Operation and maintenance | Samba service shared file transfer (anonymous user access, designated user access, shared account mapping access)

Preface

1. Samba overview

Samba is a free implementation of the SMB/CIFS protocol that bridges the Linux and Windows platforms. With it, Linux and Windows systems can talk to each other directly: copying files, sharing resources across the two operating systems, and so on. A Linux host running Samba can be set up as a full file sharing server or as a print server providing local and remote printing.

2. Samba application environment
  • File and printer sharing: the main function of Samba. The smbd daemon implements resource sharing and publishes files and printers to the network for users to access;
  • Authentication and permission control: smbd supports security modes such as user (local accounts) and domain/ADS authentication; shares can be restricted to specific users, groups and client hosts, and SMB sessions can be signed and, with SMB3, encrypted;
  • Name resolution: through the nmbd service, Samba can act as an NBNS (NetBIOS Name Service) server and resolve a computer's NetBIOS name to its IP address;
  • Browse service: in a local area network the Samba server can be the local master browser (LMB) that keeps the list of available resources; when a client opens the Windows network neighborhood it supplies the browse list of shared directories, printers and other resources;

1, Samba server deployment

1. samba server installation
[root@localhost ~]# yum install -y samba
2. Turn off SELinux and the firewall (lab shortcut only)
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce 
Permissive
Both changes are temporary (neither survives a reboot) and both remove a protection layer. On a real server leave them on: permit the samba service in the firewalld zone instead of stopping firewalld, and label the share directories with the samba_share_t SELinux type (or enable the samba_export_all_rw boolean) instead of switching SELinux to permissive.
3. Modify Samba configuration file
[root@localhost ~]# vim /etc/samba/smb.conf

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]											///Global configuration
        workgroup = SAMBA
        security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]												///Printer driver share (Windows clients fetch drivers from here)
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @printadmin root
        force group = @printadmin
        create mask = 0664
        directory mask = 0775
4. Start samba service
[root@localhost ~]# systemctl start smb
5. Use a Windows client to access the shared directories

PS: no Samba account or password exists yet, so the login is rejected

2, Enterprise case practice

Case 1: anonymous user access

The company uses a workgroup named VillianTsang. Deploy a Samba file server that publishes the directory /share under the share name public, accessible to every employee
1. Create the shared directory and set permissions
[root@localhost ~]# mkdir /share				///Create the shared directory
[root@localhost ~]# chmod 777 /share			///World-readable and writable; acceptable for an anonymous lab share, but it applies to every local user as well
[root@localhost ~]# touch /share/villian.txt	///Test file inside the share
2. Modify samba configuration file
[root@localhost ~]# vim /etc/samba/smb.conf

[global]														///Modify global configuration
        workgroup = VillianTsang								///Workgroup name the clients will see
        map to guest = bad user									///Logins with an unknown user name are treated as guest (nobody); a wrong password for an existing user is still rejected
        server string = This is VillianTsang directory			///Server description shown in the network browser

[public]														///Add the share at the end of the configuration file
        comment = This is a Shared villiantsang directory		///Share description
        path = /share											///Absolute path of the shared directory
        public = yes											///Synonym for guest ok = yes: anonymous access allowed
        browsable = yes											///Synonym for browseable = yes: the share is listed; without writable = yes it stays read-only (Samba default)
3. Restart samba service
[root@localhost ~]# systemctl restart smb
4. Use a Windows client to access the share (anonymous, no password). Current Windows 10 and Windows Server clients block unauthenticated guest access to SMB2 shares by default (the "Enable insecure guest logons" Lanman Workstation policy), so the client may refuse the connection even though the server permits it; the share is still reachable with smbclient -N or from older clients.
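Before exposing a share it is worth checking what a configuration actually grants, because Samba accepts several synonyms (public / guest ok, writable / writeable / write ok, read only) and read only = yes is the default when nothing is said. The following script is an added example, not from the article or the Samba project: it walks an smb.conf section by section and reports, for each share, whether guests may connect and whether they may write. The embedded configuration is constructed for the demo; the [public] share copies case 1 above (anonymous but read-only), and [dropbox] is a deliberately weak share that should be flagged.

```shell
#!/bin/sh
# Added example (not from the original article): audit an smb.conf for shares
# that anonymous (guest) clients can reach, and whether they can write to them.
# Samba accepts several synonyms and "read only = yes" is the default, so a
# naive grep for "writable" misses cases; this walks the file section by section.

# Constructed sample config for the demo; [public] mirrors case 1 of the
# article, [dropbox] is a deliberately weak share that should be flagged.
SAMPLE_SMB_CONF='
[global]
        workgroup = VillianTsang
        map to guest = bad user

[public]
        comment = This is a Shared villiantsang directory
        path = /share
        public = yes
        browsable = yes

[dropbox]
        path = /srv/dropbox
        guest ok = yes
        read only = no

[xsb]
        path = /xsb
        valid users = @xsb
        writable = yes
'

# audit_shares <config-text>
# Prints one line per share: "<name> guest=<yes|no> write=<yes|no> <verdict>"
audit_shares() {
    printf '%s\n' "$1" | awk '
    function flush() {
        if (name == "" || name == "global") return
        verdict = "ok"
        if (guest == "yes" && write == "yes") verdict = "GUEST-WRITABLE"
        else if (guest == "yes")              verdict = "guest-readonly"
        printf "%s guest=%s write=%s %s\n", name, guest, write, verdict
    }
    # new [section]: report the previous one, reset to Samba defaults
    /^[ \t]*\[/ {
        flush()
        name = $0; gsub(/^[ \t]*\[/, "", name); sub(/].*$/, "", name)
        guest = "no"; write = "no"        # defaults: guest ok = no, read only = yes
        next
    }
    /^[ \t]*[#;]/ || !/=/ { next }        # comments and lines without key = value
    {
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        key = tolower(key); val = tolower(val)
        if (key == "guest ok" || key == "public")
            guest = (val ~ /^(yes|true|1)$/) ? "yes" : "no"
        if (key == "writable" || key == "writeable" || key == "write ok")
            write = (val ~ /^(yes|true|1)$/) ? "yes" : "no"
        if (key == "read only")
            write = (val ~ /^(no|false|0)$/) ? "yes" : "no"
    }
    END { flush() }'
}

# count_guest_writable <config-text>: number of shares anonymous users can write to
count_guest_writable() {
    audit_shares "$1" | grep -c 'GUEST-WRITABLE$' || true
}

audit_shares "$SAMPLE_SMB_CONF"
```

Run it against the real file with `audit_shares "$(cat /etc/samba/smb.conf)"`; any GUEST-WRITABLE line is a share that every host able to reach port 445 can use as a drop box.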



Case 2: designated department user access

Create a sales department share: publish the /xsb directory protected by user name and password, so that only sales colleagues who know the credentials can view it and other departments cannot access it

1. Modify samba global configuration file
[global]
        workgroup = SAMBA
        security = user								///User-level security: a valid user name and password are required
        passdb backend = smbpasswd					///Legacy flat-text password backend; the default tdbsam is the recommended choice, smbpasswd is used here so the stored hashes can be inspected
        smb passwd file = /etc/samba/smbpasswd		///Location of the password file
2. Restart samba service
[root@localhost ~]# systemctl restart smb
3. Check that the password file has been created
[root@localhost ~]# ls /etc/samba/
lmhosts  smb.conf  smb.conf.example  smbpasswd		///smbpasswd is created automatically
4. Add the sales users and group
[root@localhost ~]# groupadd xsb										///Create the sales group
[root@localhost ~]# useradd -g xsb zhangshan -M -s /sbin/nologin  		///Create Zhang San (sales): no home directory and no login shell, the account exists only to give Samba a uid/gid
[root@localhost ~]# useradd -g xsb wangwu -M -s /sbin/nologin 			///Create Wang Wu (sales)

[root@localhost ~]# id wangwu											///View the user's id information
uid=1005(wangwu) gid=1004(xsb) groups=1004(xsb)
[root@localhost ~]# id zhangshan
uid=1004(zhangshan) gid=1004(xsb) groups=1004(xsb)
5. Add samba account number of Sales Department
  • Add user and password
[root@localhost ~]# smbpasswd -a zhangshan				///Add Zhang San user of sales department to samba and set password
New SMB password:
Retype new SMB password:
Added user zhangshan.
[root@localhost ~]# smbpasswd -a wangwu
New SMB password:
Retype new SMB password:
Added user wangwu.
  • Check that the password file now has entries
[root@localhost ~]# cat /etc/samba/smbpasswd 
zhangshan:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:32ED87BDB5FDC5E9CBA88547376818D4:[U          ]:LCT-5E42242C:
wangwu:1005:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:32ED87BDB5FDC5E9CBA88547376818D4:[U          ]:LCT-5E422437:
The fields are name, uid, LM hash, NT hash, account flags and the last-change time. The X's mean no LM hash is stored. The NT hash is an unsalted MD4 of the UTF-16LE password, so two accounts with the same password carry identical hashes, as both lines do here (this value is the well-known NT hash of the six-digit password 123456), and a captured hash can be looked up in precomputed tables or used directly for NTLM authentication without cracking. Keep the file owned by root with mode 0600.
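Two things are worth checking in this file, shown here as an added example that is not part of the article: the NT hash in the fourth field is unsalted, so accounts that share a password are visible at a glance, and the flags field tells you which accounts have no password (N) or are disabled (D). The script runs those checks over a constructed copy of the file with two extra made-up records; the hash on the villian line is a placeholder value, not a real password hash.

```shell
#!/bin/sh
# Added example, not from the article: sanity checks on an smbpasswd-format file.
# Record layout: name:uid:LM hash:NT hash:[flags]:LCT-<hex time>:
# The NT hash is an unsalted MD4 of the UTF-16LE password, so equal passwords
# give equal hashes and the hash alone is enough for NTLM authentication;
# "X..." in a hash field means none is stored. Flags: U = user, N = no password,
# D = disabled.

# Constructed sample: the two article accounts (same password, hence the same NT
# hash) plus two made-up records exercising the N and D flags; the hash on the
# villian line is an arbitrary placeholder.
SAMPLE_SMBPASSWD='zhangshan:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:32ED87BDB5FDC5E9CBA88547376818D4:[U          ]:LCT-5E42242C:
wangwu:1005:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:32ED87BDB5FDC5E9CBA88547376818D4:[U          ]:LCT-5E422437:
lisi:1006:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-5E422440:
villian:1007:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[DU         ]:LCT-5E422450:'

# shared_nt_hashes <file-text>: one line "<hash> <user> <user> ..." per NT hash
# used by more than one account (a shared or reused password)
shared_nt_hashes() {
    printf '%s\n' "$1" | awk -F: '
    NF >= 4 && $4 !~ /^X+$/ {
        users[$4] = (users[$4] == "") ? $1 : users[$4] " " $1
        count[$4]++
    }
    END { for (h in users) if (count[h] > 1) printf "%s %s\n", h, users[h] }'
}

# flagged_accounts <file-text> <flag-letter>: names whose flag field contains the letter
flagged_accounts() {
    printf '%s\n' "$1" | awk -F: -v flag="$2" 'NF >= 5 && index($5, flag) > 0 { print $1 }'
}

# lm_hashes_present <file-text>: accounts that still store an LM hash (trivially crackable)
lm_hashes_present() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 && $3 !~ /^X+$/ { print $1 }'
}

echo "accounts sharing an NT hash:";    shared_nt_hashes "$SAMPLE_SMBPASSWD"
echo "accounts with no password (N):";  flagged_accounts "$SAMPLE_SMBPASSWD" N
echo "disabled accounts (D):";          flagged_accounts "$SAMPLE_SMBPASSWD" D
echo "accounts with an LM hash:";       lm_hashes_present "$SAMPLE_SMBPASSWD"
```

On the server itself the input is `"$(cat /etc/samba/smbpasswd)"`; with the default tdbsam backend the same records can be listed with `pdbedit -L -w`, which prints the smbpasswd format.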
6. Create the sales department share directory and set permissions
[root@localhost ~]# mkdir /xsb
[root@localhost ~]# chmod 777 /xsb				///World-writable: every local account can read and write /xsb directly, not only sales; for production use group ownership (chgrp xsb, mode 2770) instead
[root@localhost ~]# vim /xsb/xsb.txt			///Create a test file inside the share
hello world
7. Modify the configuration file: add the share and restrict who may use it
[xsb]
        comment = This is xsb directory
        path = /xsb
        valid users = @xsb						///Only members of the xsb Unix group may connect; with no writable/read only line the share is read-only (Samba default)
8. Restart samba service
[root@localhost ~]# systemctl restart smb
9. Use Windows client to access shared directory (use sales user + password to access)
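As written, the [xsb] stanza in step 7 is read-only for everyone (read only = yes is Samba's default) and the chmod 777 opens /xsb to every local account. The fragment below is an added example, not part of the article, showing the weak stanza beside a corrected one. It assumes the xsb group from step 4 and a hardening step the article does not perform: re-owning the directory with chgrp xsb /xsb and chmod 2770 /xsb. smb.conf only accepts whole-line comments, hence the separate comment lines.

```ini
; --- weak: what the article builds -----------------------------------------
; /xsb is mode 0777, so any local user can read and write it directly,
; and the share has no read only / writable line, so Samba's default
; "read only = yes" leaves even xsb members unable to write over SMB.
[xsb-weak]
        path = /xsb
        valid users = @xsb

; --- corrected: same share, policy enforced at both layers -----------------
; filesystem side (assumed, not in the article): chgrp xsb /xsb; chmod 2770 /xsb
[xsb]
        comment = Sales department share
        path = /xsb
; only members of the xsb Unix group may connect at all
        valid users = @xsb
; everyone in valid users is read-only ...
        read only = yes
; ... except zhangshan, who may write ("write list" only has an effect
; together with read only = yes; with writable = yes it is redundant)
        write list = zhangshan
; files and directories created over SMB belong to group xsb
        force group = xsb
; new files and directories copy the parent's mode bits, so the 2770
; directory yields 0660 files and 2770 subdirectories without 0777 anywhere
        inherit permissions = yes
; no anonymous access even if "map to guest" is set in [global]
        guest ok = no
; stays unlisted; clients must connect to \\server\xsb by name
        browseable = no
```

Run `testparm -s` after editing: it reports unknown parameters and prints the effective values, which is how to confirm that read only and write list combine as intended before restarting smb.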




Case 3: denying access to some department users (hide the share and filter client addresses)

PS1. Hide the share

browseable = no
The share no longer appears when clients browse the server; users must type its UNC path (\\server\xsb) explicitly. This is concealment, not access control: anyone who knows the name can still connect, so it has to be combined with valid users and host filtering.

PS2. Control the access source

hosts allow = 192.168.182.		///allow the 192.168.182.0/24 segment (a trailing dot means a network prefix)
hosts deny = 192.168.182.12		///deny the single address 192.168.182.12

  • hosts allow lists the clients permitted to connect. When both parameters are set and a client matches both, hosts allow wins, so the pair above does NOT block 192.168.182.12
  • hosts deny lists the clients refused; when only hosts deny is set, every address not listed is permitted
  • EXCEPT + address removes a host from the preceding list; this is the usual way to carve out one machine, for example hosts allow = 192.168.182. EXCEPT 192.168.182.12

For example, using the same configuration as case 2, deny access from the 192.168.182.0/24 segment

1. Modify the [xsb] share section of the Samba configuration file
[xsb]
        comment = This is xsb directory
        path = /xsb
        valid users = @xsb
        writable = yes							///Every valid user may write, which makes the next line redundant
        write list = zhangshan 					///Only meaningful together with read only = yes; then zhangshan alone may write and the other xsb members get read-only access
        hosts deny = 192.168.182.				///Refuse every client in 192.168.182.0/24; no hosts allow is set, so all other addresses are admitted
        browseable = no							///Hide the share; clients must use the UNC path		
2. Restart samba service
[root@localhost ~]# systemctl restart smb
3. Using Windows clients to access shared directories
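hosts allow and hosts deny are easy to get backwards, so as an added example (not Samba's own code, and not from the article) the script below reproduces smbd's decision order for the token forms used on this page (exact address, dotted prefix, CIDR or netmask, ALL, EXCEPT) and prints ALLOW or DENY for a client address. Host names, netgroups and a lower-case "except" are not handled.

```shell
#!/bin/sh
# Added example, not Samba's code: reproduces the decision rule smbd applies to
# "hosts allow" / "hosts deny" so a planned setting can be checked against a
# client address before smbd is restarted. Token forms handled: exact address,
# dotted prefix ("192.168.182."), CIDR or netmask ("192.168.0.0/16",
# "10.0.0.0/255.0.0.0"), ALL, and the EXCEPT keyword (upper case only).

ip2int() {
    # dotted quad -> unsigned 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

match_token() {
    # match_token <token> <client-ip>: status 0 when the token covers the address
    case "$1" in
        ALL) return 0 ;;
        */*)
            net=${1%/*}; bits=${1#*/}
            case "$bits" in
                *.*) mask=$(ip2int "$bits") ;;                               # netmask form
                0)   mask=0 ;;
                *)   mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )) ;; # CIDR form
            esac
            [ $(( $(ip2int "$2") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
        *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;       # network prefix
        *)   [ "$1" = "$2" ] ;;                                             # single address
    esac
}

list_match() {
    # list_match "<token list>" <client-ip>: tokens before EXCEPT are candidates;
    # a match is cancelled when any token after EXCEPT also matches.
    inc=$1; exc=""
    case "$1" in *EXCEPT*) inc=${1%%EXCEPT*}; exc=${1#*EXCEPT} ;; esac
    for t in $inc; do
        if match_token "$t" "$2"; then
            for e in $exc; do
                if match_token "$e" "$2"; then return 1; fi
            done
            return 0
        fi
    done
    return 1
}

allow_access() {
    # allow_access "<hosts allow>" "<hosts deny>" <client-ip>; "" = parameter unset.
    # Same order as smbd: loopback, neither list, allow-only, deny-only, both.
    allow=$1; deny=$2; ip=$3
    if [ "$ip" = 127.0.0.1 ]; then                          # loopback: admitted unless denied
        if [ -n "$deny" ] && list_match "$deny" "$ip"; then return 1; fi
        return 0
    fi
    if [ -z "$allow" ] && [ -z "$deny" ]; then return 0; fi # nothing set: everyone
    if [ -z "$deny" ]; then                                 # allow only: a whitelist
        if list_match "$allow" "$ip"; then return 0; else return 1; fi
    fi
    if [ -z "$allow" ]; then                                # deny only: a blacklist
        if list_match "$deny" "$ip"; then return 1; else return 0; fi
    fi
    if list_match "$allow" "$ip"; then return 0; fi         # both set: allow wins ...
    if list_match "$deny" "$ip"; then return 1; fi          # ... then deny applies ...
    return 0                                                # ... everything else is admitted
}

decide() {
    # decide "<hosts allow>" "<hosts deny>" <client-ip> -> prints ALLOW or DENY
    if allow_access "$1" "$2" "$3"; then echo ALLOW; else echo DENY; fi
}

# Case 3 of the article: the whole segment is denied and nothing is allowed explicitly
decide "" "192.168.182." 192.168.182.12                          # DENY
decide "" "192.168.182." 10.0.0.7                                # ALLOW
# Both lists set and the host is in both: allow takes precedence
decide "192.168.182." "192.168.182.12" 192.168.182.12            # ALLOW
# Carving one host out of an allowed segment needs EXCEPT
decide "192.168.182. EXCEPT 192.168.182.12" "" 192.168.182.12    # DENY
```

The third call is the trap from PS2 above: listing a host in hosts deny while its segment is in hosts allow does nothing. The real server applies the same rule, and `testparm` with a host name and address as its two extra arguments will report, per share, whether that client would be admitted.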



3, Account mapping

Samba account information is stored in the smbpasswd file (or the tdbsam database), and every Samba account must correspond to a Unix account of the same name. An attacker who learns a Samba user name therefore also learns a valid Linux user name, and a guessed or cracked Samba password can be tried against other services on the host (the /sbin/nologin shell used above blocks interactive logins, but not every service consults the shell). The username map feature decouples the two: clients log in with SMB names that need not exist on the system, and Samba maps them to the real Unix account.

1. Modify samba global configuration file
[root@localhost ~]# vim /etc/samba/smb.conf

username map = /etc/samba/smbusers				///Add this line to the global configuration
2. Configure samba share profile
[root@localhost ~]# vim /etc/samba/smb.conf

[xsb]
        comment = This is xsb directory			
        path = /xsb								///Shared directory
        valid users = @xsb						///Members of the xsb group (sales department) may connect; the mapped Unix account must be in this group too
        writable = yes							///The share is writable
        write list = @xsb						///Redundant with writable = yes for the same group; kept for clarity
        public = no								///Synonym for guest ok = no: no anonymous access
3. Create smbusers text
[root@localhost ~]# vim /etc/samba/smbusers

villian = zhangshan lisi wangwu zhaoliu			///Left side is the Unix account, right side the SMB login names: clients who log in as zhangshan, lisi, wangwu or zhaoliu are mapped to the Unix user villian
4. Create the villian Samba account that the mapped names resolve to
villian must already exist as a Unix account (create it like the sales users in case 2, in group xsb, with -M -s /sbin/nologin), otherwise smbpasswd -a fails. With security = user the map is applied before the password check, so the four login names authenticate with villian's Samba password rather than their own: they share one credential and appear as villian in the Samba logs, which is the price of hiding the real account name.
[root@localhost ~]# smbpasswd -a villian
New SMB password:
Retype new SMB password:
5. Restart samba service
[root@localhost ~]# systemctl restart smb
6. Using Windows clients to access shared directories
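The direction of a username map line, and the fact that processing continues past a matching line, are the two things that surprise people when the mapped share does not behave as expected. As an added example that is not part of the article or of Samba, the script below resolves a login name through a map file the way smbd does, using the article's own line and a constructed file that also exercises the "!" prefix and chaining; quoted multi-word names and @group entries are not handled.

```shell
#!/bin/sh
# Added example, not from the article: resolve a client login name through a
# "username map" file the way smbd does, to check the direction of the mapping
# before relying on it. Rules from smb.conf(5):
#   unix_name = smb_name1 smb_name2 ...  (left: Unix account, right: client names)
#   lines are processed top to bottom; a name that has just been mapped can be
#   mapped again by a later line unless the Unix name is prefixed with "!";
#   "*" on the right matches any name; "#" and ";" start comment lines.
# Quoted multi-word names and @group entries are not handled here.

# The article's single-line map (constructed copy)
ARTICLE_SMBUSERS='villian = zhangshan lisi wangwu zhaoliu'

# Constructed sample showing the two rules that surprise people: "!" and chaining
SAMPLE_SMBUSERS='# smbusers: unix_name = smb_name ...
villian = zhangshan lisi wangwu zhaoliu
!nobody = guest pcguest
; a later line re-maps the result of an earlier one
sales-shared = villian
'

# map_username <map-text> <login-name>: prints the Unix account smbd would use
map_username() {
    printf '%s\n' "$1" | awk -v name="$2" '
    finished { next }                         # a "!" line matched: stop mapping
    /^[ \t]*[#;]/ || !/=/ { next }            # comments and lines without "="
    {
        uname = $0; sub(/=.*/, "", uname); gsub(/^[ \t]+|[ \t]+$/, "", uname)
        rhs   = $0; sub(/^[^=]*=/, "", rhs)
        stop = 0
        if (substr(uname, 1, 1) == "!") { stop = 1; uname = substr(uname, 2) }
        n = split(rhs, names, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (names[i] == "") continue
            # SMB names are case-insensitive; "*" is a wildcard
            if (names[i] == "*" || tolower(names[i]) == tolower(name)) {
                name = uname                  # mapped; later lines may map it again
                if (stop) finished = 1
                break
            }
        }
    }
    END { print name }'
}

map_username "$ARTICLE_SMBUSERS" zhangshan    # villian: client "zhangshan" becomes Unix user villian
map_username "$SAMPLE_SMBUSERS"  zhangshan    # sales-shared: villian is re-mapped by the last line
map_username "$SAMPLE_SMBUSERS"  guest        # nobody: the "!" stops further processing
map_username "$SAMPLE_SMBUSERS"  bob          # bob: unmapped names pass through unchanged
```

The second result is the pitfall: with the article's line at the top of a longer file, every sales login would silently follow villian through any later rule that names villian, so put "!" in front of a Unix name whenever the mapping is meant to be final.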



Extension 1: pdbedit command description

The pdbedit command manages the Samba account database; format: "pdbedit [options] account".
When a user is written to the database for the first time, use the -a option; afterwards the same command can change the password, delete the user, and so on.

pdbedit -L: list Samba users
pdbedit -a -u user: add a Samba user (the Unix account must already exist)
pdbedit -r -u user: modify a Samba user's information
pdbedit -x -u user: delete a Samba user

The same database can also be managed with the smbpasswd command:
smbpasswd -a user: add a Samba user
smbpasswd -d user: disable a Samba user (sets the D flag; the account stays in the database)
smbpasswd -e user: re-enable a disabled Samba user
smbpasswd -x user: delete a Samba user

Extension 2: clear the login cache information




Tags: Windows network vim Linux

Posted on Tue, 11 Feb 2020 01:18:03 -0500 by beeman000