Difference between revisions of "Quick HOWTO : Ch12 : Samba Security and Troubleshooting/zh"

From Ubuntu中文


Revision as of 23:05, 25 October 2008 (Saturday)

Introduction

Configuring Samba for your office or home brings many benefits. By encouraging users to store their files on a single file server, it can in many cases make data backup, software installation and maintenance much easier.

Unfortunately, the initial configuration of Samba can be tricky. Many small steps have to be carried out in the right order, and a mistake in any one of them can cause serious errors. This chapter is about helping you recover from the errors you cannot avoid.


Testing the smb.conf File

Samba has a testing utility called testparm that warns about errors in the smb.conf file. If you edit the file with SWAT, it will usually pass the test, as shown here:

[root@bigboy tmp]# testparm -s
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
...
...
[root@bigboy tmp]#

A successful test only means that Samba will load the configuration file; Samba can still have problems elsewhere.

Note: You can also use the testparm command to test a file other than the default /etc/samba/smb.conf. Simply pass the filename as the first argument, in this format:

[root@bigboy tmp]# testparm -s filename

Samba and Firewall Software

Firewall software on both your Windows PC and the Samba server can stop Samba from working. Solutions for two of the more popular firewall packages, iptables and ZoneAlarm, are given below.

Linux iptables

Fedora configures the iptables firewall package by default during installation. You have two choices. You can disable it, provided you can keep the network secure by other means, or you can configure it as follows: allow Microsoft NetBIOS (UDP ports 137 and 138, TCP port 139) and SMB file sharing over TCP port 445, which is used when NetBIOS is not in use. Here is a script snippet:

#!/bin/bash
# Samba server address and the local network it serves
SAMBA_SERVER="192.168.1.100"
NETWORK="192.168.1.0/24"    # Local area network
BROADCAST="192.168.1.255"   # Broadcast address of NETWORK; NetBIOS name
                            # queries are sent here, so it must match the
                            # network above or they fall through to the DROP rules

# Always allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# NetBIOS name service and datagram service (UDP 137/138) from the LAN
iptables -A INPUT -p udp -s $NETWORK -d $SAMBA_SERVER \
    -m multiport --dports 137,138 -j ACCEPT
# NetBIOS session service (TCP 139) and SMB over TCP (445) from the LAN
iptables -A INPUT -p tcp -s $NETWORK -d $SAMBA_SERVER -m multiport \
    --dports 139,445 -j ACCEPT
# NetBIOS name queries are broadcast to the LAN broadcast address
iptables -A INPUT -p udp -s $NETWORK -d $BROADCAST --dport 137 \
    -j ACCEPT

# Drop the same Samba ports from any other source
iptables -A INPUT -p udp -d $SAMBA_SERVER -m multiport \
    --dports 137,138 -j DROP
iptables -A INPUT -p tcp -d $SAMBA_SERVER -m multiport \
    --dports 139,445 -j DROP

# Allow replies from the server back to the LAN
iptables -A OUTPUT -s $SAMBA_SERVER -d $NETWORK -m state --state \
    ESTABLISHED,RELATED -j ACCEPT

For more information, please refer to Chapter 14, "Linux Firewalls Using iptables".
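As an added example (not part of the original HOWTO or the Samba project), the script below derives the LAN broadcast address from the NETWORK CIDR instead of hand-typing it, and prints the Samba rules as a dry run so the set can be reviewed before it is loaded; the function names broadcast_of and samba_rules are this example's own.

```shell
#!/bin/bash
# Added example, not from the original HOWTO. Derives the broadcast address
# from the NETWORK CIDR (so it cannot drift from the network as a hand-typed
# value can) and prints the Samba rules as a dry run for review before loading.
# Function names broadcast_of and samba_rules are this example's own.

# broadcast_of 192.168.1.0/24 -> 192.168.1.255
broadcast_of() {
    local ip=${1%/*} bits=${1#*/} old_ifs=$IFS n mask bc
    IFS=.; set -- $ip; IFS=$old_ifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF >> (32 - bits)) << (32 - bits) ))
    fi
    bc=$(( (n & mask) | (0xFFFFFFFF & ~mask) ))
    printf '%d.%d.%d.%d\n' $(( (bc >> 24) & 255 )) $(( (bc >> 16) & 255 )) \
        $(( (bc >> 8) & 255 )) $(( bc & 255 ))
}

# samba_rules SERVER NETWORK_CIDR -> the six Samba rules, one per line
samba_rules() {
    local server=$1 network=$2 bcast
    bcast=$(broadcast_of "$network")
    cat <<EOF
iptables -A INPUT -p udp -s $network -d $server -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT -p tcp -s $network -d $server -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -p udp -s $network -d $bcast --dport 137 -j ACCEPT
iptables -A INPUT -p udp -d $server -m multiport --dports 137,138 -j DROP
iptables -A INPUT -p tcp -d $server -m multiport --dports 139,445 -j DROP
iptables -A OUTPUT -s $server -d $network -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Dry run: print the rules for the HOWTO's addresses; pipe into sh to apply.
samba_rules 192.168.1.100 192.168.1.0/24
```

The loopback rules from the HOWTO script are unchanged and are left out here; only the address-dependent rules are generated.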

Windows-based Zone Alarm

The default installation of Zone Alarm assumes that your PC is directly connected to the Internet. This means that the software will deny all inbound connections that attempt to connect with your PC. The NetBIOS traffic that Samba uses to communicate with the PCs on the network therefore is considered as hostile traffic.

The easiest way around this is to configure Zone Alarm to consider your home network as a trusted network too. To do so click on the firewall tab and edit the settings for your home network; it will most likely have a 192.168.x.x/255.255.255.0 type entry. Make this network a trusted network, instead of an Internet network, and ZoneAlarm should cease to interfere with Samba.

The Windows XP Built-In Firewall

You may also need to disable the firewall feature of Windows XP. Follow these steps:

1. Bring up the Control Panel
2. Double-click on the Network Connections icon.
3. Right-click on your LAN connection icon and select Properties.
4. Click on the Advanced tab and then on the Windows Firewall Settings button.
5. Turn off the Internet Connection Firewall by clearing its check box. You may also leave the firewall on, but allow Windows file sharing traffic through this connection. This can be done by clicking on the Exceptions tab of the Windows Firewall dialog box and clicking on the File and Printer Sharing check box.

After you get SAMBA to work, you may want to experiment with the firewall software settings to optimize your security, keeping in mind the need to maintain a valid relationship with the Samba server.