第 16.7 节 Samba 服务器
设置 samba 为独立服务器
测试环境:FreeBSD 11
安装 samba
# pkg install samba413
配置 samba
- 打开/etc/rc.conf
# ee /etc/rc.conf
- 在
/etc/rc.conf
最后加入如下,并保存:
nmbd_enable="YES"
winbindd_enable="YES"
samba_enable="YES"
samba_server_enable="YES"
- 创建
/usr/local/etc/smb4.conf
,添加如下内容并保存
#vi /usr/local/etc/smb4.conf
[root]
comment = root's stuff
path = /root
public = no
browseable = yes
writable = yes
printable = no
create mask = 0755
- 创建 samba root 用户(按提示设置密码;本例共享 /root 且可写,并使用 root 账户登录,仅适合测试环境,实际使用时建议共享一个专用目录并改用普通用户):
# smbpasswd -a root
- 进入
/usr/local/etc
# cd /usr/local/etc
- 再执行
# service samba_server start //启动命令
或
# service samba_server restart //重启命令
- 查看 samba 状态:
# service samba_server status
- 在 Windows 下利用 192.168.X.X 访问共享文件夹(以实际 IP 为准,Windows 需要先开启 SMB 1.0 支持)。注意:SMB 1.0 已被弃用且存在已知安全风险,而 Samba 自 4.11 起默认最低协议为 SMB2;如果不开启 SMB 1.0 也能通过 IP 正常访问,就不要开启它。
192.168.X.X
将 Samba 设置为域成员
环境:FreeBSD 12
配置静态 IP 地址
使用如下命令配置:
bsdconfig
配置主机名
# ee /etc/rc.conf
hostname="fb"
配置 DNS(下面示例中“//”及其后的文字只是本文的说明,不要写入 /etc/resolv.conf)
# ee /etc/resolv.conf
# Generated by resolvconf
search SVROS.COM //设置域控制器域名
# nameserver 192.168.253.2
nameserver 192.168.253.130 //设置域控制器 IP 地址
nameserver 223.5.5.5
nameserver 127.0.0.1
options edns0
修改 /etc/sysctl.conf
# echo "kern.maxfiles=25600" >> /etc/sysctl.conf
# echo "kern.maxfilesperproc=16384" >> /etc/sysctl.conf
# echo "net.inet.tcp.sendspace=65536" >> /etc/sysctl.conf
# echo "net.inet.tcp.recvspace=65536" >> /etc/sysctl.conf
创建 /etc/krb5.conf(下面示例中“//”及其后的文字只是本文的说明,不要写入文件,否则可能被当作配置值的一部分)
[libdefaults]
default_realm = SVROS.COM //设置域名
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
修改 /etc/nsswitch.conf
# sed -i -e "s/^passwd:.*/passwd: files winbind/" /etc/nsswitch.conf
# sed -i -e "s/^group:.*/group: files winbind/" /etc/nsswitch.conf
创建 /usr/local/etc/smb4.conf
[global]
workgroup = SVROS
server string = Samba Server Version %v
security = ads
realm = SVROS.COM
domain master = no
local master = no
preferred master = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
use sendfile = true
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config SVROS : backend = rid
idmap config SVROS : range = 10000-99999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/false
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba4/log.%m
max log size = 50
#============================ Share Definitions ==============================
[testshare]
comment = Test share
path = /samba/testshare
read only = no
force group = "Domain Users"
directory mode = 0770
force directory mode = 0770
create mode = 0660
force create mode = 0660
(可选)实际使用时,可将上面 [testshare] 的最后两行改为如下权限设置:
create mode = 0750
force create mode = 0750
将 samba 加入到域(会提示输入所用域账户的密码;也可以用仅被授予加域权限的账户代替 administrator)
net ads join --no-dns-updates -U administrator
net ads testjoin
# Should report "Join is OK"
# On your DC, open the DNS MMC and add an "A" entry for your BSD server so clients can find it
使 samba 启动并设置为开机自启动
# echo "samba_server_enable=YES" >> /etc/rc.conf
# echo "winbindd_enable=YES" >> /etc/rc.conf
# service samba_server start
测试 Kerberos(测试完成后建议执行 kdestroy,清除留在 /tmp 票据缓存中的域管理员票据)
kinit administrator
# Enter domain admin password, it should return to the prompt with no errors
klist
# Credentials cache: FILE:/tmp/krb5cc_0
# Principal: administrator@SVROS.COM
#
# Issued Expires Principal
# Dec 6 10:15:39 2021 Feb 4 20:15:39 2021 krbtgt
测试 Winbind
wbinfo -u
# Should return domain users
wbinfo -g
# Should return domain groups
getent passwd
# Should return domain users at the end of the list with 10000+ UIDs
getent group
# Should return domain groups at the end of the list with 10000+ GIDs
如果 wbinfo 命令显示报错,请执行命令
# service samba_server restart
创建共享文件夹
# mkdir -p /samba/testshare
# chown "administrator":"domain users" /samba/testshare
# chmod 0770 /samba/testshare
如果只允许属主可读可写,属组只允许读,用以下命令设置:
# chmod 0750 /samba/testshare
如果只允许属主可读可写,属组和其他均不可读写,用以下命令设置:
# chmod -R 0700 /samba/testshare