Chinaunix首页 | 论坛 | 博客
  • 博客访问: 536444
  • 博文数量: 174
  • 博客积分: 4177
  • 博客等级: 上校
  • 技术积分: 1827
  • 用 户 组: 普通用户
  • 注册时间: 2007-10-15 14:12
文章分类

全部博文(174)

文章存档

2018年(1)

2017年(1)

2013年(3)

2012年(9)

2010年(12)

2009年(5)

2008年(106)

2007年(37)

我的朋友

分类: 系统运维

2008-02-29 16:33:05

 

1. Samba协议基础。

  在NetBIOS出现之后,Microsoft就使用NetBIOS实现了一个网络文件/打印服务系统,这个系统基于NetBIOS设定了一套文件共享协议,Microsoft称之为SMBServer Message Block)协议。这个协议被Microsoft用于它们Lan ManagerWindows NT服务器系统中,实现不同计算机之间共享打印机、串行口和通讯抽象(如命名管道、邮件插槽等)。

  随着Internet的流行,Microsoft希望将这个协议扩展到Internet上去,成为Inter net上计算机之间相互共享数据的一种标准。因此它将原有的几乎没有多少技术文档的SMB协议进行整理,重新命名为 CIFSCommon Internet File System),并打算将它与NetBIOS相脱离,试图使它成为Internet上的一个标准协议。

  因此,为了让WindowsUnix计算机相集成,最好的办法即是在Unix计算机中安装支持SMB/CIFS协议的软件,这样Windows客户就不需要更改设置,就能如同使用Windows NT服务器一样,使用Unix计算机上的资源了。Samba是用来实现SMB的一种软件,它的工作原理是,让NETBIOSWindows95网络邻居的通讯协议)和SMBServer Message Block)这两个协议运行于TCP/IP通信协议之上,并且使用WindowsNETBEUI协议让Unix计算机可以在网络邻居上被Windows计算机看到。它的功能有:

     > 共享Linux磁盘给Win95/NT

     > 共享Win95/NT磁盘给Linux机器

     > 共享Linux打印机给win95/NT

     > 共享win95/NT打印机给Linux机器。

  同时它的文件服务功能比NT系统还高,而且在Windows2000之前就提供了用户磁盘空间限制的功能。

#

# Sample configuration file for the Samba suite for Debian GNU/Linux.

#

#

# This is the main Samba configuration file. You should read the

# smb.conf(5) manual page in order to understand the options listed

# here. Samba has a huge number of configurable options most of which

# are not shown in this example

#

# Any line which starts with a ; (semi-colon) or a # (hash)

# is a comment and is ignored. In this example we will use a #

# for commentary and a ; for parts of the config file that you

# may wish to enable

#

# NOTE: Whenever you modify this file you should run the command

# "testparm" to check that you have not made any basic syntactic

# errors.

#

 

#======================= Global Settings =======================

 

[global]

 

## Browsing/Identification ###

 

# Change this to the workgroup/NT-domain name your Samba server will part of

# 定义该Samba服务器所在的工作组或者域

   workgroup = workgroup

 

# server string设定机器的描述,当我们通过网络邻居访问的时候可以在备注里面看见这个内

# 容,而且还可以使用samba设定的变量。这里说一下samba定义的变量:

#     %S = 当前服务名(如果有的话)

#     %P = 当前服务的根目录(如果有的话)

#     %u = 当前服务的用户名(如果有的话)

#     %g = 当前用户说在的主工作组

#     %U = 当前对话的用户名

#     %G = 当前对话的用户的主工作组

#     %H = 当前服务的用户的Home目录

#     %v = Samba服务的版本号。

#     %h = 运行Samba服务机器的主机名

#     %m = 客户机的NETBIOS名称

#     %L = 服务器的NETBIOS名称

#     %M = 客户机的主机名

#     %N = NIS服务器名

#     %p = NIS服务的Home目录

#     %R = 说采用的协议等级(值可以是CORE, COREPLUS, LANMAN1, LANMAN2NT1)

#     %d = 当前服务进程的ID

#     %a = 客户机的结构(只能识别几项:SambaWfWgWinNTWin95

#     %I = 客户机的IP

#     %T = 当前日期和时间

# server string is the equivalent of the NT Description field

   server string = %h server

 

