Fedora 32: Simple Local File-Sharing with Samba

Sharing files with Fedora 32 using Samba is cross-platform, convenient, reliable, and performant.

What is "Samba"?

Samba is a high-quality implementation of the Server Message Block protocol (SMB). Originally developed by Microsoft for connecting Windows computers together over local-area networks, it is now extensively used for internal network communications.

Apple used to maintain its own independent file-sharing protocol, called the "Apple Filing Protocol (AFP)"; however, in recent times it too has switched to SMB.

Within this guide we provide the minimal instructions to enable:

  • Public Folder Sharing (Read-Only and Read-Write)
  • User Home Folder Access

Note about this guide: The convention '~]$' for a local user command prompt, and '~]#' for a super user prompt, will be used.

Public Sharing Folder

Having a shared public place where authenticated users on an internal network can access files, or even modify and change them if given permission, can be very convenient. This part of the guide walks through the process of setting up a shared folder, ready for sharing with Samba.

Please Note: This guide assumes the public sharing folder is on a Modern Linux Filesystem; other filesystems such as NTFS or FAT32 will not work. Samba uses POSIX Access Control Lists (ACLs).

For those who wish to learn more about Access Control Lists, please consider reading the documentation: "Red Hat Enterprise Linux 7: System Administrator's Guide: Chapter 5. Access Control Lists", as it likewise applies to Fedora 32.

In general, this is only an issue for anyone who wishes to share a drive or filesystem that was created outside of the normal Fedora installation process (such as an external hard drive).

It is possible for Samba to share filesystem paths that do not support POSIX ACLs, however this is out of the scope of this guide.

Create the Folder

For this guide, the /srv/public/ folder will be used for sharing.

The /srv/ directory contains site-specific data served by a Red Hat Enterprise Linux system. This directory gives users the location of data files for a particular service, such as FTP, WWW, or CVS. Data that only pertains to a specific user should go in the /home/ directory.

Red Hat Enterprise Linux 7, Storage Administration Guide: Chapter 2. File System Structure and Maintenance: 2.1.1.8. The /srv/ Directory

Make the Folder (will provide an error if the folder already exists).
~]# mkdir --verbose /srv/public

Verify folder exists:
~]$ ls --directory /srv/public

Expected Output:
/srv/public

Set the Filesystem Security Context

For read and write access to the public folder, this guide will use the public_content_rw_t security context. Those who want read-only access may use public_content_t instead.

Label files and directories that have been created with the public_content_rw_t type to share them with read and write permissions through vsftpd. Other services, such as Apache HTTP Server, Samba, and NFS, also have access to files labeled with this type. Remember that booleans for each service must be enabled before they can write to files labeled with this type.

Red Hat Enterprise Linux 7, SELinux User's and Administrator's Guide: Chapter 16. File Transfer Protocol: 16.1. Types: public_content_rw_t

Add /srv/public as "public_content_rw_t" to the system's local filesystem security context customization registry:

Add new security filesystem security context:
~]# semanage fcontext --add --type public_content_rw_t "/srv/public(/.*)?"

Verify the new filesystem security context:
~]# semanage fcontext --locallist --list

Expected Output: (should include)
/srv/public(/.*)? all files system_u:object_r:public_content_rw_t:s0

Now that the folder has been added to the local system's filesystem security context registry, the restorecon command can be used to "restore" the context to the folder:

Restore security context to the /srv/public folder:
~]# restorecon -Rv /srv/public

Verify security context was correctly applied:
~]$ ls --directory --context /srv/public/

Expected Output:
unconfined_u:object_r:public_content_rw_t:s0 /srv/public/

User Permissions

Create Sharing Groups

To allow users read-only or read-write access to the public sharing folder, create two new groups that govern these permissions: public_readonly and public_readwrite.

User accounts can be granted read-only or read-write access by adding their account to the respective group (and allowing login via Samba by creating an smb password). This process is demonstrated in the section "Test Public Sharing (localhost)".

Create the public_readonly and public_readwrite groups:
~]# groupadd public_readonly
~]# groupadd public_readwrite

Verify successful creation of groups:
~]$ getent group public_readonly public_readwrite

Expected Output: (Note: the x:1...: number will probably differ on your system)
public_readonly:x:1009:
public_readwrite:x:1010:

Set Permissions

Now set the appropriate user permissions for the public sharing folder:

Set User and Group Permissions for Folder:
~]# chmod --verbose 2700 /srv/public
~]# setfacl -m group:public_readonly:r-x /srv/public
~]# setfacl -m default:group:public_readonly:r-x /srv/public
~]# setfacl -m group:public_readwrite:rwx /srv/public
~]# setfacl -m default:group:public_readwrite:rwx /srv/public

Verify user permissions have been correctly applied:
~]$ getfacl --absolute-names /srv/public

Expected Output:
# file: /srv/public
# owner: root
# group: root
# flags: -s-
user::rwx
group::---
group:public_readonly:r-x
group:public_readwrite:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:public_readonly:r-x
default:group:public_readwrite:rwx
default:mask::rwx
default:other::---
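As an added example (not from the original article), the following Python script evaluates a user's effective access against the getfacl output shown above, embedded as a constructed copy, using the POSIX ACL algorithm: owner entry first, then a named user entry, then the owning-group and named-group entries limited by the mask, and finally the other entry. The user name and group memberships it checks are assumptions taken from this guide's test section; it shows why a member of public_readonly can list the folder but not create in it, while a member of public_readwrite can do both.

```python
# Constructed copy of the `getfacl --absolute-names /srv/public` output above.
GETFACL_OUTPUT = """\
# file: /srv/public
# owner: root
# group: root
# flags: -s-
user::rwx
group::---
group:public_readonly:r-x
group:public_readwrite:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:public_readonly:r-x
default:group:public_readwrite:rwx
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return (owner, owning_group, {(tag, qualifier): perms}); default: entries are skipped."""
    header, entries = {}, {}
    for line in text.splitlines():
        if line.startswith("# "):  # '# owner: root' style header lines
            key, _, value = line[2:].partition(": ")
            header[key] = value
        elif line and not line.startswith("default:"):  # default: only affects new children
            tag, qualifier, perms = line.split(":")
            entries[(tag, qualifier)] = set(perms) - {"-"}
    return header["owner"], header["group"], entries

def effective_perms(acl, user, groups):
    """POSIX ACL order: owner, named user, owning/named groups (masked), else other."""
    owner, owning_group, entries = acl
    mask = entries.get(("mask", ""), set("rwx"))
    if user == owner:
        return entries[("user", "")]  # the owner entry is never masked
    if ("user", user) in entries:
        return entries[("user", user)] & mask
    keys = [("group", "")] if owning_group in groups else []
    keys += [("group", g) for g in groups]
    matched = [entries[k] for k in keys if k in entries]
    if matched:  # any matching group entry may grant, subject to the mask
        return set.union(*matched) & mask
    return entries[("other", "")]

def can(acl, user, groups, need):  # need: 'rx' to list a directory, 'wx' to create in it
    return set(need) <= effective_perms(acl, user, groups)
```

The ACL is only one gate: the share's own `read only` setting in smb.conf and the smbd_anon_write SELinux boolean, both covered later in this guide, must also allow writing before a Samba client can create anything here.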

Samba

Install

~]# dnf install samba

Hostname (Systemwide)

Samba uses the computer's name when sharing files; it is best to set a hostname so that the computer can easily be found on the local network.

View Your Current Hostname:
~]$ hostnamectl status

If you wish to change the hostname to something more descriptive, use the following command:

Modify your system's hostname (example):
~]# hostnamectl set-hostname "simple-samba-server"

For a more complete overview of the hostnamectl command, please read the previous Fedora Magazine article: "How to set the hostname on Fedora".

Firewall

Configuring a firewall is an involved and complex task. This guide will take only minimal action on the firewall to allow Samba through.

For those who are interested in learning more about configuring firewalls, please consider reading the documentation: "Red Hat Enterprise Linux 8: Securing networks: Chapter 5. Using and configuring firewall", as it generally applies to Fedora 32 as well.

Allow Samba access through the firewall:
~]# firewall-cmd --add-service=samba --permanent
~]# firewall-cmd --reload

Verify Samba is included in your active firewall:
~]$ firewall-cmd --list-services

Output (should include):
samba

Configuration

Remove the Default Configuration

The stock configuration that ships with Fedora 32 is not needed for this simple guide. In particular, it has support for sharing printers with Samba.

For this guide, back up the default configuration and create a new configuration file from scratch.

Create a backup copy of the existing Samba Configuration:
~]# cp --verbose --no-clobber /etc/samba/smb.conf /etc/samba/smb.conf.fedora0

Empty the configuration file:
~]# > /etc/samba/smb.conf

Samba Configuration

Please Note: This configuration file does not contain any global definitions; the defaults provided by Samba are good for the purposes of this guide.

Edit the Samba configuration file with Vim:
~]# vim /etc/samba/smb.conf

Add the following to the /etc/samba/smb.conf file:

# smb.conf - Samba Configuration File

# The name of the share is in square brackets [],
#   this will be shared as //hostname/sharename

# There are three exceptions:
#   the [global] section;
#   the [homes] section, that is dynamically set to the username;
#   the [printers] section, same as [homes], but for printers.

# path: the physical filesystem path (or device)
# comment: a label on the share, seen on the network.
# read only: disable writing, defaults to true.

# For a full list of configuration options,
#   please read the manual: "man smb.conf".

[global]

[public]
path = /srv/public
comment = Public Folder
read only = No

Write Permission

By default, Samba is not granted permission to modify any file on the system. Modify the system's security configuration to allow Samba to modify any filesystem path that has the public_content_rw_t security context.

For convenience, Fedora has a built-in SELinux boolean for this purpose called smbd_anon_write; setting it to true will enable Samba to write to any filesystem path that has been set to the public_content_rw_t security context.

Those who want Samba to have only read-only access to their public sharing folder may choose to skip this step and not set this boolean.

There are many more SELinux booleans available for Samba. For those who are interested, please read the documentation: "Red Hat Enterprise Linux 7: SELinux User's and Administrator's Guide: 15.3. Samba Booleans"; it also applies to Fedora 32 without any adaptation.

Set the SELinux boolean allowing Samba to write to filesystem paths set with the security context public_content_rw_t:
~]# setsebool -P smbd_anon_write=1

Verify bool has been correctly set:
~]$ getsebool smbd_anon_write

Expected Output:
smbd_anon_write --> on

Samba Services

The Samba service is split into two parts that we need to start.

Samba "smb" Service

The Samba "Server Message Block" (SMB) service is used for sharing files and printers over the local network.

Manual: "smbd – server to provide SMB/CIFS services to clients"

Enable and Start the Services

For those who are interested in learning more about configuring, enabling, disabling, and managing services, please consider studying the documentation: "Red Hat Enterprise Linux 7: System Administrator's Guide: 10.2. Managing System Services".

Enable and start smb and nmb services:
~]# systemctl enable smb.service
~]# systemctl start smb.service

Verify smb service:
~]# systemctl status smb.service

Test Public Sharing (localhost)

To demonstrate allowing and removing access to the public sharing folder, create a new user named samba_test_user, which will first be granted permission to read the public folder, and then permission to read and write to the public folder.

The same process demonstrated here can be used to grant access to your public sharing folder to other users of your computer.

samba_test_user will be created as a locked user account, not allowed to log in to the computer normally.

Create 'samba_test_user', and lock the account.
~]# useradd samba_test_user
~]# passwd --lock samba_test_user

Set a Samba Password for this Test User (such as 'test'):
~]# smbpasswd -a samba_test_user

Test read-only access to the public share:

Add samba_test_user to the public_readonly group:
~]# gpasswd --add samba_test_user public_readonly

Login to the local Samba Service (public folder):
~]$ smbclient --user=samba_test_user //localhost/public

First, the ls command should succeed,
Second, the mkdir command should not work,
and finally, exit:
smb: > ls
smb: > mkdir error
smb: > exit

Remove samba_test_user from the public_readonly group:
~]# gpasswd --delete samba_test_user public_readonly

Test read-write access to the public share:

Add samba_test_user to the public_readwrite group:
~]# gpasswd --add samba_test_user public_readwrite

Login to the local Samba Service (public folder):
~]$ smbclient --user=samba_test_user //localhost/public

First, the ls command should succeed,
Second, the mkdir command should work,
Third, the rmdir command should work,
and finally, exit:
smb: > ls
smb: > mkdir success
smb: > rmdir success
smb: > exit

Remove samba_test_user from the public_readwrite group:
~]# gpasswd --delete samba_test_user public_readwrite

After the test is complete, for security, disable samba_test_user's ability to log in via Samba.

Disable samba_test_user login via samba:
~]# smbpasswd -d samba_test_user

Home Folder Sharing

In this last section of the guide, Samba will be configured to share user home folders.

For example: if the user bob has registered with smbpasswd, then bob's home directory /home/bob would become the share //server-name/bob.

This share is available only to bob, and not to other users.

This is a very convenient way of accessing your own local files; however, it naturally carries a security risk.

Set Up Home Folder Sharing

Give Samba Permission for Home Folder Sharing

Set SELinux Boolean allowing Samba to read and write to home folders:
~]# setsebool -P samba_enable_home_dirs=1

Verify bool has been correctly set:
~]$ getsebool samba_enable_home_dirs

Expected Output:
samba_enable_home_dirs --> on

Add the Home Share to the Samba Configuration

Append the following to the system's smb.conf file:

# The home folder dynamically links to the user home.

# If 'bob' user uses Samba:
# The homes section is used as the template for a new virtual share:

# [homes]
# ...   (various options)

# A virtual section for 'bob' is made:
# Share is modified: [homes] -> [bob]
# Path is added: path = /home/bob
# Any option within the [homes] section is appended.

# [bob]
#       path = /home/bob
# ...   (copy of various options)


# here is our share,
# same as is included in the Fedora default configuration.

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
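To make the [homes] expansion described in the comments above concrete, here is an added Python example (not part of the original guide, and not Samba's own code) that copies the [homes] template into a per-user virtual share, adds the path, and resolves the smb.conf(5) substitutions used in valid users (%S the service name, %D the user's domain or workgroup, %w the winbind separator). The user name, home path and domain it uses are constructed sample values.

```python
import configparser

# Constructed copy of the two shares this guide adds to /etc/samba/smb.conf.
SMB_CONF = """\
[global]

[public]
path = /srv/public
comment = Public Folder
read only = No

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
"""

def load_smb_conf(text):
    cp = configparser.ConfigParser(interpolation=None)  # '%' belongs to Samba, not configparser
    cp.read_string(text)
    return cp

def expand_homes(cp, user, home, domain, winbind_sep="\\"):
    """Build the virtual [<user>] share Samba derives from [homes] for a connecting user."""
    if not cp.has_section("homes") or cp.has_section(user):
        return None  # no template, or an explicit [user] share takes precedence
    share = dict(cp["homes"])
    share["path"] = home  # added to the copy, exactly as the comments above describe
    # smb.conf(5) substitutions: %S service name, %D user's domain, %w winbind separator
    subst = {"%S": user, "%D": domain, "%w": winbind_sep}
    for key in list(share):
        for token, value in subst.items():
            share[key] = share[key].replace(token, value)
    return share

def is_writable(share):
    return share.get("read only", "yes").strip().lower() in ("no", "false", "0")

def allowed_users(share):
    """Names in 'valid users'; an empty list means Samba itself restricts nobody."""
    return [u.strip() for u in share.get("valid users", "").split(",") if u.strip()]
```

Running allowed_users over [public] returns an empty list, which is why that share's access control rests entirely on the POSIX ACL groups and the SELinux boolean set earlier, whereas the expanded home share names only its owner.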

Reload the Samba Configuration

Tell Samba to reload its configuration:
~]# smbcontrol all reload-config

Test Home Directory Sharing

Switch to samba_test_user and create a folder in its home directory:
~]# su samba_test_user
samba_test_user:~]$ cd ~
samba_test_user:~]$ mkdir --verbose test_folder
samba_test_user:~]$ exit

Enable samba_test_user to login via Samba:
~]# smbpasswd -e samba_test_user

Login to the local Samba Service (samba_test_user home folder):
~]$ smbclient --user=samba_test_user //localhost/samba_test_user

Test (all commands should complete without error):
smb: > ls
smb: > ls test_folder
smb: > rmdir test_folder
smb: > mkdir home_success
smb: > rmdir home_success
smb: > exit

Disable samba_test_user from logging in via Samba:
~]# smbpasswd -d samba_test_user
