samba
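Preface
FTP clients and servers communicate over a protocol, but FTP cannot be accessed by mounting, because it is not a file system.
Samba uses the CIFS protocol. Samba is not the only software that speaks CIFS; the Windows file-sharing feature does too. Samba enables file sharing across operating systems: between Linux and Windows, between Linux and Linux, and between Windows and Windows.
Points to note when setting up on CentOS 7:
- Watch out for name resolution
- Configuration file changes take effect without restarting the services, but it is still best to restart both services, smb and nmb
- Watch out for version differences
- Remember that effective access is the intersection of the SMB permissions and the file system permissions
Problems with Samba:
The biggest problem is permissions. They are too flexible: valid users, write list and read only conflict with one another, so it is hard to tell which one is actually in effect, which is very frustrating. In Samba it is easy to give certain users or groups read/write permission and give anonymous users read-only permission, but it is hard to give one particular ordinary user read-only permission.
The second problem is that the surrounding environment needs configuring: sometimes Windows needs the SMB 1.0 feature enabled, and sometimes name resolution needs attention. Overall it is certainly less convenient than sharing on Windows with a few mouse clicks.
Requirements
- Members of development_1: zhangsan, lisi, wanger
- Members of development_2: jia, yi, bing
The goal is for anonymous users to have read permission, while the members of the two groups above have read/write permission.
###################################Server-side configuration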
[root@c71 ~]# !17
ip addr show ens33 | awk -F" " 'NR==3{print $2}'
192.168.80.136/24
# The following items must be consistent; otherwise access from the client is painfully slow
[root@c71 ~]# hostname
c71
[root@c71 ~]# cat /etc/hostname
c71
[root@c71 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 c71
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 c71
[root@c71 ~]# ping c71
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.037 ms
[root@c71 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@c71 ~]# systemctl stop firewalld
[root@c71 ~]# systemctl disable firewalld
[root@c71 ~]# cat /etc/selinux/config | grep disabled
# disabled - No SELinux policy is loaded.
SELINUX=disabled
[root@c71 ~]# yum -y install samba &> /dev/null;
[root@c71 ~]# systemctl enable smb ; systemctl enable nmb ; systemctl start smb ; systemctl start nmb ;
[root@c71 ~]# ss -tunlp | egrep '(445|137|138|139)'
[root@c71 /]# mkdir /smb_share ; chmod 777 /smb_share
[root@c71 ~]# groupadd development_2
[root@c71 ~]# groupadd development_1
[root@c71 ~]# useradd -s /sbin/nologin -g development_1 zhangsan
[root@c71 ~]# useradd -s /sbin/nologin -g development_1 lisi
[root@c71 ~]# useradd -s /sbin/nologin -g development_1 wanger
[root@c71 ~]# useradd -s /sbin/nologin -g development_2 jia
[root@c71 ~]# useradd -s /sbin/nologin -g development_2 yi
[root@c71 ~]# useradd -s /sbin/nologin -g development_2 bing
Failed to find entry for user zhangsan.
[root@c71 ~]# smbpasswd -a zhangsan
New SMB password:
Retype new SMB password:
Added user zhangsan.
[root@c71 ~]# smbpasswd -a lisi
New SMB password:
Retype new SMB password:
Added user lisi.
[root@c71 ~]# smbpasswd -a wanger
New SMB password:
Retype new SMB password:
Added user wanger.
[root@c71 ~]# smbpasswd -a jia
New SMB password:
Retype new SMB password:
Added user jia.
[root@c71 ~]# smbpasswd -a yi
New SMB password:
Retype new SMB password:
Added user yi.
[root@c71 ~]# smbpasswd -a bing
New SMB password:
Retype new SMB password:
Added user bing.
[root@c71 ~]# smbpasswd -e bing
Enabled user bing.
[root@c71 ~]# smbpasswd -e yi
Enabled user yi.
[root@c71 ~]# smbpasswd -e jia
Enabled user jia.
[root@c71 ~]# smbpasswd -e zhangsan
Enabled user zhangsan.
[root@c71 ~]# smbpasswd -e wanger
Enabled user wanger.
[root@c71 ~]# smbpasswd -e lisi
Enabled user lisi.
[root@c71 ~]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
printcap name = cups
security = USER
workgroup = SAMBA
idmap config * : backend = tdb
cups options = raw
[smb_share]
comment = smb_share
guest ok = Yes
path = /smb_share
write list = @development_1 @development_2
###################################Client-side test##########
root@u21:~# apt -y install samba-client &> /dev/null
root@u21:~# smbclient //192.168.80.136/smb_share
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 20 11:14:50 2022
.. D 0 Sun Feb 20 11:12:48 2022
issue N 23 Sun Feb 20 11:14:50 2022
fstab N 541 Sun Feb 20 11:14:50 2022
hostname N 4 Sun Feb 20 11:14:50 2022
passwd N 1434 Sun Feb 20 11:14:50 2022
52403200 blocks of size 1024. 50726628 blocks available
smb: \> rm issue
NT_STATUS_ACCESS_DENIED deleting remote file \issue
root@u21:~# smbclient //192.168.80.136/smb_share -U jia%cba-123
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 20 11:14:50 2022
.. D 0 Sun Feb 20 11:12:48 2022
issue N 23 Sun Feb 20 11:14:50 2022
fstab N 541 Sun Feb 20 11:14:50 2022
hostname N 4 Sun Feb 20 11:14:50 2022
passwd N 1434 Sun Feb 20 11:14:50 2022
52403200 blocks of size 1024. 50726764 blocks available
smb: \> rm issue
NT_STATUS_ACCESS_DENIED deleting remote file \issue
smb: \> exit
root@u21:~# smbclient //192.168.80.136/smb_share -U jia%cba-123
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 20 11:14:50 2022
.. D 0 Sun Feb 20 11:12:48 2022
issue N 23 Sun Feb 20 11:14:50 2022
fstab N 541 Sun Feb 20 11:14:50 2022
hostname N 4 Sun Feb 20 11:14:50 2022
passwd N 1434 Sun Feb 20 11:14:50 2022
52403200 blocks of size 1024. 50726744 blocks available
smb: \> rm issue
smb: \> exit
root@u21:~# smbclient //192.168.80.136/smb_share -U zhangsan%cba-123
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 20 11:16:14 2022
.. D 0 Sun Feb 20 11:12:48 2022
fstab N 541 Sun Feb 20 11:14:50 2022
hostname N 4 Sun Feb 20 11:14:50 2022
passwd N 1434 Sun Feb 20 11:14:50 2022
52403200 blocks of size 1024. 50726748 blocks available
smb: \> rm passwd
smb: \> exit
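Basic principles
Samba components
- netbios (Network Basic Input/Output System, the mechanism by which Windows hosts communicate with each other by host name; it is broadcast-based)
Even with sharing turned off, Windows listens on 137 and 138, because NetBIOS is the basic service through which Windows hosts reach each other by host name. SMB needs this service too. The first access is especially slow, because the first lookup is a broadcast. NetBIOS is handled by the nmbd server; it is best to keep this service running, because otherwise access from Windows is very slow.
- wins
NetBIOS broadcast resolution is too slow, so single-node resolution appeared later; this upgraded form of NetBIOS is called the WINS service.
- winbind
One of Samba's three sub-services. It is started only when Samba has AD domain functionality enabled; using an AD domain requires winbindd to be running.
Configuration file
Configuration file structure: the file is divided into global settings and per-share settings, and the per-share settings are further divided into home directories, printers and custom shares.
Global settings
global: netbios, workgroup
- The SMB server has two service modes: domain mode and workgroup mode.
- The SMB server has two services, smb and nmb. smb listens on tcp/139 and tcp/445 and is mainly used for data transfer (Windows sharing works the same way); nmb mainly resolves NetBIOS names and listens on udp/137 and udp/138.
[root@C8 ~]# rpm -ql samba | grep sys   # two systemd unit files mean two services, one commonly used and one less so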
/usr/lib/systemd/system/nmb.service
/usr/lib/systemd/system/smb.service
# Explanation of the configuration file; the example file contains more detailed explanations
[root@C8 ~]# cd /etc/samba/ && ls
lmhosts smb.conf smb.conf.example
[root@C8 samba]# egrep -v '(^$|^#)' smb.conf
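# Global settings
[global]
# workgroup = SAMBA # the workgroup name; it means the same as a Windows workgroup and carries over some Windows conventions. The Windows default workgroup is WORKGROUP, so it is best to change it;
# On CentOS 6 the server's workgroup can be probed with smbclient -L; on CentOS 7 it cannot;
workgroup = WORKGROUP
# netbios name lets clients connect using the NetBIOS name instead of the IP, somewhat like a domain name; smbclient -L can be followed directly by the NetBIOS name, but this depends on the nmb service
# In other words, nmb must be started before clients can connect by NetBIOS name; nmb listens on ports 137 and 138. Note that pinging the NetBIOS name does not work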
netbios name = linux40
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
user
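An SMB user must first be a system user; the user's password is maintained by Samba itself.
# When we access the CentOS SMB share from Windows, the account we are asked for is not the CentOS system account but the Samba user's account and password.
# Adding users for access: an SMB user must first be a system user, and only then can become an SMB user;
# List SMB users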
[root@C8 ~]# pdbedit -L
[root@C8 ~]# useradd -s /sbin/nologin smb1
[root@C8 ~]# useradd -s /sbin/nologin smb2
# Add SMB users
[root@C8 ~]# smbpasswd -a smb1
New SMB password:
Retype new SMB password:
Added user smb1.
[root@C8 ~]# smbpasswd -a smb2
New SMB password:
Retype new SMB password:
Added user smb2.
# Change a user's password
[root@C8 ~]# smbpasswd smb1
New SMB password:
Retype new SMB password:
# List again
[root@C8 ~]# pdbedit -L
smb1:1001:
smb2:1002:
# Delete an account
[root@C8 ~]# smbpasswd -x smb1
# The file below is the SMB user database file
[root@C8 ~]# ll /var/lib/samba/private/passdb.tdb
-rw-------. 1 root root 421888 11月 14 18:51 /var/lib/samba/private/passdb.tdb
# View a user's detailed information; there is a SID, also modelled on Microsoft's
[root@C8 ~]# pdbedit -L -v smb1
Unix username: smb1
NT username:
Account Flags: [U ]
User SID: S-1-5-21-3762892953-1983712240-1896709800-1000 # user SID
Primary Group SID: S-1-5-21-3762892953-1983712240-1896709800-513
Full Name:
Home Directory: \\LINUX40\smb1
HomeDir Drive:
Logon Script:
Profile Path: \\LINUX40\smb1\profile
Domain: LINUX40
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 三, 06 2月 2036 23:06:39 CST
Kickoff time: 三, 06 2月 2036 23:06:39 CST
Password last set: 日, 14 11月 2021 18:54:12 CST
Password can change: 日, 14 11月 2021 18:54:12 CST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
# View the current SMB status; nobody is connected at the moment
[root@C8 ~]# smbstatus
Samba version 4.13.3
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
No locked files
host allow
# Which hosts are allowed to connect; 10. means any address whose network part is 10, and a full address can also be given
[global]
hosts allow = 10. 192.168. 192.168.0.105
log
Prepare a separate log file for each client
[global]
log file = /var/log/samba/log.%I
# log level; the default is 0, which records nothing.
log level = 2
# The effect is a separate log file for each client
[root@C8 ~]# ls /var/log/samba/
cores log.0.0.0.0 log.192.168.0.105 log.nmbd log.smbd old
# Test it
[root@template ~]# smbclient -L 192.168.0.104 -U smb1%123
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.13.3)
smb1 Disk Home Directories # the user's own home directory is shared by default
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
[root@C8 samba]# cat log.192.168.0.105
[2021/11/14 19:24:06.145968, 2] ../../source3/auth/auth.c:329(auth_check_ntlm_password)
check_ntlm_password: authentication for user [smb1] -> [smb1] -> [smb1] succeeded # the client's information is visible
[2021/11/14 19:24:06.146691, 2] ../../source3/param/loadparm.c:2864(lp_do_section)
Processing section "[homes]"
[2021/11/14 19:24:06.146856, 2] ../../source3/param/loadparm.c:2864(lp_do_section)
Processing section "[printers]"
[2021/11/14 19:24:06.146964, 2] ../../source3/param/loadparm.c:2864(lp_do_section)
Processing section "[print$]"
# Access the home directory on the server directly from the client
[root@template ~]# smbclient //192.168.0.104/smb1 -U smb1%cba-123
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
# View the connection on the server
[root@C8 ~]# smbstatus
Samba version 4.13.3
PID Username Group Machine Protocol Version Encryption Signing
----------------------------------------------------------------------------------------------------------------------------------------
37329 smb1 smb1 192.168.0.105 (ipv4:192.168.0.105:43574) SMB3_11 - partial(AES-128-CMAC)
Service pid Machine Connected at Encryption Signing
---------------------------------------------------------------------------------------------
smb1 37329 192.168.0.105 日 11月 14 19时26分42秒 2021 CST - -
No locked files
# The default home directory sharing comes entirely from the contents of this section
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
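Other
- security = user: how access is authenticated; user means access with an account and password
- passdb backend = tdbsam: this is where user names and passwords are stored
Home directories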
[homes]
# Comment text
comment = Home Directories
# Valid users, i.e. the user themselves
valid users = %S, %D%w%S
# Whether others may browse this home directory; the default is no
browseable = No
read only = No
inherit acls = Yes
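Custom
[shared_name]
path = /path/to/share_directory
# Comment text
comment = COMMENT
# Whether guest access is allowed
guest ok = yes
# Whether the share is writable; the alternative spelling is read only = No. If it is read-only, that is the same as writable = no;
writable = yes
# List of users allowed to write; separate multiple users with commas and prefix groups with @
write list = user1,user2,user3,@g1
# List of users allowed to read
valid users = user3,user4,@g2
# Check the syntax for errors
testparm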
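Client
# From c7, probe which folders the target c8 host shares
[root@template ~]# smbclient -L 192.168.0.104
Enter SAMBA\root's password: # no password entered here, just press Enter, because the server has not yet created a user name and password for any smb user
Anonymous login successful # means anonymous access is supported
Sharename Type Comment # the result shows nothing is shared at present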
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.13.3)
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
# From c7, probe which folders the target Windows host shares
yum list samba*
yum -y install samba-client
[root@template ~]# smbclient -L 192.168.0.115 -U zhanghe%PASSWD
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk 远程管理
C$ Disk 默认共享
D$ Disk 默认共享
IPC$ IPC 远程 IPC
VT Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.0.115 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
[root@template ~]# smbclient //192.168.0.115/VT -U zhanghe%PASSWD
Try "help" to get a list of possible commands.
smb: \> ls
smb: \> pwd
Current directory is \\192.168.0.115\VT\
smb: \> get 网络安全公开课20211012.mp4
smb: \> !ls # list the current local directory
anaconda-ks.cfg 网络安全公开课20211012.mp4
smb: \> put anaconda-ks.cfg
putting file anaconda-ks.cfg as \anaconda-ks.cfg (290.3 kb/s) (average 290.3 kb/s)
Access by mounting
mount -t cifs //SERVER/shared_name /local_point -o username=USERNAME,password=PASSWORD
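The mount can be written into /etc/fstab to mount automatically at boot, but putting it in fstab risks leaking the password, so mounting automatically at boot is not recommended.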
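One way to keep the password out of both the mount command line and /etc/fstab is the credentials= option of mount.cifs, which reads it from an owner-only file. The script below is an added example, not part of the original page; the mount point /mnt/smb_share, the credentials file location and the password are constructed values.

```shell
#!/bin/sh
# write_cifs_credentials FILE USER: read the password from stdin and store it
# in FILE in the username=/password= format that mount.cifs reads.
write_cifs_credentials() {
    ( umask 077                 # new file is created 0600
      rm -f -- "$1"             # never inherit the mode of an older file
      IFS= read -r pw || exit 1
      printf 'username=%s\npassword=%s\n' "$2" "$pw" > "$1" )
}

# cifs_fstab_line SERVER SHARE MOUNTPOINT FILE: print an fstab entry that
# references FILE, but only if FILE is a regular file to which group and
# others have no access at all.
cifs_fstab_line() {
    case "$(ls -ld "$4" 2>/dev/null)" in
        -???------*) ;;
        *) echo "refusing: $4 missing or accessible to group/others" >&2
           return 1 ;;
    esac
    printf '//%s/%s %s cifs credentials=%s,_netdev 0 0\n' "$1" "$2" "$3" "$4"
}

# Demonstration with constructed values in a temporary directory; on a real
# host the file would live somewhere root-owned and the line would be
# appended to /etc/fstab.
demo_dir=$(mktemp -d)
printf '%s\n' 'constructed-password' |
    write_cifs_credentials "$demo_dir/smb_share.cred" jia
cifs_fstab_line 192.168.80.136 smb_share /mnt/smb_share "$demo_dir/smb_share.cred"
rm -rf "$demo_dir"
```

The fstab entry itself then contains only the path of the credentials file, so /etc/fstab can stay world-readable without exposing the password.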
Tests
path only
Everyone can read, that is, everyone can download, but nobody can upload or delete, and anonymous access is not allowed
# Server
[root@c71 ~]# grep development /etc/group
development_1:x:1000:
development_2:x:1001:
[root@c71 ~]# tail -6 /etc/passwd
lisi:x:1001:1000::/home/lisi:/sinb/nologin
wanger:x:1002:1000::/home/wanger:/sinb/nologin
jia:x:1003:1001::/home/jia:/sinb/nologin
yi:x:1004:1001::/home/yi:/sinb/nologin
bing:x:1005:1001::/home/bing:/sinb/nologin
zhanghe:x:1006:1006::/home/zhanghe:/sbin/nologin
[root@c71 ~]# egrep -v '(^[[:space:]]*$|^#)' /etc/samba/smb.conf
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[samba_share]
path = /smb_share
# Client
[root@c72 ~]# smbclient -L 192.168.80.130
Enter SAMBA\root's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
samba_share Disk
IPC$ IPC IPC Service (Samba 4.10.16)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful
Server Comment
--------- -------
Workgroup Master
--------- -------
SAMBA C71
# Can download, cannot delete or upload
[root@c72 ~]# smbclient //192.168.80.130/samba_share -U zhangsan%cba-123
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 20 01:52:18 2022
.. D 0 Sat Feb 19 20:49:26 2022
fstab A 465 Sat Feb 19 21:36:34 2022
passwd N 1483 Sun Feb 20 01:52:18 2022
issue N 23 Sun Feb 20 01:52:18 2022
52403200 blocks of size 1024. 50726904 blocks available
smb: \> get issue
getting file \issue of size 23 as issue (4.5 KiloBytes/sec) (average 4.5 KiloBytes/sec)
smb: \> rm issue
NT_STATUS_ACCESS_DENIED deleting remote file \issue
smb: \> put anaconda-ks.cfg
NT_STATUS_ACCESS_DENIED opening remote file \anaconda-ks.cfg
# No anonymous access
[root@c72 ~]# smbclient //192.168.80.130/samba_share
Enter SAMBA\root's password:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
public
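public is really just guest ok: if we write public, it is translated to guest ok. They mean the same thing, namely whether anonymous access is allowed. Once it is enabled, anonymous users still only have download permission.
# Server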
[root@c71 ~]# grep -v "^#" /etc/samba/smb.conf
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[samba_share]
path = /smb_share
public = yes
# Client anonymous access test
[root@c72 ~]# smbclient //192.168.80.130/samba_share
Enter SAMBA\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> put anaconda-ks.cfg
NT_STATUS_ACCESS_DENIED opening remote file \anaconda-ks.cfg
smb: \> get issue
getting file \issue of size 23 as issue (3.7 KiloBytes/sec) (average 3.7 KiloBytes/sec)
smb: \> rm issue
NT_STATUS_ACCESS_DENIED deleting remote file \issue
smb: \> ls
. D 0 Sun Feb 20 01:52:18 2022
.. D 0 Sat Feb 19 20:49:26 2022
fstab A 465 Sat Feb 19 21:36:34 2022
passwd N 1483 Sun Feb 20 01:52:18 2022
issue N 23 Sun Feb 20 01:52:18 2022
52403200 blocks of size 1024. 50726172 blocks available
# Ordinary users' permissions are unchanged; they can still only download
[root@c72 ~]# smbclient //192.168.80.130/samba_share -U lisi%cba-123
Try "help" to get a list of possible commands.
smb: \> put anaconda-ks.cfg
NT_STATUS_ACCESS_DENIED opening remote file \anaconda-ks.cfg
smb: \> get fstab
getting file \fstab of size 465 as fstab (151.4 KiloBytes/sec) (average 151.4 KiloBytes/sec)
smb: \> rm fstab
NT_STATUS_ACCESS_DENIED deleting remote file \fstab
smb: \> ls
. D 0 Sun Feb 20 01:52:18 2022
.. D 0 Sat Feb 19 20:49:26 2022
fstab A 465 Sat Feb 19 21:36:34 2022
passwd N 1483 Sun Feb 20 01:52:18 2022
issue N 23 Sun Feb 20 01:52:18 2022
52403200 blocks of size 1024. 50726132 blocks available
writable
Whether the share is writable by all users; the default is no, which is equivalent to read only. writable = yes is equivalent to read only = no
# Server
[root@c71 ~]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
printcap name = cups
security = USER
workgroup = SAMBA
idmap config * : backend = tdb
cups options = raw
[samba_share]
guest ok = Yes
path = /smb_share
read only = No # automatically translated to read only
# The anonymous user on the client gets read/write permission
[root@c72 ~]# smbclient //192.168.80.130/samba_share
Enter SAMBA\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> put anaconda-ks.cfg
putting file anaconda-ks.cfg as \anaconda-ks.cfg (7.2 kb/s) (average 7.2 kb/s)
smb: \> rm issue
# Ordinary users on the client still have only read permission
[root@c72 ~]# smbclient //192.168.80.130/samba_share -U zhangsan%cba-123
Try "help" to get a list of possible commands.
smb: \> put anaconda-ks.cfg
NT_STATUS_ACCESS_DENIED opening remote file \anaconda-ks.cfg
smb: \> put /etc/issue
NT_STATUS_OBJECT_PATH_NOT_FOUND opening remote file \etc\issue
smb: \> rm issue
NT_STATUS_NO_SUCH_FILE listing \issue
smb: \> get issue
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \issue
smb: \> get fstab
getting file \fstab of size 465 as fstab (75.7 KiloBytes/sec) (average 75.7 KiloBytes/sec)
valid users
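valid users is very strong: it does not merely say who may access the share; anyone not on the list cannot even see it. When valid users and write list are both present, valid users takes effect.
# Server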
[root@c71 ~]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
printcap name = cups
security = USER
workgroup = SAMBA
idmap config * : backend = tdb
cups options = raw
[samba_share]
guest ok = Yes
path = /smb_share
read only = No
valid users = @development_1
# development has full permissions
[root@c72 ~]# smbclient //192.168.80.130/samba_share -U lisi%cba-123
Try "help" to get a list of possible commands.
smb: \> get issue
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \issue
smb: \> get fstab
getting file \fstab of size 465 as fstab (90.8 KiloBytes/sec) (average 90.8 KiloBytes/sec)
smb: \> rm fstab
smb: \> put anaconda-ks.cfg
NT_STATUS_ACCESS_DENIED opening remote file \anaconda-ks.cfg
smb: \> put issue
putting file issue as \issue (5.6 kb/s) (average 5.6 kb/s)
smb: \> exit
[root@c72 ~]# smbclient //192.168.80.130/samba_share -U jia%cba-123
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@c72 ~]# smbclient //192.168.80.130/samba_share -U yi%cba-123
tree connect failed: NT_STATUS_ACCESS_DENIED
# Anonymous access is closed off
[root@c72 ~]# smbclient //192.168.80.130/samba_share
Enter SAMBA\root's password:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
write list
Completely independent; it is best not to combine it with other options. Only those on this list have full permissions.
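The interaction that the tests above walk through, as an added example that is not part of the original page: a constructed shell model of how smbd combines guest ok, valid users, read only and write list, following the parameter descriptions in smb.conf(5). It goes beyond the page by also modelling read list and invalid users; the guest account name nobody is assumed (the Samba default), and file system permissions, which restrict the result further, are not modelled.

```shell
#!/bin/sh
# Constructed model of Samba's per-share access parameters. It does not read
# a real smb.conf; the share is described by plain shell variables.

# in_list USER "GROUPS" "LIST": succeed if USER, or @GROUP for one of the
# space-separated GROUPS, appears in the comma- or space-separated LIST.
in_list() {
    for item in $(printf '%s' "$3" | tr ',' ' '); do
        [ "$item" = "$1" ] && return 0
        for grp in $2; do
            [ "$item" = "@$grp" ] && return 0
        done
    done
    return 1
}

# share_access USER "GROUPS": print deny, ro or rw. An empty USER means an
# anonymous (guest) session.
share_access() {
    user=$1 grps=$2
    if [ -z "$user" ]; then
        [ "$guest_ok" = yes ] || { echo deny; return; }
        user=nobody grps=nobody      # assumed default "guest account"
    fi
    # invalid users always wins; a non-empty valid users is an allow-list.
    if in_list "$user" "$grps" "$invalid_users"; then echo deny; return; fi
    if [ -n "$valid_users" ] && ! in_list "$user" "$grps" "$valid_users"; then
        echo deny; return
    fi
    # read only sets the baseline; read list lowers it, write list raises it,
    # and write list wins when a user is in both.
    if [ "$read_only" = yes ]; then access=ro; else access=rw; fi
    if in_list "$user" "$grps" "$read_list"; then access=ro; fi
    if in_list "$user" "$grps" "$write_list"; then access=rw; fi
    echo "$access"
}

# reset_share: Samba defaults for the parameters modelled here.
reset_share() {
    guest_ok=no read_only=yes
    valid_users= invalid_users= read_list= write_list=
}

# The [smb_share] section from the requirement at the top of the page.
reset_share
guest_ok=yes write_list='@development_1 @development_2'
echo "anonymous: $(share_access '' '')"               # ro
echo "jia:       $(share_access jia development_2)"   # rw
echo "zhanghe:   $(share_access zhanghe zhanghe)"     # ro
```

With read only = No, adding a user to read list yields ro for that one user, which is the per-user read-only case described in the preface as hard to achieve.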