# hosts allow设置可以访问Samba服务器的主机,子网或域

#  hosts allow = 网络或者主机

#  可以设置允许访问的网络和主机IP,比如允许192.168.1.0/24192.168.2.1/32访问,# 就用host allow = 192.168.1.  192.168.2.1  127.0.0.1  注意后面加”.”号,各个项目间用

# 空格隔开,记得把本机也加进去。

# 例如,同时允许主机名为client1的客户端访问,允许域名为alarm.com的域访问,允许

#  192.168.16.*的所有主机均可访问(192.168.16.4),则此项目可设置为:

#            hosts allow = clients,alarm.com,192.168.16. EXCEPT 192.168.16.4

 

 

# Windows Internet Name Serving Support Section:

# WINS是由Microsoft公司开发的一种网络名称转换服务.它的主要功能是将NetBIOS名称 # 转换为对应的IP地址.该选项用来设置是否将这台Samba服务器作为WINS服务器,默认  # 为不使用.

# WINS Support - Tells the NMBD component of Samba to enable its WINS Server

;   wins support = no

 

# WINS Server - Tells the NMBD components of Samba to be a WINS Client

# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both

# 如果一台Samba服务器不是WINS服务器,但又需要WINS服务,可设置

# ”wins server = w.x.y.z”项目来指定WINS服务器,同时这台WINS服务器还必须能在DNS

# 服务器中登记.例如:网络中有一台WINS服务器,IP地址为192.168.16.178.Samba服务器

# 用该WINS服务器提供WINS服务,则设置如下:

#            wins server = 192.168.16.178

;   wins server = w.x.y.z

 

# This will prevent nmbd to search for NetBIOS names through DNS.

   dns proxy = no

 

# What naming service and in what order should we use to resolve host names

# to IP addresses

;   name resolve order = lmhosts host wins bcast

 

#### Networking ####

 

# 有多个网卡的Samba服务器设置需要监听的网卡

# 可通过 “interfaces = 网卡IP地址或网络接口设置该功能.在默认的配置下并不使用,但为

# 了保证多网卡的Samba服务器能正常工作,应设置此项.例如,Samba服务器有两个网卡,

# 别为eth0eth1,它们所对应的IP地址是192.168.16.177202.23.56.121.设置监听的网

# 卡为eth0,具体的设置方法有如下两种

#     (1) 使用网络接口

#        interfaces = eth0

#     (2) 使用IP地址,使用该方式的配置方法有3种:

#        Interfaces = 192.168.16.177

#        Interfaces = 192.168.16.177/24

#        Interfaces = 192.168.16.177/255.255.255.0

# The specific set of interfaces / networks to bind to

# This can be either the interface name or an IP address/netmask;

# interface names are normally preferred

;   interfaces = 127.0.0.0/8 eth0

 

# Only bind to the named interfaces and/or networks; you must use the

# 'interfaces' option above to use this.

# It is recommended that you enable this feature if your Samba machine is

# not protected by a firewall or is a firewall itself.  However, this

# option cannot handle dynamic or non-broadcast interfaces correctly.

;   bind interfaces only = true

 

 

 

#### Debugging/Accounting ####

 

# This tells Samba to use a separate log file for each machine

# that connects为登录服务器的用户建立不同的日志文件

   log file = /var/log/samba/log.%m

 

# Put a capping on the size of the log files (in Kb).

# 日志文件的大小,"0"代表无限制

   max log size = 1000

 

# If you want Samba to only log through syslog then set the following

# parameter to 'yes'.

;   syslog only = no

 

# We want Samba to log a minimum amount of information to syslog. Everything

# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log

# through syslog you should set the following parameter to something higher.

   syslog = 0

 

