Server Berkas dan Cetak
Bab ini memandu Anda melalui instalasi dan konfigurasi dari Samba, suatu implementasi open source dari protokol Server Message Block (SMB) dan common Internet file system (CIFS
), dan vsftpd, server FTP primer yang dikemas dengan Fedora. Sebagai tambahan, itu menjelaskan bagaimana menggunakan perkakas Pencetak untuk mengonfigurasi pencetak.
Samba
Samba adalah keluarga program interoperabilitas Windows open source standar untuk Linux. Ini mengimplementasikan protokol server message block (SMB
). Versi modern dari protokol ini juga dikenal sebagai protokol common Internet file system (CIFS
). Ini memungkinkan jaringan Microsoft Windows, Linux, UNIX, dan sistem operasi lainnya bersama-sama, memungkinkan akses ke berbagi berkas dan pencetak berbasis Windows. Penggunaan SMB
oleh Samba memungkinkannya muncul sebagai server Windows untuk klien Windows.
Menginstal paket samba
Untuk menggunakan Samba, terlebih dahulu pastikan paket samba terpasang pada sistem Anda dengan menjalankan, sebagai ~]# dnf install samba For more information on installing packages with DNF, see Installing Packages. |
Pengantar Samba
Samba adalah komponen penting untuk mengintegrasikan Server Linux dan Desktop dengan mulus ke dalam lingkungan Active Directory (AD). Ini dapat berfungsi baik sebagai pengontrol domain (gaya NT4) atau sebagai anggota domain biasa (gaya NT4 atau AD). .Apa yang bisa dilakukan Samba:
-
Menyajikan pohon direktori dan pencetak ke klien Linux, UNIX, dan Windows
-
Membantu dalam penjelajahan jaringan (dengan NetBIOS)
-
Mengautentikasi login domain Windows
-
Berikan resolusi server nama Windows Internet Name Service (
WINS
) -
Bertindak sebagai Primary Domain Controller (PDC) gaya Windows NT
-
Bertindak sebagai Backup Domain Controller (BDC) untuk PDC berbasis Samba
-
Bertindak sebagai server anggota domain Active Directory
-
Bergabung dengan Windows NT/2000/2003/2008 PDC/Windows Server 2012
-
Bertindak sebagai BDC untuk Windows PDC (dan sebaliknya)
-
Bertindak sebagai pengontrol domain Active Directory
Daemon Samba dan Layanan Terkait
Samba terdiri dari tiga daemon (smbd
, nmbd
, dan winbindd
). Tiga layanan (smb
, nmb
, dan winbind
) mengontrol bagaimana daemon dimulai, dihentikan, dan fitur terkait layanan lainnya. Layanan ini bertindak sebagai skrip init yang berbeda. Setiap daemon tercantum secara rinci di bawah ini, serta layanan khusus mana yang memiliki kendali atasnya.
Daemon server smbd
menyediakan layanan berbagi dan pencetakan berkas untuk klien Windows. Selain itu, bertanggung jawab atas otentikasi pengguna, penguncian sumber daya, dan berbagi data melalui protokol SMB
. Port baku di mana server mendengarkan lalu lintas SMB
adalah port TCP
139 dan 445.
Daemon smbd
dikendalikan oleh layanan smb
.
Daemon server nmbd
memahami dan membalas permintaan layanan nama NetBIOS seperti yang dihasilkan oleh SMB/CIFS dalam sistem berbasis Windows. Sistem ini termasuk klien Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, dan LanManager. Ini juga berpartisipasi dalam protokol penjelajahan yang membentuk tampilan Network Neighborhood
Windows. Port baku yang didengarkan server untuk lalu lintas NMB
adalah port UDP
137
.
Daemon nmbd
dikendalikan oleh layanan nmb
.
Layanan winbind
mengurai informasi pengguna dan grup yang diterima dari server yang menjalankan Windows NT, 2000, 2003, Windows Server 2008, atau Windows Server 2012. Ini membuat informasi pengguna dan grup Windows dapat dimengerti oleh platform UNIX. Hal ini dicapai dengan menggunakan panggilan Microsoft RPC, Pluggable Authentication Modules (PAM), dan Name Service Switch (NSS). Hal ini memungkinkan pengguna domain Windows NT dan Active Directory untuk muncul dan beroperasi sebagai pengguna UNIX pada mesin UNIX. Meskipun dibundel dengan distribusi Samba, layanan winbind
dikendalikan secara terpisah dari layanan smb
.
