Given today's date, running Windows 10 or later and connecting to a RHEL 8.8 or later Linux system that currently has samba-4.17.5-3.el8_8, what are the best-practice parameters to have in /etc/samba/smb.conf to ensure the most secure and reliable connection over this protocol?
Below is what I am using. Can anyone modify or add to it to make it better? I am using security = user and passdb backend = tdbsam for a simple samba setup with simple local passwords created with smbpasswd -a. If you have an smb.conf template to share that involves Windows domain join and Active Directory and other more complex things, that would be cool too.
I am showing the two basic shares (homes and data) that I almost always set up; should there also be some parameters that improve security?
Note: I am not too concerned about the logging part, but if you can improve it or provide an explanation so that an admin can read it and make an informed decision on how to configure it, that would be appreciated.
# /etc/samba/smb.conf template, RHEL 8.8
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = bsd
printcap name = /dev/null
load printers = no
disable spoolss = yes
log level = 0 vfs:10
log file = /var/log/samba/sambavfs.log
max log size = 0
smb encrypt = required
client min protocol = SMB3
client max protocol = SMB3
client signing = mandatory
server signing = mandatory
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
vfs objects = extd_audit
[data]
comment = data
inherit acls = Yes
read only = No
path = /data
directory mask = 770
create mask = 660
vfs objects = extd_audit
Note: I also just discovered that FIPS=1 in GRUB_CMDLINE_LINUX in /etc/default/grub (or the fips-mode-setup --enable operation available in RHEL 8) kills samba connections from Windows. See https://access.redhat.com/discussions/7022626. This was not the case when doing FIPS=1 in RHEL 7.9.
Answer 1
For anyone interested, after going through the current samba man page I pulled out what seemed relevant. With the global section defined below I can make a samba connection from Windows 10 to a RHEL 7.9 system (and I assume RHEL 8.8+). Based on the man page descriptions I believe most of these are the defaults, but it is nice to know what is actually in effect.
# /etc/samba/smb.conf
# https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
[global]
server role = standalone
security = user
passdb backend = tdbsam
map to guest = Bad User
# turn off print stuff
printing = bsd
printcap name = /dev/null
load printers = no
disable spoolss = yes
# default deadtime to disconnect after N minutes of inactivity is 10080
deadtime = 5
server min protocol = SMB3_11
server smb encrypt = required
server signing = mandatory
# server smb3 encryption algorithms = AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM
# server smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC, HMAC-SHA256
server smb3 encryption algorithms = AES-256-GCM
server smb3 signing algorithms = AES-128-GMAC
client min protocol = SMB3_11
client smb encrypt = required
client signing = required
client ipc signing = required
client protection = encrypt
# client smb3 encryption algorithms = AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM
# client smb3 signing algorithms = AES-128-GMAC, AES-128-CMAC, HMAC-SHA256
client smb3 encryption algorithms = AES-256-GCM
client smb3 signing algorithms = AES-128-GMAC
# client use kerberos = < off | desired | required >
# kerberos encryption types = < all | strong | legacy >
# hosts allow = 192.168.1.0/255.255.255.0
max log size = 0
log level = 0 vfs:10
log file = /var/log/samba/sambavfs.log
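As an added example (not part of the question or of the answer above), the following Python script parses an smb.conf the way Samba reads parameter names (case-insensitive, whitespace ignored) and reports where a [global] section falls short of the SMB3-only, signed and encrypted policy that both configs on this page aim for. It also flags parameter names it does not recognise, which is how a misspelling such as "prototcol" gets caught; its list of known parameters is a partial one assembled from this page, and testparm remains the authority. The two sample configs are constructed for the example: one mirrors the question's [global] section with a misspelled line added, the other the answer's with map to guest set to Never.

```python
import re

# Dialect names accepted by "server min protocol", ranked. SMB3 and SMB2 are
# Samba's aliases for SMB3_11 and SMB2_10 (smb.conf(5)).
PROTOCOL_RANK = {"nt1": 0, "smb2_02": 1, "smb2_10": 2, "smb2": 2,
                 "smb3_00": 3, "smb3_02": 4, "smb3_11": 5, "smb3": 5}
# Values that make signing or encryption compulsory instead of negotiable.
MANDATORY = {"mandatory", "required", "forced"}
# Parameters used on this page, in Samba's normalised form (lower-case, no
# spaces). Partial list assembled from the page; testparm knows the full set.
KNOWN = {
    "workgroup", "serverrole", "security", "passdbbackend", "maptoguest",
    "printing", "printcapname", "loadprinters", "disablespoolss", "deadtime",
    "serverminprotocol", "serversmbencrypt", "smbencrypt", "serversigning",
    "serversmb3encryptionalgorithms", "serversmb3signingalgorithms",
    "clientminprotocol", "clientmaxprotocol", "clientsmbencrypt", "clientsigning",
    "clientipcsigning", "clientprotection", "clientsmb3encryptionalgorithms",
    "clientsmb3signingalgorithms", "clientusekerberos", "kerberosencryptiontypes",
    "hostsallow", "maxlogsize", "loglevel", "logfile",
}

def normalise(name):
    """Samba matches parameter names case-insensitively and ignores whitespace."""
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for '#'/';'-commented INI text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][normalise(key)] = value.strip()
    return sections

def check_global(text):
    """List the ways the [global] section falls short of SMB3-only, signed, encrypted."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    # "client ..." settings only govern outgoing connections from smbclient and
    # friends; what smbd accepts is set by "server min protocol", whose default
    # SMB2_02 still negotiates dialects that cannot use SMB3 encryption.
    min_proto = g.get("serverminprotocol")
    if min_proto is None:
        findings.append("server min protocol not set (default SMB2_02); set SMB3_11")
    elif PROTOCOL_RANK.get(min_proto.lower(), -1) < PROTOCOL_RANK["smb3_11"]:
        findings.append(f"server min protocol = {min_proto} admits dialects below SMB3_11")
    # "smb encrypt" is the older spelling of "server smb encrypt".
    enc = g.get("serversmbencrypt", g.get("smbencrypt"))
    if enc is None or enc.lower() not in MANDATORY:
        findings.append(f"server smb encrypt = {enc}: encryption negotiable; set required")
    sig = g.get("serversigning")
    if sig is None or sig.lower() not in MANDATORY:
        findings.append(f"server signing = {sig}: signing negotiable; set mandatory")
    # "Bad User" maps an unknown username to the guest account instead of
    # rejecting the logon; the default, Never, rejects it.
    if g.get("maptoguest", "never").lower() != "never":
        findings.append("map to guest is not Never: unknown usernames become guest sessions")
    # A misspelled parameter is silently ignored, so the hardening it was meant
    # to apply never happens; testparm reports such names as unknown.
    findings += [f"unknown parameter '{k}' (typo?)" for k in g if k not in KNOWN]
    return findings

# Constructed samples: WEAK mirrors the question's [global] plus one misspelled
# line; HARDENED mirrors the answer's with map to guest set to Never.
WEAK_CONF = """
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
smb encrypt = required
client min protocol = SMB3
client max protocol = SMB3
client signing = mandatory
server signing = mandatory
server min prototcol = SMB3_11
"""
HARDENED_CONF = """
[global]
server role = standalone
security = user
passdb backend = tdbsam
map to guest = Never
server min protocol = SMB3_11
server smb encrypt = required
server signing = mandatory
server smb3 encryption algorithms = AES-256-GCM
server smb3 signing algorithms = AES-128-GMAC
client min protocol = SMB3_11
client smb encrypt = required
client signing = required
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", check_global(conf) or ["no findings"])
```

Run against the answer's [global] section as posted, the script's only report is the map to guest = Bad User line: that value maps an unknown username to the guest account rather than rejecting it, which only matters once some share is guest ok, so it is informational rather than a defect. The question's section, by contrast, is reported for the missing server min protocol, because its client min/max protocol lines restrict outgoing connections from smbclient and leave what smbd accepts at the default.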