Konfiguracja samba LINUX
Poniżej prezentujemy sposób na uruchomienie i konfigurację systemu udostępniania plików i drukarek samba.
Artykuł opisuje podstawowe konfiguracje i narzędzia samba…
1) W celu instalacji pakietu samba na systemach dębin wykonujemy polecenie:
apt-get install samba samba-client
,w czasie instalacji manager pakietów "apt" pyta nas o nazwę grupy roboczej, podajemy nazwę np. biuro;
2) Plik konfiguracyjny samby znajduje się w /etc/samba/smb.conf
Warto skopiować plik do katalogu usera np.:
cp /etc/samba/smb.conf /home/user/samba/smb.bak
Przykładowy plik konfiguracyjny samby:
#======================= =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = biuro
# server string is the equivalent of the NT Description field
server string = biuro
# Windows Internet Name Serving Support Section:
# WINS Support — Tells the NMBD component of Samba to enable its WINS Server
# wins support = no
# WINS Server — Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no
# What naming service and in what order should we use to resolve host names
# to IP addresses
name resolve order = lmhosts host wins bcast
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
interfaces = 127.0.0.1 192.168.1.251
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
bind interfaces only = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
# syslog only = no
# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
security = user
# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = true
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
########## Domains ###########
# Is this machine able to authenticate users. Both PDC and BDC
# must have this setting enabled. If you are the BDC you must
# change the 'domain master' setting to no
#
; domain logons = yes
#
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of the user's profile directory
# from the client point of view)
# The following required a [profiles] share to be setup on the
# samba server (see below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser –quiet –disabled-password –gecos "" %u
# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd ‑g machines ‑c "%u machine account" ‑d /var/lib/samba ‑s /bin/false %u
# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup –force-badname %g
########## Printing ##########
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
# load printers = yes
# lpr(ng) printing. You may wish to override the location of the
# printcap file
; printing = bsd
; printcap name = /etc/printcap
# CUPS printing. See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
; printing = cups
; printcap name = cups
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
# socket options = TCP_NODELAY
# The following parameter is useful only if you have the linpopup package
# installed. The samba maintainer and the linpopup maintainer are
# working to ease installation and configuration of linpopup and samba.
; message command = /bin/sh ‑c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
# Domain Master specifies Samba to be the Domain Master Browser. If this
# machine will be configured as a BDC (a secondary logon server), you
# must set this to 'no'; otherwise, the default behavior is recommended.
# domain master = auto
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap uid = 10000–20000
; idmap gid = 10000–20000
; template shell = /bin/bash
# The following was the default behaviour in sarge,
# but samba upstream reverted the default because it might induce
# performance issues in large organizations.
# See Debian bug #368251 for some of the consequences of *not*
# having this setting and smb.conf(5) for details.
; winbind enum groups = yes
; winbind enum users = yes
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 (default) means that usershare is disabled.
; usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
[homes]
comment = Home Directories
browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0777
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0777
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
# A sample share for sharing your CD-ROM with others.
;[cdrom]
; comment = Samba server's CD-ROM
; read only = yes
; locking = no
; path = /cdrom
; guest ok = yes
# The next two parameters show how to auto-mount a CD-ROM when the
# cdrom share is accesed. For this to work /etc/fstab must contain
# an entry like this:
#
# /dev/scd0 /cdrom iso9660 defaults,noauto,ro,user 0 0
#
# The CD-ROM gets unmounted automatically after the connection to the
#
# If you don't want to use auto-mounting/unmounting make sure the CD
# is mounted on /cdrom
#
; preexec = /bin/mount /cdrom
; postexec = /bin/umount /cdrom
[UDZIAL1]
comment = UDZIAL1
read only = no
locking = no
path = /data/udzial1
guest ok = no
browseable = yes
create mode = 0777
directory mode = 0777
force user = user_a
force group = users
username = user_a
[UDZIAL2]
comment = UDZIAL2
read only = no
locking = no
path = /data/udzial2
guest ok = no
browseable = yes
create mode = 0777
directory mode = 0777
force user = user_a
force group = users
username = user_a
#======================= =======================
3) Należy jeszcze ustawić prawa do udostępnianych katalogów:
chmod 777 –R /data/udzial_1
chmod 777 –R /data/udzial_2
4) Do katalogów i plików trzeba też określić właściciela:
chown ‑R user_a:users /data/udział_1
chown ‑R user_a:users /data/udział_2
, gdzie parametr –R określa rekurencję
5) Aby użytkownik połączył się z udziałem samby trzeba go założyć:
# smbpasswd [opcje] [uzytkownik] [nowe_hasło]
Opcje:
• ‑h — wyświetla pomoc
• ‑a — dodaje użytkownika do bazy,
• ‑x — usuwa użytkownika z bazy,
• ‑d — wyłącza konto,
• ‑e — włącza konto,
• ‑n — usuwa hasło.