Daemon winbind
dikendalikan oleh layanan winbind
dan tidak memerlukan dimulainya layanan smb
untuk beroperasi. winbind
juga digunakan ketika Samba adalah anggota Active Directory, dan juga dapat digunakan pada pengontrol domain Samba (untuk menerapkan grup bersarang dan kepercayaan antar domain). Karena winbind
adalah layanan sisi klien yang digunakan untuk terhubung ke server berbasis Windows NT, diskusi lebih lanjut tentang winbind
berada di luar cakupan bab ini.
Mendapatkan daftar utilitas yang dikirim dengan Samba
Lihat Program Distribusi Samba untuk daftar utilitas yang termasuk dalam distribusi Samba. |
Connecting to a Samba Share
You can use either Nautilus or command line to connect to available Samba shares.
Mengait Share
Terkadang berguna untuk mengait share Samba ke direktori sehingga berkas dalam direktori dapat diperlakukan seolah-olah mereka adalah bagian dari sistem berkas lokal.
Untuk mengait share Samba ke direktori, buat direktori untuk mengaitnya (jika belum ada), dan jalankan perintah berikut sebagai root
:
mount -t cifs //servername/sharename /mnt/point/ -o username=username,password=password
Perintah ini mengait sharename dari servername di direktori lokal /mnt/point/.
Untuk informasi selengkapnya tentang mengait share samba, lihat halaman manual mount.cifs(8).
Menginstal paket cifs-utils
Utilitas mount.cifs adalah RPM terpisah (independen dari Samba). Untuk menggunakan mount.cifs, pertama kali pastikan paket cifs-utils terpasang pada sistem Anda dengan menjalankan, sebagai ~]# dnf install cifs-utils For more information on installing packages with DNF, see Installing Packages. Note that the cifs-utils package also contains the cifs.upcall binary called by the kernel in order to perform kerberized CIFS mounts. For more information on cifs.upcall, see the cifs.upcall(8) manual page. |
Server CIFS yang memerlukan kata sandi teks polos
Beberapa server CIFS memerlukan kata sandi teks polos untuk otentikasi. Dukungan untuk otentikasi kata sandi teks polos dapat diaktifkan menggunakan perintah berikut sebagai ~]# echo 0x37 > /proc/fs/cifs/SecurityFlags
|
Mengonfigurasi Server Samba
Berkas konfigurasi baku (/etc/samba/smb.conf
) memungkinkan pengguna untuk melihat direktori rumah mereka sebagai berbagi Samba. Ini juga berbagi semua pencetak yang dikonfigurasi untuk sistem sebagai pencetak bersama Samba. Anda dapat melampirkan pencetak ke sistem dan mencetaknya dari mesin Windows di jaringan Anda.
Graphical Configuration To configure Samba using a graphical interface, use one of the available Samba graphical user interfaces. A list of available GUIs can be found at http://www.samba.org/samba/GUI/.
Command-Line Configuration Samba uses /etc/samba/smb.conf
as its configuration file. If you change this configuration file, the changes do not take effect until you restart the Samba daemon with the following command, as root
:
~]# systemctl restart smb.service
Untuk menentukan grup kerja Windows dan deskripsi singkat tentang server Samba, edit baris berikut di berkas /etc/samba/smb.conf
Anda:
workgroup = NAMAWORKGROUP server string = KOMENTAR PENDEK TENTANG SERVER
Ganti NAMAWORKGROUP dengan nama workgroup Windows tempat mesin ini seharusnya berada. KOMENTAR PENDEK TENTANG SERVER adalah opsional dan digunakan sebagai komentar Windows tentang sistem Samba.
Untuk membuat direktori share Samba di sistem Linux Anda, tambahkan bagian berikut ke berkas /etc/samba/smb.conf
Anda (setelah memodifikasinya untuk mencerminkan kebutuhan dan sistem Anda):
[sharename] comment = Insert a comment here path = /home/share/ valid users = tfox carole writable = yes create mask = 0765
Contoh di atas memungkinkan pengguna tfox dan carole untuk membaca dan menulis ke direktori /home/share/
, di server Samba, dari klien Samba.
Memulai dan Menghentikan Samba
To start a Samba server, type the following command in a shell prompt, as root
:
~]# systemctl start smb.service
Menyiapkan server anggota domain
To set up a domain member server, you must first join the domain or Active Directory using the net join command before starting the |
To stop the server, type the following command in a shell prompt, as root
:
~]# systemctl stop smb.service
The restart
option is a quick way of stopping and then starting Samba. This is the most reliable way to make configuration changes take effect after editing the configuration file for Samba. Note that the restart option starts the daemon even if it was not running originally.
