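I have configured a few shares for Samba (still testing). If I type the full path (for example \\testserver\publicshare) I can access the share from a Windows machine, but if I go to \\testserver\ I get a permissions error and I cannot see all the shares on that Samba server.
What's wrong?
Here is my configuration file: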
# Samba configuration -- Managed by Ansible, please don't edit manually
# vim: ft=samba
#
# Ansible managed
[global]
# Server information
netbios name = testserver
workgroup = WORKGROUP
server string = Fileserver %m
fruit:aapl = yes
# Logging
logging = syslog
# Authentication
security = user
passdb backend = tdbsam
map to guest = Never
guest account = server
# Name resolution: make sure \\NETBIOS_NAME\ works
wins support = yes
local master = yes
domain master = yes
preferred master = yes
# Don't load printers
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Fix for CVE-2017-7494 in Samba versions from 3.5.0 and before 4.6.4
# https://access.redhat.com/security/cve/cve-2017-7494
nt pipe support = no
## Make home directories accessible
[homes]
comment = Home Directories
browseable = no
writable = yes
## Shared directories
[publicshare]
comment = Public share, writeable by all members of group ‘users’
path = /home/server/samba/shares/public
public = yes
write list = +users
force group = users
browseable = yes
create mode = 0664
force create mode = 0664
directory mode = 0775
force directory mode = 0775
[TimeMachine]
comment = Share useable as a TimeMachine backup target on MacOS
vfs objects = fruit streams_xattr
fruit:time machine = yes
path = /home/server/samba/shares/tm
public = no
write list = server
force group = server
guest ok = no
browseable = no
create mode = 0664
force create mode = 0664
directory mode = 0775
force directory mode = 0775
I am actually using Ansible to deploy Samba. This is my yaml file:
---
# samba.yml
- name: Samba
  hosts: localhost
  connection: local
  become: true
  roles:
    - role: "bertvv.samba"
      tags: ["system"]
  vars:
    samba_apple_extensions: "yes"
    samba_guest_account: "server"
    samba_load_homes: true
    samba_netbios_name: "testserver"
    samba_shares:
      - name: publicshare
        comment: 'Public share, writeable by all members of group ‘users’'
        public: 'yes'
        write_list: +users
        group: users
        setype: public_content_t
        browseable: 'yes'
        path: /home/server/samba/shares/public
      - name: TimeMachine
        comment: 'Share useable as a TimeMachine backup target on MacOS'
        vfs_objects:
          - name: fruit
            options:
              - name: time machine
                value: 'yes'
          - name: streams_xattr
        path: /home/server/samba/shares/tm
        write_list: server
        owner: server
        group: server
        public: 'no'
        guest_ok: 'no'
        browseable: 'no'
    samba_map_to_guest: Never
    samba_users:
      - name: server
        password: -----
Edit: Found it! It is this parameter:
nt pipe support = no
Answer 1
The problem is the following parameter:
nt pipe support = no
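This is taken from the Ansible samba role I am using (https://galaxy.ansible.com/bertvv/samba):
The CVE-2017-7494 remote code execution vulnerability may affect your Samba server installation. Samba versions from 3.5.0 and before 4.6.4 are affected. If SELinux is enabled on your system, it is not vulnerable.
The role will check whether the installed Samba version is affected by the vulnerability and apply the suggested workaround: adding nt pipe support = no to the [global] section of the configuration. Note that this disables share browsing for Windows clients.
If necessary, you can explicitly disable the fix by setting the role variable samba_mitigate_cve_2017_7494 to false.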
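The trade-off described in the answer can be checked on a deployed server. The following is an added example, not code from the post or from the bertvv.samba role: it reads the [global] section of an smb.conf and a version string (such as the output of smbd --version) and reports whether the workaround is set and whether the version is inside the affected range quoted above. The function names, the sample configuration and the sample version string are constructed for illustration, and SELinux status is not considered.

```python
import re

# Affected range as stated on this page: 3.5.0 up to, but not including, 4.6.4.
# Assumption: the upstream version number is decisive (distro backports ignored).
AFFECTED_FROM, FIXED_IN = (3, 5, 0), (4, 6, 4)
FALSE_VALUES = {"no", "false", "off", "0"}  # smb.conf spellings of boolean false

# Constructed sample, trimmed from the [global] section shown in the question.
SAMPLE_CONF = """\
[global]
netbios name = testserver
security = user
nt pipe support = no
[publicshare]
browseable = yes
"""

def parse_version(text):
    """Extract (major, minor, patch) from text such as 'Version 4.3.11-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.groups())

def global_params(conf_text):
    """Return the [global] parameters; names are lower-cased, whitespace removed."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def audit(conf_text, version_text):
    """Report whether the workaround is set and whether this version needs it."""
    value = global_params(conf_text).get("ntpipesupport", "yes")  # default is yes
    pipes_off = value.lower() in FALSE_VALUES
    in_range = AFFECTED_FROM <= parse_version(version_text) < FIXED_IN
    return {
        "workaround_set": pipes_off,  # True also means no Windows share browsing
        "version_in_affected_range": in_range,
        "unmitigated": in_range and not pipes_off,
        "workaround_removable": pipes_off and not in_range,
    }

if __name__ == "__main__":
    # Constructed version string, not taken from the post.
    print(audit(SAMPLE_CONF, "Version 4.3.11-Ubuntu"))
```

A result with workaround_removable set to True is the case where samba_mitigate_cve_2017_7494 can be set to false to restore share browsing.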