,czyli smbpasswd –a user_a haslo
6) Aby wprowadzone zmiany mogły być zastosowane, konieczne jest zrestartowanie samby:
/etc/init.d/samba restart
7) Na stacji windows możemy podłączyć się pod zasób poleceniem:
\\192.168.1.251\UDZIAL_1
8) Inne narzędzia
a) Rozwiązywanie nazw:
# nmblookup Serwer
spowoduje wyszukanie adresu IP dla nazwy NetBIOS Serwer. *Wyszukiwanie jest tylko w bieżącej podsieci, do wyszukiwania w innych podsieciach musimy skorzystać z możliwości serwera WINS.
b) Klient samby
Za pomocą narzędzia smbclient mamy możliwość operowania na zdalnym serwerze.
Ogólna składnia tego polecenia jest następująca:
# smbclient udział [hasło] [opcje]
a niektóre z opcji to:
• ‑p port — połącz na podanym porcie,
• ‑N — nie pytaj o hasło,
• ‑U uzytkownik — określa nazwę użytkownika,
• ‑L host — pobiera listę udziałów z podanego hosta,
• ‑D katalog — startuje z podanego katalogu.
Po nawiązaniu połączenia pojawia się znak zachęty i możemy rozpocząć wydawanie poleceń. Warto pamiętać, że w każdym momencie możemy wpisać polecenie
Smb: /> help
,które wypisze nam listę wszystkich dostępnych poleceń, a następnie możemy wpisać polecenie:
Smb: /> help polecenie
które opisze nam dane polecenie.
Z najbardziej podstawowych poleceń to
• ls – pokazuje zawartość bieżącego katalogu,
• cd – zmienia bieżący katalog,
• get – pobiera wskazany plik z serwera,
• put – kopiuje wskazany lokalnie plik na serwer.
Kilka przykładów użycia:
# smbclient \\\\biuro\\udzial_1 ‑U user_a
# smbclient ‑L \\\\192.168.1.251 ‑N
# smbclient ‑L //192.168.0.251 ‑N
Za pomocą smbclient możemy także wydrukować coś na drukarce udostępnionej przez SMB:
# smbclient //biuro/hplj1022 ‑c 'print plik.ps'
c) Montowanie udostępnienia na stacji klienckiej LINUX
Konieczne będzie zainstalowanie pakietu cifs-utils poleceniem:
apt-get install cifs-utils
Na kliencie możemy zamontować dany udział poleceniem:
mount ‑t cifs //192.168.1.251/UDZIAL_1 /mnt/mountpoint ‑o user=nobody
d) Podłączanie zasobów na stacji klienciej LINUX
Do podłączania (montowania) zasobów wykorzystujemy polecenie mount wskazując jako typu plików cifs (zalecany) lub smbfs (starszy). Podstawowa składnia:
mount ‑t smbfs [-o opcje] udział sciezka
gdzie najczęściej używane opcje to:
• username=uzytkownik — określamy nazwę użytkownika,
• password=haslo — przekazujemy hasło; jeśli go nie podamy, zostaniemy o nie zapytani,
• ro, rw — określa tryb: odpowiednio tylko do odczytu lub do odczytu i zapisu.
Przykładowe użycie:
# mount ‑t smbfs ‑o username=user_a,password=haslo \\\\192.168.1.251\\udzial_1 /mnt/win