To restart the server, type the following command in a shell prompt, as root
:
~]# systemctl restart smb.service
The condrestart
(conditional restart) option only starts smb
on the condition that it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
Menerapkan perubahan pada konfigurasi
When the |
To conditionally restart the server, type the following command, as root
:
~]# systemctl try-restart smb.service
A manual reload of the /etc/samba/smb.conf
file can be useful in case of a failed automatic reload by the smb
service. To ensure that the Samba server configuration file is reloaded without restarting the service, type the following command, as root
:
~]# systemctl reload smb.service
By default, the smb
service does not start automatically at boot time. To configure Samba to start at boot time, type the following at a shell prompt as root
:
~]# systemctl enable smb.service
See Services and Daemons for more information regarding this tool.
Jenis Server Samba dan Berkas smb.conf
Samba configuration is straightforward. All modifications to Samba are done in the /etc/samba/smb.conf
configuration file. Although the default smb.conf
file is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations.
The following sections describe the different ways a Samba server can be configured. Keep in mind your needs and the changes required to the /etc/samba/smb.conf
file for a successful configuration.
Stand-alone Server A stand-alone server can be a workgroup server or a member of a workgroup environment. A stand-alone server is not a domain controller and does not participate in a domain in any way. The following examples include several user-level security configurations. For more information on security modes, see Samba Security Modes.
The following /etc/samba/smb.conf
file shows a sample configuration needed to implement anonymous read-only file sharing. Two directives are used to configure anonymous access – map to guest = Bad user
and guest account = nobody
.
[global] workgroup = DOCS netbios name = DOCS_SRV security = user guest account = nobody # default value map to guest = Bad user [data] comment = Documentation Samba Server path = /export read only = yes guest ok = yes
The following /etc/samba/smb.conf
file shows a sample configuration needed to implement anonymous read/write file sharing. To enable anonymous read/write file sharing, set the read only
directive to no
. The force user
and force group
directives are also added to enforce the ownership of any newly placed files specified in the share.
Jangan gunakan server baca/tulis anonim
Although having an anonymous read/write server is possible, it is not recommended. Any files placed in the share space, regardless of user, are assigned the user/group combination as specified by a generic user ( |
[global] workgroup = DOCS security = user guest account = nobody # default value map to guest = Bad user [data] comment = Data path = /export guest ok = yes writeable = yes force user = user force group = group
The following /etc/samba/smb.conf
file shows a sample configuration needed to implement an anonymous print server. Setting browseable
to no
as shown does not list the printer in Windows Network Neighborhood
. Although hidden from browsing, configuring the printer explicitly is possible. By connecting to DOCS_SRV
using NetBIOS, the client can have access to the printer if the client is also part of the DOCS
workgroup. It is also assumed that the client has the correct local printer driver installed, as the use client driver
directive is set to yes
. In this case, the Samba server has no responsibility for sharing printer drivers to the client.
[global] workgroup = DOCS netbios name = DOCS_SRV security = user map to guest = Bad user printing = cups [printers] comment = All Printers path = /var/spool/samba guest ok = yes printable = yes use client driver = yes browseable = yes
The following /etc/samba/smb.conf
file shows a sample configuration needed to implement a secure read/write file and print server. Setting the security
directive to user
forces Samba to authenticate client connections. Notice the [homes]
share does not have a force user
or force group
directive as the [public]
share does. The [homes]
share uses the authenticated user details for any files created as opposed to the force user
and force group
in [public]
.
[global] workgroup = DOCS netbios name = DOCS_SRV security = user printcap name = cups disable spools = yes show add pencetak wizard = no printing = cups [homes] comment = Home Directories valid users = %S read only = no browseable = no [public] comment = Data path = /export force user = docsbot force group = users guest ok = yes [printers] comment = All Printers path = /var/spool/samba pencetak admin = john, ed, @admins create mask = 0600 guest ok = yes printable = yes use client driver = yes browseable = yes
Domain Member Server A domain member, while similar to a stand-alone server, is logged into a domain controller (either Windows or Samba) and is subject to the domain’s security rules. An example of a domain member server would be a departmental server running Samba that has a machine account on the Primary Domain Controller (PDC). All of the department’s clients still authenticate with the PDC, and desktop profiles and all network policy files are included. The difference is that the departmental server has the ability to control printer and network shares.
