{{tag>Brouillon FS Windows Réseau}}
= Samba SMB CIFS server
See also
* [[Samba-client SMB CIFS]]
* https://github.com/cisagov/samba-packer
* ksmbd: a new SMB server built into the kernel (but problematic from a security standpoint)
== Notes
RHEL6 does not support the SMB2 protocol and later.
== Configuration
  rlimit_max (1024) below minimum Windows limit (16384)
''/etc/security/limits.d/30-samba.conf''
  root - nofile 16385
The default is ''max open files = 16385''.
See https://www.tecmint.com/install-samba-on-rhel-8-for-file-sharing-on-windows/
''/etc/samba/smb.conf''
  [global]
  workgroup = WORKGROUP
  server string = Samba
  netbios name = SAMBA
  client ipc min protocol = SMB3
  client min protocol = SMB3
  server min protocol = SMB2
  disable netbios = Yes
  disable spoolss = Yes
  domain master = No
  load printers = No
  local master = No
  log file = /var/log/samba/log.%m
  # Size in KB
  max log size = 200000
  name resolve order = host
  printcap name = /dev/null
  security = USER
  smb ports = 445
  idmap config * : backend = tdb
  passdb backend = tdbsam
  cups options = raw
  printing = bsd
  #log level = 3
  #restrict anonymous = 2
  #nt pipe support = no
  #interfaces = eth* lo
  #bind interfaces only = yes
  #fstype = Samba
  host msdfs = no
  server services = -s3fs, -rpc, -nbt, -wrepl, -ldap, -cldap, -kdc, -drepl, -winbindd, -ntp_signd, -kcc, -dnsupdate, -dns
  [public]
  comment = Public
  read only = Yes
  path = /data/shared/public
  [shared]
  #guest ok = Yes
  #browseable = No
  comment = Shared
  path = /mnt/shared
  read only = No
  #force user = jean
  valid users = jean
  write list = jean
  #[IPC$]
  # hosts allow = 192.168.115.0/24 127.0.0.1
  # hosts deny = 0.0.0.0/0
There is no need to restart the service; changes are picked up automatically.
To check the configuration
  testparm
To test the connection
  smbclient -N -L 127.0.0.1
  smbclient -N //127.0.0.1/shared
  smbclient -U user%password //127.0.0.1/shared
If needed, edit ''/etc/sysconfig/iptables'' or **firewalld**
  #iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
  iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
Example:
''/etc/samba/smb.conf''
  [partage]
  comment = Commentaires...
  path = /var/www
  force user = web
  #valid users = web
  browseable = yes
  writable = yes
Validate the configuration
  testparm
Reload the configuration without restarting
  smbcontrol all reload-config
Restart the service
  systemctl restart smb
=== Including a configuration file
This looks like a good idea but is not, because there is no automatic reload.
''/etc/samba/smb.conf''
  [global]
  path = /dev/null
  [includes]
  available = No
  include = /etc/samba/smb.d/shared.conf
''/etc/samba/smb.d/shared.conf''
  [shared]
  comment = Shared
  path = /mnt/shared
  read only = No
== Authentication / accounts
How it is configured
  testparm -sv /dev/null | grep auth
Authorize a user / set the password
  #pdbedit -a utilisateur
  smbpasswd -a utilisateur
Delete an account (rolls back the previous step)
  smbpasswd -x supervision
List all accounts
  pdbedit -L
Check that the user **pirate** exists
  pdbedit -u pirate
== Disabling printing
''/etc/samba/smb.conf''
  [global]
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
Source: http://mugurel.sumanariu.ro/linux/linux-how-to-disable-printing-in-samba/
== Debug
''/etc/samba/smb.conf''
  [global]
  log level = 3
No need to restart the service; the reload is automatic.
== Notes
  smbstatus
== Problems
=== Receiving SMB: Server stopped responding - Call returned zero bytes (EOF) opening remote
  smb: \> get plop
  Receiving SMB: Server stopped responding
  Call returned zero bytes (EOF) opening remote file \plop
==== Solution
The problem was that the ''/var'' partition was full.
=== Connection problem from Windows: error NT_STATUS_WRONG_PASSWORD
See https://bgstack15.wordpress.com/2017/10/01/samba-and-ntlm-for-windows-clients/
==== Solution 1 (insecure)
''/etc/samba/smb.conf''
  [global]
  # yes is an alias for ntlmv1-permitted: the server accepts NTLMv1 responses
  ntlm auth = yes
  #client ntlmv2 auth = yes
-----------------------
Example configuration
Install on RedHat / CentOS
  cp -p /etc/samba/smb.conf /etc/samba/smb.conf.bak
  egrep -v '^$|^#|^;' /etc/samba/smb.conf.bak > /etc/samba/smb.conf
''/etc/samba/smb.conf''
  [global]
  workgroup = WORKGROUP
  dns proxy = no
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  server role = standalone server
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  pam password change = yes
  map to guest = bad user
  usershare allow guests = yes
  [tmp]
  path = /tmp
  comment = TEMP
  browseable = yes
  read only = no
  create mask = 0660
  directory mask = 0770
  guest ok = yes
  [partage]
  comment = Partage
  path = /data/
  force user = utilisateur1
  #public = yes
  valid users = @groupe1, jean
  write list = @groupe1, jean
  browseable = yes
  writable = yes
  read only = no
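An added example (not part of the original page or of Samba): a small Python check for three settings shown on this page that weaken a server, namely ''ntlm auth = yes'' from Solution 1, a ''server min protocol'' at SMB1 level or below, and a share that is both guest-accessible and writable like ''[tmp]'' above. The sample file is constructed from this page's settings, the function names are assumptions, and the share check does not model ''write list'' or the order in which ''read only'' synonyms appear.

```python
import re

SAMPLE = """\
[global]
    server min protocol = SMB2
    ntlm auth = yes
[tmp]
    read only = no
    guest ok = yes
[shared]
    read only = No
    valid users = jean
"""  # constructed sample built from settings that appear on this page

TRUE = {"yes", "true", "on", "1"}                      # Samba boolean spellings
SMB1_OR_OLDER = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

def parse(text):
    """Return {section: {key: value}}; keys lowercased with spaces removed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        # '#' and ';' start comment lines; Samba ignores case/spaces in names
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, value = line.split("=", 1)
            section[re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def is_true(params, *names):
    """True if any of the synonymous parameters is set to a true value."""
    return any(params.get(n, "").lower() in TRUE for n in names)

def audit(text):
    """Return a list of (section, finding) tuples for the three checks."""
    conf, findings = parse(text), []
    glob = conf.get("global", {})
    if glob.get("ntlmauth", "").lower() in TRUE | {"ntlmv1-permitted"}:
        findings.append(("global", "ntlm auth accepts NTLMv1"))
    if glob.get("serverminprotocol", "").upper() in SMB1_OR_OLDER:
        findings.append(("global", "server min protocol allows SMB1"))
    for name, share in conf.items():
        # 'read only' defaults to yes; writable/writeable/write ok invert it
        writable = (share.get("readonly", "yes").lower() not in TRUE
                    or is_true(share, "writable", "writeable", "writeok"))
        if name != "global" and writable and is_true(share, "guestok", "public"):
            findings.append((name, "guest-writable share"))
    return findings
```

To audit a real file, pass its contents: ''audit(open("/etc/samba/smb.conf").read())''.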
== Other
For containers
  /usr/sbin/smbd -F -S