файловый_сервер_samba [2020/08/26 09:42] val [Идентификация доступа к файловому серверу на основе копии базы данных учетных записей] |
файловый_сервер_samba [2024/05/31 08:25] val |
Line 1: | Line 1: | ||
====== Файловый сервер SAMBA ====== | ====== Файловый сервер SAMBA ====== | ||
- | [[http://ru.wikipedia.org/wiki/Samba]] | + | * [[https://ru.wikipedia.org/wiki/Samba|Samba]] |
+ | * [[https://interface31.ru/tech_it/2023/07/vklyuchaem-otobrazhenie-samba-servera-v-setevom-okruzhenii-windows.html|Включаем отображение Samba-сервера в сетевом окружении Windows]] | ||
===== Установка SAMBA ===== | ===== Установка SAMBA ===== | ||
Line 9: | Line 10: | ||
# apt install samba | # apt install samba | ||
- | # cd /etc/samba/ | + | # mkdir -p /disk2/samba && chown games /disk2/samba |
</code> | </code> | ||
- | ==== FreeBSD ==== | ||
- | <code> | ||
- | # pkg install samba44 | ||
- | # service samba_server rcvar | ||
- | |||
- | # cat /etc/rc.conf | ||
- | </code><code> | ||
- | ... | ||
- | samba_server_enable=yes | ||
- | smbd_enable=yes | ||
- | nmbd_enable=no | ||
- | winbindd_enable=no | ||
- | </code><code> | ||
- | # сd /usr/local/etc/ | ||
- | </code> | ||
===== Публичный каталог доступный на чтение ===== | ===== Публичный каталог доступный на чтение ===== | ||
Line 47: | Line 33: | ||
guest ok = Yes | guest ok = Yes | ||
</code><code> | </code><code> | ||
- | server# testparm | + | # mkdir /var/distrs |
- | server# mkdir /var/distrs && chown games /var/distrs | + | # cd /var/distrs |
+ | |||
+ | # wget http://val.bmstu.ru/unix/Mail/Thunderbird%20Setup%2017.0.msi | ||
</code> | </code> | ||
===== Публичный каталог доступный на запись ===== | ===== Публичный каталог доступный на запись ===== | ||
Line 71: | Line 59: | ||
force user = games | force user = games | ||
# browseable = no | # browseable = no | ||
- | </code><code> | ||
- | # mkdir -p /disk2/samba | ||
- | |||
- | # chown games /disk2/samba | ||
</code><code> | </code><code> | ||
# testparm | # testparm | ||
Line 85: | Line 69: | ||
<code> | <code> | ||
server# smbpasswd -a user1 | server# smbpasswd -a user1 | ||
- | server# smbpasswd -a user2 | + | New SMB password: wpassword1 |
+ | |||
+ | server# (echo wpassword2; echo wpassword2) | smbpasswd -a user2 | ||
# pdbedit -w -L | # pdbedit -w -L | ||
Line 91: | Line 77: | ||
# smbpasswd -x user1 | # smbpasswd -x user1 | ||
- | # cat smb.conf | + | # cat /etc/samba/smb.conf |
</code><code> | </code><code> | ||
[global] | [global] | ||
Line 99: | Line 85: | ||
security = user | security = user | ||
[homes] | [homes] | ||
- | read only = no | + | read only = no |
+ | valid users = %S | ||
+ | |||
+ | ; sometimes solves the problem permission deny | ||
+ | ;;;; users = %U | ||
+ | ; force user=%U | ||
[corp_share] | [corp_share] | ||
- | path = /var/samba | + | path = /disk2/samba |
- | # valid users = user1 user2 games | + | valid users = user1 user2 games |
- | # valid users = @wheel games | + | # valid users = @group1 games |
- | # valid users = @sudo games | + | |
force user = games | force user = games | ||
read only = No | read only = No | ||
- | </code><code> | ||
- | server# mkdir /var/samba | ||
- | |||
- | server# chown -R games /var/samba | ||
</code> | </code> | ||
Line 150: | Line 137: | ||
=== Active Directory === | === Active Directory === | ||
- | == Добавляем пользователя в AD == | ||
<code> | <code> | ||
Login: gatecifs | Login: gatecifs | ||
Line 156: | Line 142: | ||
</code> | </code> | ||
Пароль не меняется и не устаревает | Пароль не меняется и не устаревает | ||
- | |||
- | == Создаем ключ сервиса cifs связывая его с фиктивным пользователем AD == | ||
Устанавливаем Microsoft Windows Support Tools | Устанавливаем Microsoft Windows Support Tools | ||
- | Название сервиса HTTP обязательно заглавными буквами | ||
<code> | <code> | ||
C:\>ktpass -princ cifs/gate.corpX.un@CORPX.UN -mapuser gatecifs -pass 'Pa$$w0rd' -out gatecifs.keytab | C:\>ktpass -princ cifs/gate.corpX.un@CORPX.UN -mapuser gatecifs -pass 'Pa$$w0rd' -out gatecifs.keytab | ||
Line 193: | Line 176: | ||
=== Настройка samba сервера в режиме ADS без использования WINBIND === | === Настройка samba сервера в режиме ADS без использования WINBIND === | ||
+ | |||
+ | * [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899269|ads with MIT Kerberos KDC fails]] | ||
+ | |||
<code> | <code> | ||
- | ubuntu# cat smb.conf | + | gate# cat /etc/samba/smb.conf |
- | + | ||
- | freebsd# cat smb4.conf | + | |
</code><code> | </code><code> | ||
[global] | [global] | ||
... | ... | ||
- | security = ADS | + | security = user |
realm = CORPX.UN | realm = CORPX.UN | ||
kerberos method = system keytab | kerberos method = system keytab | ||
- | ... | ||
- | [share] | ||
- | ... | ||
- | path = /var/samba | ||
- | valid users = @group1 games | ||
... | ... | ||
</code> | </code> | ||
Line 222: | Line 201: | ||
==== Настройка samba сервера в режиме DOMAIN/ADS c WINBIND ==== | ==== Настройка samba сервера в режиме DOMAIN/ADS c WINBIND ==== | ||
<code> | <code> | ||
- | gate# cat smb.conf | + | gate# cat /etc/samba/smb.conf |
</code><code> | </code><code> | ||
[global] | [global] | ||
Line 229: | Line 208: | ||
[homes] | [homes] | ||
- | read only = no | + | ; may be need make homedir |
- | [share] | + | read only = no |
- | path = /var/samba | + | valid users = %S |
- | ; valid users = CORPX\user1, CORPX\Administrator, CORPX\root | + | |
- | ; valid users = "@CORPX\domain admins" games | + | [corp_share] |
- | ; valid users = "@CORPX\domain users" games | + | path = /disk2/samba |
- | valid users = @group1 games | + | |
+ | ;with winbind | ||
+ | ; valid users = CORPX\user1 CORPX\Administrator CORPX\root | ||
+ | ; valid users = @CORPX\group1 | ||
+ | ; valid users = "@CORPX\domain users" | ||
+ | |||
+ | ;without winbind, group1 must be master group | ||
+ | ; valid users = @group1 games | ||
+ | |||
+ | ;without winbind | ||
+ | ; valid users = user1 user2 games | ||
+ | | ||
read only = no | read only = no | ||
force user = games | force user = games | ||
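Review bot: In the new `[corp_share]` stanza every `valid users` line is commented out (`; valid users = CORPX\user1 ...`, `; valid users = @CORPX\group1`, `; valid users = @group1 games`, `; valid users = user1 user2 games`), so as written the share has no user restriction at all, and the active `read only = no` plus `force user = games` then gives every account that can authenticate to this server write access as `games`. If the intent is to let the reader pick a variant, one of them should be left active as the default, e.g. `valid users = "@CORPX\domain users"` for the winbind case, with a comment such as `; no valid users here = every authenticated user gets write access as games` so the omission is not mistaken for a safe default. The hint `;without winbind, group1 must be master group` would be clearer as `; without winbind, @group1 matches only users whose primary group is group1`, which is the usual term. The share stanza may continue past the end of this hunk, so a `valid users` set further down would change this assessment.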
Line 241: | Line 231: | ||
===== Автоматическое создание домашних каталогов ===== | ===== Автоматическое создание домашних каталогов ===== | ||
+ | |||
+ | * Использование библиотеки PAM [[Использование библиотеки PAM#Автоматическое создание домашних каталогов]] | ||
<code> | <code> | ||
Line 246: | Line 238: | ||
</code><code> | </code><code> | ||
... | ... | ||
- | session required pam_mkhomedir.so | + | @include common-session-noninteractive |
+ | session optional pam_mkhomedir.so | ||
</code><code> | </code><code> | ||
- | gate# cat smb.conf | + | gate# cat /etc/samba/smb.conf |
</code><code> | </code><code> | ||
[global] | [global] | ||
Line 256: | Line 249: | ||
===== Отладка ===== | ===== Отладка ===== | ||
+ | |||
+ | * [[https://wiki.samba.org/index.php/Client_specific_logging|Client specific logging]] | ||
<code> | <code> | ||
- | # cat smb.conf | + | # cat /etc/samba/smb.conf |
</code><code> | </code><code> | ||
[global] | [global] | ||
... | ... | ||
- | log level = 2 | + | max log size = 0 |
- | log file = /var/log/samba.log.%m | + | log file = /var/log/samba/log.%I |
- | max log size = 50 | + | log level = 10 |
- | debug timestamp = yes | + | debug pid = yes |
+ | debug uid = yes | ||
+ | debug class = yes | ||
+ | debug hires timestamp = yes | ||
... | ... | ||
</code> | </code> | ||
Line 271: | Line 269: | ||
===== Мониторинг активности пользователей ===== | ===== Мониторинг активности пользователей ===== | ||
- | * [[https://moiristo.wordpress.com/2009/08/10/samba-logging-user-activity/|Samba: Logging User Activity]] !!! можно настроить глобально или, на конкретном ресурсе !!! | + | * [[https://moiristo.wordpress.com/2009/08/10/samba-logging-user-activity/|Samba: Logging User Activity]] !!! аудит можно настроить глобально или, на конкретном ресурсе !!! |
<code> | <code> | ||
Line 277: | Line 275: | ||
</code><code> | </code><code> | ||
... | ... | ||
- | vfs objects = full_audit | + | vfs objects = full_audit |
- | full_audit:prefix = %U|%u|%I|%m|%S | + | full_audit:prefix = %U|%u|%I|%m|%S |
- | full_audit:success = unlink open | + | full_audit:success = unlink open |
- | full_audit:failure = none | + | full_audit:failure = none |
- | full_audit:priority = NOTICE | + | full_audit:priority = NOTICE |
... | ... | ||
</code><code> | </code><code> |