
Certifications / Linux Master Level 1

Part 3) Using Networks and Services - Network Services | File-Related Services | Samba Server

III. File-Related Services


Samba Server Management

1) Definition of the Samba server
Samba is freeware that implements the SMB protocol on Unix computers; it was developed for Unix by Andrew Tridgell of the Australian National University.
It lets Windows clients share files and printers that reside on a Unix server.
It is free, requires no license, and is open-source software released under the GPL.
• The SMB protocol has since been standardized by the IETF as CIFS.


2) Uses of the Samba server
Sharing folders between Linux and Windows
Sharing printers over the network
Sharing CD/DVD-ROM drives and USB storage devices
Use as a backup system

3) Configuring the Samba server

① Installing the Samba server

[1] Check whether Samba is installed on the system

root@bjkim:~# rpm -qa | grep samba
samba-winbind-3.6.23-51.el6.x86_64
samba-client-3.6.23-51.el6.x86_64
samba4-libs-4.2.10-6.el6_7.x86_64
samba-common-3.6.23-51.el6.x86_64
samba-3.6.23-51.el6.x86_64
samba-winbind-clients-3.6.23-51.el6.x86_64

[2] If it is not installed, install it with yum
root@bjkim:~# yum install samba

② Samba server configuration: /etc/samba/smb.conf [global settings / share definitions]
[root@bjkim samba]# cat smb.conf 
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba, 
# read the Samba-HOWTO-Collection. This may be obtained from:
#  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the 
# Samba-Guide which is generated daily and can be downloaded from: 
#  http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash) 
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors. 
#
#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba_share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#
#======================= Global Settings =====================================    
	
[global]
	
# ----------------------- Network Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
#
	workgroup = MYGROUP
	server string = Samba Server Version %v
	
;	netbios name = MYSERVER
	
;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 
;	hosts allow = 127. 192.168.12. 192.168.13.
	
# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach
	
	# logs split per machine
	log file = /var/log/samba/log.%m
	# max 50KB per log file, then rotate
	max log size = 50
	
# ----------------------- Standalone Server Options ------------------------
#
# Scurity can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should 
# use either tdbsam or ldapsam. smbpasswd is available for backwards 
# compatibility. tdbsam requires no further configuration.

	security = user
	passdb backend = tdbsam


# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should 
# use either tdbsam or ldapsam. smbpasswd is available for backwards 
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *
	
	
;	security = domain
;	passdb backend = tdbsam
;	realm = MY_REALM

;	password server = 

# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should 
# use either tdbsam or ldapsam. smbpasswd is available for backwards 
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Script let you specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#
;	security = user
;	passdb backend = tdbsam
;	domain master = yes 
;	domain logons = yes

	# the login script name depends on the machine name
;	logon script = %m.bat
	# the login script name depends on the unix user used
;	logon script = %u.bat
;	logon path = \\%L\Profiles\%u
	# disables profiles support by specifying an empty path
;	logon path =          

;	add user script = /usr/sbin/useradd "%u" -n -g users
;	add group script = /usr/sbin/groupadd "%g"
;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;	delete user script = /usr/sbin/userdel "%u"
;	delete user from group script = /usr/sbin/userdel "%u" "%g"
;	delete group script = /usr/sbin/groupdel "%g"


# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;	local master = no
;	os level = 33
;	preferred master = yes

#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.

;	wins support = yes
;	wins server = w.x.y.z
;	wins proxy = yes

;	dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option

	load printers = yes
	cups options = raw

;	printcap name = /etc/printcap
	#obtain list of printers automatically on SystemV
;	printcap name = lpstat
;	printing = cups

# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). These options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

;	map archive = no
;	map hidden = no
;	map read only = no
;	map system = no
;	store dos attributes = yes


#============================ Share Definitions ==============================

[homes]
	comment = Home Directories
	browseable = no
	writable = yes
;	valid users = %S
;	valid users = MYDOMAIN\%S

[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
;	[netlogon]
;	comment = Network Logon Service
;	path = /var/lib/samba/netlogon
;	guest ok = yes
;	writable = no
;	share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;	[Profiles]
;	path = /var/lib/samba/profiles
;	browseable = no
;	guest ok = yes


# A publicly accessible directory, but read only, except for people in
# the "staff" group
;	[public]
;	comment = Public Stuff
;	path = /home/samba
;	public = yes
;	writable = yes
;	printable = no
;	write list = +staff
[1] Global Configuration

Network Related Options

workgroup = MYGROUP 

Equivalent to a Windows workgroup; enter the name of the workgroup you want to share with.

server string = Samba Server Version %v

The description shown for the Samba server when it is discovered in a Windows network environment. [%v: Samba version] 

interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24

Set when two or more interfaces exist; each is given in IP/netmask form. 

hosts allow = 192.168.0.14

For security, specifies the client networks that are allowed to connect to the Samba server.

Logging Options

log file = /var/log/samba/%m.log

Specifies the location of the log file. [%m: NetBIOS name of the client] 

max log size = 50

Specifies the maximum size of a log file, in KB. [0 means no size limit] 

Standalone Server Options

security = user

Sets the security level applied when a client accesses the Samba server. 

user: the default security policy; access requires authentication with an account created on the Samba server

share: allows access to the server without authenticating to the Samba server

server: authentication is performed through another Samba server

ads: authentication is performed through a Windows AD server

passdb backend = tdbsam

Specifies the method Samba uses to store and check passwords. ['tdbsam' or 'smbpasswd']

Domain Controller Options

domain master = yes

Determines whether Samba may become the domain master browser

domain logons = yes

Specifies whether the Samba server acts as the Windows domain logon server for the workgroup

logon script = %U.bat

Specifies a batch file that is downloaded and executed when a user logs in successfully

logon path = \\%L\Profiles\%u

Specifies where roaming profiles are stored

Browser Control Options

local master = no

Sets whether nmbd is allowed to make the Samba server the local master browser on its subnet

os level = 33 

Sets the level at which the Samba server announces itself (its precedence in master browser elections)

preferred master = yes

Forces a master browser election when Samba starts and gives Samba a higher chance of winning it

Name Resolution

dns proxy = no

Determines whether a DNS proxy is used, i.e. whether the DNS server is consulted when resolving NetBIOS names 

Printing Options

load printers = yes

Sets whether the printer list is loaded automatically [no: configure printers manually]



[2] Share Definitions

comment = Home Directories

A description of the shared directory 

path = /home/public 

Specifies the location of the shared directory 

writable = yes 

Grants write permission on the shared directory 

read only = no

Controls whether the shared directory is read-only (the inverse of writable; no here, so it can be written to) 

valid users 

Specifies the users allowed to log in to the shared directory

printable = no 

Specifies whether spool files may be placed in the shared directory (i.e. whether it is a printer share) 

browseable = yes

Specifies whether the share is shown in the share list 



4) Checking that the Samba server works

① Running and testing Samba

[1] Start the Samba daemon
root@bjkim:~# /etc/rc.d/init.d/smb restart
SMB 서비스를 종료함:                                       [  OK  ]
SMB 서비스를 시작하고 있습니다:                             [  OK  ]

[2] Add a Samba user
root@bjkim:~# useradd samtest
root@bjkim:~# passwd samtest
Changing password for user samtest.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

root@bjkim:~# smbpasswd -a samtest
New SMB password:
Retype new SMB password:
Added user samtest.


[3] Testing the Samba server - testparm, smbstatus, smbclient

testparm: used to check the smb.conf file for configuration errors
root@bjkim:~# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
	workgroup = MYGROUP
	server string = Samba Server Version %v
	log file = /var/log/samba/log.%m
	max log size = 50
	client signing = required
	idmap config * : backend = tdb
	cups options = raw

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	print ok = Yes
	browseable = No

smbstatus: checks the current state of the Samba server
root@bjkim:~# smbstatus

Samba version 3.6.23-51.el6
PID     Username      Group         Machine                        
-------------------------------------------------------------------
16380  bjkim            bjkim         KIM-pc

Service      pid     machine       Connected at
-------------------------------------------------------
public        16380 KIM-pc        Mon Aug 27 04:16:33 2018

~~...
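The smbstatus output above lists sessions by PID and, separately, which share each PID has open. As an added example (not code from the original post or from the Samba project), the Python below parses that layout, joins the service table to the session table by PID, and reports any connection whose client machine is not in an allowlist, a simple way to notice an unexpected client on the server. The sample output is constructed for the example: the first session is the one shown in the post, the second (pid 16391, machine LAB-pc) is made up.

```python
import re

# Constructed sample in the smbstatus layout shown above. The first session
# is the one from the post; the second (pid 16391, LAB-pc) is made up here.
SAMPLE_SMBSTATUS = """\
Samba version 3.6.23-51.el6
PID     Username      Group         Machine
-------------------------------------------------------------------
16380  bjkim            bjkim         KIM-pc
16391  samtest          samtest       LAB-pc

Service      pid     machine       Connected at
-------------------------------------------------------
public        16380 KIM-pc        Mon Aug 27 04:16:33 2018
public        16391 LAB-pc        Mon Aug 27 04:20:11 2018
samtest       16391 LAB-pc        Mon Aug 27 04:21:02 2018
"""

# Session rows: PID, username, group, machine. Anything after the machine
# name (some Samba versions append the client IP in parentheses) is ignored.
SESSION_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")
# Service rows: service, pid, machine, then the free-text connection time.
SERVICE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_smbstatus(text):
    """Split smbstatus output into its session table (keyed by PID) and service table."""
    sessions = {}
    services = []
    table = None  # which table the current line belongs to
    for line in text.splitlines():
        if line.startswith("PID "):
            table = "sessions"
            continue
        if line.startswith("Service "):
            table = "services"
            continue
        if line.startswith("Locked files") or line.startswith("No locked files"):
            table = None  # the locked-files table is not needed here
            continue
        if not line.strip() or line.startswith("-") or line.startswith("Samba version"):
            continue
        if table == "sessions":
            m = SESSION_RE.match(line)
            if m:
                pid, user, group, machine = m.groups()
                sessions[int(pid)] = {"user": user, "group": group, "machine": machine}
        elif table == "services":
            m = SERVICE_RE.match(line)
            if m:
                service, pid, machine, connected_at = m.groups()
                services.append({"service": service, "pid": int(pid),
                                 "machine": machine, "connected_at": connected_at})
    return sessions, services


def connections(text):
    """One record per open share connection, with the user looked up by PID."""
    sessions, services = parse_smbstatus(text)
    result = []
    for svc in services:
        sess = sessions.get(svc["pid"], {})
        result.append({"user": sess.get("user", "?"), "machine": svc["machine"],
                       "service": svc["service"], "connected_at": svc["connected_at"]})
    return result


def unexpected_connections(text, allowed_machines):
    """Connections whose client machine is not in the allowlist (case-insensitive)."""
    allowed = {m.lower() for m in allowed_machines}
    return [c for c in connections(text) if c["machine"].lower() not in allowed]


if __name__ == "__main__":
    for c in unexpected_connections(SAMPLE_SMBSTATUS, ["KIM-pc"]):
        print(f"unexpected: {c['user']}@{c['machine']} -> [{c['service']}] since {c['connected_at']}")
```

Feeding the live output (`smbstatus | python3 this_script.py` after replacing the sample with `sys.stdin.read()`) turns this into a periodic check; machine names come from the client, so treat the allowlist as a first filter and confirm with the hosts allow setting and the per-client log files.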


② Connecting to the Samba server

[1] Connecting to a Linux Samba server from a Linux client

smbclient service <password> [option] ◀ view information about the current Samba server

smbclient //hostname/shared_directory -U user ◀ connect to Samba with smbclient

*Connection example
root@bjkim:~# smbclient //192.168.0.160/public -U samtest
Password:
Domain=[BJIM] OS=[UNIX] Server=[Samba 3.6.23-51.el6]
smb: \> ls
 .                             D       0  Mon Aug 27 02:51:35 2018
 ..                            D       0  Mon Aug 27 01:33:43 2018
 test                                  0  Mon Aug 27 01:55:33 2018

            33584 blocks of size 524288. 30785 blocks available 


5) Samba server security

*Samba security model levels

User-level setting

Share-level setting

Server-level setting

Domain-level setting
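The option explanations in 3) and the security-model levels listed in 5) describe the settings that decide who may reach a share and with what rights. As an added example (not part of the original post or of the Samba project), the Python below parses an smb.conf in the syntax shown earlier and flags the weak choices those sections warn about: security = share or server, a missing hosts allow, the legacy smbpasswd backend, and shares that are guest-accessible and writable or writable without any valid users / write list restriction. Both sample configurations are constructed for the example, and the audit rules are this example's own heuristics rather than a Samba-provided check.

```python
import re
from typing import Dict, List

Config = Dict[str, Dict[str, str]]


def parse_smb_conf(text: str) -> Config:
    """Parse smb.conf text into {section: {option: value}}.

    Covers the syntax used in the file above: [section] headers, 'key = value'
    lines, and comments starting with '#' or ';'. Option names are lower-cased
    with internal whitespace collapsed, which is how Samba matches them.
    """
    config: Config = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            config.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # text outside any section, or a malformed line
        key, _, value = line.partition("=")
        config[current][" ".join(key.lower().split())] = value.strip()
    return config


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(opts: Dict[str, str]) -> bool:
    """'read only' and 'writable'/'writeable' are inverse synonyms; the Samba
    default is read only = yes. 'write list' is treated as a restriction below."""
    if "read only" in opts:
        return not _yes(opts["read only"])
    for name in ("writable", "writeable"):
        if name in opts:
            return _yes(opts[name])
    return False


def audit_smb_conf(config: Config) -> List[str]:
    """Findings for settings that weaken who may connect and who may write.
    These rules are this example's heuristics, not a Samba-provided check."""
    findings: List[str] = []
    g = config.get("global", {})

    security = g.get("security", "user").lower()  # Samba default: user
    if security == "share":
        findings.append("global: security = share grants access without per-user authentication (deprecated)")
    elif security == "server":
        findings.append("global: security = server delegates authentication to another host (deprecated)")
    if "hosts allow" not in g:
        findings.append("global: no 'hosts allow'; clients on any reachable network may connect")
    # unset is treated as tdbsam, the default backend since Samba 3.4
    if g.get("passdb backend", "tdbsam").lower().startswith("smbpasswd"):
        findings.append("global: passdb backend = smbpasswd is the legacy flat-file backend; use tdbsam")

    for name, opts in config.items():
        if name in ("global", "printers"):
            continue
        guest = _yes(opts.get("guest ok", opts.get("public", "no")))  # 'public' is a synonym
        writable = share_is_writable(opts)
        if guest and writable:
            findings.append(f"[{name}]: guest access combined with write permission")
        # [homes] maps each user to their own directory, so it is exempt here
        restricted = "valid users" in opts or "write list" in opts
        if writable and not restricted and name != "homes":
            findings.append(f"[{name}]: writable by every authenticated user (no 'valid users' or 'write list')")
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """\
[global]
   workgroup = MYGROUP
   security = share
   passdb backend = smbpasswd

[homes]
   browseable = no
   writable = yes

[public]
   path = /home/samba
   public = yes
   writable = yes
"""

HARDENED_CONF = """\
[global]
   workgroup = MYGROUP
   security = user
   passdb backend = tdbsam
   hosts allow = 127. 192.168.0.

[homes]
   browseable = no
   writable = yes
   valid users = %S

[public]
   path = /home/samba
   guest ok = no
   read only = yes
   write list = +staff
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in audit_smb_conf(parse_smb_conf(text)) or ["no findings"]:
            print("  " + finding)
```

Run it against the real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())` after `testparm` has confirmed the syntax; testparm catches typos, while this pass looks only at the meaning of the values that survive it.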