# Do something sensible when Samba crashes: mail the admin a backtrace

   panic action = /usr/share/samba/panic-action %d

 

 

####### Authentication #######

 

 

# 定义Samba的安全级别,按从低到高分为四级:shareuserserverdomain。它们对应

# 的验证方式如下:

#     * share:没有安全性的级别,任何用户都可以不要用户名和口令访问服务器上的资源。

#     * user:samba的默认配置,要求用户在访问共享资源之前资源必须先提供用户名和密码

#     进行验证。

#     * server:user安全级别类似,但用户名和密码是递交到另外一个服务器去验证,比如

#     递交给一台NT服务器。因此,还必须指定口令服务器,即设置”password server”选项.

#     果递交失败,就退到user安全级。需要注意的是,如果采用加密的密码,Samba服务器就

#     无法反射检查原有的密码文件,所以必须指定另一个有效的smbpasswd密码文件.例如,

#     设置Samba服务器的安全等级为server,口令服务器为SMB2,另一个有效的密码文件为

#     smbpasswd_smb2,存放在/etc/samba目录下,设置如下:

#            security = server

#            password server = SMB2

#            smb passwd file = /etc/samba/smbpasswd_smb2

#     * domain:这个安全级别要求网络上存在一台Windows的主域控制器,samba把用户名

#     和密码递交给它去验证。

#     后面三种安全级都要求用户在本Linux机器上也要系统帐户。否则是不能访问的。

# "security = user" is always a good idea. This will require a Unix account

# in this server for every user accessing the server. See

# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html

# in the samba-doc package for details.

;   security = user

 

# 全局参数 ” encrypt passwords” 设置项可用来指定用户的密码是否以加密的方式发送到

# Samba服务器,默认值是使用此功能.

# You may wish to use password encryption.  See the section on

# 'encrypt passwords' in the smb.conf(5) manpage before enabling.

   encrypt passwords = true

 

# If you are using encrypted passwords, Samba will need to know what

# password database type you are using. 

   passdb backend = tdbsam

 

   obey pam restrictions = yes

 

 

# 由于Mircrosoft客户没有用户的概念,因此有时会用没有用户和口令的请求访问服务器,

# 就需要将这个没有用户的请求映射为系统中的某个用 户,Samba服务器才能安全的访问

# 系统。guest account 就定义这样的请求在Unix下对应的用户权限。为了安全的原因,不

# 能让这个帐户在系统中有可写的权限,通常可以增加一个专用帐户,如pcguest。如果

# 个设置被注释的情况下,系统缺省使用nobody执行 Windows客户的请求。建议不要使用

# nobody用户,因为系统中的很多程序缺省都使用它,因此就会有安全问题。
#
通常可以这样做先在下面的开关设置security = share ,使smb服务工作于共享级别,删除

# 系统中的nobody帐号,打开 guest account = pcguest (既去掉 ";")
#
在系统里添加一个smb groupadd -g 300 smb
#
添加smb游客帐号 useradd -u 300 -g 300 -d /dev/null -s /dev/null smbguest 这样都将用

# smbguest这个帐号来影射访问请求
#
注意一点的是,当你把security = user设置成这样(smb服务工作于用户级别)一但验证

# 失败,将退回到share级别

# 定义游客帐号,而且需要把这个帐号加入/etc/passwd,如果未指定,服务器就会以”nobody”

# 账号来处理.默认的配置是不使用,可使用默认值

;   guest account = nobody

   invalid users = root

 

 

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
#
系统在发送用户密码的时候,会把密码转换成大写再发送,这样就和samba的密码不一

# 致,这个参数可以设定密码里允许的大写字母个数,这样samba就根 据这个数目对接收

# 到的密码进行大小写重组,以重组过的密码尝试验证密码的正确性。n越大,组合的次数

# 就越多,验证时间就越长,安全性也会因此变得越低。例 n=2,用户的密码是abcd

# 但发送出去其实是ABCDsamba就会把这个ABCD进行大小写重组,组合后的结果可

# 以是: Abcd, aBcd, abCd, abcD, abcd, ABcd, AbCd, AbcD,aBCd,aBcD,abCD。所以如果没有必

# 要,就把n定为是零。这样的话samba只尝试两次,一个是接收到的密码,另一个尝试

# 的是这个密码都是小写的情况。 username level = 8 情况类似。
; password level = 8
; username level = 8

 

