.
####################### SMB Multiuser Mount
Demo: (desktopX)
Install the cifs-utils package, which contains the cifscreds command:
# yum install -y cifs-utils
Create the SMB multiuser mount point:
# mkdir /mnt/multiuser
Create the SMB credentials file (the second echo must append, or it overwrites the username line):
# echo 'username=brian' > /root/smb-multiuser.txt
# echo 'password=redhat' >> /root/smb-multiuser.txt
Edit /etc/fstab to mount the SMB share persistently:
//server0/smbshare /mnt/multiuser cifs credentials=/root/smb-multiuser.txt,multiuser,sec=ntlmssp 0 0
# mount -a
# su - brian
$ touch /mnt/multiuser/test.txt
touch: cannot touch ‘/mnt/multiuser/brian.txt’: Permission denied
$ cifscreds add server0
Password: redhat
$ echo "multiuser" > /mnt/multiuser/brian.txt
$ cat /mnt/multiuser/brian.txt
multiuser
$ exit
# su - rob
$ cifscreds add server0
Password: redhat
$ echo "multiuser" > /mnt/multiuser/rob.txt
-bash: /mnt/multiuser/rob.txt: Permission denied
$ cat /mnt/multiuser/brian.txt
multiuser
(1) Example: installing the Samba service, adding users and logging in
[root@mail-hello ~]# yum search samba
Loaded plugins: langpacks
============================== N/S matched: samba ==============================
samba-client.x86_64 : Samba client programs
samba-common.x86_64 : Files used by both Samba servers and clients
samba-libs.i686 : Samba libraries
samba-libs.x86_64 : Samba libraries
samba-python.x86_64 : Samba Python libraries
samba-winbind.x86_64 : Samba winbind
samba-winbind-modules.i686 : Samba winbind modules
samba-winbind-modules.x86_64 : Samba winbind modules
samba.x86_64 : Server and Client software to interoperate with Windows machines
Name and summary matches only, use "search all" for everything.
[root@mail-hello ~]# yum install samba-client.x86_64 samba-common.x86_64 samba.x86_64
[root@mail-hello ~]# systemctl stop firewalld
[root@mail-hello ~]# useradd westos
[root@mail-hello ~]# systemctl start smb ## start the Samba service
[root@mail-hello ~]# smbclient -L //172.25.254.141 ## list the Samba shares on 172.25.254.141
Enter root's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@mail-hello ~]# passwd westos
Changing password for user westos.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@mail-hello ~]# pdbedit -L ## list all Samba users
[root@mail-hello ~]# smbpasswd -a student ## set the Samba password of user student to 123
New SMB password:
Retype new SMB password:
Added user student.
[root@mail-hello ~]# smbpasswd -a westos
New SMB password:
Retype new SMB password:
Added user westos.
[root@mail-hello ~]# pdbedit -L
student:1000:Student User
westos:1001:
[root@mail-hello ~]# smbpasswd -a user1
New SMB password:
Retype new SMB password:
Failed to add entry for user user1.
[root@mail-hello ~]# smbclient -L //172.25.254.141 -U westos ## list the Samba shares on 172.25.254.141 as user westos
Enter westos's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
westos Disk Home Directories ## home directory of user westos
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@mail-hello ~]# ll /home/westos/
total 0
[root@mail-hello ~]# touch /home/westos/file2
[root@mail-hello ~]# smbclient //172.25.254.141/westos -U westos
Enter westos's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> quit
[root@mail-hello ~]# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_sandbox_use_samba --> off
virt_use_samba --> off
[root@mail-hello ~]# setse
setsebool setserial
[root@mail-hello ~]# setsebool -P samba_enable_home_dirs 1
[root@mail-hello ~]# smbclient //172.25.254.141/westos -U westos
Enter westos's password:
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Mon May 1 21:22:43 2017
.. D 0 Mon May 1 21:16:23 2017
.bash_logout H 18 Wed Jan 29 07:45:18 2014
.bash_profile H 193 Wed Jan 29 07:45:18 2014
.bashrc H 231 Wed Jan 29 07:45:18 2014
.mozilla DH 0 Thu Jul 10 18:29:32 2014
.config DH 0 Thu Jul 10 19:06:52 2014
file2 N 0 Mon May 1 21:22:43 2017
40913 blocks of size 262144. 28490 blocks available
smb: \> quit
(2) Samba service configuration
Example: ########################## Sharing a directory as TEST
[root@mail-hello ~]# mkdir /westos
[root@mail-hello ~]# vim /etc/samba/smb.conf
workgroup = WESTOS ## the workgroup/domain name
server string = Samba Server Version %v ## version string shown to clients
[TEST]
comment = westos directory
path = /westos
[root@mail-hello ~]# systemctl restart smb
[root@mail-hello ~]# smbclient -L //172.25.254.141
Enter root's password:
Anonymous login successful
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
TEST Disk westos directory
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
Anonymous login successful
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@mail-hello ~]# smbclient //172.25.254.141/TEST -U westos
Enter westos's password:
Anonymous login successful
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@mail-hello ~]# semanage fcontext -a -t samba_share_t '/westos(/.*)?'
[root@mail-hello ~]# restorecon -RvvF /westos
restorecon reset /westos context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
Example: ################# Samba anonymous-user whitelist and blacklist
[root@mail-hello ~]# vim /etc/samba/smb.conf
hosts allow = 127. 172.25.254. ## 127. (localhost) and the 172.25.254. network may connect
; writable = yes
write list = @student ## @student: the user student and every member of the student group may write
[root@mail-hello ~]# systemctl restart smb
[root@mail-hello ~]# mount //172.25.254.141/TEST /mnt/ -o username=westos,password=456 ## mount //172.25.254.141/TEST on /mnt/ as user westos
[root@mail-hello ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3180416 7293484 31% /
devtmpfs 493408 0 493408 0% /dev
tmpfs 508996 80 508916 1% /dev/shm
tmpfs 508996 13360 495636 3% /run
tmpfs 508996 0 508996 0% /sys/fs/cgroup
//172.25.254.141/TEST 10473900 3180416 7293484 31% /mnt
[root@mail-hello ~]# cd /mnt/
[root@mail-hello mnt]# ls -ld /westos/
drwxr-xr-x. 2 root root 21 May 1 22:02 /westos/ ## /westos/ is writable only by root
[root@mail-hello mnt]# touch file
touch: cannot touch ‘file’: Permission denied
[root@mail-hello mnt]# touch hello
touch: cannot touch ‘hello’: Permission denied
[root@mail-hello mnt]# cd
[root@mail-hello ~]# cd /mnt/
[root@mail-hello mnt]# touch hello
touch: cannot touch ‘hello’: Permission denied
[root@mail-hello mnt]# vim /etc/samba/smb.conf
[root@mail-hello mnt]# systemctl restart smb
[root@mail-hello mnt]# touch hello
touch: cannot touch ‘hello’: Permission denied
[root@mail-hello mnt]# chmod 777 /westos/
[root@mail-hello mnt]# touch hello
[root@mail-hello mnt]# ls
hello westfile
[root@mail-hello mnt]# rm -fr westfile
[root@mail-hello mnt]# rm -fr hello
[root@mail-hello mnt]# vim /etc/samba/smb.conf
[root@mail-hello mnt]# systemctl restart smb
[root@mail-hello mnt]# touch file1
touch: cannot touch ‘file1’: Permission denied
[root@mail-hello mnt]# umount /mnt/
umount: /mnt: target is busy.
(In some cases useful info about processes that use
the device is found by lsof(8) or fuser(1))
[root@mail-hello mnt]# cd
[root@mail-hello ~]# umount /mnt/
[root@mail-hello ~]# mount //172.25.254.141/TEST /mnt/ -o username=student,password=123
[root@mail-hello ~]# touch file1
[root@mail-hello ~]# vim /etc/samba/smb.conf
[root@mail-hello ~]# systemctl restart smb
[root@mail-hello ~]# usermod -G student westos
[root@mail-hello ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3180484 7293416 31% /
devtmpfs 493408 0 493408 0% /dev
tmpfs 508996 80 508916 1% /dev/shm
tmpfs 508996 13360 495636 3% /run
tmpfs 508996 0 508996 0% /sys/fs/cgroup
//172.25.254.141/TEST 10473900 3180484 7293416 31% /mnt
[root@mail-hello ~]# umount /mnt/
[root@mail-hello ~]# id westos
uid=1001(westos) gid=1001(westos) groups=1001(westos),1000(student)
[root@mail-hello ~]# mount //172.25.254.141/TEST /mnt/ -o username=westos,password=456
[root@mail-hello ~]# cd
[root@mail-hello ~]# cd /mnt/
[root@mail-hello mnt]# touch haha
[root@mail-hello ~]# touch /westos/westfile
[root@mail-hello ~]# smbclient //172.25.254.141/TEST -U westos
Enter westos's password:
Anonymous login successful
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@mail-hello ~]# systemctl restart smb
[root@mail-hello ~]# smbclient //172.25.254.141/TEST -U westos
Enter westos's password:
^C
[root@mail-hello ~]# smbclient //172.25.254.141/TEST -U westos
Enter westos's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Mon May 1 22:02:17 2017
.. D 0 Mon May 1 21:56:31 2017
westfile N 0 Mon May 1 22:02:17 2017
40913 blocks of size 262144. 28490 blocks available
smb: \> quit
eg:
[root@mail-hello ~]# vim /etc/samba/smb.conf
327 valid users = +student ## only valid users may log in
[root@mail-hello ~]# smbclient //172.25.254.141/TEST -U student
Enter student's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Mon May 1 23:18:50 2017
.. D 0 Mon May 1 21:56:31 2017
file N 0 Mon May 1 23:18:50 2017
40913 blocks of size 262144. 28489 blocks available
smb: \> quit
[root@mail-hello ~]# smbclient //172.25.254.141/TEST -U westos
Enter westos's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Mon May 1 23:18:50 2017
.. D 0 Mon May 1 21:56:31 2017
file N 0 Mon May 1 23:18:50 2017
40913 blocks of size 262144. 28489 blocks available
smb: \> quit
[root@mail-hello ~]# smbclient -L //172.25.254.141/ -U westos
Enter westos's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
TEST Disk westos directory
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
westos Disk Home Directories
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@mail-hello ~]# vim /etc/samba/smb.conf
328 browseable = no ## hides [TEST] from the share list
[root@mail-hello ~]# systemctl restart smb.service
[root@mail-hello ~]# smbclient -L //172.25.254.141/ -U westos
Enter westos's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
westos Disk Home Directories
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@mail-hello ~]# ll -ld /westos/
drwxrwxrwx. 2 root root 17 May 1 23:18 /westos/
[root@mail-hello ~]# chmod 755 /westos/
[root@mail-hello ~]# ll -ld /westos/
drwxr-xr-x. 2 root root 17 May 1 23:18 /westos/
[root@mail-hello ~]# vim /etc/samba/smb.conf
329 admin users = westos ## in [TEST], westos logs in with root identity
[root@mail-hello ~]# systemctl restart smb.service
[root@mail-hello ~]# smbclient //172.25.254.141/TEST -U westos
Enter westos's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Mon May 1 23:18:50 2017
.. D 0 Mon May 1 21:56:31 2017
file N 0 Mon May 1 23:18:50 2017
40913 blocks of size 262144. 28489 blocks available
smb: \> !ls ## !ls lists the current local directory
anaconda-ks.cfg Documents file1 Pictures Templates
Desktop Downloads Music Public Videos
smb: \> put anaconda-ks.cfg
putting file anaconda-ks.cfg as \anaconda-ks.cfg (28.0 kb/s) (average 28.0 kb/s)
smb: \> quit
[root@mail-hello ~]# ll -ld /westos/
drwxr-xr-x. 2 root root 39 May 1 23:28 /westos/
[root@mail-hello ~]# ll -l /westos/
total 12
-rwxr--r--. 1 root westos 8619 May 1 23:28 anaconda-ks.cfg
-rw-r--r--. 1 westos westos 0 May 1 23:18 file
[root@mail-hello ~]# vim /etc/samba/smb.conf
123 map to guest = bad user
[TEST]
323 comment = westos directory
324 path = /westos
325 ; writable = yes
326 write list = @student
327 ; valid users = +student
328 ; browseable = no
329 admin users = westos ## superuser on the share
330 guest ok = yes ## guest (virtual user) login allowed
[root@mail-hello ~]# systemctl restart smb.service
[root@mail-hello ~]# smbclient //172.25.254.141/TEST
Enter root's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@mail-hello ~]# vim /etc/samba/smb.conf
[root@mail-hello ~]# systemctl restart smb.service
[root@mail-hello ~]# smbclient //172.25.254.141/TEST
Enter root's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Mon May 1 23:28:42 2017
.. D 0 Mon May 1 21:56:31 2017
file N 0 Mon May 1 23:18:50 2017
anaconda-ks.cfg A 8619 Mon May 1 23:28:43 2017
40913 blocks of size 262144. 28489 blocks available
smb: \> quit
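As an added example (not from the lab notes), a small Python audit that parses smb.conf-style text and flags the settings exercised above: admin users (the account acts as root on the share), guest ok on a writable share, and a share with no hosts allow in either the share or [global]. The sample text is constructed from the [TEST] and [global] values shown on the page; share-level defaults follow smb.conf (read-only, no guest).

```python
# Constructed sample, mirroring the [global] and [TEST] lines shown in the lab
SAMPLE_CONF = """\
[global]
hosts allow = 127. 172.25.254.
[TEST]
path = /westos
; writable = yes
write list = @student
admin users = westos
guest ok = yes
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; ';' and '#' lines are comments."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_share(name, params, global_params):
    """Return findings for one share; smb.conf defaults are read-only and no guest access."""
    findings = []
    writable = is_yes(params["writable"]) if "writable" in params \
        else not is_yes(params.get("read only", "yes"))
    guest = is_yes(params.get("guest ok", "no"))
    if params.get("admin users"):
        findings.append(f"[{name}] admin users = {params['admin users']}: acts as root on the share")
    if guest and writable:
        findings.append(f"[{name}] guest ok with writable: anonymous clients can write")
    if "hosts allow" not in params and "hosts allow" not in global_params:
        findings.append(f"[{name}] no hosts allow restriction in share or [global]")
    return findings

def audit_conf(text):
    """Audit every non-global share; [global] hosts allow covers all shares."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    return [f for name, p in sections.items() if name != "global"
            for f in audit_share(name, p, glob)]
```

Uncommenting `writable = yes`, as the later "eg:" block on this page does, adds the anonymous-write finding for [TEST].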
eg:
[root@mail-hello ~]# vim /etc/samba/smb.conf
322 [TEST]
323 comment = westos directory
324 path = /westos
325 writable = yes
[root@mail-hello ~]# systemctl restart smb.service
[root@mail-hello ~]# smbclient //172.25.254.141/TEST
Enter root's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
smb: \> ls
. D 0 Mon May 1 23:28:42 2017
.. D 0 Mon May 1 21:56:31 2017
file N 0 Mon May 1 23:18:50 2017
anaconda-ks.cfg A 8619 Mon May 1 23:28:43 2017
40913 blocks of size 262144. 28489 blocks available
smb: \> quit
[root@mail-hello ~]# systemctl restart smb.service
[root@mail-hello ~]# chmod 777 /westos/
On another virtual machine
[root@mail-eastos ~]# mkdir /westos
[root@mail-eastos ~]# mount //172.25.254.141/TEST /westos -o username=westos,password=456
[root@mail-eastos ~]# yum install samba-client.x86_64 -y
[root@mail-eastos ~]# smbclient -L //172.25.254.141 -U westos
Enter westos's password:
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
Sharename Type Comment
--------- ---- -------
TEST Disk westos directory
IPC$ IPC IPC Service (Samba Server Version 4.1.1)
westos Disk Home Directories
Domain=[WESTOS] OS=[Unix] Server=[Samba 4.1.1]
Server Comment
--------- -------
Workgroup Master
--------- -------
[root@mail-eastos ~]# df
文件系统 1K-块 已用 可用 已用% 挂载点
/dev/vda1 10473900 3368828 7105072 33% /
devtmpfs 493408 0 493408 0% /dev
tmpfs 508996 80 508916 1% /dev/shm
tmpfs 508996 13348 495648 3% /run
tmpfs 508996 0 508996 0% /sys/fs/cgroup
//172.25.254.141/TEST 10473900 3180488 7293412 31% /westos
[root@mail-eastos ~]# useradd hello
[root@mail-eastos ~]# su - hello
[hello@mail-eastos ~]$ cd /westos/
[hello@mail-eastos westos]$ ls
anaconda-ks.cfg file
[hello@mail-eastos westos]$ rm anaconda-ks.cfg
rm: remove write-protected regular file ‘anaconda-ks.cfg’? y
[hello@mail-eastos westos]$ touch hello
touch: cannot touch ‘hello’: Permission denied
[hello@mail-eastos westos]$ yum install cifs-utils -y
[root@mail-eastos ~]# vim /root/smbpass
1 username=westos
2 password=456
[root@mail-eastos ~]# mount //172.25.254.141/TEST /westos -o credentials=/root/smbpass,multiuser,sec=ntlmssp
[root@mail-eastos ~]# ll /root/smbpass
-rw-r--r--. 1 root root 29 May 2 00:03 /root/smbpass
[root@mail-eastos ~]# su - hello
上一次登录:Tue May 2 00:01:04 EDT 2017pts/0 上
[hello@mail-eastos ~]$ cd /westos
[hello@mail-eastos westos]$ ls
ls: reading directory .: Permission denied
[hello@mail-eastos westos]$ logout
[root@mail-eastos ~]# su - westos
su: user westos does not exist
[root@mail-eastos ~]# useradd westos
[root@mail-eastos ~]# su - westos
[westos@mail-eastos ~]$ cd /westos
[westos@mail-eastos westos]$ ls
ls: reading directory .: Permission denied
[westos@mail-eastos westos]$ logout
[root@mail-eastos ~]# su - westos
上一次登录:Tue May 2 00:12:15 EDT 2017pts/0 上
[westos@mail-eastos ~]$ cifscreds add 172.25.254.141
Password:
[westos@mail-eastos ~]$ cd /westos/
[westos@mail-eastos westos]$ ls
file hello
[westos@mail-eastos westos]$ rm -fr hello
[westos@mail-eastos westos]$ logout
[root@mail-eastos ~]# su - hello
上一次登录:Tue May 2 00:10:50 EDT 2017pts/0 上
[hello@mail-eastos ~]$ cifscreds add 172.25.254.141
Password:
[hello@mail-eastos ~]$ cd /westos
[hello@mail-eastos westos]$ ls
ls: reading directory .: Permission denied
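Added example, not part of the original notes: a pure Python check for the mount.cifs invocations used above. It flags password= given on the command line (the first mount on mail-eastos), a credentials file whose mode is 0644 as in the ll output above, a weak sec= value, and a credentials file missing its username= or password= line; the option string, file mode and file text are passed in as values, so nothing is read from disk.

```python
WEAK_PERMS = 0o077  # group/other bits; any of them set exposes the credentials file

def parse_credentials(text):
    """Parse a mount.cifs credentials file (username=, password=, domain= lines)."""
    creds = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            creds[key.strip()] = value.strip()
    return creds

def audit_cifs_mount(options, cred_mode=None, cred_text=""):
    """Return findings for a mount.cifs -o option string.

    cred_mode is the st_mode of the credentials file and cred_text its contents,
    passed in explicitly so the check stays pure and testable.
    """
    # "multiuser".partition("=")[::2] -> ("multiuser", ""), so flags become keys too
    opts = dict(o.partition("=")[::2] for o in options.split(","))
    findings = []
    if "password" in opts:
        findings.append("password= on the command line: visible in shell history and process listings")
    if opts.get("sec") in ("none", "lanman", "ntlm"):
        findings.append(f"sec={opts['sec']}: weak authentication, prefer ntlmssp or krb5")
    if "credentials" in opts:
        path = opts["credentials"]
        if cred_mode is not None and cred_mode & WEAK_PERMS:
            findings.append(f"{path}: mode {cred_mode & 0o777:04o} readable by others, use chmod 600")
        creds = parse_credentials(cred_text)
        if "username" not in creds or "password" not in creds:
            findings.append(f"{path}: missing username= or password= line")
    return findings
```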