Reference link:
https://www.cnblogs.com/xycoin/p/6095688.html
System and architecture:
Linux Matrix_061001 5.10.42-yocto-standard #1 Thu Jun 3 07:00:52 UTC 2021 armv7l armv7l armv7l GNU/Linux
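Samba overview:
Samba is a suite of applications that implements the SMB (Server Message Block) protocol. By supporting this protocol, Samba lets Linux servers and Windows systems communicate, making cross-platform access possible. Samba uses a client/server model: it runs NetBIOS (the protocol behind Windows Network Neighborhood) and SMB on top of TCP/IP, and uses the NetBEUI protocol so that Windows can browse the Linux server in Network Neighborhood.
A Samba server consists of two daemons: smbd and nmbd. smbd is the core of Samba; it establishes sessions between the Linux Samba server and Samba clients, authenticates users, and provides access to the file and print systems. nmbd announces the NetBIOS names and browse services that the Linux Samba server offers, so that Windows users can browse its shared resources in Network Neighborhood. Samba also includes management tools such as smb-client, smbmount, testparm and smbpasswd.
A Samba server can provide the following: WINS and DNS services; network browsing; authentication and authorization between Linux and Windows domains; Unicode character set and domain name mapping; UNIX shares that conform to the CIFS protocol; and more.
Note: The Samba server's configuration file is smb.conf, located in /etc/samba/. A backup copy of smb.conf is kept in /usr/share/samba/; if you break /etc/samba/smb.conf while configuring the server, you can use that copy to restore the initial state. The startup script is /etc/init.d/samba. After changing smb.conf, restart the Samba service with the command #/etc/init.d/samba restart
I. Install Samba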
[root@Matrix_061001 samba]apt-get update
[root@Matrix_061001 samba]apt-get install samba
II. Create the shared directory and set its permissions
[root@Matrix_061001 samba]mkdir /home/guest
[root@Matrix_061001 samba]chmod 777 /home/guest
III. Create a Samba user
# Create a Samba user
[root@Matrix_061001 samba]touch /etc/samba/smbpasswd
[root@Matrix_061001 samba]smbpasswd -a yuan
New SMB password:
Retype new SMB password:
Added user yuan.
[root@Matrix_061001 samba]
# List the current Samba users
[root@Matrix_061001 samba]pdbedit -L
root:0:root
yuan:1002:
[root@Matrix_061001 samba]
# Delete a Samba user
[root@Matrix_061001 samba]smbpasswd -x yuan
Deleted user yuan.
[root@Matrix_061001 samba]
IV. Configure the smb.conf file
[root@Matrix_061001 samba]#cat /etc/samba/smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = MYGROUP

# server string is the equivalent of the NT Description field
   server string = Samba Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
;  hosts allow = 192.168.1. 192.168.2. 127.

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
;  printing = bsd

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user

# Use password server option only with security = server
;  password server = <NT-Server-Name>

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
;  username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
;  encrypt passwords = yes
;  smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux sytsem password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
;  unix password sync = Yes
;  passwd program = /usr/bin/passwd %u
;  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
;  username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;  include = /etc/samba/smb.conf.%m

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;  interfaces = 192.168.12.2/24 192.168.13.2/24

# Configure remote browse list synchronisation here
# request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
;  remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
;  remote announce = 192.168.1.255 192.168.2.44

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;  local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;  os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;  domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;  preferred master = yes

# Use only if you have an NT server on your network that has been
# configured at install time to be a primary domain controller.
;  domain controller = <NT-Domain-Controller-SMBName>

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
;  domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;  logon script = %m.bat
# run a specific logon batch file per username
;  logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
;  logon path = \\%L\Profiles\%U

# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependant. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
;  name resolve order = wins lmhosts bcast

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
;  wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;  wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
;  wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
;  preserve case = no
;  short preserve case = no
# Default case is normally upper case for all DOS files
;  default case = lower
# Be very careful with case sensitivity - it can break things!
;  case sensitive = no

#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
;   comment = Network Logon Service
;   path = /home/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
;   path = /home/profiles
;   browseable = no
;   guest ok = yes

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

# This one is useful for people to share files
;[tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
;   comment = Public Stuff
;   path = /home/samba
;   public = yes
;   read only = yes
;   write list = @staff

# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
;   comment = Fred's Printer
;   valid users = fred
;   path = /homes/fred
;   printer = freds_printer
;   public = no
;   writable = no
;   printable = yes

# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
;   comment = Fred's Service
;   path = /usr/somewhere/private
;   valid users = fred
;   public = no
;   writable = yes
;   printable = no

# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
;   comment = PC Directories
;   path = /usr/pc/%m
;   public = no
;   writable = yes

# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
;   path = /usr/somewhere/else/public
;   public = yes
;   only guest = yes
;   writable = yes
;   printable = no

# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
;   comment = Mary's and Fred's stuff
;   path = /usr/somewhere/shared
;   valid users = mary fred
;   public = no
;   writable = yes
;   printable = no
;   create mask = 0765

[guest]
   path =/home/guest
   available = yes
   valid users = yuan
   browsable = yes
   public = yes
   writable = yes
   guest ok = yes
[root@Matrix_061001 samba]#
V. Start the Samba server
[root@Matrix_061001 samba]
[root@Matrix_061001 samba]/etc/init.d/samba stop
[root@Matrix_061001 samba]/etc/init.d/samba start
[root@Matrix_061001 samba]
VI. Usage
[root@Matrix_061001 samba]ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.11.1 netmask 255.255.255.0 broadcast 0.0.0.0
inet6 fe80::213:48ff:fe03:ccce prefixlen 64 scopeid 0x20<link>
ether 00:13:48:03:cc:ce txqueuelen 1000 (Ethernet)
RX packets 486919 bytes 31953206 (30.4 MiB)
RX errors 0 dropped 72 overruns 0 frame 0
TX packets 29540 bytes 8927645 (8.5 MiB)
TX errors 8 dropped 0 overruns 0 carrier 8 collisions 288
device interrupt 39 base 0x8000
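smb.conf configuration reference
Commonly used global options are described below.
First, the variables that Samba defines:
%S = name of the current service, if any
%P = root directory of the current service, if any
%u = user name of the current service, if any
%g = primary group of the current user
%U = user name of the current session
%G = primary group of the current session's user
%H = home directory of the current service's user
%v = Samba version number
%h = host name of the machine running Samba
%m = NetBIOS name of the client
%L = NetBIOS name of the server
%M = host name of the client
%N = NIS server name
%p = home directory of the NIS service
%R = protocol level in use (one of CORE, COREPLUS, LANMAN1, LANMAN2, NT1)
%d = process ID of the current server process
%a = architecture of the client (only a few are recognized: Samba, WfWg, WinNT, Win95)
%I = IP address of the client
%T = current date and time
1. workgroup
Sets the name of the workgroup the Samba server belongs to; the server can be found under that workgroup in Network Neighborhood. The default setting is: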
workgroup = WORKGROUP
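2. wins support
Sets whether the Samba server acts as a WINS server. If this option is enabled, the wins server option must not be set. The default setting is:
; wins support = no
This option is commented out by default.
3. wins server
Specifies the IP address or host name of the WINS server. The default setting is:
; wins server = w.x.y.z
This option is commented out by default.
4. interfaces and bind interfaces only = yes
If the server has several IP addresses or network interfaces, list them with the interfaces option. If bind interfaces only is set to yes, Samba binds to (listens on) the IP addresses or interfaces named in the interfaces option and serves requests only through them. The default setting is:
; interfaces = 127.0.0.0/8 eth0
; bind interfaces only = yes
Both options above are commented out by default.
5. dns proxy
Sets whether the DNS proxy feature is enabled. The default setting is: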
dns proxy = no
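6. log file
Sets the location and file name of the Samba log file. The default setting is:
log file = /var/log/samba/log.%m
The %m in this option is a reserved variable of the Samba configuration file; it stands for the client's NetBIOS name.
7. max log size
The maximum size of the log file in Kbytes. When the limit is exceeded, Samba appends ".old" to the current log file name and creates a new log file to continue writing. A value of 0 means no size limit. The default setting is: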
max log size = 1000
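8. syslog only
Makes Samba log only through syslog. The default setting is:
; syslog only = no
This option is commented out by default.
9. syslog
The syslog log level: (0, err) (1, warning) (2, notice) (3, info) (4 or above, debug). The default setting is: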
syslog = 0
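10. server role
The server role, which defines the mode Samba operates in. Possible values are "standalone server", "member server", "classic primary domain controller", "classic backup domain controller" and "active directory domain controller". The default setting is:
server role = standalone server
11. passdb backend
The password database format. Samba used to keep user information in flat data files; to speed things up, the password file has since been moved into a database.
The default database format is tdbsam, stored in /var/lib/samba/private/passdb.tdb. Earlier versions used the smbpasswd command to manage user passwords; now that a TDB database is used, the newer pdbedit command is recommended for managing user data, although smbpasswd still works. The default setting is: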
passdb backend = tdbsam
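12. obey pam restrictions
Integrates PAM access control into Samba. The default setting is:
obey pam restrictions = yes
13. unix password sync = yes
When a user changes the encrypted Samba password, Samba also tries to update the UNIX user's password. The default setting is: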
unix password sync = yes
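14. passwd program
Specifies the command used to change the password. The default setting is:
passwd program = /usr/bin/passwd %u
15. passwd chat
The dialogue exchanged with the password program when changing a password. The default setting is:
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
16. pam password change
Enables PAM-controlled password changes for Samba. The default setting is: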
pam password change = yes
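17. map to guest
Maps every user that the Samba host cannot correctly identify to the guest user. The default setting is:
map to guest = bad user
18. usershare max shares
The maximum number of user shares; 0 disables user shares. The default setting is:
usershare max shares = 100
19. usershare allow guests
Whether guest users are allowed access. This is equivalent to setting guest ok = yes in the share definition; the setting in the share takes precedence in the end.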
usershare allow guests = yes
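The following options do not appear in the smb.conf file, but their default values can be viewed with the testparm -v command. If a default does not match your actual setup, add the corresponding option to the configuration file.
20. netbios name = DEBIAN
Sets the NetBIOS name of the Samba server, the host name shown in Network Neighborhood. If it is not set, the first component of the server's DNS name is used by default.
21. server string = Samba 4.5.12-Debian
Sets the description of the Samba server. It can be any string, or left empty. The macro %v expands to the Samba version number.
22. hosts allow = 127. 192.168.1 192.168.10.1
Sets the clients that are allowed to connect to the Samba server; separate multiple values with spaces. A value can be a single IP address or a network. This option also works in a share section, where it applies only to that one shared directory.
hosts deny is the exact opposite of hosts allow.
ALL means all users, for example: hosts allow = ALL
EXCEPT excludes entries. For example, to allow every host except 192.168.1.100, write hosts allow = ALL EXCEPT 192.168.1.100
23. max connections = 0
max connections sets the maximum number of connections to the Samba server. Once that number is exceeded, new connection requests are refused. 0 means no limit.
24. deadtime = 0
deadtime sets the time after which a connection with no open files is dropped. The unit is minutes; 0 means the Samba server never disconnects a connection automatically.
25. time server = yes/no
time server makes nmbd act as a time server for Windows clients.
26. security = user
Sets how users are authenticated when they access the Samba server. There are four authentication modes.
- user: shared directories on the Samba server can be accessed only by authorized users, and the Samba server itself checks the account and password. The account and password must be created on this Samba server.
- domain: domain security level; authentication is performed by a primary domain controller (PDC).
- auto: this is the default security setting in Samba; Samba determines the security mode from the server role parameter (if set).
- ads: in this mode, Samba acts as a domain member in an ADS realm.
In Samba 4 the share and server authentication modes are deprecated.
27. encrypt passwords = yes/no
Whether authentication passwords are encrypted. Current Windows systems all use encrypted passwords, so this is normally enabled; the configuration file already turns it on by default.
28. username map = /etc/samba/smbusers
Defines user name mappings; for example, root can be replaced by administrator, admin and so on. The mapping must be defined in the smbusers file beforehand, for example: root = administrator admin. The users administrator or admin can then be used in place of root to log in to the Samba server, which is closer to what Windows users are used to.
29. guest account = nobody
Sets the system user name that the Samba guest user corresponds to.
30. load printers = yes/no
Sets whether printers are shared as soon as Samba starts. Almost all printers are network printers nowadays, so leaving this off by default is fine; printers are not discussed here.
31. smb ports = 139 445
Specifies the ports on which the service listens for SMB traffic.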
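Commonly used share options
A share section defines one directory shared through Samba and the settings that govern how users access it, as follows:
[share name]: The share name matters; it is just a label, the name of the shared directory that users see in Network Neighborhood.
comment = any string
Description: comment is a description of the share; it can be any string.
path = path of the shared directory
Description: path specifies the path of the shared directory. Macros such as %u and %m can stand in for the UNIX user name and the client's NetBIOS name in the path; macros are mainly used in the [homes] share section. For example, if we do not want to use the home section for client shares and instead create a directory under /home/share/ for each Linux user, named after the user, as that user's share, the path can be written as: path = /home/share/%u. When a user connects to the share, the macro is replaced by the user's name. Note that the per-user path must exist; otherwise the client cannot find the network path when it connects. Likewise, if directories are divided by client machine rather than by user, with a path named after the NetBIOS name of each machine that may access Samba, the path can be written as: path = /home/share/%m.
browseable = yes/no
Description: browseable specifies whether the share is visible in Network Neighborhood.
writable = yes/no
Description: writable specifies whether the share path is writable.
read only = yes/no
Description: makes the shared directory read-only. This option and writable are mutually exclusive, and it is best not to use both; if both appear, the one that appears last takes effect.
available = yes/no
Description: available specifies whether the shared resource is available.
admin users = administrators of the share
Description: admin users specifies the administrators of the share (who have full control over it). In Samba 3.0, this option has no effect if the authentication mode is set to "security=share".
For example: admin users =bobyuan,jane (separate multiple users with commas).
valid users = users allowed to access the share
Description: valid users specifies the users who are allowed to access the shared resource. For example: valid users = bobyuan,@bob,@tech (separate multiple users or groups with commas; to add a group, write "@" followed by the group name).
invalid users = users forbidden from accessing the share
Description: invalid users specifies the users who are not allowed to access the shared resource.
For example: invalid users = root,@bob (separate multiple users or groups with commas).
write list = users allowed to write to the share
Description: write list specifies the users who may write files in the share.
For example: write list = bobyuan,@bob
public = yes/no
Description: public specifies whether the guest account may access the share.
guest ok = yes/no
Description: same meaning as "public".
create mask = 0700
Description: sets the default permissions of files that users create in the shared directory through Samba. 0600 means files are created with permissions rw-------
directory mask = 0700
Description: sets the default permissions of directories that users create in the shared directory through Samba. 0600 means directories are created with permissions rwx------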
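The share options above overlap: public means the same as guest ok, writable is the inverse of read only, and the later of two conflicting settings wins. The Python script below is an added example, not part of the original post or of Samba; it resolves those rules and lists shares worth reviewing. The names parse_smb_conf, audit and SAMPLE and the [drop] and [docs] shares are hypothetical, and the issue texts are review prompts, not Samba's own verdicts.

```python
# Synonyms from smb.conf(5); the first group inverts the boolean value.
INVERTED = {"writable": "read only", "writeable": "read only", "write ok": "read only"}
PLAIN = {"public": "guest ok", "browsable": "browseable"}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

# Constructed sample: [guest] mirrors the share defined earlier on this page.
SAMPLE = """
[global]
;  hosts allow = 192.168.1. 192.168.2. 127.
[guest]
   path = /home/guest
   valid users = yuan
   public = yes
   writable = yes
   guest ok = yes
[drop]
   read only = yes
   writable = yes
   public = yes
[docs]
   guest ok = yes
   hosts allow = 192.168.11.
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; the last setting of a parameter wins."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in INVERTED and value.lower() in TRUE | FALSE:
                key, value = INVERTED[key], "no" if value.lower() in TRUE else "yes"
            current[PLAIN.get(key, key)] = value
    return sections

def audit(text):
    """Return (share, issue) pairs for shares that deserve a second look."""
    conf = parse_smb_conf(text)
    glob, findings = conf.pop("global", {}), []
    for name, p in conf.items():
        guest = p.get("guest ok", "no").lower() in TRUE
        writable = p.get("read only", "yes").lower() in FALSE
        if guest and p.get("valid users"):
            findings.append((name, "guest ok combined with valid users"))
        elif guest and writable:
            findings.append((name, "writable by guests"))
        if "hosts allow" not in p and "hosts allow" not in glob:
            findings.append((name, "no hosts allow restriction"))
    return findings
```

On a real server, the output of testparm -s is a good input for audit(), since it is the configuration as Samba itself parsed it.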