第17周作业

1、利用SAMBA实现指定目录共享
服务端安装
yum install -y samba
useradd -s /sbin/nologin smbuser1
smbpasswd -a smbuser1

mkdir /tesrdir/smbshare
chown -R smbuser1.smbuser1 /testdir/smbshare

vim /etc/samba/smb.conf
最后加
[share]
path = /testdir/smbshare
writable = no
valid users = smbuser1

systemctl enable --now smb nmb
客户端
yum install -y cifs-utils
mkdir /mnt/smbshare
mount -o username=smbuser1 //smbserver/share /mnt/smbshare
2、实现不同samba用户访问相同的samba共享，实现不同的配置
useradd -s /sbin/nologin smb1
useradd -s /sbin/nologin smb2
smbpasswd -a smb1
smbpasswd -a smb2
vim /etc/samba/smb.conf
config file = /etc/samba/conf.d/%U
vim /etc/samba/conf.d/smb1
[share]
path = /data/dir1
read only = no
create mask = 0644
vim /etc/samba/conf.d/smb2
[share]
path = /data/dir2

setfacl -R -m u:smb1:rwx /data/dir1
setfacl -R -m u:smb2:rwx /data/dir2
systemctl restart smb nmb

客户端
smbclient //sambaserver/share -U smb1@123456
smbclient //sambaserver/share -U smb2@123456

get下载测试
put上传测试
!ls 查看本地文件

3、远程主机通过链接openvpn修复内网里 httpd 服务主机，假如现在 httpd 宕机了，我们需要链接进去让 httpd 启动
yum install -y openvpn easy-rsa
cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-server/3/vars
vim /etc/openvpn/easy-rsa-server/3/vars
set_var EASYRSA_CERT_EXPIRE   3650
cd /etc/openvpn/easy-rsa-server/3/
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa help sign
./easyrsa sign server server
./easyrsa gen-dh
cat pki/dh.pem 查看生成的文件
配置客户端证书
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn//easy-rsa-client/3/vars
./easyrsa init-pki
./easyrsa gen-req lz nopass
./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/lz.req lz
vim vars
set_var EASYRSA_CERT_EXPIRE 90
./easyrsa sign client lz
mkdir /etc/openvpn/certs
cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/ cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/
mkdir /etc/openvpn/client/lz/
find /etc/openvpn/ \( -name "lz.key" -o -name "lz.crt" -o -name ca.crt \) -exec cp {} /etc/openvpn/client/lz \;
vim /etc/openvpn/server.conf
port 1194
proto tdp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.30.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 200
mkdir /var/log/openvpn
chown openvpn.openvpn /var/log/openvpn
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
sysctl -p
net.ipv4.ip_forward = 1
复制文件
scp /lib/systemd/system/openvpn@.service 10.0.0.8:/lib/systemd/system/
systemctl daemon-reload
systemctl enable --now openvpn@server
验证客户端配置文件
vim /etc/openvpn/client/lz/client.ovpn
client
dev tun
proto tcp
remote  123.56.172.xx  1194
resolv-retry infinite
nobind
ca ca.crt
cert lz.crt
key lz.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2
保存证书到openvpn 客户端安装目录：C:\Program Files\OpenVPN\config
cd /etc/openvpn/client/lz/
tar cf lz.tar ./
查看日志
吊销
cat /etc/openvpn/easy-rsa/3.0.7/pki/index.txt
cd /etc/openvpn/easy-rsa/3.0.7/
./easyrsa revoke lz
./easyrsa gen-crl
vim /etc/openvpn/server.conf
crl-verify /etc/openvpn/easy-rsa/3.0.7/pki/crl.pem
systemctl restart openvpn@server