Samba

SMB

Tips

load printers = no
printing = bsd
printcap name = /dev/null
  • Allow guest login
    • guest ok = yes
    • smbclient //127.0.0.1/public -U guest
  • smb.conf
  • Default ports
    • 137 netbios-ns NETBIOS Name Service
    • 138 netbios-dgm NETBIOS Datagram Service
    • 139/udp/tcp netbios-ssn NETBIOS Session Service
    • 445/tcp SMB moved from NetBIOS to port 445 with Windows 2000 and later (CIFS)
  • Related ports
    • 901 SWAT service (not related to client communication)
    • 445 microsoft-ds (domain controller)
# Image with samba included
docker run --rm -it -p 139:139 -p 445:445 -v $PWD:/share -w /share wener/samba sh
# Or install via APK
apk add samba samba-dc

Quick start

  • Guest access requires map to guest = Bad User
# Debian: apt-get install samba samba-client
mkdir -p ~/temp/share && cd $_
mkdir private state usershare public
chmod 755 public
cat <<CONF > smbd.ini
[global]
log file = $PWD/log.%m
idmap config * : backend = tdb
state directory = $PWD/state
usershare path = $PWD/usershare
private dir = $PWD/private
smb passwd file = $PWD/private/smbpasswd
[public]
comment = Public share
path = $PWD/public
valid users = wener
read only = No
CONF
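# Create a user; the password need not match the system password, but the system user must exist
# -s /sbin/nologin -d /dev/null
# The default state path is /var/lib/samba/; the default backend is tdb
adduser wener -DH
smbpasswd -L -c smbd.ini -a wener
# Check that the configuration is valid
testparm smbd.ini
# Print the final configuration
testparm -v smbd.ini
# Start the service
smbd -s smbd.ini
# List all shares
smbclient -L //127.0.0.1/public -U wener
# Connect
smbclient //127.0.0.1/public -U wener
# Linux: smb://<HOST_IP_OR_NAME>/<folder_name>/
# Windows: \\<HOST_IP_OR_NAME>\<folder_name>\
# Mount the SMB share; change the password to the one entered earlier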
mount -t smbfs //wener:[email protected]/public ~/mnt/smb/
mount -t smbfs //localhost/public ~/mnt/smb/ -o username=wener

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

smb.conf

Available idmap backends: tdb (idmap_tdb(8)), tdb2 (idmap_tdb2(8)), ldap (idmap_ldap(8)), rid (idmap_rid(8)), hash (idmap_hash(8)), autorid (idmap_autorid(8)), ad (idmap_ad(8)), nss (idmap_nss(8)), and rfc2307 (idmap_rfc2307(8)).

idmap_tdb Samba's idmap_tdb Backend for Winbind

The idmap_tdb plugin is the default backend used by winbindd for storing SID/uid/gid mapping tables.

In contrast to read only backends like idmap_rid, it is an allocating backend: This means that it needs to allocate new user and group IDs in order to create new mappings.

range = low - high: Defines the available matching uid and gid range for which the backend is authoritative.

idmap_tdb2 — Samba's idmap_tdb2 Backend for Winbind

The idmap_tdb2 plugin is a substitute for the default idmap_tdb backend used by winbindd for storing SID/uid/gid mapping tables in clustered environments with Samba and CTDB.

script: This option can be used to configure an external program for performing id mappings instead of using the tdb counter. The mappings are then stored in the tdb2 idmap database. For details see the section on IDMAP SCRIPT below.

idmap config * : script = /usr/local/samba/bin/idmap_script.sh

Using the hash backend is not recommended

The idmap_ad plugin provides a way for Winbind to read id mappings from an AD server that uses RFC2307/SFU schema extensions.

"map to guest = Bad User" will reject a user if that user is in the server's samba password database but has the wrong password. But if the client user name doesn't exist in the samba password database he is converted to the guest account and then it's up to a given share definition to determine if he can gain access.

"map to guest = Never" makes the exact same comparison to the database but if it doesn't find that user it doesn't convert the user to the guest account it just rejects him and that user isn't even allowed to view the share list.

Don't pass a username and the "map to guest" logic is never used at the browse level and that's what a Linux client does unless you force it.
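The two "map to guest" rules above can be checked mechanically against a configuration. The following Python sketch is an added example, not part of the original notes or of Samba: it parses smb.conf-style text and reports which shares a login with an unknown user name would reach as guest, and whether that access is writable. The sample configuration and the function names are constructed for illustration, and it assumes write access is set with read only rather than its inverted synonyms.

```python
import re

# Constructed sample modelled on this page's shares, with guest access switched on.
SAMPLE = """\
[global]
map to guest = Bad User
[public]
Guest OK = Yes
read only = No
[private]
valid users = wener
read only = No
[printers]
public = yes
"""
TRUE = {"yes", "true", "1"}

def norm(name):
    # Samba ignores case and whitespace inside parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Return {section: {normalized_param: value}} for smb.conf-style text."""
    conf, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            cur[norm(key)] = value.strip()
    return conf

def guest_exposure(text):
    """Map each share an unknown user name reaches as guest to its access mode."""
    conf = parse(text)
    glob = conf.pop("global", {})
    # Never (the default) rejects unknown users. Assumption: any other value
    # is treated as "guest mapping on", the cautious reading for an audit.
    if norm(glob.get("maptoguest", "never")) == "never":
        return {}
    out = {}
    for share, p in conf.items():
        # "public" is a synonym of "guest ok"; [global] supplies share defaults.
        guest = p.get("guestok", p.get("public", glob.get("guestok", "no")))
        if guest.lower() in TRUE:
            ro = p.get("readonly", glob.get("readonly", "yes")).lower() in TRUE
            out[share] = "read-only" if ro else "writable"
    return out
```

Running guest_exposure on the output of testparm -s gives the same view for a live configuration, since testparm prints the parsed settings in the same format.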

Starting with v4.0, Samba is (or can be):

  • a file server
  • a DNS server
  • an LDAP server
  • a Kerberos server
  • an AD server

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Create an Active Directory Infrastructure with Samba4 on Ubuntu https://www.tecmint.com/install-samba4-active-directory-ubuntu/

Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1) https://www.microsoft.com/zh-cn/download/details.aspx?id=7887

Alpine Linux based container (aka Docker) for Samba 4 Active Directory https://github.com/tkaefer/alpine-samba-ad-container

https://github.com/dperson/samba

https://github.com/cptactionhank/docker-netatalk

# Global configuration
# Defaults for the other sections
[global]
security = domain
workgroup = MAIN
state directory = ${prefix}/var/locks
usershare path = ${prefix}/var/locks/usershares
# String the server reports about itself
server string = server %h
# Do not enable anonymous access
map to guest = never
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config MAIN : backend = rid
idmap config MAIN : range = 5000000-5999999
idmap config TRUSTED : backend = rid
idmap config TRUSTED : range = 6000000-6999999
# The server creates the home-directory share when a client connects
[homes]
path = /data/pchome/%S
# Like [homes], but for printers
[printers]
path = /usr/spool/public
guest ok = yes
printable = yes
[foo]
# Comment
comment = Public share
# Path
path = /data/share/public
# Users
valid users = wener
# Whether the share is read-only
read only = No

socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536

docker run --rm -it --cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH -v $PWD:/share -w /share wener/samba sh

mount -t cifs //10.88.2.202/share $PWD/mnt -o user=user,password=pass

smbd --help

Usage: smbd [OPTION...]
-D, --daemon Become a daemon (default)
-i, --interactive Run interactive (not a daemon) and log to stdout
-F, --foreground Run daemon in foreground (for daemontools, etc.)
--no-process-group Don't create a new process group
-S, --log-stdout Log to stdout
-b, --build-options Print build options
-p, --port=STRING Listen on the specified ports
-P, --profiling-level=PROFILE_LEVEL Set profiling level
Help options:
-?, --help Show this help message
--usage Display brief usage message
Common samba options:
-d, --debuglevel=DEBUGLEVEL Set debug level
-s, --configfile=CONFIGFILE Use alternate configuration file
-l, --log-basename=LOGFILEBASE Base name for log files
-V, --version Print version
--option=name=value Set smb.conf option from command line

FAQ

CIFS vs SMB

  • CIFS is a dialect of SMB

  • Prefer using the term SMB throughout

  • Windows Vista/Windows 2006 SMBv2

  • Windows 8/Windows 2012 SMBv3

NT_STATUS_BAD_NETWORK_NAME

Possibly because the directory lacks the required permissions

Does not work on macOS

https://community.spiceworks.com/topic/2085366-can-samba-active-directory-and-afp-run-simultaneously

NT_STATUS_INVALID_NETWORK_RESPONSE

Possibly caused by min protocol https://www.linuxquestions.org/questions/linux-networking-3/samba-min-protocol-%3D-smb2-causes-protocol-negotiation-failed-nt_status_invalid_network_response-4175597669/

mounting cifs: “Operation not supported”

Try adding the vers=3.0 option

mount -t cifs //192.168.1.1/share /mnt -o user=username,password=passwordd,vers=3.0