博客第21周

1、利用SAMBA实现指定目录共享

服务端:

 yum -y install samba

useradd -s /sbin/nologin -r smbuser1

smbpasswd -a smbuser1

 systemctl start smb.service
创建共享目录
# Shared directory. The setgid bit (the leading 2 in 2775) makes files created
# inside inherit the directory's group rather than the creator's primary group,
# so every member of the group can work on them.
# NOTE(review): the `admins` group is not created anywhere on this page and
# smbuser1 is never added to it — confirm it exists (e.g. `groupadd -r admins`)
# and that the Samba users are members, otherwise chgrp fails / users cannot write.
mkdir /data/smbshare
chown :admins /data/smbshare
chmod u=rwx,g=rwxs,o=rx /data/smbshare
 
开机启动smb nmb
# Start now and enable at boot. smb serves the shares; nmb answers NetBIOS name
# queries so Windows clients can find the server by name, not only by IP.
systemctl enable --now smb.service nmb.service
 
客户端
# Client tooling: cifs-utils supplies mount.cifs (behind `mount -t cifs`),
# samba-client supplies smbclient for browsing and testing shares.
yum install -y cifs-utils samba-client
Windows 访问:在资源管理器地址栏输入 \\服务端ip\share(share 是 smb.conf 中的共享名,不是服务器上的目录路径),按提示输入 smbuser1 及其 Samba 密码。
linux 访问
用smbuser1用户挂载smb共享并访问
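# Mount the share as smbuser1 and verify write access from the client.
# A CIFS share is addressed by its Samba *share name* (the [share] section whose
# path is /data/smbshare), not by the server-side filesystem path; mount.cifs
# prompts for the Samba password. Do not put password= on the command line
# (visible in `ps` and shell history); use credentials=/root/.smbcred (mode 600)
# if it must be non-interactive.
mkdir -p /mnt/smbuser1
mount -t cifs -o username=smbuser1 //服务端ip/share /mnt/smbuser1

# Create the test file *inside* the mounted share. The original touched
# /mnt/smbuser1.txt, which lands on the client's local disk next to the mount
# point and never reaches the server, so it tested nothing.
touch /mnt/smbuser1/smbuser1.txt
chmod 600 /mnt/smbuser1/smbuser1.txt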

2、实现不同samba用户访问相同的samba共享,实现不同的配置

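# Group whose members get write access to the share (see `write list` below).
groupadd -r smbgroup

# smbuser1 already exists from section 1. `useradd` on an existing account fails
# with "already exists" and leaves it outside the group, so add existing users
# with usermod -aG and only create the ones that are missing.
for u in smbuser1 smbuser2; do
  if getent passwd "$u" >/dev/null; then
    usermod -aG smbgroup "$u"
  else
    useradd -s /sbin/nologin -G smbgroup "$u"
  fi
done

# Samba password for the new account (smbuser1 got one in section 1).
smbpasswd -a smbuser2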
 
配置smb共享文件
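# Share definition for /etc/samba/smb.conf (the original listing only displayed
# the desired content; here it is appended). `write list` grants write access to
# members of smbgroup, everyone else who can reach the share gets read-only
# access (Samba's default is `read only = yes`) — that is how one share serves
# different users with different rights. Add `valid users = @smbgroup` if the
# share should not be readable by every Samba user.
cat >>/etc/samba/smb.conf <<'EOF'
[share]
path = /data/smbshare
write list = @smbgroup
EOF
# Syntax-check the result before reloading, so a typo does not take smb down.
testparm -s >/dev/null && systemctl restart smb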
 

3、远程主机通过连接 OpenVPN 进入内网,修复内网里的 httpd 服务主机:假如现在 httpd 宕机了,需要先建立 VPN 连接、登录该主机,再把 httpd 启动起来


##安装openvpn包,私钥包###
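install_openvpn_server(){
  # One-shot OpenVPN server setup with an easy-rsa 3 PKI:
  #   server PKI  /etc/openvpn/easy-rsa-server/3  (CA, server cert, DH params)
  #   client PKI  /etc/openvpn/easy-rsa-client/3  (only generates requests)
  #   runtime     /etc/openvpn/certs              (what the daemon and bundles use)
  # then writes server.conf, enables IP forwarding + NAT for 10.8.0.0/24 and
  # starts the service. Calls create_cert (defined below) for the first client.
  # Returns non-zero as soon as a step that later steps depend on fails.
  local srv_pki=/etc/openvpn/easy-rsa-server/3
  local cli_pki=/etc/openvpn/easy-rsa-client/3
  local certs=/etc/openvpn/certs

  yum -y install openvpn easy-rsa || return 1

  ## directory layout ##
  # `cp -r /usr/share/easy-rsa/ DEST` copies the *contents* on a first run but
  # nests a second copy (DEST/easy-rsa/3) once DEST exists — which is why the
  # PKI was later looked up under easy-rsa-server/easy-rsa/3. Creating DEST and
  # copying `/.` keeps the layout stable across re-runs.
  mkdir -p /etc/openvpn/easy-rsa-server /etc/openvpn/easy-rsa-client "$certs"
  cp -r /usr/share/easy-rsa/. /etc/openvpn/easy-rsa-server/
  cp /usr/share/doc/easy-rsa/vars.example "$srv_pki/vars"
  cp "$srv_pki/vars"{,.bak}
  cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/

  ## tls-auth key (HMAC on the control channel) ##
  # Generated after $certs exists; the original wrote into a directory that was
  # only created further down, so ta.key never existed.
  [[ -f $certs/ta.key ]] || openvpn --genkey --secret "$certs/ta.key"

  ## certificate lifetimes ##
  # `cat FILE <<EOF` only *reads* FILE — the here-doc has to be appended. The
  # variables are EASYRSA_CA_EXPIRE (the CA, which the original comment meant)
  # and EASYRSA_CERT_EXPIRE (certs it issues); "EXPIPE" is not a known name.
  cat >>"$srv_pki/vars" <<'EOF'
set_var EASYRSA_CA_EXPIRE   3650
set_var EASYRSA_CERT_EXPIRE 3650
EOF

  ## CA ##
  # --batch takes the default for every prompt (CN "Easy-RSA CA", "yes" on
  # confirmations). The original piped the word "yes" into build-ca, which
  # answers the Common Name prompt — i.e. a CA literally named "yes".
  cd "$srv_pki" || return 1
  ./easyrsa init-pki || return 1
  ./easyrsa --batch build-ca nopass || return 1
  openssl x509 -in pki/ca.crt -noout -text

  ## server certificate ##
  # Signed with the "server" type so that `remote-cert-tls server` in the
  # client profile accepts it.
  ./easyrsa --batch gen-req server nopass || return 1
  ./easyrsa --batch sign-req server server || return 1

  ## DH parameters ##
  # NOT followed by another init-pki: the original ran it here, which wipes
  # pki/ (CA, server key/cert, DH) right before the files are collected below.
  ./easyrsa gen-dh || return 1

  # dh.pem is collected too — server.conf and the client bundles both expect it
  # under $certs, but the original find never copied it.
  cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem "$certs/"
  chmod 600 "$certs/server.key" "$certs/ta.key"

  ## client request PKI ##
  # Requests made here are signed by the server PKI, whose vars decide the
  # lifetime; the 90 days below only take effect if create_cert passes
  # EASYRSA_CERT_EXPIRE at signing time.
  cp -r /usr/share/easy-rsa/. /etc/openvpn/easy-rsa-client/
  cp /usr/share/doc/easy-rsa/vars.example "$cli_pki/vars"
  cat >>"$cli_pki/vars" <<'EOF'
set_var EASYRSA_CERT_EXPIRE 90
EOF
  create_cert

  ## server.conf ##
  # The sample config points at ca.crt/server.crt/dh2048.pem in /etc/openvpn and
  # uses proto udp, which matches neither $certs nor the tcp client profile that
  # create_cert writes. user/group openvpn follow the log-dir chown below.
  # NOTE(review): the intranet route that lets clients reach the httpd host is
  # not given on this page — fill in the push line before use.
  cp /etc/openvpn/server.conf{,.bak}
  cat >/etc/openvpn/server.conf <<EOF
port 1194
proto tcp
dev tun
ca $certs/ca.crt
cert $certs/server.crt
key $certs/server.key
dh $certs/dh.pem
tls-auth $certs/ta.key 0
server 10.8.0.0 255.255.255.0
#push "route INTRANET_NETWORK INTRANET_NETMASK"
keepalive 10 120
cipher AES-256-CBC
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
verb 3
EOF

  getent passwd openvpn >/dev/null \
    || printf 'warning: no "openvpn" user; adjust user/group in server.conf\n' >&2
  mkdir -p /var/log/openvpn
  chown openvpn:openvpn /var/log/openvpn/
  ls -ld /var/log/openvpn

  ## forwarding + NAT ##
  # Forward between the tun device and the LAN, and masquerade the tunnel
  # network so intranet hosts can reply without a route back to 10.8.0.0/24.
  if grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf; then
    sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
  else
    echo 'net.ipv4.ip_forward = 1' >>/etc/sysctl.conf
  fi
  sysctl -p
  local nat_rule=(iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE)
  # Append to rc.local only once and apply only the rule: the original re-ran
  # the whole rc.local, so every invocation added a duplicate rule.
  grep -qF -- "${nat_rule[*]}" /etc/rc.d/rc.local 2>/dev/null \
    || printf '%s\n' "${nat_rule[*]}" >>/etc/rc.d/rc.local
  chmod +x /etc/rc.d/rc.local
  iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -j MASQUERADE 2>/dev/null \
    || "${nat_rule[@]}"

  # openvpn@server reads /etc/openvpn/server.conf on older packages; newer ones
  # ship openvpn-server@.service reading /etc/openvpn/server/*.conf instead.
  systemctl daemon-reload
  systemctl enable --now openvpn@server
}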

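create_cert(){
  # Issue a client certificate for $NAME (first argument, default "tyzh") and
  # assemble a ready-to-use profile directory /etc/openvpn/client/$NAME: the
  # request is generated in the client PKI, signed by the CA in the server PKI,
  # and bundled with ca.crt, dh.pem, ta.key and a client.ovpn.
  # Globals: sets NAME (as the original did). Returns non-zero if the name is
  # unsafe or a PKI step fails. (The original listing was missing its closing
  # brace, which swallowed everything after it into this function.)
  NAME=${1:-tyzh}
  local srv_pki=/etc/openvpn/easy-rsa-server/3
  local cli_pki=/etc/openvpn/easy-rsa-client/3
  local out=/etc/openvpn/client/$NAME

  # $NAME ends up in paths, find/rm patterns and the certificate CN; allow only
  # a plain identifier so "", "..", "*" or "a/b" cannot escape the tree.
  if [[ ! $NAME =~ ^[A-Za-z0-9_-]+$ ]]; then
    printf 'create_cert: invalid name %q\n' "$NAME" >&2
    return 1
  fi

  # Key pair + request in the client PKI. The private key is generated on the
  # server, so the bundle must reach the user over a trusted channel; having the
  # user generate the key and submit only the .req avoids that entirely.
  cd "$cli_pki" || return 1
  ./easyrsa --batch gen-req "$NAME" nopass || return 1

  # Sign in the *server* PKI (the original cd'ed to easy-rsa-server/easy-rsa/3,
  # a path that only exists when the easy-rsa copy was run twice). --batch
  # answers the "Confirm request details" prompt. EASYRSA_CERT_EXPIRE is passed
  # in the environment because the vars consulted here are the server PKI's
  # (3650 days); easy-rsa's set_var keeps a value already present in the
  # environment, so this is how the 90-day client lifetime takes effect.
  cd "$srv_pki" || return 1
  ./easyrsa import-req "$cli_pki/pki/reqs/$NAME.req" "$NAME" || return 1
  EASYRSA_CERT_EXPIRE=90 ./easyrsa --batch sign-req client "$NAME" || return 1

  mkdir -p "$out"
  cp "$srv_pki/pki/issued/$NAME.crt" "$out/"
  cp "$cli_pki/pki/private/$NAME.key" "$out/"
  cp /etc/openvpn/certs/{ca.crt,dh.pem,ta.key} "$out/"
  # Private material is owner-only; the bundle directory too.
  chmod 700 "$out"
  chmod 600 "$out/$NAME.key" "$out/ta.key"

  # Client profile. ta.key is shipped in the bundle but the original left the
  # tls-auth line commented out, so the control channel was never HMAC-protected
  # (and a server with tls-auth on, as in the stock sample config, rejects such a
  # client) — it must be enabled on both sides. Compression is not configured:
  # OpenVPN documents that it lets an attacker recover plaintext (VORACLE), and
  # the original line ("1z4-v2") was a typo for lz4-v2 anyway.
  cat >"$out/client.ovpn" <<EOF
client
dev tun
proto tcp
remote 10.0.0.8 1194
resolv-retry infinite
nobind
ca ca.crt
cert $NAME.crt
key $NAME.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
EOF
  echo "证书存放路径:$out,证书文件如下:"
  echo -e "\E[1;32m***********************************************\E[0m"
  ls -l "$out"
  echo -e "\E[1;32m***********************************************\E[0m"
}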

 

#!/bin/bash
#
#********************************************************************
#Author: tyzh
#QQ: 283399535
#Date: 2020-09-24
#FileName: openvpn-user-crt.sh
#URL: http://www.xxx.com
#Description: The test script
#Copyright (C): 2020 All rights reserved
#********************************************************************
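# `action` (green [ OK ] / red [FAILED] status lines) comes from the init library.
. /etc/init.d/functions

# Address the generated client profiles connect to (port 1194).
OPENVPN_SERVER=10.0.0.8

# Password for the zip bundle handed to the user. The original hard-coded one
# fixed value (tyzh2020) shared by every bundle and readable by anyone who can
# read this script. Take it from the environment, or generate a fresh one per
# run and print it once so it can be passed on out-of-band, separately from the
# zip file itself.
if [[ -n ${OPENVPN_ZIP_PASS:-} ]]; then
  PASS=$OPENVPN_ZIP_PASS
else
  PASS=$(head -c 18 /dev/urandom | base64)
  printf 'zip password for this run (send it separately from the zip): %s\n' "$PASS" >&2
fi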

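remove_cert(){
  # Remove every artifact previously issued for $NAME so the name can be
  # re-issued: the bundle directory plus the request/key/cert files in both PKIs.
  # Globals: reads NAME. Returns 1 (and touches nothing) if NAME is not a plain
  # identifier — it is user input and becomes an rm -rf path and a find pattern,
  # so "", "..", "*" or "a/b" would otherwise delete far more than one user.
  #
  # NOTE(review): deleting the files does NOT invalidate a certificate the user
  # already holds; the server keeps accepting it until it is revoked *and* the
  # server is started with `crl-verify /etc/openvpn/certs/crl.pem`. The revoke
  # below produces that CRL; add the directive to server.conf for it to matter.
  if [[ ! $NAME =~ ^[A-Za-z0-9_-]+$ ]]; then
    printf 'remove_cert: refusing to delete for invalid name %q\n' "$NAME" >&2
    return 1
  fi
  local srv_pki=/etc/openvpn/easy-rsa-server/3

  # Revoke the old cert if one is on record and publish a fresh CRL.
  if [[ -f $srv_pki/pki/issued/$NAME.crt ]]; then
    (cd "$srv_pki" && ./easyrsa --batch revoke "$NAME" && ./easyrsa gen-crl \
       && cp pki/crl.pem /etc/openvpn/certs/crl.pem)
  fi

  # ${NAME:?} aborts instead of expanding to /etc/openvpn/client/ if NAME is empty.
  rm -rf -- "/etc/openvpn/client/${NAME:?}"
  find /etc/openvpn/ -name "${NAME}.*" -delete
}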

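create_cert(){
  # Issue a client certificate for $NAME, assemble the profile directory
  # /etc/openvpn/client/$NAME (cert, key, ca.crt, dh.pem, ta.key, client.ovpn)
  # and pack it into /root/$NAME.zip protected with $PASS.
  # Globals: reads NAME, OPENVPN_SERVER, PASS; `action` comes from
  # /etc/init.d/functions. Returns non-zero on an unsafe name or a failed step.
  local srv_pki=/etc/openvpn/easy-rsa-server/3
  local cli_pki=/etc/openvpn/easy-rsa-client/3
  local out=/etc/openvpn/client/$NAME

  # NAME comes straight from `read`; it ends up in paths, find patterns and the
  # certificate CN, so allow only a plain identifier ("", "..", "*", "a/b" are out).
  if [[ ! $NAME =~ ^[A-Za-z0-9_-]+$ ]]; then
    printf 'create_cert: invalid name %q\n' "$NAME" >&2
    return 1
  fi

  # Key pair + request in the client PKI. The private key is generated on the
  # server, so the bundle must reach the user over a trusted channel; having the
  # user generate the key and submit only the .req avoids that entirely.
  cd "$cli_pki" || return 1
  ./easyrsa --batch gen-req "$NAME" nopass || return 1

  # Sign in the *server* PKI (the original cd'ed to easy-rsa-server/easy-rsa/3,
  # a path that only exists when the easy-rsa copy was run twice). --batch
  # answers the "Confirm request details" prompt the here-doc used to feed.
  cd "$srv_pki" || return 1
  ./easyrsa import-req "$cli_pki/pki/reqs/$NAME.req" "$NAME" || return 1
  ./easyrsa --batch sign-req client "$NAME" || return 1

  mkdir -p "$out"
  cp "$srv_pki/pki/issued/$NAME.crt" "$out/"
  cp "$cli_pki/pki/private/$NAME.key" "$out/"
  cp /etc/openvpn/certs/{ca.crt,dh.pem,ta.key} "$out/"
  # Private material is owner-only; the bundle directory too.
  chmod 700 "$out"
  chmod 600 "$out/$NAME.key" "$out/ta.key"

  # Client profile. Uses $OPENVPN_SERVER (declared at the top of the script but
  # never used by the original, which hard-coded 10.0.0.8). ta.key is shipped in
  # the bundle, so tls-auth is enabled rather than commented out — it must be
  # enabled on the server side too (the stock sample server.conf has it on).
  # Compression is not configured: OpenVPN documents that it lets an attacker
  # recover plaintext (VORACLE), and "1z4-v2" was a typo for lz4-v2 anyway.
  cat >"$out/client.ovpn" <<EOF
client
dev tun
proto tcp
remote $OPENVPN_SERVER 1194
resolv-retry infinite
nobind
ca ca.crt
cert $NAME.crt
key $NAME.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
EOF
  echo "证书存放路径:$out,证书文件如下:"
  echo -e "\E[1;32m***********************************************\E[0m"
  ls -l "$out"
  echo -e "\E[1;32m***********************************************\E[0m"

  # zip -P exposes the password on the command line (visible in `ps` to local
  # users while zip runs) and ZipCrypto is weak: treat the archive as transport
  # obfuscation only and hand the password over separately from the file.
  # Runs in a subshell so the caller's working directory is left alone.
  if (cd "$out" && zip -qP "$PASS" "/root/$NAME.zip" *); then
    action "证书已经打包:/root/${NAME}.zip"
  else
    action "证书打包失败:/root/${NAME}.zip" false
  fi
}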

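# Interactive entry point: ask for the user's name and (re)issue their profile.
# -r keeps backslashes literal. The name is validated here, before anything is
# deleted, because it becomes an rm -rf path and a find pattern in remove_cert.
read -r -p "请输入用户的姓名拼音(如:tyzh) " NAME
if [[ ! $NAME =~ ^[A-Za-z0-9_-]+$ ]]; then
  echo "无效的用户名:只允许字母、数字、下划线和连字符" >&2
  exit 1
fi
# Do not issue a new certificate if the old one could not be cleaned up.
remove_cert || exit 1
create_cert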

测试(在已连接 OpenVPN 的客户端上执行,目标是内网中的 httpd 主机)

 ssh 192.168.65.189

 
