smb设置参考手册


#----------------------------------------------------------------------------------#
# smb设置参考手册 #
# #
#----------------------------------------------------------------------------------#

[global]

#----------------------------------------------------------------------------------#
# workgroup = NT-Domain-Name or Workgroup-Name
# The workgroup (or domain) name this server advertises. Windows clients only find
# the server in Network Neighborhood if this matches their own workgroup/domain.
# When the server is a member of an NT domain, pair this with "security = domain".
workgroup = Sa119
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# server string is the equivalent of the NT Description field
# Free-text description returned to browsers and shown next to the server name in
# Windows clients. It is visible to anyone who can reach the server, so keep it
# generic and do not leak OS, version or role details here.
server string = Linux Smb
#----------------------------------------------------------------------------------#

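#----------------------------------------------------------------------------------#
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
# Network-level allow list applied to every share. If it is left commented out,
# any host that can reach port 139/445 may talk to smbd, so keep it set. The
# trailing "." matters: "192.168.0." is a network prefix (all of 192.168.0.0/24),
# whereas "192.168.0" would be looked up as a hostname. The loopback address is
# not included, so local tests such as "smbclient -L localhost" are refused
# unless you add "127." to the list.
hosts allow = 192.168.0.
# Make the default-deny explicit. With only "hosts allow" set Samba already
# refuses hosts that are not listed, but spelling out the deny list keeps the
# intent obvious to the next reader. Where both lists match, "hosts allow" wins.
hosts deny = ALL
#----------------------------------------------------------------------------------#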

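#----------------------------------------------------------------------------------#
# if you want to automatically load your printer list rather
# than setting them up individually then youll need this
# Printer sharing. "load printers = yes" publishes every printer found in
# "printcap name" as a share -- but only when a [printers] section exists, and
# the one further down in this file is commented out. No printer is attached to
# this host, so disable the automatic load rather than leaving smbd to parse
# /etc/printcap and publish printers nobody intended to share. Set it back to
# "yes" together with the [printers] share when printing is actually wanted.
printcap name = /etc/printcap
load printers = no
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
# Print spooler flavour; only consulted when printers are actually shared.
printing = lprng
#----------------------------------------------------------------------------------#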

#----------------------------------------------------------------------------------#
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
# Unix account under which anonymous (guest) requests run. SMB clients can connect
# without a valid user, so Samba needs some Unix identity to perform the file
# access as; whatever that identity may do on the filesystem is what an anonymous
# network client may do. Rules of thumb:
#   - Use a dedicated account with no login shell and no home directory, e.g.
#       groupadd -g 300 smb
#       useradd -u 300 -g 300 -d /dev/null -s /sbin/nologin smbguest
#   - Do not reuse "nobody": other daemons (NFS, some web servers) run as it, so a
#     guest writing through Samba could touch their files. Do NOT delete the
#     nobody account either -- those same daemons depend on it.
#   - The guest account must not have write access to anything you would not want
#     an anonymous user on the network to write.
# Whether guests are admitted at all is decided by "security", "map to guest" and
# the per-share "guest ok" settings further down. With "security = user" a failed
# login is rejected; there is no automatic fallback to share-level access. Only a
# username that does not exist is turned into the guest account, and only when
# "map to guest = Bad User" is set.
guest account = smbguest
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# this tells Samba to use a separate log file for each machine
# that connects
# One log file per client. %I expands to the client's IP address, so a connection
# from 192.168.0.5 is logged to /var/log/samba/192.168.0.5.log. The stock example
# uses %m (client NetBIOS name); %I is preferred here because the address is what
# you correlate with firewall and other logs during an investigation, while the
# NetBIOS name is chosen by the client. With user-level security %U could be used
# as well, but that spreads one client's activity across several files.
# Substitutions available in smb.conf values:
#%S = name of the current service (share)
#%P = root directory of the current service
#%u = Unix user name of the current service
#%g = primary group of %u
#%U = session user name (the name the client asked for)
#%G = primary group of %U
#%H = home directory of the user given by %u
#%v = Samba version
#%h = hostname the Samba server is running on
#%m = client NetBIOS name
#%L = NetBIOS name of the server (the name the client connected to)
#%M = client hostname (from reverse DNS lookup)
#%N = name of the NIS home directory server
#%p = path of the service's home directory, taken from the NIS auto.map
#%R = protocol level negotiated (CORE, COREPLUS, LANMAN1, LANMAN2, NT1)
#%d = process ID of the current server process
#%a = client architecture/OS as guessed by Samba
#%I = client IP address
#%T = current date and time
log file = /var/log/samba/%I.log
#----------------------------------------------------------------------------------#

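#----------------------------------------------------------------------------------#
# Put a capping on the size of the log files (in Kb).
# Per-file cap in KB. 0 means unlimited, which lets a noisy client fill the disk.
# When the cap is exceeded Samba renames the file to <name>.old and starts a new
# one, so at most about two caps' worth of history per client survives. The
# original value of 20 KB keeps almost nothing: a burst of failed logons would
# rotate the evidence away within minutes. 1000 KB per client is still bounded
# but leaves something to read after an incident; use logrotate if you need
# longer retention.
max log size = 1000
#----------------------------------------------------------------------------------#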

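#----------------------------------------------------------------------------------#
# Security mode. Most people will want user level security. See
# security_level.txt for details.
# How clients are authenticated. The classic levels:
#  share  - no per-user authentication; a password (if any) belongs to the share.
#           Insecure, removed in Samba 4.0, and it defeats the worked example
#           below, which relies on smbuser1 having to log in. Do not use it.
#  user   - the default. Clients present a username and password that Samba
#           checks against its own password database (smbpasswd / tdbsam) or,
#           for plaintext logins, via PAM. A failed login is rejected; there is
#           no silent fallback to another level.
#  server - like user, but the credentials are forwarded to the host named in
#           "password server", which is trusted completely. Deprecated and
#           removed in Samba 4.0; when that host is down, logins simply fail.
#  domain - this server is a member of an NT/AD domain and asks a domain
#           controller to validate credentials (needs a machine account).
# The original page set "share" here while the example on the [share] section
# says "user"; the two cannot both be right. "user" is what the example needs and
# the only one of the two that current Samba still accepts.
security = user
# Guest access under user-level security. "Bad User" means: a login with a wrong
# password is rejected, but a username that does not exist at all is mapped to
# the "guest account" above. A share then admits that guest only if it sets
# "guest ok = yes". Use "Never" if you do not want anonymous access at all.
map to guest = Bad User
#----------------------------------------------------------------------------------#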

#----------------------------------------------------------------------------------#
# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
# Only meaningful with "security = server" or "security = domain". Name the
# controller(s) explicitly where you can; "*" asks the network which machine
# answers for the domain, which is one more thing a host on the LAN can spoof.
; password server = <NT-Server-Name>
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
# Legacy workaround for clients that upper-case plaintext passwords before
# sending them. With n > 0 Samba retries the received password with up to n
# letters flipped to the other case, so "ABCD" with n = 2 is also tried as Abcd,
# aBcd, abCd, abcD, ABcd, AbCd, AbcD, aBCd, aBcD, abCD. Each extra letter
# multiplies the number of attempts, slows logon and -- more importantly --
# makes the password effectively case-insensitive, shrinking the search space
# for a guesser. Leave it at 0: Samba then tries the password as sent and once
# in all lower case. "username level" does the same for user names. Both are
# irrelevant with "encrypt passwords = yes", because the client then sends a
# hash rather than the text.
; password level = 8
; username level = 8
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
# Challenge/response (LM/NTLM) authentication instead of plaintext passwords on
# the wire. Every Windows release since NT4 SP3 / Win98 expects this, Samba 3.0
# and later default to it, and current Windows refuses plaintext anyway. Keep on.
encrypt passwords = yes
# Where the LM/NT hashes live. The hashes are password-equivalent: anyone who can
# read this file can authenticate as those users (pass-the-hash) without
# cracking anything. It must be owned by root with mode 0600 and must never end
# up in backups or version control that others can read.
smb passwd file = /etc/samba/smbpasswd
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# The following is needed to keep smbclient from spouting spurious errors
# when Samba is built with support for SSL.
# CA bundle for the old compile-time SSL option of Samba 2.x. That code was
# removed in Samba 3.0, so on a current build this key is unknown and testparm
# will complain about it. Leave it commented out unless you really run a 2.x
# build with SSL compiled in.
; ssl CA certFile = /usr/share/ssl/certs/ca-bundle.crt
#----------------------------------------------------------------------------------#

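#----------------------------------------------------------------------------------#
# The following are needed to allow password changing from Windows to
# update the Linux sytsem password also.
# NOTE: Use these with encrypt passwords and smb passwd file above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
# Keep the Unix password in step with the SMB password. When a client changes its
# SMB password, smbd runs "passwd program" as root and drives it with the
# "passwd chat" script; %u is the user, %n the new password. Two cautions:
#   - the chat must match your passwd(1) prompts exactly -- the pattern below is
#     the Red Hat / PAM one. Try it by hand once and adjust if needed;
#   - never enable "passwd chat debug" on a production box: it writes the new
#     password to the log in clear text.
# The newline in the chat is the backslash-n escape ("%n\n"). The original page
# had it garbled as "%n/n", which would send a literal "/n" instead of Enter and
# leave the password change hanging or failing.
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
#----------------------------------------------------------------------------------#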

#----------------------------------------------------------------------------------#
# You can use PAMs password change control flag for Samba. If
# enabled, then PAM will be used for password changes when requested
# by an SMB client instead of the program listed in passwd program.
# It should be possible to enable this without changing your passwd
# chat parameter for most setups.
# With this on, the Unix password change goes through the PAM "password" stack
# (whatever /etc/pam.d/samba says) instead of spawning "passwd program". The
# same "passwd chat" script is still used to answer the PAM prompts, which is
# why it can usually stay unchanged.

pam password change = yes
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# Unix users can map to different SMB User names
# Maps SMB login names to Unix accounts, one "unixname = smbname ..." per line.
# The /etc/samba/smbusers shipped with Red Hat maps "admin" and "administrator"
# to root, so enabling this as-is lets a Windows "administrator" who knows the
# root SMB password perform root-owned file access over the network. Review the
# file before turning this on and drop the root mapping unless you want it.
; username map = /etc/samba/smbusers
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
# Pull in an extra configuration file chosen by the connecting client's NetBIOS
# name. Flexible but easy to get wrong: %m is supplied by the client, so a host
# can select whichever per-machine file it likes by announcing that name, and a
# missing include file is skipped without error. Prefer %I (client IP) if you
# need per-client settings, or leave this off.
; include = /etc/samba/smb.conf.%m
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# This parameter will control whether or not Samba should obey PAMs
# account and session management directives. The default behavior is
# to use PAM for clear text authentication only and to ignore any
# account or session management. Note that Samba always ignores PAM
# for authentication in the case of encrypt passwords = yes
# Apply the PAM "account" and "session" stacks (pam_access, pam_time, account
# expiry, ...) to SMB logins. Mind the upstream caveat: with encrypt passwords
# on, PAM does not do the authentication -- the NT hash does -- so locking the
# Unix password alone (passwd -l) may not stop SMB logins; disable the SMB
# account too ("smbpasswd -d user"). Keep this on so the account stack at least
# gets a say.
obey pam restrictions = yes
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# setsockopt() flags applied to client connections. TCP_NODELAY (send small
# writes immediately) is the one that matters for SMB. The 8 KB socket buffers
# were tuned for 10 Mbit networks of the period; on a modern kernel they are
# smaller than the autotuned defaults and tend to hurt throughput, so consider
# dropping the SO_RCVBUF/SO_SNDBUF part.
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
# Which interfaces/subnets Samba treats as local (used for browsing, WINS and as
# the source of broadcasts). On its own this does NOT stop smbd from accepting
# connections on other interfaces; for that you also need:
;   bind interfaces only = yes
# Without that second line a server with an Internet-facing NIC still listens on
# it, and only "hosts allow" stands between the outside world and your shares.
; interfaces = 192.168.12.2/24 192.168.13.2/24
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# NetBIOS browsing: the list of servers shown in Network Neighborhood is kept by
# a few elected "browser" machines per subnet rather than by every host. The two
# options below let this server exchange browse lists with, or announce itself
# to, browsers on other subnets (broadcasts do not cross routers).
# Configure remote browse list synchronisation here
# request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
; remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
; remote announce = 192.168.1.255 192.168.2.44
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# Browser Control Options:
# set local master to no if you dont want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
# Whether nmbd may take part in master-browser elections on the local subnet.
# Set to "no" when a Windows server is supposed to hold that role.
; local master = no
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
# Election priority (0-255); higher wins. The default already beats Windows
# workstations, so only raise it if Samba must win against a Windows server.
; os level = 33
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Dont use this
# if you already have a Windows NT domain controller doing this job
# Become the domain master browser (merges browse lists across subnets). A
# Windows PDC always claims this role, so enabling it alongside one causes
# election fights and browse lists that come and go.
; domain master = yes
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
# Forces an election when nmbd starts. Leave off unless this host should be the
# local master browser -- several "preferred" hosts on one subnet keep
# re-electing each other.
; preferred master = yes
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
# Act as a domain logon server (NT4-style PDC). Also needs "domain master = yes",
# a [netlogon] share and machine accounts; not needed for a plain file server.
; domain logons = yes
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
# Optional batch file (relative to the [netlogon] share) that the client runs at
# logon; it is not required for domain logons to work. Per-machine variant:
# %m = client NetBIOS name.
; logon script = %m.bat
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# run a specific logon batch file per username
# Per-user variant: %U = logon name. "logon script" is a single-valued key, so if
# both lines are uncommented the later one wins -- pick one. Whatever is named
# here executes on every client, so the [netlogon] directory must be writable by
# root only.
; logon script = %U.bat
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
# UNC path the client uses for roaming profiles. Each user's profile directory
# should be owned by that user and unreadable by others; note that the example
# [Profiles] share below has "guest ok = yes", which is too permissive for that.
; logon path = //%L/Profiles/%U
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# NetBIOS name service (WINS) settings. WINS is the pre-DNS way Windows clients
# turn machine names into addresses; it is only needed on networks that still
# rely on NetBIOS names across subnets.
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
; wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
# Keep this off: it makes nmbd answer NetBIOS queries from DNS, which is slow
# and blurs the line between the two name spaces.
dns proxy = no
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
# Whether new long (preserve case) and 8.3 (short preserve case) filenames keep
# the case the client sent. The "default is no" in the stock comment dates from
# very old releases; check "testparm -v" for the default of the installed version.
; preserve case = no
; short preserve case = no
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# Default case is normally upper case for all DOS files
# Case used for new filenames when case is not being preserved.
default case = lower
#----------------------------------------------------------------------------------#

#----------------------------------------------------------------------------------#
# Be very careful with case sensitivity - it can break things!
# Windows clients assume case-insensitive names; leaving this at "no" lets Samba
# find "Readme.TXT" when asked for "readme.txt". Only set "yes" for Unix-only
# clients, otherwise files silently stop being found.
; case sensitive = no
#----------------------------------------------------------------------------------#


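#----------------------------------------------------------------------------------#
# Share-level parameters, in brief:
#[xxxx]                       : name of the share as clients see it.
#comment = xxxx                : description shown next to the share.
#path = /home/share            : directory exported.
#writeable = yes|no            : whether clients may write (synonym: writable).
#read only = yes|no            : the inverse of writeable; the default is yes.
#valid users = user @group     : only these users/groups may connect.
#invalid users = user @group   : these users/groups are refused.
#read list = user @group       : these get read-only access even on a writeable share.
#write list = user @group      : these may write even when the share is read only.
#admin users = user @group     : these perform all file operations as root -- avoid.
#guest ok = yes|no             : whether the guest account may connect.
#public = yes|no               : synonym for guest ok.
#hide dot files = yes|no       : hide names starting with "." (default yes).
#directory mode = 0755         : Unix mode mask for directories created here.
#create mode = 0755            : Unix mode mask for files created here.
#force create mode = 0xxx      : bits always set on new files (force directory
#force directory mode = 0xxx     mode likewise for directories).
#force user = name             : do all file access as this Unix user.
#wide links = yes|no           : follow symlinks that point outside the share.
#                                Keep "no": otherwise any user who can create a
#                                symlink can read whatever the server can.
#browseable = yes|no           : list the share in the browse list.
#max connections = n           : limit on simultaneous connections (0 = none).
#share modes = yes|no          : honour DOS share-mode locking.
#client code page = 950        : character set for DOS clients (Traditional Chinese).
# The effective permission is the intersection of what Samba grants and what the
# filesystem grants: "writeable = yes" or a "write list" entry on a directory the
# user cannot write at the Unix level still yields "access denied". Check the
# directory's owner, group and mode before blaming smb.conf.
#
# Worked example -- first comment out every active share below that you do not
# need (the stock ones are not hardened), then build a share that anonymous
# clients can read and that smbuser1 can also write:
#  1. groupadd -g 300 smb
#  2. useradd -u 300 -g 300 -d /dev/null -s /sbin/nologin smbguest
#       (must match "guest account" in [global]; /sbin/nologin rather than
#       /dev/null gives a clear refusal if anyone tries an interactive login)
#  3. useradd -u 301 -g 300 -d /dev/null -s /sbin/nologin smbuser1
#  4. security = user in [global]
#  5. mkdir /home/smbhome
#  6. chown smbuser1 /home/smbhome ; chgrp smb /home/smbhome ; chmod 0775 /home/smbhome
#  7. smbpasswd -a smbuser1     (creates the SMB account and sets its password;
#                                try smbadduser if smbpasswd refuses)
# Anonymous read access additionally needs "map to guest = Bad User" in [global];
# with "security = user" alone an unknown user is simply refused.
[share]
comment = linux share
path = /home/smbhome
guest ok = yes
write list = smbuser1
# Explicit: everyone not in "write list" is read-only. This is the default, but
# spelling it out stops a stray "writeable = yes" from being added later.
read only = yes
printable = no
# The original page had "directory mode 0775" / "create mode 0775" without the
# "=", which smb.conf rejects ("Ignoring badly formed line"), so the modes were
# silently falling back to the defaults. Directories stay group-writable so
# smbuser1 and group smb can cooperate; data files do not need the execute bit.
# If you rely on the DOS archive bit being mapped to owner-execute
# ("map archive"), use 0764 instead of 0664.
directory mode = 0775
create mode = 0664
wide links = no
# Tips:
# - After editing, restart the service: "service smb restart" (or
#   /etc/rc.d/init.d/smb restart, /etc/rc.d/init.d/samba restart).
# - "testparm" parses smb.conf, reports syntax errors and prints the effective
#   value of every parameter; run it before every restart.
# - [homes] is special: it has no "path". When a user connects to a share named
#   after their login, Samba looks up that user's home directory in the account
#   database (/etc/passwd or NSS) and exports it.
#----------------------------------------------------------------------------------#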

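#--------------------------------Share Definitions --------------------------------#
[homes]
comment = Home Directories
# Home shares are not listed; each user reaches theirs as \\server\<username>.
browseable = no
writable = yes
# Only the user whose login matches the share name may connect to it.
valid users = %S
# The original 0755/0755 made everything a user saves via SMB readable by every
# other local account. Home directories are private by default on most
# distributions, so match that here (Debian's shipped smb.conf uses 0700 too).
create mode = 0600
directory mode = 0700
printable = no
wide links = no
# If you want users samba doesnt recognize to be mapped to a guest user
# NOTE: "map to guest" is a [global] parameter; uncommenting it here would have
# no effect on this share and testparm would flag it. Set it in [global] instead.
; map to guest = bad user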


# Un-comment the following and create the netlogon directory for Domain Logons
# SECURITY: clients execute the logon scripts served from here, so the directory
# and every file in it must be owned by root and writable by root only
# (e.g. mode 0755, never group- or world-writable). Keep "writable = no".
; [netlogon]
; comment = Network Logon Service
; path = /usr/local/samba/lib/netlogon
; guest ok = yes
; writable = no
; share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the users home directory
# NOTE: roaming profiles hold users' private data and must be writable by the
# owning user, so this example is not usable as-is: set "guest ok = no",
# "writable = yes" and restrictive create/directory masks, and make each user's
# profile directory owned by that user with no access for others.
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes


# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
;[printers]
; comment = All Printers
; path = /var/spool/samba
; browseable = no
# Set public = yes to allow user guest account to print
; guest ok = no
; writable = no
; printable = yes

# This one is useful for people to share files
# CAUTION: this exports the system's /tmp read-write to anyone ("public = yes").
# Local daemons keep sockets and temporary files there, so a remote guest could
# read, delete or replace them. For a scratch share create a dedicated directory
# (e.g. /srv/samba/tmp, mode 1777) instead of reusing /tmp.
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = @staff

# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in freds
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Freds Printer
; valid users = fred
; path = /home/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes

# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Freds Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no

# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/local/pc/%m
; public = no
; writable = yes

# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other users files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no

# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Marys and Freds stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
