Linux as a "file server"
http://www.lelew.com/ 2004-05-22 09:19:13
I. Introduction to Samba

File services for Windows clients are provided by Samba. Anyone who has run an MS Windows network knows that the core of such a network is SMB/CIFS; Samba is the software package that implements the SMB/CIFS protocol on UNIX-like systems, and since Linux is a UNIX clone it can run this software as well. Compared with NT, Samba's file service is no weaker and is very efficient; combined with Linux's own facilities it can enforce per-user disk space limits, something NT up to 4.0 still cannot do. Samba is developed by the Samba Team (http://samba.org) and is updated quickly: the latest version is 2.0.7, released on April 25, 2000, and every release adds features and fixes known bugs. The material in this chapter is based on version 2.0.3.

Most Linux distributions ship Samba. If your distribution is Red Hat it is available as an RPM: you can select it while installing Linux, or install it separately as root with

    rpm -i samba-2.0.3-8.i386.rpm

If your distribution does not include it, download it from ftp://samba.org/pub/samba. In addition, your Linux kernel must support SMBFS. Most distributions enable SMBFS support; if yours does not, you must recompile the kernel with SMBFS support (see the related articles on compiling the kernel).

Since this chapter is about building a file server, it concentrates on Samba's use as a file server. At present Samba cannot completely replace Windows NT; in particular it is better not to set Samba up as a PDC, because an NT PDC is very complex and Samba implements only some of its features. Hopefully a future version will manage it. The software consists of a series of components.
The main components are:

    smbd               the SMB server, which provides file and print services to SMB clients
    nmbd               the NetBIOS name server, which provides NetBIOS name service and browsing support and helps SMB clients locate servers
    smbclient          the SMB client, used to access shared resources on an SMB server
    testprns           tests whether the server can access a printer
    testparm           checks the correctness of the Samba configuration file
    smb.conf           the Samba configuration file
    smbstatus          lists the current connections on the smbd server
    make_smbcodepage   generates a code page file for the file system
    smbpasswd          sets a user's password
    swat               Samba's web-based management tool

II. Configuring Samba

Once Samba is installed it will run as soon as the line workgroup = XXXXX in the configuration file names your own workgroup, but that alone does not meet our needs.
Samba's configuration revolves around smb.conf. There are several ways to configure it: if you are experienced you can edit the file by hand, you can configure it through linuxconf, or you can use Samba's own web-based management tool, SWAT, which listens on port 901. Installing Samba adds this line to /etc/services on your machine:

    swat 901/tcp    # add swat service

and SWAT is started via inetd with this line in inetd.conf:

    swat stream tcp nowait.400 root /usr/sbin/swat swat

Type http://yourhostname:901/ in the browser's address bar to enter SWAT and manage Samba.

Here we look at configuring the file by hand to turn Samba into a file server that meets our needs. First a small smb.conf:

    # smb.conf example
    [global]
       workgroup = WORKGROUP
       server string = Samba Server
       hosts allow = 192.168.1. 127.
       load printers = no
       printcap name = /etc/printcap
       guest account = guest
       log file = /usr/local/samba/var/log.%m
       max log size = 50
       security = user
       socket options = TCP_NODELAY

    [homes]
       comment = Home Directories
       browseable = yes
       writable = yes

    [printers]
       comment = All Printers
       path = /usr/spool/samba
       browseable = no
       guest ok = no
       writable = no
       printable = yes
       printer driver = Epson LQ-1600K

    [tmp]
       comment = Temporary files
       path = /tmp
       read only = no
       public = yes

    [public]
       comment = Public zone
       path = /home/samba
       public = yes
       writable = yes

1. Sections

As the example shows, the format of smb.conf is very similar to a Windows INI file. It contains several sections; each section starts with its name in square brackets and runs until the next section name. Each parameter inside a section has the form name = value. Every section name, parameter and comment occupies exactly one line: a line holds only one section name, one parameter or one comment. If a line would be too long, or you do not want to write it on one line, end it with a backslash "\" to continue it on the next line. Section and parameter names are not case sensitive.
Comments start with ";" or "#" and run to the end of the line. Apart from [global], every section can be regarded as a shared resource: the section name is the share name, and the parameters in the section are the properties of that share.
[global], [homes] and [printers] are special sections and are described later; the following notes apply to ordinary sections.

A share section consists of the path being exported plus the access rights granted to it; it may export a file resource or a printing resource. A share can serve guest-level users. Guest users generally need no password, and if a share serves guests, their rights are those of the UNIX guest account. If a share is not open to guests, the client must supply a password to access it. Because a user's access to a share is based on that user's rights to the resource on the UNIX system, the server never grants a user more rights than the UNIX user already has.

For example, the following share section defines a file share to which the user has write access under /home/abc; the section name, abc, is the share name:

    [abc]
       path = /home/abc
       writeable = true

The following defines a print share. The share is read-only except for printing, i.e. the only write access permitted is to open, write to and close a spool file:

    [myprinter]
       path = /usr/spool/public
       read only = true
       printable = true
       guest ok = true

Special sections:

[global]: parameters in this section take effect globally.

[homes]: when a user requests a share, the server first searches the defined share sections. If a matching section is found, it is used. If none is found, the requested share name is treated as a username and looked up in the local password file. If the user exists and the password supplied is correct, the [homes] section is cloned and the copy is offered to the user as a share; the new share is named after the user, not "homes". If [homes] specifies no path, the user's home directory is used as the share path.
Any parameter an ordinary share section can take may also be given in [homes], but in general a minimal [homes] is enough for ordinary use:

    [homes]
       writeable = yes

Note: if you put guest ok = yes in [homes], every user can access every home directory without a password!

[printers]: this section provides print services. If [printers] is defined, users can connect to any printer listed in the printcap file. When a connection request arrives, smbd first looks at the sections defined in the configuration file and uses one if it matches. If there is no match and [homes] exists, [homes] is used as described above. Otherwise the requested share name is treated as a printer name and looked up in the printcap file to see whether it is a valid print share name; if it matches, a new printer share is created for the client. Note that the [printers] service must be printable; if it is set otherwise, the server refuses to load the configuration file. The path given should have write permission, since it is used as the spool directory.
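To make the lookup order concrete, here is an added example (not code from the article or from Samba) that models how smbd picks the section serving a requested share name: an explicitly defined section first, then [homes] cloned under the user's name, then [printers] for a name found in printcap, with the "[printers] must be printable" check applied up front. The configuration dictionary, the stand-ins for /etc/passwd and /etc/printcap, and the password_ok callback are all constructed for this example.

```python
# Added example (not from the article): how smbd chooses the section that serves a
# requested share name, in the order the article describes. All data is constructed.

SAMPLE_CONFIG = {
    "global":   {"workgroup": "WORKGROUP", "security": "user"},
    "homes":    {"comment": "Home Directories", "browseable": "yes", "writable": "yes"},
    "printers": {"path": "/usr/spool/samba", "printable": "yes", "guest ok": "no"},
    "public":   {"path": "/home/samba", "public": "yes", "writable": "yes"},
}
SAMPLE_PASSWD = {"alice": "/home/alice", "bob": "/home/bob"}   # stands in for /etc/passwd
SAMPLE_PRINTCAP = {"lp", "lq1600k"}                             # stands in for /etc/printcap


def is_true(value):
    """smb.conf boolean: yes/true/1 are true, anything else is false."""
    return str(value).strip().lower() in ("yes", "true", "1")


def printers_section_ok(config):
    """smbd refuses to load a configuration whose [printers] section is not printable."""
    printers = config.get("printers")
    return printers is None or is_true(printers.get("printable", "no"))


def resolve_share(config, requested, passwd=SAMPLE_PASSWD, printcap=SAMPLE_PRINTCAP,
                  password_ok=lambda user: True):
    """Return (share name, parameters) for a connection request, or None if refused.

    password_ok stands in for the password check against /etc/smbpasswd or /etc/passwd.
    """
    if not printers_section_ok(config):
        raise ValueError("[printers] must be printable; smbd would not load this file")
    # 1. A share section defined under exactly this name wins.
    if requested in config and requested != "global":
        return requested, dict(config[requested])
    # 2. [homes]: the share name is treated as a username; a copy of [homes] is offered
    #    under the user's name, with the home directory as path unless one is given.
    if "homes" in config and requested in passwd and password_ok(requested):
        share = dict(config["homes"])
        share.setdefault("path", passwd[requested])
        return requested, share
    # 3. [printers]: the share name must be a valid printer in printcap.
    if "printers" in config and requested in printcap:
        share = dict(config["printers"])
        share["printer"] = requested
        return requested, share
    return None


if __name__ == "__main__":
    for name in ("public", "alice", "lp", "nosuch"):
        print(name, "->", resolve_share(SAMPLE_CONFIG, name))
```

A request for "alice" yields a share named alice whose path defaults to /home/alice, while a request for "lp" is served from the [printers] template; an unknown name that is neither a user nor a printer is refused.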
A typical [printers] section looks like this:

    [printers]
       path = /usr/spool/public
       writeable = no
       guest ok = yes
       printable = yes
       printer driver = EPSON LQ-1600K

2. Parameters

There are many parameters; some can only be used in one section, others in any section. We first introduce the basic parameters; understanding them is enough to use Samba in the ordinary way. If you want finer control over Samba, continue on to the advanced configuration. This chapter assumes the reader is familiar with MS Windows networking; refer to related material if necessary.

Global parameters

2.1 Basic parameters

workgroup
Description: the workgroup Samba joins. If security = domain is set, workgroup can also name a domain.
For example: workgroup = WGP1 puts the server in the workgroup WGP1.

netbios name
Description: Samba's NetBIOS name. It may be left unset, in which case Samba uses the first component of the machine's DNS name: if the DNS name is host1.domain, host1 is used.
For example: netbios name = public sets the NetBIOS name to public.

server string
Description: the machine description shown in the browse list, and in the network configuration dialog in MS Windows. It can be any string. If left empty, Samba uses the default Samba %v, i.e. "Samba" followed by its version number; if you want it to look a bit more like NT, fill it in.
For example: server string = master file server

2.2 Security parameters

security
Description: this is the most important security parameter. It has four values, share, user, server and domain, which define Samba's basic security level; user is the usual choice.

security = user
This is Samba's default. The user must first supply a username and password, which are verified before any share can be accessed.
security = share
This level has almost no security: any user can access resources on the server without a username or password.

security = server
Like the user level, except that the username and password are passed to another SMB server for verification, e.g. an NT server. If that verification fails, Samba falls back to the user level. From the user's point of view there is no difference between server and user.

security = domain
This level requires an NT PDC on the network; Samba passes the username and password to the NT PDC for verification.

From the user's point of view the levels from user upward look the same; what differs is where the server verifies the credentials. All three require the user to have a system account on this Linux machine; otherwise access is denied.
encrypt passwords
Description: whether passwords are encrypted. Samba can maintain its own password file, /etc/smbpasswd. If passwords are not encrypted, the client sends the password in clear text during the verification session and Samba checks it directly against Linux's /etc/passwd. This has some problems. One is that Windows 95 OSR2 and later, and Windows NT SP3 and later, send encrypted passwords by default; to make these systems send plain text passwords you must change their registry. For Windows 95 OSR2, add the hex DWORD value EnablePlainTextPassword = 00000001 under

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP]

and for Windows NT SP3, add the hex DWORD value EnablePlainTextPassword = 00000001 under

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]

after which they will send plain text passwords over the network. Another very annoying issue concerns NT: if a server runs in user-level security but does not support encrypted password transfer, NT refuses to connect to it unless the server prompts the user for a password. What does this mean in practice? Suppose you have an account user1 on the NT machine and an account user1 with the same password on the Linux machine. When you connect to the Linux machine, NT reports a wrong password or unknown username and asks you to enter the username and password again before it connects. If you mapped a Linux share as a network drive, then each time NT starts and tries to reconnect that drive it will again report a wrong password or unknown username. For this reason Samba is generally configured with:

    encrypt passwords = yes
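Putting section 1's file format and the security parameters together, the following added example (not from the article or the Samba project) parses an smb.conf in the format described above, including ";" and "#" comments and backslash continuation, and then flags the settings discussed so far that weaken a user-level file server: security = share, encrypt passwords = no, a missing hosts allow, and guest ok = yes in [homes]. The sample configuration is constructed; the assumed default for encrypt passwords is no, as in Samba 2.0.

```python
# Added example (not from the article): a minimal smb.conf parser plus a check of
# the security-relevant settings from section 2.2. The configuration is constructed.

SAMPLE_SMB_CONF = """\
# constructed smb.conf
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   ; the next two lines are the weak settings the check below should catch
   security = share
   encrypt passwords = no
   hosts allow = 192.168.1. 127.

[homes]
   comment = Home \\
             Directories
   guest ok = yes
   writable = yes

[public]
   path = /home/samba
   public = yes
   writable = yes
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names are lower-cased for lookup."""
    sections, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        # a line ending in a backslash continues on the next line
        while line.rstrip().endswith("\\") and i < len(lines):
            line = line.rstrip()[:-1] + lines[i].strip()
            i += 1
        line = line.strip()
        if not line or line[0] in ";#":
            continue                                  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()      # new section / share
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line or parameter outside a section: %r" % line)
        name, value = line.split("=", 1)
        sections[current][" ".join(name.split()).lower()] = value.strip()
    return sections


def is_true(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def audit_smb_conf(sections):
    """Flag the settings from section 2.2 that weaken a user-level file server."""
    g = sections.get("global", {})
    findings = []
    if g.get("security", "user").lower() == "share":
        findings.append("security = share: clients need no username or password")
    if not is_true(g.get("encrypt passwords", "no")):      # Samba 2.0 default is no
        findings.append("encrypt passwords = no: passwords cross the network in clear text")
    if "hosts allow" not in g:
        findings.append("no hosts allow: any host that can reach the server may connect")
    homes = sections.get("homes")
    if homes is not None and is_true(homes.get("guest ok", "no")):
        findings.append("[homes] guest ok = yes: every home directory is readable without a password")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("WARNING:", finding)
```

Run against the sample, the check reports three findings (security, clear-text passwords and the guest-accessible [homes]); the hosts allow line is present and so is not reported. Running testparm on the real file remains the authoritative syntax check.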
Samba users are of course Linux system users. Samba's password tool is smbpasswd; the simplest usage is

    smbpasswd username

where the username must already exist in /etc/passwd. It then prompts for the password and a confirmation, generates a new password entry and puts it in /etc/smbpasswd. Samba also provides a shell script, mksmbpasswd.sh, which generates an smbpasswd file from /etc/passwd:

    cat /etc/passwd | mksmbpasswd.sh > /etc/smbpasswd

This adds the users in passwd to smbpasswd. For security, set the permissions of /etc/smbpasswd to 600.

username map
Description: names a file containing mappings between client usernames and Linux system usernames. Each line of the file is one mapping, in the form:

    linux username = client username ...

For example, root = admin administrator maps a client user named admin or administrator to root.
This feature is very convenient for user management, since administrators do not have to change the accounts on the clients or on the server. The file is usually the default, /etc/smbusers.

password level
Description: this is for SMB clients such as Windows for Workgroups and OS/2. Systems like WfW convert the password to upper case before sending it, so the password sent no longer matches the one Samba holds. This parameter sets how many letters in the password are allowed to be upper case; Samba then takes the received password and tries each case combination with up to that many upper-case letters. The larger the value, the more combinations there are, the longer verification takes, and the lower the security! For example, if the value is 2 and the user's password is abcd but what actually arrives is ABCD, Samba recombines the case, and the passwords tried can be: abcd, Abcd, aBcd, abCd, abcD, ABcd, AbCd, AbcD, aBCd, aBcD, abCD. So if there is no need for it, set it to zero (generally there should be no need to serve systems like WfW). In that case Samba tries only twice: once with the received password and once with it in lower case. Even so there is still a certain security problem.

guest account
Description: the username of the guest-level account, e.g. nobody or ftp; guest-level users can access the shares that are open to guests.

hosts allow
Description: which machines may access Samba. For example, hosts allow = 192.168.1. 127. lets every machine in the 192.168.1.0 network connect (127. covers the local host). To refuse one machine in a subnet, use EXCEPT: hosts allow = 192.168.1. EXCEPT 192.168.1.33 admits 192.168.1.0 but refuses 192.168.1.33.

hosts deny
Description: the opposite of hosts allow: the machines that may not connect. The format is the same.
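The following added example (not from the article or from Samba) models the two mechanisms just described: password_candidates lists the case variants that a given password level makes the server try, which shows why the count grows quickly with the level, and host_allowed applies hosts allow and hosts deny, including EXCEPT and the trailing-dot network form, using the precedence Samba documents (a match on the allow list wins; with only an allow list, unlisted hosts are refused; with only a deny list, unlisted hosts are admitted). The exact order in which Samba tries the variants is an assumption, and the addresses are constructed.

```python
from itertools import combinations

# Added example (not from the article): password level case variants and
# hosts allow / hosts deny matching. Attempt order is an assumption; data is constructed.


def password_candidates(received, level):
    """Passwords tried for a given 'password level': the received password, its
    lower-case form, then every variant with up to `level` upper-case letters."""
    tried = []

    def add(candidate):
        if candidate not in tried:
            tried.append(candidate)

    add(received)
    lowered = received.lower()
    add(lowered)
    letters = [i for i, ch in enumerate(lowered) if ch.isalpha()]
    for count in range(1, min(level, len(letters)) + 1):
        for positions in combinations(letters, count):
            chars = list(lowered)
            for pos in positions:
                chars[pos] = chars[pos].upper()
            add("".join(chars))
    return tried


def _split_except(spec):
    """'a b EXCEPT c' -> (['a', 'b'], ['c']); commas and spaces both separate entries."""
    tokens = spec.replace(",", " ").split()
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        cut = upper.index("EXCEPT")
        return tokens[:cut], tokens[cut + 1:]
    return tokens, []


def _matches(ip, pattern):
    """Exact address, or a network prefix written with a trailing dot (192.168.1.)."""
    return ip == pattern or (pattern.endswith(".") and ip.startswith(pattern))


def _in_list(ip, spec):
    included, excepted = _split_except(spec)
    return (any(_matches(ip, p) for p in included)
            and not any(_matches(ip, e) for e in excepted))


def host_allowed(ip, hosts_allow="", hosts_deny=""):
    """Samba's precedence: neither list -> allowed; only an allow list -> listed hosts
    only; only a deny list -> everything not listed; both -> allow match wins, then a
    deny match refuses, and a host on neither list is admitted."""
    allow, deny = hosts_allow.strip(), hosts_deny.strip()
    if not allow and not deny:
        return True
    if not deny:
        return _in_list(ip, allow)
    if not allow:
        return not _in_list(ip, deny)
    if _in_list(ip, allow):
        return True
    return not _in_list(ip, deny)


if __name__ == "__main__":
    print(len(password_candidates("ABCD", 2)), "attempts at password level 2")
    print(host_allowed("192.168.1.33", hosts_allow="192.168.1. EXCEPT 192.168.1.33"))
```

With a four-letter password, level 2 already produces 12 attempts where level 0 produces 2, which is the cost the article warns about.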
2.3 Logging parameters

log file
Description: the name of the log file, usually placed under /var/log/samba. Appending the macro %m to the file name keeps a separate log for each machine that accesses Samba. For example, with log file = /var/log/samba/log.%m, if the machines host1 and host2 access Samba, two log files, log.host1 and log.host2, are left behind.

max log size
Description: the maximum size of the log file, in KB. For example: max log size = 50 (50 KB).

2.4 Protocol parameters

announce version
Description: the version number the server announces; the default is 4.2. If you look at the Samba server's properties in Windows you will see "Windows NT 4.2 Server" as its type. Normally there is no need to change it; if you want Samba to imitate NT, set it to 4.0.
2.5 Browsing parameters

os level
Description: an integer that decides whether nmbd has a chance of becoming the local master browser for the workgroup on the local broadcast segment. The default is 0, which means nmbd will lose browser elections. If you want nmbd to become the local master browser, set it to 65.

preferred master
Description: whether nmbd is the preferred master browser for the workgroup. If set to yes, nmbd forces a browser election when it starts. It is best to set domain master = yes together with this parameter. Use it with care: if there is already a master browser on the subnet where the Samba server sits (whether Windows NT or another Samba server), the two keep contesting the election with broadcasts, causing unnecessary network performance degradation.

local master
Description: whether nmbd tries to become the local master browser. The default is yes. If set to no, the Samba server will never be a local master browser. Setting yes does not by itself make the Samba server the local master browser; it merely takes part in the election.

domain master
Description: lets nmbd act as the domain master browser, collecting the browse lists of the local master browsers and handing the browse list of the whole domain back to each of them. The default is no. If there is an NT PDC on the network, do not set this to yes; it does not make Samba an NT PDC. If you are not clear about browsing services, refer to NT network management material.

2.6 Share parameters

comment
Description: a description of the share; any string. For example: comment = share stuff.
path
Description: the path exported by the share. It can contain macros such as %u and %m, which stand for the UNIX username and the client's NetBIOS name. For example, if we do not plan to use [homes] as the users' share, but instead create under /home/share/ a directory named after each Linux user, the path can be written:

    path = /home/share/%u

When a user connects to this share, %u is replaced by that username. Note that the per-user directory must exist; otherwise the client cannot find the network path. Likewise, if we divide the directory by client rather than by user, giving each machine on the network that can reach Samba a directory named after its NetBIOS name so that different machines get different shared resources, write:

    path = /home/share/%m

writeable
Description: whether the share can be written to; yes or no.

browseable
Description: whether the share appears in browse lists; the default is yes.

available
Description: whether the share is available; the default is yes. Setting no switches the share off, and users cannot connect to it.
preexec and postexec, root preexec and root postexec
Description: commands executed on the server when a user connects to and disconnects from the share. Both pairs are useful; the difference is that root preexec and root postexec run with root privileges. For example, the server shares its CD-ROM, but the CD-ROM cannot stay mounted all the time, so we can set:

    [cdrom]
       comment = server CDROM
       path = /mnt/cdrom
       public = yes
       browseable = yes
       root preexec = /bin/mount -t iso9660 /dev/cd0 /mnt/cdrom
       root postexec = /bin/umount /mnt/cdrom

public
Description: whether the guest account is allowed; yes or no. guest ok is a synonym with the same meaning.

Print shares

Some parameters are specific to printing:

load printers
Specifies whether all printers in the printcap file are loaded automatically when Samba starts, so that all of them appear in the browse list. The default is yes.

printable
Specifies whether users can print; the default is no. For a print share to be usable it must be set to yes.

printer driver
The printer's driver type. This parameter lets Windows know the type of the remote printer; the value is the printer name as it appears in the printer type list when installing a printer in Windows. For example, for an Epson LQ-1600K printer: printer driver = EPSON LQ-1600K

These are the common Samba settings; with them we can build a general-purpose file server. Many parameters have not been mentioned, but Samba's defaults are usable for them. To start Samba, run /usr/sbin/samba start, or enable it with ntsysv.

III. Samba advanced

The following are some advanced parameters; applying them lets Samba be used more flexibly on the network.
1. Macros

In the basic configuration some parameters used %u and %m. These are macros defined by Samba: a macro is written as a single character and is replaced by the actual value at the moment the operation is performed. The common macros are:

    %S   the name of the current service
    %P   the root directory of the current service
    %u   the username of the current service
    %g   the primary group of %u
    %H   the home directory of %u
    %v   the Samba version number
    %h   the host name
    %m   the client's NetBIOS name
    %L   the server's NetBIOS name
    %T   the current date and time

Used flexibly, macros make a complex network much easier to manage.

2. Some common advanced parameters

2.1 Global parameters

config file
Description: a global parameter that lets another configuration file override the default one. If the named file does not exist, the parameter has no effect.
This parameter is very useful and makes Samba's configuration much more flexible, letting one Linux server imitate several differently configured NT servers to meet different needs. For example, to give the machine named host1 on the network its own configuration, first create a file called smb.conf.host1 under /etc, then add this line to the default smb.conf:

    config file = /etc/smb.conf.%m

Now when host1 requests a connection, smb.conf.%m expands to smb.conf.host1, so the Samba that host1 sees is the one defined by smb.conf.host1, while other machines still use smb.conf.

deadtime
Description: an integer number of minutes after which an inactive connection is cut off. When a connection has had no file open for longer than deadtime, Samba closes it automatically. This saves server resources, especially with a large number of connections. The default is 0, meaning Samba never cuts off a connection automatically.

time server
Description: makes nmbd a time server for Windows clients. The default is no.

2.2 Share parameters

admin users
Description: gives the listed users administrative rights on the share, meaning they can perform all file operations as root, but only on this share. Use this option with caution, because any such user can do whatever they like to the files in the share. The default is admin users = no. For example: admin users = su_27 makes su_27 an administrator of the share.

valid users
Description: the users allowed to access the share. For example: valid users = user1, user2 makes user1 and user2 the valid users.

invalid users
Description: the opposite of valid users: the users who may not access the share.
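As an added example (not from the article or from Samba), the code below expands the macros listed above and models the config file rule: the per-client file is used only when the expanded name exists, otherwise the default smb.conf applies. It also expands a share path such as /home/share/%u and reports whether the resulting directory exists, since the article notes that the client cannot find the network path otherwise. The context values, file names and the sets of existing files and directories are constructed; a real server would consult the file system.

```python
import re

# Added example (not from the article): %-macro expansion, the 'config file' selection
# rule and the per-user path check. All values below are constructed.

MACROS = set("SPugHvhmLT")          # the macros the article lists

SAMPLE_CONTEXT = {                  # constructed values for one client session
    "S": "public", "P": "/home/samba", "u": "alice", "g": "staff", "H": "/home/alice",
    "v": "2.0.3", "h": "linuxbox", "m": "host1", "L": "fileserv", "T": "2004/05/22 09:19:13",
}
EXISTING_FILES = {"/etc/smb.conf", "/etc/smb.conf.host1"}      # constructed
EXISTING_DIRS = {"/home/share/alice", "/home/share/host1"}      # constructed


def expand_macros(template, ctx):
    """Replace %X with ctx[X] for the listed macros; anything else is left as written."""
    def replace(match):
        key = match.group(1)
        return str(ctx[key]) if key in MACROS and key in ctx else match.group(0)
    return re.sub(r"%(.)", replace, template)


def select_config(default_file, config_file_param, ctx, existing_files):
    """'config file': use the expanded per-client file if it exists, else the default."""
    candidate = expand_macros(config_file_param, ctx)
    return candidate if candidate in existing_files else default_file


def share_path(template, ctx, existing_dirs):
    """Expand a share's path and report whether the directory exists, since a
    missing per-user or per-machine directory leaves the client with no path."""
    path = expand_macros(template, ctx)
    return path, path in existing_dirs


if __name__ == "__main__":
    print(select_config("/etc/smb.conf", "/etc/smb.conf.%m", SAMPLE_CONTEXT, EXISTING_FILES))
    print(share_path("/home/share/%u", SAMPLE_CONTEXT, EXISTING_DIRS))
    print(expand_macros("/var/log/samba/log.%m", SAMPLE_CONTEXT))
```

For the client host1 the per-client file /etc/smb.conf.host1 is chosen; for any other machine the expanded name is absent from the constructed file set and the default smb.conf is used, which is the behaviour the parameter description gives.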
max connections
Description: the maximum number of connections to a service. When a user connects and the service already has that many connections, the new request is refused. For example: max connections = 100 limits the service to 100 connections.

These are some of Samba's advanced parameters. Samba has a great many more, which this chapter cannot cover in detail, such as file creation permissions, code pages and file name case sensitivity; see the Samba documentation.

IV. What is NFS

NFS stands for Network File System. It is an integral part of distributed computing systems, providing remote file systems over heterogeneous networks; from the user's perspective there is no difference between operating on such a remote file system and on a local one. NFS was developed by Sun Microsystems, Inc., has continued to evolve, and has been accepted by the IETF and published as RFCs (RFC 1094, RFC 1813), the standard for file services.
NFS has a client/server structure and is implemented on top of RPC (remote procedure call); every NFS operation is carried out as an RPC. The NFS server exports local directories to remote NFS clients, and the NFS client redirects file system calls to the remote system. On Linux, NFS service is usually provided by knfsd, a daemon that runs in kernel space and responds much faster than an NFS server running in user space.

V. Configuring NFS

1. Creating or modifying /etc/exports

Each line of exports consists of an export path followed by a list of client names, each optionally followed by access options:

    directory hostname(options) ...

The options are optional; if none are given, NFS uses the defaults. The hostname may also be omitted, in which case the directory is served to everyone. For example:

    /usr ws1.mydomain.com

exports /usr to ws1.mydomain.com;

    /usr ws1.mydomain.com(rw)

also exports it to ws1.mydomain.com, but with write permission;

    /pub (ro,insecure,all_squash)

exports /pub to any machine, read-only, allows connections from ports above 1024, and maps every connecting user ID to nobody.

The hostname may contain the wildcards * and ?. For example *.mydomain.com stands for every machine in mydomain.com; note, however, that a wildcard does not match a dot in the host name, so *.mydomain.com does not cover a machine such as ws1.subdomain.mydomain.com. You can also specify the machines allowed by IP network/netmask, for example 192.168.1.0/255.255.255.0.

After modifying /etc/exports you must tell the NFS daemon to re-read its configuration: run exportfs, or restart NFS.

Common options:

insecure: allows clients to connect from ports above 1024.
secure: requires clients to connect from ports below 1024.
ro: read-only; note that if ro is not given, the export is writable.
noaccess: makes the named directory and everything below it inaccessible to the client; it is used to exclude part of a tree that is otherwise exported.
root_squash: maps requests from the client's UID 0 to nobody.
no_root_squash: the opposite of the above; UID 0 is not mapped. This is the default.
rw: writable; this is the default.
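To tie the exports format, the host matching rules and the options together, here is an added example (not from the article or from the NFS utilities) that parses /etc/exports lines of the form shown above, matches a client against exact names, wildcards (which do not match a dot) and network/netmask specifications, computes each export's effective options, and points out exports that are writable by any host, accept requests from unprivileged ports, or leave a remote UID 0 unmapped. The exports text is constructed, and the defaults are the ones the article states (rw, secure, no_root_squash); compare them with exports(5) on the system you run before relying on them.

```python
import ipaddress
import re

# Added example (not from the article): /etc/exports parser, client matching and an
# effective-options review. The exports text is constructed; defaults follow the article.

SAMPLE_EXPORTS = """\
# constructed /etc/exports
/usr   ws1.mydomain.com
/usr   ws1.mydomain.com(rw)
/pub   (ro,insecure,all_squash)
/home  *.mydomain.com(rw)
/data  192.168.1.0/255.255.255.0(rw,no_root_squash)
"""

DEFAULTS = {"access": "rw", "port": "secure", "root": "no_root_squash"}   # as the article states
OPTION_GROUP = {"ro": "access", "rw": "access", "secure": "port", "insecure": "port",
                "root_squash": "root", "no_root_squash": "root"}


def parse_exports(text):
    """Return [(path, [(client_spec, [options])])]; an empty client_spec means any host."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = []
        for token in rest.split() or [""]:
            match = re.fullmatch(r"([^(]*)(?:\((.*)\))?", token)
            host, opts = match.group(1), match.group(2) or ""
            clients.append((host, [o.strip() for o in opts.split(",") if o.strip()]))
        entries.append((path, clients))
    return entries


def effective_options(opts):
    """Apply the defaults; options outside the three groups (all_squash, noaccess) pass through."""
    eff = dict(DEFAULTS)
    eff["extra"] = []
    for opt in opts:
        group = OPTION_GROUP.get(opt)
        if group:
            eff[group] = opt
        else:
            eff["extra"].append(opt)
    return eff


def client_matches(spec, hostname, ip):
    if spec == "":
        return True                                          # no host given: everyone
    if "/" in spec:                                          # network/netmask form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    if "*" in spec or "?" in spec:                           # wildcards never match a dot
        regex = "".join({"*": "[^.]*", "?": "[^.]"}.get(ch, re.escape(ch)) for ch in spec)
        return re.fullmatch(regex, hostname) is not None
    return spec == hostname


def exports_for(entries, hostname, ip):
    """What one client would be granted: [(path, effective options)]."""
    return [(path, effective_options(opts))
            for path, clients in entries
            for spec, opts in clients if client_matches(spec, hostname, ip)]


def audit_exports(entries):
    """Point out exports that give away more than a file server usually should."""
    findings = []
    for path, clients in entries:
        for spec, opts in clients:
            eff = effective_options(opts)
            who = spec or "<any host>"
            if spec == "" and eff["access"] == "rw":
                findings.append("%s: writable by any host" % path)
            if eff["root"] == "no_root_squash" and "all_squash" not in eff["extra"]:
                findings.append("%s -> %s: client uid 0 keeps root (set root_squash)" % (path, who))
            if eff["port"] == "insecure":
                findings.append("%s -> %s: requests accepted from ports above 1024" % (path, who))
    return findings


if __name__ == "__main__":
    entries = parse_exports(SAMPLE_EXPORTS)
    for path, eff in exports_for(entries, "ws1.mydomain.com", "192.168.1.77"):
        print(path, eff)
    for finding in audit_exports(entries):
        print("WARNING:", finding)
```

For ws1.mydomain.com at 192.168.1.77 all five lines apply, while ws1.subdomain.mydomain.com from another network only reaches /pub, because the wildcard stops at the dot. With the article's default of no_root_squash, every export that does not squash all users is reported, which is exactly why root_squash is worth writing explicitly.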

