Sharing files with samba on OpenWrt

samba is software that lets PCs running Windows or macOS connect to a *nix server and share its files and printers. This post explains how to install samba on OpenWrt and connect to it from Windows.

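Prerequisites

  • Downloaded files are stored on a USB storage device, so the USB storage device must be attached and mounted.
  • A VPN connection is required for remote file sharing.
  • If memory runs short when handling large files, consider configuring swap.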

Installing samba

opkg update
opkg install luci-app-samba4 samba4-server samba4-libs

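Adding a system user account

To connect to the samba server you must add a samba user, which is separate from the system user account (the one registered in /etc/passwd), and the samba user must already exist as a system user account. The steps below add a system user account named smbuser; if you use another existing system user as the samba user, you do not need to add a new system user.

Create a system user account with the user name smbuser, belonging to the group nogroup, and set its password.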

echo "smbuser:x:1000:65534:smbuser:/mnt/sda1/share:/bin/false" >> /etc/passwd
echo "smbuser:x:0:0:99999:7:::" >> /etc/shadow
passwd smbuser

Creating the samba user's password

Register the system user smbuser created above as a samba user and set its password.

smbpasswd -a smbuser

smbpasswd options

Option  Description
-a      Add a samba user; the user must already exist as a system account.
-d      Disable a samba user
-e      Enable a samba user
-n      Set no password
-x      Delete a samba user

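Creating the shared directory

Create the directory to share. This example shares /mnt/sda1, the root directory of the USB storage device, so a separate directory is not strictly needed, but we create smbuser's $HOME directory, where data will later be stored and shared separately.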

mkdir /mnt/sda1/share
chmod 777 /mnt/sda1/share
chown -R smbuser:nogroup /mnt/sda1/share

samba4 configuration

/etc/config/samba4

config samba
        option description 'Samba on OpenWrt'
        option charset 'UTF-8'
        option workgroup 'WORKGROUP'
config sambashare
        option name 'share'
        option create_mask '0666'
        option dir_mask '0777'
        option read_only 'no'
        option path '/mnt/sda1'
        option users 'smbuser'
        option guest_ok 'no'

/etc/samba/smb.conf.template

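On OpenWrt the main samba configuration file is /etc/config/samba4, shown above. /etc/samba/smb.conf.template holds additional samba settings; it is a template from which /etc/init.d/samba4 automatically generates samba's configuration file, /etc/samba/smb.conf, when the samba service starts.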

[global]
        netbios name = |NAME|
        interfaces = |INTERFACES|
        server string = |DESCRIPTION|
        unix charset = |CHARSET|
        workgroup = |WORKGROUP|
        ## This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests.
        bind interfaces only = yes
        ## time for inactive connections to-be closed in minutes
        deadtime = 15
        ## disable core dumps
        enable core files = no
        ## set security (auto, user, domain, ads)
        security = user
        ## This parameter controls whether a remote client is allowed or required to use SMB encryption.
        ## It has different effects depending on whether the connection uses SMB1 or SMB2 and newer:
        ## If the connection uses SMB1, then this option controls the use of a Samba-specific extension to the SMB protocol introduced in Samba 3.2 that makes use of the Unix extensions.
        ## If the connection uses SMB2 or newer, then this option controls the use of the SMB-level encryption that is supported in SMB version 3.0 and above and available in Windows 8 and newer.
        ## (default/auto,desired,required,off)
        #smb encrypt = default
        ## set invalid users
        invalid users = root
        ## map unknown users to guest
        map to guest = Bad User
        ## allow client access to accounts that have null passwords.
        null passwords = yes
        ## The old plaintext passdb backend. Some Samba features will not work if this passdb backend is used. (NOTE: enabled for size reasons)
        ## (tdbsam,smbpasswd,ldapsam)
        passdb backend = smbpasswd
        ## Set location of smbpasswd ('smbd -b' will show default compiled location)
        #smb passwd file = /etc/samba/smbpasswd
        ## LAN (IPTOS_LOWDELAY TCP_NODELAY) WAN (IPTOS_THROUGHPUT) WiFi (SO_KEEPALIVE) try&error for buffer sizes (SO_RCVBUF=65536 SO_SNDBUF=65536)
        socket options = IPTOS_LOWDELAY TCP_NODELAY
        ## If this integer parameter is set to a non-zero value, Samba will read from files asynchronously when the request size is bigger than this value.
        ## Note that it happens only for non-chained and non-chaining reads and when not using write cache.
        ## The only reasonable values for this parameter are 0 (no async I/O) and 1 (always do async I/O).
        ## (1/0)
        #aio read size = 0
        #aio write size = 0
        ## If Samba has been built with asynchronous I/O support, Samba will not wait until write requests are finished before returning the result to the client for files listed in this parameter.
        ## Instead, Samba will immediately return that the write request has been finished successfully, no matter if the operation will succeed or not.
        ## This might speed up clients without aio support, but is really dangerous, because data could be lost and files could be damaged.
        #aio write behind = /*.tmp/
        ## lower CPU usage if supported and aio is disabled (aio read size = 0 ; aio write size = 0)
        ## is this still broken? issue is from 2019 (NOTE: see https://bugzilla.samba.org/show_bug.cgi?id=14095 )
        ## (no, yes)
        #use sendfile = yes
        ## samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained.
        #blocking locks = No
        ## disable loading of all printcap printers by default (iprint, cups, lpstat)
        load printers = No
        printcap name = /dev/null
        ## Enabling this parameter will disable Samba's support for the SPOOLSS set of MS-RPC's.
        disable spoolss = yes
        ## This parameters controls how printer status information is interpreted on your system.
        ## (BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, SOFTQ)
        printing = bsd
        ## Disable that nmbd is acting as a WINS server for unknown netbios names
        #dns proxy = No
        ## win/unix user mapping backend
        #idmap config * : backend = tdb
        ## Allows the server name that is advertised through MDNS to be set to the hostname rather than the Samba NETBIOS name.
        ## This allows an administrator to make Samba registered MDNS records match the case of the hostname rather than being in all capitals.
        ## (netbios, mdns)
        mdns name = mdns
        ## Clients that only support netbios won't be able to see your samba server when netbios support is disabled.
        disable netbios = Yes
        ## Setting this value to no will cause nmbd never to become a local master browser.
        local master = Yes
        ## (auto, yes) If this is set to yes, on startup, nmbd will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with domain master = yes, so that nmbd can guarantee becoming a domain master.
        preferred master = Yes
        ## (445 139) Specifies which ports the server should listen on for SMB traffic.
        ## 139 is netbios/nmbd
        #smb ports = 445 139
        ## This is a list of files and directories that are neither visible nor accessible.
        ## Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards.
        veto files = /Thumbs.db/.DS_Store/._.DS_Store/.apdisk/
        ## If a directory that is to be deleted contains nothing but veto files this deletion will fail unless you also set the delete veto files parameter to yes.
        delete veto files = yes
################ Filesystem and creation rules ################
        ## reported filesystem type (NTFS,Samba,FAT)
        fstype = Samba
        ## Allows a user who has write access to the file (by whatever means, including an ACL permission) to modify the permissions (including ACL) on it.
        #dos filemode = Yes
        ## file/dir creating rules
        #create mask = 0666
        #directory mask = 0777
        #force group = root
        #force user = root
        #inherit owner = windows and unix
################################################################
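
One way to check the generated /etc/samba/smb.conf for the access-related settings that appear in the template and share configuration above. This is an added example, not part of the original post or of OpenWrt; the function names, the WARN/INFO labels and the sample file are constructed for illustration, and the sample only approximates what the init script renders.

```sh
# Added example, not from the original page; names and labels are hypothetical.
audit_smb_conf() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        /^[ \t]*\[/ { s = tolower(trim($0)); sec = substr(s, 2, length(s) - 2); next }
        {
            i = index($0, "="); if (i == 0) next
            key = tolower(trim(substr($0, 1, i - 1)))
            raw = trim(substr($0, i + 1)); val = tolower(raw)
            on = (val == "yes" || val == "true" || val == "1")
            if (sec == "global") {
                if (key == "null passwords" && on)
                    print "WARN global: null passwords = " raw
                if (key == "map to guest" && val != "never")
                    print "INFO global: map to guest = " raw
                if (key == "smb encrypt") enc = val
            } else {
                if (key == "guest ok" && on)
                    print "WARN " sec ": guest ok = " raw
                if ((key == "create mask" || key == "directory mask") && raw ~ /[2367]$/)
                    print "WARN " sec ": " key " = " raw " (allows world-writable)"
            }
        }
        END { if (enc != "required") print "INFO global: smb encrypt is not required" }
    ' "$1"
}

# Constructed sample: approximately what the settings on this page render to.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
	#smb encrypt = default
	invalid users = root
	map to guest = Bad User
	null passwords = yes
[share]
	path = /mnt/sda1
	valid users = smbuser
	create mask = 0666
	directory mask = 0777
	guest ok = no
EOF
}

tmp="${TMPDIR:-/tmp}/smb.conf.sample.$$"
write_sample_conf "$tmp" && audit_smb_conf "$tmp"; rm -f "$tmp"
```

On the router, run audit_smb_conf /etc/samba/smb.conf after restarting the service, since that file is regenerated from the template on each start.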

Firewall configuration

Open the ports that samba uses in /etc/config/firewall.

  • udp 137 - NetBIOS Name Service
  • udp 138 - NETBIOS Datagram Service
  • tcp 139 - NETBIOS Session Service
  • tcp 445 - Microsoft Directory Services
...
config rule
        option name 'Allow-samba(nns/nds)'
        option src 'lan'
        option proto 'udp'
        option dest_port '137-138'
        option target 'ACCEPT'
        option enabled '1'
config rule
        option name 'Allow-samba(nss)'
        option src 'lan'
        option proto 'tcp'
        option dest_port '139'
        option target 'ACCEPT'
        option enabled '1'
config rule
        option name 'Allow-samba(mds)'
        option src 'lan'
        option proto 'tcp'
        option dest_port '445'
        option target 'ACCEPT'
        option enabled '1'

Restarting the services

/etc/init.d/firewall restart
/etc/init.d/samba4 restart

Windows 10 settings

Register smbuser and the password set with smbpasswd in Windows Credentials so that Windows can access the samba server.

  • Control Panel > User Accounts > Credential Manager > Windows Credentials > Add a Windows credential
    • Internet or network address: 192.168.1.1
    • User name: 192.168.1.1\smbuser
    • Password: ********

Connecting

Connect to \\192.168.1.1\share in the web browser.