# This boolean parameter controls whether Samba attempts to sync the Unix

# password with the SMB password when the encrypted SMB password in the

# passdb is changed.

;   unix password sync = no

 

# For Unix password sync to work on a Debian GNU/Linux system, the following

# parameters must be set (thanks to Ian Kahan < for

# sending the correct chat script for the passwd program in Debian Sarge).

   passwd program = /usr/bin/passwd %u

   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .

 

# This boolean controls whether PAM will be used for password changes

# when requested by an SMB client instead of the program listed in

# 'passwd program'. The default is 'no'.

;   pam password change = no

 

 

 

#  “username map”用来控制用户映射的,它允许管理员指定一个映射文件,该文件包含了在

#  客户机和服务器之间进行用户映射的信息.默认情况下/etc/samba/smbusers文件为指定的

#  映射文件,这样可屏蔽本机真实用户名,防止用户猜测服务器用户名等.

#  可在/etc/samba/smbusers添加如下内容:

#     root = administrator admin

#     nobody = guest pcguest smbguest

#     tom = alarm back

 

 

########## Domains ###########

 

# Is this machine able to authenticate users. Both PDC and BDC

# must have this setting enabled. If you are the BDC you must

# change the 'domain master' setting to no

#

;   domain logons = yes

#

# The following setting only takes effect if 'domain logons' is set

# It specifies the location of the user's profile directory

# from the client point of view)

# The following required a [profiles] share to be setup on the

# samba server (see below)

;   logon path = \\%N\profiles\%U

# Another common choice is storing the profile in the user's home directory

;   logon path = \\%N\%U\profile

 

# The following setting only takes effect if 'domain logons' is set

# It specifies the location of a user's home directory (from the client

# point of view)

;   logon drive = H:

;   logon home = \\%N\%U

 

# The following setting only takes effect if 'domain logons' is set

# It specifies the script to run during logon. The script must be stored

# in the [netlogon] share

# NOTE: Must be store in 'DOS' file format convention

;   logon script = logon.cmd

 

# This allows Unix users to be created on the domain controller via the SAMR

# RPC pipe.  The example command creates a user account with a disabled Unix

# password; please adapt to your needs

; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

 

########## Printing ##########

 

# If you want to automatically load your printer list rather than setting them up individually then

#  you'll need this 设定是否自动共享打印机而不用设置下面的[printer]一节的相关东西

;   load printers = yes

 

# lpr(ng) printing. You may wish to override the location of the printcap file

# printing定义打印系统的类型,缺省是lprng,可选项有:bsd, sysv, plp, lprng, aix, hpux, qnx

# printcap name设置Samba服务启动时,将自动加载的打印机配置文件

;   printing = bsd

;   printcap name = /etc/printcap

 

# CUPS printing.  See also the cupsaddsmb(8) manpage in the

# cupsys-client package.

# 设置Samba服务启动时,将自动加载的打印机配置文件

;   printing = cups

;   printcap name = cups

 

# When using [print$], root is implicitly a 'printer admin', but you can

# also give this right to other users to add drivers and set printer

# properties

;   printer admin = @ntadmin

 

 

############ Misc ############

 

# 针对不同的连接而使用不同的smb.conf文件。这样可以让smb服务器更加强大和灵活,

# 当然咯,在强大灵活的背后,就是会让设置变的更加复杂

# Using the following line enables you to customise your configuration

# on a per machine basis. The %m gets replaced with the netbios name

# of the machine that is connecting

;   include = /home/samba/etc/smb.conf.%m

 

# Most people will find that this option gives better performance.

# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html

# for details

# You may want to add the following on a Linux system:

#         SO_RCVBUF=8192 SO_SNDBUF=8192

   socket options = TCP_NODELAY

 

