Samba4 load-balanced cluster

1 Architecture overview

[Architecture diagram]

1.1 Load balancer layer

This layer provides the load-balancing scheduling service and distributes the load across the file system servers.

1.2 File system service layer

This layer provides file storage, identity authentication, permission control and related services. It is implemented with Samba on Linux and, combined with the authentication service provided by AD, delivers the same share service as Windows.

1.3 Scalable distributed storage layer

This layer provides the layer above with data access that can be extended without limit, plus quotas. It is implemented with a Linux-based GlusterFS cluster of four nodes.

1.4 Cluster workflow

1) Connection establishment

step1 The client connects to the load balancer's virtual IP (10.10.2.90)

step2 The load balancer sees that the client is requesting the virtual IP on destination port 445/tcp or 139/tcp

step3 The load balancer rewrites the virtual IP's MAC address to the MAC address of the Samba server with the fewest connections (the ARP resolution step)

step4 The user establishes the connection with the Samba server that has the fewest connections

2) Data upload

step1 The user uploads a file to the Samba server, which caches it locally

step2 The Samba server writes the cached data through to the backend storage layer

3) Data read

step1 The user requests data from the Samba server

step2 The Samba server fetches the data from the backend storage layer and sends it to the user

2 Load balancer layer

2.1 Project overview

Official site:

http://www.keepalived.org/

Keepalived's job is to monitor server state. If a file server goes down or develops a fault, Keepalived detects it and removes the faulty server from the pool; once the server is working normally again, Keepalived adds it back automatically. All of this happens without human intervention; the only manual task is repairing the failed server.

2.2 How it works

2.2.1 LVS architecture

1) Scheduling layer (Director)

2) Cluster layer (Real Server)

3) Shared storage layer

2.2.2 The three LVS forwarding modes

1) DR mode

- Works at the MAC layer

- The Director rewrites the destination MAC of the request packet to the Real Server's MAC address

- Replies go directly back to the client

2) NAT mode

- Works at the IP layer

- The Director rewrites the destination IP of the request to the Real Server's IP

- Replies pass back through the Director, which restores the source IP

3) TUN mode

- Similar to a ××× implementation

- The Director builds an encrypted IP tunnel and forwards to the Real Server

- Replies go directly back to the client

2.2.3 LVS IP address types

1) VIP (Virtual IP)

- The VIP must be configured on every machine

- Used for internal communication and for serving clients

2) DIP (Director IP)

- The DIP is configured on the Director server

- Split into internal and external IPs: the internal IP is for internal communication, the external IP is for the external side in NAT mode

3) RIP (Real IP)

- The RIP is configured on the Real Server

- Internal IP only, used solely for internal communication

2.2.4 LVS scheduling algorithms

1) Round Robin (RR)

2) Weighted Round Robin (WRR)

3) Least Connection (LC)

4) Weighted Least Connections (WLC)

2.3 Keepalived configuration

2.3.1 Environment

KeepLive{1-2}

hostname=Keeplive{1-2}.cmdschool.org

ipaddress=10.168.0.9{0-1}

OS=CentOS 6.8

2.3.2 Configure NTP

In KeepLive{1-2} :

1) Install the NTP package

yum install -y chrony

2) Point at the internal NTP server

vim /etc/chrony.conf

Change the configuration as follows:

#server 0.rhel.pool.ntp.org iburst
#server 1.rhel.pool.ntp.org iburst
#server 2.rhel.pool.ntp.org iburst
#server 3.rhel.pool.ntp.org iburst
server 10.168.0.154 iburst

3) Start the service and enable it at boot

/etc/init.d/chronyd start
chkconfig chronyd on

4) Check time synchronization

chronyc sources

2.3.3 Configure the Keepalived service

1) Install the packages

In KeepLive{1-2} :

yum install -y ipvsadm keepalived

2) Configure the Keepalived servers

In KeepLive{1-2} :

cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.default
echo "" > /etc/keepalived/keepalived.conf
vim /etc/keepalived/keepalived.conf

Configure as follows:

In KeepLive1 :

vrrp_instance VI_1 {
    state MASTER                    # BACKUP on the standby server
    interface eth0
    virtual_router_id 51
    priority 100                    # 90 on the standby server
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.168.0.90
    }
}

virtual_server 10.168.0.90 445 {
    delay_loop 6                    # poll real server state every 6 seconds
    lb_algo wlc                     # LVS scheduling algorithm
    lb_kind DR                      # Direct Routing
    persistence_timeout 7200        # connections from one IP go to the same real server for 7200 seconds
    protocol TCP                    # check real server state over TCP

    real_server 10.168.0.190 445 {
        weight 100                  # weight
        TCP_CHECK {
            connect_timeout 10      # time out after 10 seconds without a response
            nb_get_retry 3
            delay_before_retry 3
            connect_port 445
        }
    }
    real_server 10.168.0.191 445 {
        weight 100
        TCP_CHECK {
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 445
        }
    }
}

virtual_server 10.168.0.90 139 {
    delay_loop 6                    # poll real server state every 6 seconds
    lb_algo wlc                     # LVS scheduling algorithm
    lb_kind DR                      # Direct Routing
    persistence_timeout 7200        # connections from one IP go to the same real server for 7200 seconds
    protocol TCP                    # check real server state over TCP

    real_server 10.168.0.190 139 {
        weight 100                  # weight
        TCP_CHECK {
            connect_timeout 10      # time out after 10 seconds without a response
            nb_get_retry 3
            delay_before_retry 3
            connect_port 139
        }
    }
    real_server 10.168.0.191 139 {
        weight 100
        TCP_CHECK {
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 139
        }
    }
}

In KeepLive2 :

vrrp_instance VI_1 {
    state BACKUP                    # MASTER on the primary server
    interface eth0
    virtual_router_id 51
    priority 90                     # 100 on the primary server
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.168.0.90
    }
}

virtual_server 10.168.0.90 445 {
    delay_loop 6                    # poll real server state every 6 seconds
    lb_algo wlc                     # LVS scheduling algorithm
    lb_kind DR                      # Direct Routing
    persistence_timeout 7200        # connections from one IP go to the same real server for 7200 seconds
    protocol TCP                    # check real server state over TCP

    real_server 10.168.0.190 445 {
        weight 100                  # weight
        TCP_CHECK {
            connect_timeout 10      # time out after 10 seconds without a response
            nb_get_retry 3
            delay_before_retry 3
            connect_port 445
        }
    }
    real_server 10.168.0.191 445 {
        weight 100
        TCP_CHECK {
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 445
        }
    }
}

virtual_server 10.168.0.90 139 {
    delay_loop 6                    # poll real server state every 6 seconds
    lb_algo wlc                     # LVS scheduling algorithm
    lb_kind DR                      # Direct Routing
    persistence_timeout 7200        # connections from one IP go to the same real server for 7200 seconds
    protocol TCP                    # check real server state over TCP

    real_server 10.168.0.190 139 {
        weight 100                  # weight
        TCP_CHECK {
            connect_timeout 10      # time out after 10 seconds without a response
            nb_get_retry 3
            delay_before_retry 3
            connect_port 139
        }
    }
    real_server 10.168.0.191 139 {
        weight 100
        TCP_CHECK {
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 139
        }
    }
}

3) Start the service and enable it at boot

In KeepLive{1-2} :

/etc/init.d/keepalived start
chkconfig keepalived on
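A consistency check over the two keepalived.conf files, added here as an example (not part of the original post and not a Keepalived tool): it parses the VRRP instance and the virtual_server pools, flags a real_server listed twice in one pool (the slip that cloning the 445/tcp block into a 139/tcp block invites), and confirms that both nodes agree on virtual_router_id, VIP, MASTER/BACKUP priority and pool membership. The configuration text is a constructed, abbreviated copy of the files above.

```python
"""Cross-check the KeepLive1/KeepLive2 keepalived.conf pair described above."""
from collections import Counter

# Constructed, abbreviated copies of the two keepalived.conf files (not the
# page's own files; TCP_CHECK blocks omitted). The KeepLive1 copy repeats
# real_server 10.168.0.190 in its 139/tcp pool, the slip that cloning the
# 445/tcp block invites, so the check has something to find.
KEEPLIVE1_CONF = """
vrrp_instance VI_1 {
    state MASTER            # BACKUP on the standby node
    virtual_router_id 51
    priority 100            # 90 on the standby node
    virtual_ipaddress {
        10.168.0.90
    }
}
virtual_server 10.168.0.90 445 {
    lb_algo wlc
    lb_kind DR
    real_server 10.168.0.190 445 { weight 100 }
    real_server 10.168.0.191 445 { weight 100 }
}
virtual_server 10.168.0.90 139 {
    lb_algo wlc
    lb_kind DR
    real_server 10.168.0.190 139 { weight 100 }
    real_server 10.168.0.190 139 { weight 100 }
}
"""
# Standby copy: BACKUP at priority 90, with the 139/tcp pool written correctly.
KEEPLIVE2_CONF = (KEEPLIVE1_CONF.replace("state MASTER", "state BACKUP")
                  .replace("priority 100", "priority 90")
                  .replace("0.190 139 { weight 100 }\n    real_server 10.168.0.190 139",
                           "0.190 139 { weight 100 }\n    real_server 10.168.0.191 139"))


def parse_conf(text):
    """Line-oriented parse of what the checks need: the VRRP instance (state,
    priority, virtual_router_id, VIPs) and each virtual_server's real_server
    list. Keepalived comments start with '#' or '!'."""
    vrrp, pools, section, in_vips = {"vips": []}, {}, None, False
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split("!", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "vrrp_instance":
            section = "vrrp"
        elif tok[0] == "virtual_server":
            section = (tok[1], int(tok[2]))
            pools[section] = []
        elif tok[0] == "real_server" and isinstance(section, tuple):
            pools[section].append((tok[1], int(tok[2])))
        elif section == "vrrp":
            if tok[0] == "virtual_ipaddress":
                in_vips = True
            elif tok[0] == "}":
                in_vips = False
            elif in_vips:
                vrrp["vips"].append(tok[0])
            elif tok[0] in ("state", "priority", "virtual_router_id"):
                vrrp[tok[0]] = tok[1]
    return vrrp, pools


def check_node(text):
    """Findings for one node: each served VIP must be a VRRP VIP, each
    real_server must appear once per pool, and its port must equal the VIP port."""
    vrrp, pools = parse_conf(text)
    findings = []
    for (vip, vport), members in pools.items():
        if vip not in vrrp["vips"]:
            findings.append(f"{vip}:{vport}: VIP is not in virtual_ipaddress")
        for (rip, rport), n in Counter(members).items():
            if n > 1:
                findings.append(f"{vip}:{vport}: real_server {rip}:{rport} listed {n} times")
            if rport != vport:
                findings.append(f"{vip}:{vport}: real_server {rip} uses port {rport}")
    return findings


def check_pair(master, backup):
    """Findings across both nodes: same VRID and VIPs, MASTER priority above
    BACKUP, and identical pools so a failover does not change where clients land."""
    findings = check_node(master) + check_node(backup)
    m, mp = parse_conf(master)
    b, bp = parse_conf(backup)
    if m["virtual_router_id"] != b["virtual_router_id"] or set(m["vips"]) != set(b["vips"]):
        findings.append("nodes disagree on virtual_router_id or VIPs")
    if (m["state"], b["state"]) != ("MASTER", "BACKUP") or int(m["priority"]) <= int(b["priority"]):
        findings.append("MASTER/BACKUP states or priorities are inconsistent")
    for vip, vport in sorted(set(mp) | set(bp)):
        if set(mp.get((vip, vport), [])) != set(bp.get((vip, vport), [])):
            findings.append(f"{vip}:{vport}: real_server pools differ between nodes")
    return findings
```

Run `check_pair` against the two files on the Director pair before `keepalived` is started; an empty list means the pair is consistent.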

2.3.4 Enable IP forwarding

In KeepLive{1-2} :

1) Enable forwarding for the running system

echo 1 > /proc/sys/net/ipv4/ip_forward

2) Enable forwarding permanently

vim /etc/sysctl.conf

Change the following setting

net.ipv4.ip_forward = 1

2.3.5 Configure the firewall

In KeepLive{1-2} :

vim /etc/sysconfig/iptables

Add the following entries:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

Restart the firewall to apply the configuration

/etc/init.d/iptables restart

2.3.6 Configure the Real Servers

In GlusterGW0{1-2} :

1) Write the configuration script

vim /usr/local/sbin/lvs_dr_rs.sh

Enter the following:

#!/bin/bash
# Bind the VIP to loopback and suppress ARP for it: only the Director answers ARP
# for the VIP, while this host still accepts packets the Director forwards to it.
vip=10.168.0.90
ifconfig lo:0 $vip broadcast $vip netmask 255.255.255.255 up
route add -host $vip lo:0
echo "1" > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" > /proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" > /proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" > /proc/sys/net/ipv4/conf/all/arp_announce

2) Run the configuration script

sh /usr/local/sbin/lvs_dr_rs.sh
echo 'sh /usr/local/sbin/lvs_dr_rs.sh' >> /etc/rc.local

3 File system service layer

3.1 Background

3.1.1 Introduction to Samba

https://www.samba.org

Samba is free software that implements the SMB protocol on Linux and UNIX systems; it consists of server and client programs. SMB (Server Message Block) is a communication protocol for sharing files and printers on a local area network: it lets different computers on the LAN share resources such as files and printers. SMB is a client/server protocol through which a client can access shared file systems, printers and other resources on a server. By enabling "NetBIOS over TCP/IP", Samba can share resources not only with hosts on the local network but with computers anywhere in the world.

3.1.2 Origins of Samba

In 1991 a university student named Andrew Tridgell had exactly this problem. He had three machines: a personal computer running DOS, a DEC Digital Unix system and a Sun Unix system. At the time DEC had developed a package called PATHWORKS that could share files between DEC's Unix and DOS on the PC, but to Tridgell's frustration Sun's Unix could not take part in that sharing. So he asked himself: "If these two systems can talk to each other, why should the Sun be left out? Can I work out how the two communicate and let the Sun share files too?" To solve the problem he wrote a program to capture the protocol information exchanged when DOS and DEC Unix shared data, extracted the important parts, and from the protocol he discovered developed the Server Message Block (SMB) file system; it is this SMB software that lets Unix and DOS share data with each other. (Note, once more: on Unix-like systems the file system used for sharing files is NFS, while the file system used by "Network Neighborhood" on Windows is called the Common Internet File System, CIFS.)

3.2 Recommended configuration

3.2.1 Windows Server 2008 R2 server

- Deploy Windows Server 2008 R2

- Configure Active Directory Domain Services

3.2.2 Red Hat Enterprise Linux 6 systems

- Deploy Red Hat Enterprise Linux 6

- Configure SELinux Security Parameters

- Install/Configure Samba (Recommended Configurations 1, 2 only)

- Synchronize Time Services

- Configure DNS

- Install/Configure Kerberos Client

- Install oddjob-mkhomedir

3.3 Winbind backend types

Each backend is listed with its type (Read/Write or Read-only) and how it produces ID mappings, followed by its advantages and disadvantages.

idmap_tdb (Read/Write, allocating)

- Advantages: simplest to implement; the default winbind backend

- Disadvantages: limited scalability, not intended for consistent ID mappings across multiple RHEL servers; cache corruption requires manual intervention to correct file ownership; static, one tdb entry for each SID (slower)

idmap_rid (Read-only, algorithmic)

- Advantages: uses algorithmic ID mappings across multiple servers (faster)

- Disadvantages: requires additional configuration work to support a forest of AD domains or multiple domain trees

idmap_ad (Read-only, assigned by admin)

- Advantages: standardized user configuration (shell, home directory); centralized user account management

- Disadvantages: requires additional configuration work to support a forest of AD domains or multiple domain trees; requires additional user management tasks, since user/group ID attributes must be specified within AD

idmap_ldap (Read/Write, allocating)

- Advantages: ID mappings stored in a centralized, non-AD server (RHDS, OpenLDAP, etc.)

- Disadvantages: requires an external LDAP server; the most complex configuration to implement because of Samba LDAP mapping limitations (UID/GID not stored at the POSIX level)

idmap_adex (Read-only, assigned by admin)

- Advantages: supports ID mappings using RFC2307 attributes

- Disadvantages: not recommended for new deployments (deprecated by the latest versions of Samba)

idmap_hash (Read-only, algorithmic)

- Advantages: similar to idmap_rid but generates UID/GID from the full domain SID; mappings consistent across RHEL systems

- Disadvantages: no additional configuration, but potential risk of ID collisions

idmap_tdb2 (Read/Write, allocating)

- Advantages: script option available for performing ID mappings via an external program

- Disadvantages: for Samba clusters (CTDB) only

idmap_nss (Read-only, pre-existing)

- Advantages: uses existing UID/GID mappings

- Disadvantages: no support for trusted domains; cannot resolve mappings unless a SID is available

3.4 winbind

3.4.1 The winbind databases

ll /var/lib/samba/winbindd_*.tdb

Output:

-rw-------. 1 root root  32768 Aug 10 01:12 /var/lib/samba/winbindd_cache.tdb
-rw-r--r--. 1 root root 421888 Aug 10 00:46 /var/lib/samba/winbindd_idmap.tdb

3.4.2 Inspecting the databases

1) Install the tool

yum install -y tdb-tools

2) Use the tool

tdbdump /var/lib/samba/winbindd_idmap.tdb
tdbdump /var/lib/samba/winbindd_cache.tdb

3.5 Environment

3.5.1 Environment details

ad1 server (trusts dg.cmdschool.org):

hostname = rootad.cmdschool.org

ipaddress = 10.168.0.154

OS = Windows Server 2008 R2


ad2 server (trusts rootad.cmdschool.org):

hostname = dg.cmdschool.org

ipaddress = 10.168.0.155

OS = Windows Server 2008 R2


samba server:

hostname = GlusterGW0{1-2}.cmdschool.org

ipaddress = 10.168.0.19{0-1}

OS = CentOS 6.8

3.5.2 Deploy Windows Server 2008 R2

For details see:

https://technet.microsoft.com/en-us/library/dd283085.aspx

3.5.3 Configure Active Directory Domain Services

For details see:

https://technet.microsoft.com/en-us/library/cc770946.aspx

3.5.4 Configure the distributed storage

Since Samba itself does not support clustering, this layer decides whether Samba load balancing succeeds or fails, so be sure to observe the following:

1) The scalable storage must use Gluster 3.8 or later; for its configuration see: http://cmdschool.blog.51cto.com/2420395/1828450

2) The distributed storage must have storage locking enabled; for its configuration see: http://cmdschool.blog.51cto.com/2420395/1858776

Storage locking handles exclusive editing of Excel files across multiple servers, preventing users distributed across different Samba servers from editing the same file at the same time and corrupting it.

3.6 Base configuration

3.6.1 Configure SELinux security parameters

In GlusterGW0{1-2} :

setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

3.6.2 Name resolution

In GlusterGW0{1-2} :

1) hosts file

echo "10.168.0.190 GlusterGW01.cmdschool.org GlusterGW01" >> /etc/hosts
echo "10.168.0.191 GlusterGW02.cmdschool.org GlusterGW02" >> /etc/hosts
echo "10.168.0.192 GlusterH01.cmdschool.org" >> /etc/hosts
echo "10.168.0.193 GlusterH02.cmdschool.org" >> /etc/hosts
echo "10.168.0.194 GlusterH03.cmdschool.org" >> /etc/hosts
echo "10.168.0.195 GlusterH04.cmdschool.org" >> /etc/hosts

2) DNS server

echo "nameserver 10.168.0.154" >> /etc/resolv.conf
echo "search ad.cmdschool.org" >> /etc/resolv.conf

3.6.3 Verify the domain server

In GlusterGW0{1-2} :

1) Install the DNS tools

yum install -y bind-utils

2) Test with the following command

host -t A ad.cmdschool.org

3.6.4 NTP configuration

In GlusterGW0{1-2} :

1) Install the rpm package

yum install -y chrony

2) Configure the NTP server

vim /etc/chrony.conf

Point at the internal NTP server by changing the configuration as follows

#server 0.rhel.pool.ntp.org iburst
#server 1.rhel.pool.ntp.org iburst
#server 2.rhel.pool.ntp.org iburst
#server 3.rhel.pool.ntp.org iburst
server 10.168.0.154 iburst

3) Start the service and enable it at boot

/etc/init.d/chronyd start
chkconfig chronyd on

4) Check time synchronization

chronyc sources

3.6.5 Configure the yum repositories

In GlusterGW0{1-2} :

yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
curl http://download.gluster.org/pub/gluster/glusterfs/3.7/LATEST/CentOS/glusterfs-epel.repo > /etc/yum.repos.d/glusterfs-epel.repo

3.6.6 Configure the firewall

In GlusterGW0{1-2} :

/etc/init.d/iptables stop
chkconfig iptables off

3.6.7 Install the packages

In GlusterGW0{1-2} :

1) Install the packages

yum -y install samba4 samba4-client samba4-common samba4-winbind samba4-winbind-clients

2) Start and verify the service

/etc/init.d/smb start
/etc/init.d/smb status
ps -aef | grep smb

3) Enable the service at boot

chkconfig smb on
chkconfig --list smb

3.7 Configure the file system service

3.7.1 Configure the Kerberos server side

In AD Server :

1) Disable UAC and reboot the system

2) Create the authentication user

Note: a single account is enough to authenticate multiple servers

3) Generate the keytabs into the root of drive D:

Command-line example

setspn -A host/[email protected] client
setspn -L client
ktpass /princ host/[email protected] /out client-host.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser AD\client$ +setupn +rndPass +setpass +answer

Note: to add a keytab for another server, generate a new one following the command format above

Actual commands used

setspn -A GLUSTERGW02/[email protected] authuser
setspn -L authuser
ktpass /princ GLUSTERGW02/[email protected] /out authuser-GLUSTERGW02.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser CMDSCHOOL\authuser +setupn +rndPass +setpass +answer

setspn -A GLUSTERGW01/[email protected] authuser
setspn -L authuser
ktpass /princ GLUSTERGW01/[email protected] /out authuser-GLUSTERGW01.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser CMDSCHOOL\authuser +setupn +rndPass +setpass +answer

3.7.2 Configure the Kerberos client

In GlusterGW0{1-2} :

1) Install the keytab

Copy each keytab generated on the Kerberos server to the /root directory of the client whose name it carries, then run the following:

cp authuser-GLUSTERGW*.keytab /etc/krb5.keytab
chown root:root /etc/krb5.keytab
chmod 0600 /etc/krb5.keytab
restorecon /etc/krb5.keytab

2) Install the Kerberos client rpm package

yum install -y krb5-workstation

3) Edit the krb5 configuration file

cp /etc/krb5.conf /etc/krb5.conf.default
echo "" > /etc/krb5.conf
vim /etc/krb5.conf

Change the contents as follows:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CMDSCHOOL.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 CMDSCHOOL.ORG = {
  kdc = rootad.cmdschool.org
  admin_server = rootad.cmdschool.org
 }

 DG.CMDSCHOOL.ORG = {
  kdc = dg.cmdschool.org:88
  admin_server = dg.cmdschool.org:749
 }

[domain_realm]
 .cmdschool.org = CMDSCHOOL.ORG
 cmdschool.org = CMDSCHOOL.ORG

 .dg.cmdschool.org = DG.CMDSCHOOL.ORG
 dg.cmdschool.org = DG.CMDSCHOOL.ORG

4) Check whether the keytab works

kdestroy
klist

You should see the following message:

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

5) Initialize krb5

kinit [email protected]

Confirm that it succeeded

klist

On success you should see the following:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
08/28/16 08:59:12  08/28/16 18:59:17  krbtgt/[email protected]
	renew until 09/04/16 08:59:12

3.7.3 Join the domain and test

1) Add the domain join settings

In GlusterGW0{1-2} :

cp /etc/samba/smb.conf /etc/samba/smb.conf.default
echo "" > /etc/samba/smb.conf
vim /etc/samba/smb.conf

Change the contents as follows:

[global]
 workgroup = CMDSCHOOL
 client signing = yes
 client use spnego = yes
 kerberos method = secrets and keytab

 log file = /var/log/samba/%m.log
 max log size = 50

 password server = *
 allow trusted domains = yes
 realm = CMDSCHOOL.ORG
 security = ads

 idmap uid = 10000-19999
 idmap gid = 10000-19999
 idmap config CMDSCHOOL:backend = rid
 idmap config CMDSCHOOL:range = 10000000-19999999
 idmap config DG:backend = rid
 idmap config DG:range = 20000000-29999999

 winbind enum users = no
 winbind enum groups = no

2) Test the configuration file

In GlusterGW0{1-2} :

testparm

3) Back up the cache

In GlusterGW0{1-2} :

/etc/init.d/smb stop
/etc/init.d/winbind stop
tar -cvf /var/tmp/samba-cache-backup.tar /var/lib/samba
ls -l /var/tmp/samba-cache-backup.tar

4) Clear the cache files

In GlusterGW0{1-2} :

rm -f /var/lib/samba/*

5) Confirm the cleanup

In GlusterGW0{1-2} :

kdestroy

Normally this prints the following, or nothing:

kdestroy: No credentials cache found while destroying cache

Run

klist

Normally this prints:

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

6) Join the member server to the domain

In GlusterGW0{1-2} :

net ads join -U administrator

or

net ads join -U administrator -S rootad.cmdschool.org

7) Test the connection to the domain controller

In GlusterGW0{1-2} :

net ads testjoin

Normally this prints:

Join is OK

net ads info

Output:

LDAP server: 10.168.0.154
LDAP server name: RootAD.cmdschool.org
Realm: CMDSCHOOL.ORG
Bind Path: dc=CMDSCHOOL,dc=ORG
LDAP port: 389
Server time: Sun, 28 Aug 2016 09:04:08 CST
KDC server: 10.168.0.154
Server time offset: 0

8) Configure password authentication

In GlusterGW0{1-2} :

vim /etc/nsswitch.conf

Change the contents as follows:

passwd: files winbind
group: files winbind

9) Initialize the Kerberos connection

In GlusterGW0{1-2} :

kinit [email protected]

10) Start the winbind service and enable it at boot

In Samba{1-2} :

/etc/init.d/winbind start
chkconfig winbind on

11) Test

In GlusterGW0{1-2} :

List the users:

wbinfo -u
wbinfo -u --domain DG.CMDSCHOOL.ORG

Output:

CMDSCHOOL\administrator
CMDSCHOOL\guest
CMDSCHOOL\krbtgt
CMDSCHOOL\user1
CMDSCHOOL\user2
CMDSCHOOL\user3
CMDSCHOOL\authuser
CMDSCHOOL\dg$
DG\administrator
DG\guest
DG\krbtgt
DG\cmdschool$

List the groups:

wbinfo -g
wbinfo -g --domain DG.CMDSCHOOL.ORG

Output:

CMDSCHOOL\domain computers
CMDSCHOOL\domain controllers
CMDSCHOOL\schema admins
CMDSCHOOL\enterprise admins
CMDSCHOOL\cert publishers
CMDSCHOOL\domain admins
CMDSCHOOL\domain users
CMDSCHOOL\domain guests
CMDSCHOOL\group policy creator owners
CMDSCHOOL\ras and ias servers
CMDSCHOOL\allowed rodc password replication group
CMDSCHOOL\denied rodc password replication group
CMDSCHOOL\read-only domain controllers
CMDSCHOOL\enterprise read-only domain controllers
CMDSCHOOL\dnsadmins
CMDSCHOOL\dnsupdateproxy
CMDSCHOOL\gp1
CMDSCHOOL\gp2
CMDSCHOOL\gps
DG\domain computers
DG\domain controllers
DG\domain admins
DG\domain users
DG\domain guests
DG\group policy creator owners
DG\read-only domain controllers
DG\dnsupdateproxy

12) Single-user identity test

id "CMDSCHOOL\administrator"
id "DG\administrator"

Output:

uid=10000500(CMDSCHOOL\administrator) gid=10000513(CMDSCHOOL\domain users) groups=10000513(CMDSCHOOL\domain users),10000500(CMDSCHOOL\administrator),10000572(CMDSCHOOL\denied rodc password replication group),10000518(CMDSCHOOL\schema admins),10000519(CMDSCHOOL\enterprise admins),10000512(CMDSCHOOL\domain admins),10000520(CMDSCHOOL\group policy creator owners)
uid=20000500(DG\administrator) gid=20000513(DG\domain users) groups=20000513(DG\domain users),20000500(DG\administrator),20000572(DG\denied rodc password replication group),20000512(DG\domain admins),20000520(DG\group policy creator owners)
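The uids in the id output follow from the rid backend's arithmetic: ID = RID + the low end of the domain's range, so Administrator (RID 500) becomes 10000500 in CMDSCHOOL and 20000500 in DG, and the same SID maps to the same ID on both GlusterGW nodes without any shared database. The Python below is an added example (not code from the post or from Samba): it parses the idmap lines from the smb.conf above, predicts the ID for a SID, and checks that the configured ranges cannot overlap, which matters because both nodes record ownership on one shared GlusterFS volume. The SIDs are constructed.

```python
"""Predict the POSIX IDs that the rid backend configured above assigns, and
check that the configured ranges cannot collide."""
import re

# Constructed copy of the idmap lines from the [global] section above (not the
# page's own file).
SMB_CONF_IDMAP = """
idmap uid = 10000-19999
idmap gid = 10000-19999
idmap config CMDSCHOOL:backend = rid
idmap config CMDSCHOOL:range = 10000000-19999999
idmap config DG:backend = rid
idmap config DG:range = 20000000-29999999
"""
# Constructed SIDs: the domain part is made up, the RIDs are the well-known
# ones seen in the id output above (500 Administrator, 513 Domain Users).
CMDSCHOOL_ADMIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-500"
CMDSCHOOL_USERS_SID = "S-1-5-21-1111111111-2222222222-3333333333-513"
DG_ADMIN_SID = "S-1-5-21-4444444444-5555555555-6666666666-500"

_CONFIG_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)
_LEGACY_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap(text):
    """{DOMAIN: {'backend': ..., 'range': (low, high)}}. The legacy 'idmap uid'
    line is the allocating default range ('*' in newer syntax) that serves
    BUILTIN and any domain without its own entry; it is recorded under '*'."""
    domains = {}
    for line in text.splitlines():
        m = _CONFIG_RE.match(line)
        if m:
            entry = domains.setdefault(m.group(1).upper(), {})
            if m.group(2).lower() == "backend":
                entry["backend"] = m.group(3).lower()
            else:
                low, high = m.group(3).split("-")
                entry["range"] = (int(low), int(high))
            continue
        m = _LEGACY_RE.match(line)
        if m:
            domains.setdefault("*", {"backend": "tdb"})["range"] = (int(m.group(2)), int(m.group(3)))
    return domains


def rid_to_id(domains, domain, sid):
    """idmap_rid maps ID = RID - base_rid + low_range (base_rid is 0 unless set).
    None means winbind would not map this SID through a rid backend: the domain
    has no rid entry, or the RID lands outside the configured range."""
    entry = domains.get(domain.upper(), {})
    if entry.get("backend") != "rid" or "range" not in entry:
        return None
    low, high = entry["range"]
    posix_id = low + int(sid.rsplit("-", 1)[1])
    return posix_id if low <= posix_id <= high else None


def overlapping_ranges(domains):
    """Pairs of domains whose ID ranges overlap. With two trusted domains on one
    GlusterFS volume an overlap would let a CMDSCHOOL user and a DG user share
    a UID, so file ownership could no longer tell them apart."""
    items = [(name, entry["range"]) for name, entry in sorted(domains.items()) if "range" in entry]
    return [(a, b) for i, (a, (a_lo, a_hi)) in enumerate(items)
            for b, (b_lo, b_hi) in items[i + 1:] if a_lo <= b_hi and b_lo <= a_hi]
```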

13) Show all domains

wbinfo --all-domains

Output:

BUILTIN
GLUSTERGW01
CMDSCHOOL
DG

14) Start the Samba service

In GlusterGW0{1-2} :

/etc/init.d/smb start

3.7.4 Mount the shared storage

1) Install the client yum package

In GlusterGW0{1-2} :

yum install -y glusterfs-fuse

2) Manual mount test

In GlusterGW0{1-2} :

mount -t glusterfs GlusterH01.cmdschool.org:/gv0 /mnt
mount
umount /mnt

3) Automatic mount test

In GlusterGW0{1-2} :

mkdir /data

Add the mount point:

In GlusterGW01 :

echo 'GlusterH01.cmdschool.org:/gv0 /data glusterfs defaults,acl 0 0' >> /etc/fstab

In GlusterGW02 :

echo 'GlusterH02.cmdschool.org:/gv0 /data glusterfs defaults,acl 0 0' >> /etc/fstab

4) Try the mount

In GlusterGW0{1-2} :

mount -a && mount

5) Check the mount

In GlusterGW0{1-2} :

df -h

Output:

Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VG_OS-lv_root
                       18G  912M   16G   6% /
tmpfs                 1.5G     0  1.5G   0% /dev/shm
/dev/sda1             488M   37M  426M   8% /boot
GlusterH01.cmdschool.org:/gv0
                      400G  5.0G  395G   2% /data

3.7.5 Configure shares authorized by group

Goal: shares whose access is granted by group membership

Advantage: an administrator can grant users read/write access simply by changing group membership with Microsoft's ADMINPACK tools

Disadvantage: users cannot modify the file ACLs themselves

1) Create the user directories

In GlusterGW01 :

mkdir -p /data/share{1,2}

2) Set directory permissions

In GlusterGW01 :

chmod 777 /data/share1
chmod 777 /data/share2

3) Create the Samba configuration directory

In GlusterGW01 :

mkdir -p /data/samba.d/

Note: this directory holds the Samba configuration files; every Samba server loads its share configuration from here, so back up this folder rigorously

4) Write the configuration files

In GlusterGW01 :

vim /data/samba.d/share1.smb.conf

Add the following configuration:

[share1]
 path = /data/share1
 valid users = "@CMDSCHOOL\gp1"
 write list = "@CMDSCHOOL\gp1"
 create mask = 666
 directory mask = 777

Note: the above grants share1 to the gp1 group (with read/write permission)

In GlusterGW01 :

vim /data/samba.d/share2.smb.conf

Add the following configuration:

[share2]
 path = /data/share2
 valid users = "@CMDSCHOOL\gp2"
 write list = "@CMDSCHOOL\gp2"
 create mask = 666
 directory mask = 777

Note: the above grants share2 to the gp2 group (with read/write permission)

5) Include the share configuration in the Samba configuration

In GlusterGW0{1-2} :

echo "include = /data/samba.d/share1.smb.conf" >> /etc/samba/smb.conf
echo "include = /data/samba.d/share2.smb.conf" >> /etc/samba/smb.conf

Note: if you want to hide the other shares and show only the shares loaded here, use the following configuration instead

echo "config file = /data/samba.d/share1.smb.conf" >> /etc/samba/smb.conf
echo "config file = /data/samba.d/share2.smb.conf" >> /etc/samba/smb.conf

Restart the service:

/etc/init.d/smb restart

3.7.6 Configure shares controlled by file ACLs

Goal: shares whose access is granted through file ACLs

Advantage: users can grant other users read/write permission themselves by editing the file's ACL

Disadvantage: because the permissions are defined by users, the administrative workload of operations staff increases

1) Create the user directory

In GlusterGW01 :

mkdir -p /data/share3

2) Set directory permissions

chmod 700 /data/share3

3) Assign the directory's administrator

In GlusterGW01 :

chown "CMDSCHOOL\user3": /data/share3/

4) Write the configuration file

In GlusterGW01 :

vim /data/samba.d/share3.smb.conf

Add the following configuration:

[share3]
 path = /data/share3
 valid users = "@CMDSCHOOL\domain users"
 write list = "@CMDSCHOOL\domain users"
 create mask = 660
 directory mask = 770

5) Include the share configuration in the Samba configuration and apply it

In GlusterGW0{1-2} :

echo "include = /data/samba.d/share3.smb.conf" >> /etc/samba/smb.conf
/etc/init.d/smb restart

6) The administrator grants access to members

Note:

1) Access can also be granted to a group; decide according to the situation

2) If this is not supported, see the configuration in 3.2.16

At the Linux level you can see that this is implemented through file ACLs

3.7.7 Configure private user shares

Goal: use user-triggered automatic configuration to provide each user with a private directory

1) Create the script directory

In GlusterGW01 :

mkdir -p /data/samba.d/scripts

Note: this directory holds the Samba configuration scripts; every Samba server loads them from here, so back up this folder rigorously

2) Create the user directory script

In GlusterGW01 :

vim /data/samba.d/scripts/domain_add_user.sh

Enter the following

#!/bin/bash
# Called by Samba as preexec with %D (domain) and %U (user); creates the
# per-domain root and the user's private directory on first connection.
domain=$1
user=$2
rootdir="/data/$domain"
homedir="/data/$domain/$user"

if [ ! -d "$rootdir" ]; then
    /bin/mkdir -p "$rootdir"
    /bin/chmod 777 "$rootdir"
fi

if [ ! -d "$homedir" ]; then
    /bin/mkdir -p "$homedir"
    /bin/chown "$domain\\$user": "$homedir"
    /bin/chmod 700 "$homedir"
fi

3) Make the script executable

In GlusterGW01 :

chmod 755 /data/samba.d/scripts/domain_add_user.sh

4) Test the script

In GlusterGW01 :

/data/samba.d/scripts/domain_add_user.sh CMDSCHOOL user1

ls -l /data/

The result looks like this:

total 20
drwxrwxrwx  3 root            root                    4096 Aug 28  2016 CMDSCHOOL
drwxr-xr-x  3 root            root                    4096 Aug 28  2016 samba.d
drwxrwxrwx  2 root            root                    4096 Aug 28  2016 share1
drwxrwxrwx  2 root            root                    4096 Aug 28  2016 share2
drwxrwx---+ 2 CMDSCHOOL\user3 CMDSCHOOL\domain users  4096 Aug 28  2016 share3

Clean up the user folder:

rm -rf /data/CMDSCHOOL/*

Note: because folders directly under "/data" can only be created by the "root" user, do not delete the "/data/CMDSCHOOL" folder itself

5) Create the Samba configuration file

In GlusterGW01 :

vim /data/samba.d/homes.smb.conf

Enter the following

[homes]
 comment = Home Directories
 browseable = no
 valid users = "@CMDSCHOOL\gp2","@CMDSCHOOL\gp1"
 write list = "@CMDSCHOOL\gp2","@CMDSCHOOL\gp1"
 path = "/data/%D/%U"
 create mask = 600
 directory mask = 700
 preexec = /data/samba.d/scripts/domain_add_user.sh %D %U

[%D]
 valid users = "@CMDSCHOOL\gp2","@CMDSCHOOL\gp1"
 write list = "@CMDSCHOOL\gp2","@CMDSCHOOL\gp1"
 path = "/data/%D"
 create mask = 600
 directory mask = 700
 preexec = /data/samba.d/scripts/domain_add_user.sh %D %U

6) Include the share configuration in the Samba configuration and apply it

In GlusterGW0{1-2} :

echo "include = /data/samba.d/homes.smb.conf" >> /etc/samba/smb.conf
/etc/init.d/smb restart

3.7.8 Configure a complex share

Goal: a share whose root contains each user's group folders and the user's private folder

1) Create the directories

In GlusterGW01 :

mkdir -p /data/share4
mkdir -p /data/share4/gp{1,2,s}

2) Set directory permissions

In GlusterGW01 :

Set up the underlying administrative (exclusive) permissions:

chown root:root /data/share4
chmod 700 /data/share4

Allow specific groups read, write and execute access

setfacl -m g:"CMDSCHOOL\gp1":rx /data/share4
setfacl -m g:"CMDSCHOOL\gp2":rx /data/share4

Set the access permissions of the group folders

chown root:"CMDSCHOOL\gp1" /data/share4/gp1
chown root:"CMDSCHOOL\gp2" /data/share4/gp2
chown root:"CMDSCHOOL\gps" /data/share4/gps
chmod 770 /data/share4/gp*

Make the group folders pass their group ownership on to new files automatically

chmod g+s /data/share4/gp*

3) Write the configuration file

In GlusterGW01 :

vim /data/samba.d/share4.smb.conf

Add the following configuration:

[share4]
 path = /data/share4
 valid users = "@CMDSCHOOL\gps"
 write list = "@CMDSCHOOL\gps"
 create mask = 660
 directory mask = 770

4) Include the share configuration in the Samba configuration and apply it

In GlusterGW0{1-2} :

echo "include = /data/samba.d/share4.smb.conf" >> /etc/samba/smb.conf
/etc/init.d/smb restart

3.7.9 Add Windows ACL support

In GlusterGW0{1-2} :

[global]
...
 nt acl support = yes

Note: with the above configured, users can edit file ACLs themselves from Windows

3.7.10 File type filtering

1) Create the type library

In GlusterGW01 :

mkdir -p /data/samba.d/veto_files_type

2) Create the video rule

In GlusterGW01 :

vim /data/samba.d/veto_files_type/video.smb.conf

Enter the following:

veto files = /*.264/*.3G2/*.3GP/*.3GP2/*.3GPP/*.3GPP2/*.3MM/*.3P2/*.60D/*.787/*.890/*.AAF/*.AEC/*.AEP/*.AEPX/*.AET/*.AETX/*.AJP/*.ALE/*.AM/*.AMC/*.AMV/*.AMX/*.ANIM/*.ANX/*.AQT/*.ARCUT/*.ARF/*.ASF/*.ASX/*.AVB/*.AVC/*.AVCHD/*.AVD/*.AVI/*.AVM/*.AVP/*.AVS/*.AVS/*.AVV/*.AWLIVE/*.AXM/*.AXV/*.BDM/*.BDMV/*.BDT2/*.BDT3/*.BIK/*.BIN/*.BIX/*.BMC/*.BMK/*.BNP/*.BOX/*.BS4/*.BSF/*.BU/*.BVR/*.BYU/*.CAMPROJ/*.CAMREC/*.CAMV/*.CED/*.CEL/*.CINE/*.CIP/*.CLK/*.CLPI/*.CMMP/*.CMMTPL/*.CMPROJ/*.CMREC/*.CMV/*.CPI/*.CPVC/*.CST/*.CVC/*.CX3/*.D2V/*.D3V/*.DASH/*.DAT/*.DAV/*.DB2/*.DCE/*.DCK/*.DCR/*.DCR/*.DDAT/*.DIF/*.DIR/*.DIVX/*.DLX/*.DMB/*.DMSD/*.DMSD3D/*.DMSM/*.DMSM3D/*.DMSS/*.DMX/*.DNC/*.DPA/*.DPG/*.DREAM/*.DSY/*.DV/*.DV-AVI/*.DV4/*.DVDMEDIA/*.DVR/*.DVR-MS/*.DVX/*.DXR/*.DZM/*.DZP/*.DZT/*.EDL/*.EVO/*.EVO/*.EXO/*.EYE/*.EYETV/*.EZT/*.F4F/*.F4P/*.F4V/*.FBR/*.FBR/*.FBZ/*.FCARCH/*.FCP/*.FCPROJECT/*.FFD/*.FFM/*.FLC/*.FLH/*.FLI/*.FLV/*.FLX/*.FPDX/*.FTC/*.G64/*.GCS/*.GFP/*.GIFV/*.GL/*.GOM/*.GRASP/*.GTS/*.GVI/*.GVP/*.GXF/*.H264/*.HDMOV/*.HDV/*.HKM/*.IFO/*.IMOVIELIBRARY/*.IMOVIEMOBILE/*.IMOVIEPROJ/*.IMOVIEPROJECT/*.INP/*.INT/*.IRCP/*.IRF/*.ISM/*.ISMC/*.ISMCLIP/*.ISMV/*.IVA/*.IVF/*.IVR/*.IVS/*.IZZ/*.IZZY/*.JMV/*.JSS/*.JTS/*.JTV/*.K3G/*.KDENLIVE/*.KMV/*.KTN/*.LREC/*.LRV/*.LSF/*.LSX/*.LVIX/*.M15/*.M1PG/*.M1V/*.M21/*.M21/*.M2A/*.M2P/*.M2T/*.M2TS/*.M2V/*.M4E/*.M4U/*.M4V/*.M75/*.MANI/*.META/*.MGV/*.MJ2/*.MJP/*.MJPEG/*.MJPG/*.MK3D/*.MKV/*.MMV/*.MNV/*.MOB/*.MOD/*.MODD/*.MOFF/*.MOI/*.MOOV/*.MOV/*.MOVIE/*.MP21/*.MP21/*.MP2V/*.MP4/*.MP4.INFOVID/*.MP4V/*.MPE/*.MPEG/*.MPEG1/*.MPEG2/*.MPEG4/*.MPF/*.MPG/*.MPG2/*.MPG4/*.MPGINDEX/*.MPL/*.MPL/*.MPLS/*.MPROJ/*.MPSUB/*.MPV/*.MPV2/*.MQV/*.MSDVD/*.MSE/*.MSH/*.MSWMM/*.MT2S/*.MTS/*.MTV/*.MVB/*.MVC/*.MVD/*.MVE/*.MVEX/*.MVP/*.MVP/*.MVY/*.MXF/*.MXV/*.MYS/*.NCOR/*.NSV/*.NTP/*.NUT/*.NUV/*.NVC/*.OGM/*.OGV/*.OGX/*.ORV/*.OSP/*.OTRKEY/*.PAC/*.PAR/*.PDS/*.PGI/*.PHOTOSHOW/*.PIV/*.PJS/*.PLAYLIST/*.PLPROJ/*.PMF/*.PMV/*.PNS/*.PPJ/*.PREL/*.PRO/*.PRO4DVD/*.PRO5DVD/*.PROQC/*.PRPROJ/*.PRTL/*.PSB/*.PSH/*.PSSD/*.PVA/*.PVR/*.PXV/*.QT/*.QTCH/*.QTINDEX/*.QTL/*.QTM/*.QTZ/*.R3D/*.RCD/*.RCPROJECT/*.RCREC/*.RCUT/*.RDB/*.REC/*.RM/*.RMD/*.RMD/*.RMP/*.RMS/*.RMV/*.RMVB/*.ROQ/*.RP/*.RSX/*.RTS/*.RTS/*.RUM/*.RV/*.RVID/*.RVL/*.SAN/*.SBK/*.SBT/*.SBZ/*.SCC/*.SCM/*.SCM/*.SCN/*.SCREENFLOW/*.SDV/*.SEC/*.SEC/*.SEDPRJ/*.SEQ/*.SFD/*.SFERA/*.SFVIDCAP/*.SIV/*.SMI/*.SMI/*.SMIL/*.SMK/*.SML/*.SMV/*.SNAGPROJ/*.SPL/*.SQZ/*.SRT/*.SSF/*.SSM/*.STL/*.STR/*.STX/*.SVI/*.SWF/*.SWI/*.SWT/*.TDA3MT/*.TDT/*.TDX/*.THEATER/*.THP/*.TID/*.TIVO/*.TIX/*.TOD/*.TP/*.TP0/*.TPD/*.TPR/*.TREC/*.TRP/*.TS/*.TSP/*.TTXT/*.TVLAYER/*.TVRECORDING/*.TVS/*.TVSHOW/*.USF/*.USM/*.VBC/*.VC1/*.VCPF/*.VCR/*.VCV/*.VDO/*.VDR/*.VDX/*.VEG/*.VEM/*.VEP/*.VF/*.VFT/*.VFW/*.VFZ/*.VGZ/*.VID/*.VIDEO/*.VIEWLET/*.VIV/*.VIVO/*.VIX/*.VLAB/*.VMLF/*.VMLT/*.VOB/*.VP3/*.VP6/*.VP7/*.VPJ/*.VRO/*.VS4/*.VSE/*.VSP/*.VTT/*.W32/*.WCP/*.WEBM/*.WFSP/*.WGI/*.WLMP/*.WM/*.WMD/*.WMMP/*.WMV/*.WMX/*.WOT/*.WP3/*.WPL/*.WSVE/*.WTV/*.WVE/*.WVX/*.WXP/*.XEJ/*.XEL/*.XESC/*.XFL/*.XLMV/*.XML/*.XMV/*.XVID/*.Y4M/*.YOG/*.YUV/*.ZEG/*.ZM1/*.ZM2/*.ZM3/*.ZMV/

3) Create the audio rule

In GlusterGW01 :

vim /data/samba.d/veto_files_type/audio.smb.conf

Enter the following:

veto files = /*.3GA/*.4MP/*.5XB/*.5XE/*.5XS/*.669/*.8SVX/*.A2B/*.A2I/*.A2M/*.A2P/*.A2T/*.A2W/*.AA/*.AA3/*.AAC/*.AAX/*.ABC/*.ABM/*.AC3/*.ACD/*.ACD-BAK/*.ACD-ZIP/*.ACM/*.ACT/*.ADG/*.ADT/*.ADTS/*.AFC/*.AGM/*.AGR/*.AHX/*.AIF/*.AIFC/*.AIFF/*.AIMPPL/*.AKP/*.ALAW/*.ALC/*.ALS/*.AMF/*.AMR/*.AMS/*.AMS/*.AMXD/*.AMZ/*.ANG/*.AOB/*.APE/*.APF/*.APL/*.ASD/*.AT3/*.AU/*.AU/*.AUD/*.AUP/*.AVASTSOUNDS/*.AXA/*.BAND/*.BAP/*.BDD/*.BIDULE/*.BMML/*.BNK/*.BRR/*.BUN/*.BWF/*.BWG/*.BWW/*.CAF/*.CAFF/*.CDA/*.CDDA/*.CDLX/*.CDO/*.CDR/*.CEL/*.CFA/*.CGRP/*.CIDB/*.CKB/*.CKF/*.CMF/*.CONFORM/*.COPY/*.CPR/*.CPT/*.CSH/*.CTS/*.CWB/*.CWP/*.CWS/*.CWT/*.DCF/*.DCM/*.DCT/*.DEWF/*.DF2/*.DFC/*.DFF/*.DIG/*.DIG/*.DJR/*.DLS/*.DM/*.DMC/*.DMF/*.DMSA/*.DMSE/*.DRA/*.DRG/*.DS2/*.DSF/*.DSM/*.DSS/*.DTM/*.DTS/*.DTSHD/*.DVF/*.DW/*.DWD/*.EFA/*.EFE/*.EFK/*.EFQ/*.EFS/*.EFV/*.EMD/*.EMP/*.EMX/*.EMY/*.EOP/*.ERB/*.ESPS/*.F2R/*.F32/*.F3R/*.F4A/*.F64/*.FAR/*.FDP/*.FEV/*.FLAC/*.FLM/*.FLP/*.FLP/*.FPA/*.FRG/*.FSB/*.FSC/*.FSM/*.FTI/*.FTM/*.FTM/*.FTMX/*.FUZ/*.FZF/*.FZV/*.G721/*.G723/*.G726/*.GBS/*.GIG/*.GMC/*.GP5/*.GPBANK/*.GPK/*.GPX/*.GROOVE/*.GSF/*.GSFLIB/*.GSM/*.GYM/*.H0/*.H3B/*.H3E/*.H4B/*.H4E/*.H5B/*.H5E/*.H5S/*.HBB/*.HBE/*.HBS/*.HDP/*.HMA/*.HPS/*.HSB/*.IAA/*.ICS/*.IFF/*.IGP/*.IMP/*.INS/*.INS/*.ISMA/*.IT/*.ITI/*.ITLS/*.JSPF/*.K26/*.KAR/*.KFN/*.KOZ/*.KOZ/*.KPL/*.KRZ/*.KSD/*.KSF/*.KT3/*.LA/*.LOGIC/*.LOGICX/*.LSO/*.LVP/*.LWV/*.M/*.M2/*.M3U/*.M3U8/*.M4A/*.M4B/*.M4P/*.M4R/*.MA1/*.MBR/*.MDC/*.MDR/*.MED/*.MGV/*.MID/*.MIDI/*.MINIGSF/*.MINIPSF/*.MINIPSF2/*.MINIUSF/*.MKA/*.MMF/*.MMLP/*.MMM/*.MMP/*.MMP/*.MMPZ/*.MO3/*.MOD/*.MOGG/*.MP2/*.MP3/*.MP_/*.MPA/*.MPC/*.MPDP/*.MPGA/*.MPU/*.MSCX/*.MSCZ/*.MSV/*.MTE/*.MTF/*.MTI/*.MTM/*.MTP/*.MTS/*.MU3/*.MUI/*.MUS/*.MUS/*.MUS/*.MUSX/*.MUX/*.MUX/*.MX3/*.MX4/*.MX5/*.MX5TEMPLATE/*.MXL/*.MXMF/*.MYR/*.NARRATIVE/*.NBS/*.NCW/*.NKB/*.NKC/*.NKI/*.NKM/*.NKS/*.NKX/*.NML/*.NMSV/*.NOTE/*.NRA/*.NRT/*.NSA/*.NST/*.NTN/*.NWC/*.OBW/*.ODM/*.OGA/*.OGG/*.OKT/*.OMA/*.OMF/*.OMG/*.OMX/*.OPUS/*.OTS/*.OVE/*.OVW/*.PANDORA/*.PCA/*.PCAST/*.PCG/*.PCM/*.PEAK/*.PEK/*.PJUNOXL/*.PK/*.PKF/*.PLA/*.PLS/*.PLST/*.PLY/*.PNA/*.PPC/*.PSF/*.PSF1/*.PSF2/*.PSM/*.PTCOP/*.PTF/*.PTM/*.PTS/*.PTT/*.PTX/*.PTXT/*.PVC/*.Q1/*.Q2/*.QCP/*.R1M/*.RA/*.RAD/*.RAM/*.RAX/*.RBS/*.REX/*.RFL/*.RGRP/*.RIP/*.RMI/*.RMJ/*.RMX/*.RNG/*.RNS/*.ROL/*.RSF/*.RSN/*.RSO/*.RTA/*.RTI/*.RX2/*.S3I/*.S3M/*.SAF/*.SAP/*.SBG/*.SBI/*.SC2/*.SCS11/*.SD/*.SD/*.SD2/*.SDAT/*.SDS/*.SEQ/*.SES/*.SESX/*.SF2/*.SFK/*.SFL/*.SFPACK/*.SFZ/*.SGP/*.SHN/*.SIB/*.SLP/*.SLX/*.SMA/*.SMF/*.SMP/*.SMP/*.SMPX/*.SND/*.SND/*.SNG/*.SNG/*.SNS/*.SOU/*.SPH/*.SPPACK/*.SPRG/*.SSEQ/*.SSEQ/*.SSM/*.SSND/*.STAP/*.STM/*.STX/*.STY/*.SVD/*.SVQ/*.SVX/*.SWA/*.SXT/*.SYH/*.SYN/*.SYW/*.SYX/*.TAK/*.TD0/*.TG/*.THX/*.TOC/*.TRAK/*.TSP/*.TTA/*.TXW/*.U/*.UAX/*.UB/*.ULT/*.UNI/*.USF/*.USFLIB/*.UST/*.UW/*.UWF/*.V2M/*.VAG/*.VAP/*.VC3/*.VCE/*.VIP/*.VLC/*.VMD/*.VMF/*.VMO/*.VOC/*.VOX/*.VOXAL/*.VPL/*.VPM/*.VPW/*.VQF/*.VRF/*.VSQ/*.VSQX/*.VTX/*.VYF/*.W01/*.W64/*.WAV/*.WAV/*.WAVE/*.WAX/*.WEM/*.WFB/*.WFD/*.WFM/*.WFP/*.WMA/*.WOW/*.WPK/*.WPP/*.WPROJ/*.WRK/*.WUS/*.WUT/*.WV/*.WVC/*.WVE/*.WWU/*.XA/*.XA/*.XBMML/*.XFS/*.XM/*.XMI/*.XMS/*.XMU/*.XPF/*.XRNS/*.XSP/*.XSPF/*.YOOKOO/*.ZGR/*.ZPL/*.ZVD/

4) Import the filter rules

In GlusterGW0{1-2} :

vim /etc/samba/smb.conf

Change the configuration as follows:

[global]
...
 include = /data/samba.d/veto_files_type/video.smb.conf
 include = /data/samba.d/veto_files_type/audio.smb.conf

Restart the service to apply the configuration

/etc/init.d/smb restart
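Samba keeps only the last value assigned to a parameter within [global], so two included files that each set veto files leave only the second list active; the two lists therefore need to be merged into one line to both take effect. The Python below is an added example (not code from the post or from Samba) that parses the slash-delimited veto files format, merges the lists into one line, and tests share-relative names against the result the way Samba matches them; the two include contents are constructed, shortened stand-ins for the files above.

```python
"""Merge the 'veto files' include files above into one value and test names
against it the way Samba does."""
import fnmatch
import re

# Constructed, shortened stand-ins for video.smb.conf and audio.smb.conf (not
# the page's own lists, which run to hundreds of extensions each).
VIDEO_SMB_CONF = "veto files = /*.AVI/*.MKV/*.MP4/*.WMV/\n"
AUDIO_SMB_CONF = "veto files = /*.MP3/*.FLAC/*.WAV/\n"

_VETO_RE = re.compile(r"^\s*veto\s*files\s*=\s*(.*?)\s*$", re.I)


def parse_veto(text):
    """Patterns from every 'veto files' line; the value is a '/'-delimited list."""
    patterns = []
    for line in text.splitlines():
        m = _VETO_RE.match(line)
        if m:
            patterns += [p for p in m.group(1).split("/") if p]
    return patterns


def merged_veto_line(*conf_texts):
    """One 'veto files' line holding every pattern from all the given files.
    Samba keeps only the last assignment of a parameter within [global], so
    including two files that each set 'veto files' leaves just the second list
    active; merging them into one line avoids that."""
    seen, merged = set(), []
    for pat in (p for text in conf_texts for p in parse_veto(text)):
        if pat.upper() not in seen:
            seen.add(pat.upper())
            merged.append(pat)
    return "veto files = /" + "/".join(merged) + "/"


def is_vetoed(path, patterns):
    """True if any component of a share-relative path matches a veto pattern.
    Matching is case-insensitive, as for Windows clients under Samba's default
    'case sensitive = auto'; a vetoed name is hidden and cannot be created."""
    for part in path.replace("\\", "/").split("/"):
        if part and any(fnmatch.fnmatchcase(part.upper(), pat.upper()) for pat in patterns):
            return True
    return False
```

Write the output of merged_veto_line into a single include file and include only that one, or put both lists on one veto files line in [global].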

5) For other file types see

http://fileinfo.com/browse/

----------------------------------------------------------------

References

----------------------------------------------------------------

Official documentation

----------

User documentation:

https://wiki.samba.org/index.php/Main_Page

Enterprise Samba packages:

https://samba.plus/older-packages/

https://samba.plus/samba-3/red-hats-rhel/

http://ftp.sernet.de/pub/samba/3.4/rhel/6/x86_64/

Samba+ repository

https://portal.enterprisesamba.com/


Official configuration documentation:

https://wiki.samba.org/index.php/User_Documentation

Setting up Samba as a domain member:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

https://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html

Setting up a Samba AD domain controller:

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

Joining an additional DC to an existing Active Directory:

https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

Local Samba database information:

https://wiki.samba.org/index.php/Frequently_Asked_Questions


Red Hat material:

https://access.redhat.com/sites/default/files/attachments/rhel-ad-integration-deployment-guidelines-v1.5.pdf


Offline logins with winbind

https://wiki.samba.org/index.php/PAM_Offline_Authentication


-----------

Unofficial documentation

-----------

Theory articles:

http://www.tuicool.com/articles/ie6fue

Building Samba:

http://www.toxingwang.com/linux-unix/linux-admin/584.html

http://wenku.baidu.com/link?url=l740EpqsM_JxQh0U7IjlCtZ07IPs-0bBBK7UO7D6O_sfVi4Ps8DnZ5UzejGTETTENlXzjSjMAC0DmvNH1P0Gy2CvGGxCJO907V2zGYMAyfa

Samba permission control:

http://os.51cto.com/art/201101/243960.htm

Counting AD users:

http://jankie.blog.51cto.com/6640/104269


--------

Samba clusters

-----------

https://wiki.samba.org/index.php/Clustered_Samba

http://www.tuicool.com/articles/rYJBZb

https://wiki.samba.org/index.php/CTDB_Setup#Critical_smb.conf_parameters


kerberos

http://blog.csdn.net/wulantian/article/details/42418231

http://www.cnblogs.com/artech/archive/2011/01/24/kerberos.html

http://blog.sina.com.cn/s/blog_716c1cc8010119ne.html

http://blog.scottlowe.org/2007/07/09/uac-and-ktpassexe/

http://www.tuicool.com/articles/ie6fue


Common Krb5 error messages:

http://joshuasabrina.iteye.com/blog/1895281


IBM article

http://www.ibm.com/developerworks/cn/linux/l-lpic3-313-3/


smb.conf configuration

https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html


SSSD

https://fedorahosted.org/sssd/

https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server


Usage of the SETSPN.exe command

http://blog.csdn.net/wzhwho/article/details/6169624


Changing a Windows SID

http://www.youranshare.com/push/topics/softuse/502.html


Reposted from: https://blog.51cto.com/cmdschool/1829675