
SAMBA 架設

  1. 安裝 samba 套件
    [root@kvm5 ~]# yum -y install samba
    
  2. 在 kvm5.deyu.wang 主機再新增一共享目錄 /groupdir。
    [root@kvm5 ~]# mkdir /groupdir
    
  3. ** 如果不知道 samba 相關的 fcontext type 可安裝 setools-console 套件,執行 seinfo 查詢。
    1. 查詢 seinfo 命令由哪個套件提供?
      [root@kvm5 ~]# yum provides *bin/seinfo
      ....................
      Matched from:
      Filename    : /usr/bin/seinfo
      
    2. seinfo 命令由 setools-console 提供,安裝此套件。
      [root@kvm5 ~]# yum install setools-console
      
    3. 執行 seinfo -t 列出所有 selinux fcontext type,再以管線處理及 grep 過濾 samba 相關的 type。
      [root@kvm5 ~]# seinfo -t | grep samba
         samba_secrets_t
         samba_spool_t
         samba_unconfined_script_exec_t
         samba_net_t
         samba_var_t
         samba_net_exec_t
         samba_net_tmp_t
         samba_unconfined_net_t
         samba_unconfined_script_t
         samba_unit_file_t
         sambagui_exec_t
         samba_share_t
         samba_initrc_exec_t
         sambagui_t
         samba_etc_t
         samba_log_t
      
  4. 新增 fcontext 規則,將目錄 /groupdir 及其下所有檔案的 selinux type 指定為 samba_share_t(此命令只寫入規則,實際標籤要到下一步執行 restorecon 才會套用);即使不先查詢,使用 TAB 鍵一樣會出現提示及補齊。
    [root@kvm5 ~]# semanage fcontext -a -t samba_share_t '/groupdir(/.*)?'
    
  5. 執行 restorecon,依 fcontext 規則將目錄 /groupdir 下的 selinux type 重新套用為 samba_share_t
    [root@kvm5 ~]# restorecon -vvFR /groupdir
    restorecon reset /groupdir context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
    
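  6. 編輯設定檔 /etc/samba/smb.conf,設定工作群組為 DEYUGROUP,建立分享目錄 /groupdir 的名稱為 common、可瀏覽、只允許 192.168.122.0/24 網段的用戶存取、用戶 deyu1 可以使用 123qwe 密碼存取這個分享目錄。(密碼不寫在 smb.conf 中,而是在後面以 smbpasswd 建立;123qwe 僅為練習用的範例密碼,實際環境請改用高強度密碼。下列 [common] 設定未加 valid users,因此任何已建立的 samba 用戶都能登入此分享;若只允許 deyu1,可加上 valid users = deyu1。)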
    [root@kvm5 ~]# vim /etc/samba/smb.conf
    [root@kvm5 ~]# grep '^[^#\;]' /etc/samba/smb.conf
    [global]
    	workgroup = DEYUGROUP
    	server string = Samba Server Version %v
    	# log files split per-machine:
    	log file = /var/log/samba/log.%m
    	# maximum size of 50KB per log file, then rotate:
    	max log size = 50
    	security = user
    	passdb backend = tdbsam
    	# the following login script name is determined by the machine name
    	# (%m):
    	# the following login script name is determined by the UNIX user used:
    	# use an empty path to disable profile support:
    	# various scripts can be used on a domain controller or a stand-alone
    	# machine to add or delete corresponding UNIX accounts:
    	load printers = yes
    	cups options = raw
    	# obtain a list of printers automatically on UNIX System V systems:
    [homes]
    	comment = Home Directories
    	browseable = no
    	writable = yes
    [printers]
    	comment = All Printers
    	path = /var/spool/samba
    	browseable = no
    	guest ok = no
    	writable = no
    	printable = yes
    [common]
    	path = /groupdir
    	browseable = yes
    	#hosts allow = .deyu.wang deyu.wang
    	hosts allow = 192.168.122.
    
  7. hosts allow 若要以網域名稱 .deyu.wang 限制存取,必須在 global section 加上 hostname lookups = yes 設定,Samba 才會將連線用戶端的 IP 反查成主機名稱來比對。目前有一個小問題:設定 hosts allow = .deyu.wang 允許 deyu.wang 網域的機器,卻不包含 deyu.wang 本身,必須單獨再加入。另外,以主機名稱比對的結果取決於 DNS 反查記錄是否可信;若反查記錄可被他人控制,這項限制就可能失效,以 IP 網段(如 192.168.122.)限制較為可靠。
    [root@kvm5 ~]# vim /etc/samba/smb.conf 
    [root@kvm5 ~]# grep '^\[global\]' -A2 /etc/samba/smb.conf 
    [global]
    
    hostname lookups = yes
    
    [root@kvm5 ~]# testparm 
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Processing section "[homes]"
    Processing section "[printers]"
    Processing section "[common]"
    Loaded services file OK.
    Server role: ROLE_STANDALONE
    Press enter to see a dump of your service definitions
    
    [global]
        workgroup = DEYUGROUP
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        hostname lookups = Yes
        idmap config * : backend = tdb
        cups options = raw
    
    [homes]
        comment = Home Directories
        read only = No
        browseable = No
    
    [printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        print ok = Yes
        browseable = No
    
    [common]
        path = /groupdir
        hosts allow = .deyu.wang
    
  8. 測試設定檔 /etc/samba/smb.conf 看是否有錯誤?
    [root@kvm5 ~]# testparm 
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Processing section "[homes]"
    Processing section "[printers]"
    Processing section "[common]"
    Loaded services file OK.
    Server role: ROLE_STANDALONE
    Press enter to see a dump of your service definitions
    
    [global]
    	workgroup = DEYUGROUP
    	server string = Samba Server Version %v
    	log file = /var/log/samba/log.%m
    	max log size = 50
    	idmap config * : backend = tdb
    	cups options = raw
    
    [homes]
    	comment = Home Directories
    	read only = No
    	browseable = No
    
    [printers]
    	comment = All Printers
    	path = /var/spool/samba
    	printable = Yes
    	print ok = Yes
    	browseable = No
    
    [common]
    	path = /groupdir
    	hosts allow = 192.168.122.
    
  9. 要建立 smb 用戶必須先安裝 samba-client 套件。
    [root@kvm5 ~]# yum -y install samba-client
    
  10. 如果 deyu1 用戶不存在,則新增一個用戶 deyu1。
    [root@kvm5 ~]# useradd deyu1
    
  11. 新增 deyu1 為 samba 用戶。
    [root@kvm5 ~]# smbpasswd -a deyu1
    New SMB password:
    Retype new SMB password:
    Added user deyu1.
    
  12. 查看 samba 用戶。
    [root@kvm5 ~]# pdbedit -L
    deyu1:1000:
    
  13. 架設 Samba Server 需要設定開機啟動 smb 及 nmb 服務,其中「smb」是啟用 Samba Server 的服務,而「nmb」是在 Linux 系統上啟用 NetBIOS 協定。
    [root@kvm5 ~]# systemctl enable smb.service nmb.service 
    ln -s '/usr/lib/systemd/system/smb.service' '/etc/systemd/system/multi-user.target.wants/smb.service'
    ln -s '/usr/lib/systemd/system/nmb.service' '/etc/systemd/system/multi-user.target.wants/nmb.service'
    
  14. 現在啟動 smb 及 nmb 服務。
    [root@kvm5 ~]# systemctl start smb.service nmb.service
    
  15. 查看 samba 相關的布林值。
    [root@kvm5 ~]# getsebool -a | grep samba
    samba_create_home_dirs --> off
    samba_domain_controller --> off
    samba_enable_home_dirs --> off
    samba_export_all_ro --> off
    samba_export_all_rw --> off
    samba_portmapper --> off
    samba_run_unconfined --> off
    samba_share_fusefs --> off
    samba_share_nfs --> off
    sanlock_use_samba --> off
    use_samba_home_dirs --> off
    virt_sandbox_use_samba --> off
    virt_use_samba --> off
    
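  16. 開啟 selinux 的 samba_export_all_rw 布林值,允許 Samba 讀取及寫入任何檔案及目錄(不限於標記為 samba_share_t 者);-P 選項設定不只現在開啟,開機時也開啟此布林值。注意:/groupdir 已在前面標記為 samba_share_t,只分享此目錄時並不需要開啟這個布林值;開啟後 SELinux 對 smbd 的限制會大幅放寬,建議僅在確實需要分享未標記為 samba_share_t 的目錄時才使用。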
    [root@kvm5 ~]# setsebool -P samba_export_all_rw on
    
  17. 查詢 samba_export_all_rw 布林值已開啟。
    [root@kvm5 ~]# getsebool samba_export_all_rw
    samba_export_all_rw --> on
    


De-Yu Wang 2018-09-07