# The following parameter is useful only if you have the linpopup package

# installed. The samba maintainer and the linpopup maintainer are

# working to ease installation and configuration of linpopup and samba.

;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &

 

 

# 设定smb服务器能否做为一个域的主browser,如果你的网络里已经有pdc(主域控制器),

# 就不能设置这里。

# Domain Master specifies Samba to be the Domain Master Browser. If this

# machine will be configured as a BDC (a secondary logon server), you

# must set this to 'no'; otherwise, the default behavior is recommended.

 

;   domain master = auto

 

# Some defaults for winbind (make sure you're not using the ranges

# for something else.)

;   idmap uid = 10000-20000

;   idmap gid = 10000-20000

;   template shell = /bin/bash

;

; The following was the default behaviour in sarge

; but samba upstream reverted the default because it might induce

; performance issues in large organizations

; See #368251 for some of the consequences of *not* having

; this setting and smb.conf(5) for all details

;

;   winbind enum groups = yes

;   winbind enum users = yes

 

#======================= Share Definitions =======================

 

[homes]

   comment = Home Directories

   browseable = no

 

# By default, the home directories are exported read-only. Change next

# parameter to 'yes' if you want to be able to write to them.

   writable = no

 

# File creation mask is set to 0700 for security reasons. If you want to

# create files with group=rw permissions, set next parameter to 0775.

   create mask = 0700

 

# Directory creation mask is set to 0700 for security reasons. If you want to

# create dirs. with group=rw permissions, set next parameter to 0775.

   directory mask = 0700

 

# Restrict access to home directories

# to the one of the authenticated user

# This might need tweaking when using external authentication schemes

   valid users = %S

 

# “read list = tom”用于设置只读用户,” write list = @share”用于设置可读写的用户组

# 如果所有的用户读写的权限是相同的,就可以使用”writable = yes|no”来设置

;[myshare]

;  comment = Samba’s share Dicrectory

;  read list = tom

;  write list = @share

;  path = /home/share

 

 

# Un-comment the following and create the netlogon directory for Domain Logons

# (you need to configure Samba to act as a domain controller too.)

;[netlogon]

;   comment = Network Logon Service

;   path = /home/samba/netlogon

;   guest ok = yes

;   writable = no

;   share modes = no

 

# Un-comment the following and create the profiles directory to store

# users profiles (see the "logon path" option above)

# (you need to configure Samba to act as a domain controller too.)

# The path below should be writable by all users so that their

# profile directory may be created the first time they log on

;[profiles]

;   comment = Users profiles

;   path = /home/samba/profiles

;   guest ok = no

;   browseable = no

;   create mask = 0600

;   directory mask = 0700

 

[printers]

   comment = All Printers

   browseable = no

   path = /var/spool/samba

   printable = yes

   public = no

   writable = no

   create mode = 0700

 

# Windows clients look for this share name as a source of downloadable

# printer drivers

[print$]

   comment = Printer Drivers

   path = /var/lib/samba/printers

   browseable = yes

   read only = yes

   guest ok = no

# Uncomment to allow remote administration of Windows print drivers.

# Replace 'ntadmin' with the name of the group your admin users are

# members of.

;   write list = root, @ntadmin

 

# A sample share for sharing your CD-ROM with others.

;[cdrom]

;   comment = Samba server's CD-ROM

;   writable = no

;   locking = no

;   path = /cdrom

;   public = yes

 

# The next two parameters show how to auto-mount a CD-ROM when the

#     cdrom share is accesed. For this to work /etc/fstab must contain

#     an entry like this:

#

#       /dev/scd0   /cdrom  iso9660 defaults,noauto,ro,user   0 0

#

# The CD-ROM gets unmounted automatically after the connection to the

#

# If you don't want to use auto-mounting/unmounting make sure the CD

#     is mounted on /cdrom

#

;   preexec = /bin/mount /cdrom

;   postexec = /bin/umount /cdrom

 

阅读(1556) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~