To implement an Active Directory domain member server, follow procedure below:
-
Create the
/etc/samba/smb.conf
configuration file on a member server to be added to the Active Directory domain. Add the following lines to the configuration file:[global] realm = EXAMPLE.COM security = ADS encrypt passwords = yes # Optional. Use only if Samba cannot determine the Kerberos server automatically. password server = kerberos.example.com
With the above configuration, Samba authenticates users for services being run locally but is also a client of the Active Directory. Ensure that your kerberos
realm
parameter is shown in all caps (for examplerealm = EXAMPLE.COM
). Since Windows 2000/2003/2008 requires Kerberos for Active Directory authentication, therealm
directive is required. If Active Directory and Kerberos are running on different servers, thepassword server
directive is required to help the distinction. -
Configure Kerberos on the member server. Create the
/etc/krb5.conf
configuration file with the following content:[logging] default = FILE:/var/log/krb5libs.log [libdefaults] default_realm = AD.EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d rdns = false forwardable = false [realms] # Define only if DNS lookups are not working # AD.EXAMPLE.COM = { # kdc = server.ad.example.com # admin_server = server.ad.example.com # master_kdc = server.ad.example.com # } [domain_realm] # Define only if DNS lookups are not working # .ad.example.com = AD.EXAMPLE.COM # ad.example.com = AD.EXAMPLE.COM
Uncomment the
[realms]
and[domain_realm]
sections if DNS lookups are not working.For more information on Kerberos, and the /etc/krb5.conf file, see the Using Kerberos section of the Red Hat Enterprise Linux 7 System Level Authentication Guide.
-
To join an Active Directory server, type the following command as
root
on the member server:~]# net ads join -U administrator%password
The net command authenticates as
Administrator
using the NT LAN Manager (NTLM) protocol and creates the machine account. Then net uses the machine account credentials to authenticate with Kerberos.Opsi keamananSince
security = ads
and notsecurity = user
is used, a local password back end such assmbpasswd
is not needed. Older clients that do not supportsecurity = ads
are authenticated as ifsecurity = domain
had been set. This change does not affect functionality and allows local users not previously in the domain.
The following /etc/samba/smb.conf
file shows a sample configuration needed to implement a Windows NT4-based domain member server. Becoming a member server of an NT4-based domain is similar to connecting to an Active Directory. The main difference is NT4-based domains do not use Kerberos in their authentication method, making the /etc/samba/smb.conf
file simpler. In this instance, the Samba member server functions as a pass through to the NT4-based domain server.
[global] workgroup = DOCS netbios name = DOCS_SRV security = domain [homes] comment = Home Directories valid users = %S read only = no browseable = no [public] comment = Data path = /export force user = docsbot force group = users guest ok = yes
Having Samba as a domain member server can be useful in many situations. There are times where the Samba server can have other uses besides file and printer sharing. It may be beneficial to make Samba a domain member server in instances where Linux-only applications are required for use in the domain environment. Administrators appreciate keeping track of all machines in the domain, even if not Windows-based. In the event the Windows-based server hardware is deprecated, it is quite easy to modify the /etc/samba/smb.conf
file to convert the server to a Samba-based PDC. If Windows NT-based servers are upgraded to Windows 2000/2003/2008 the /etc/samba/smb.conf
file is easily modifiable to incorporate the infrastructure change to Active Directory if needed.
Pastikan Anda bergabung dengan domain sebelum memulai Samba
Setelah mengonfigurasi berkas ~]# net rpc join -U administrator%password |
Perhatikan bahwa opsi -S
, yang menentukan nama host server domain, tidak perlu dinyatakan dalam perintah net rpc join. Samba menggunakan nama host yang ditentukan oleh direktif workgroup
dalam berkas /etc/samba/smb.conf
alih-alih dinyatakan secara eksplisit.
Domain Controller A domain controller in Windows NT is functionally similar to a Network Information Service (NIS) server in a Linux environment. Domain controllers and NIS servers both host user and group information databases as well as related services. Domain controllers are mainly used for security, including the authentication of users accessing domain resources. The service that maintains the user and group database integrity is called the Security Account Manager (SAM). The SAM database is stored differently between Windows and Linux Samba-based systems, therefore SAM replication cannot be achieved and platforms cannot be mixed in a PDC/BDC environment.
In a Samba environment, there can be only one PDC and zero or more BDCs.
A mixed Samba/Windows domain controller environment
Samba cannot exist in a mixed Samba/Windows domain controller environment (Samba cannot be a BDC of a Windows PDC or vice versa). Alternatively, Samba PDCs and BDCs can coexist. |
tdbsam
The simplest and most common implementation of a Samba PDC uses the new default tdbsam
password database back end. Replacing the aging smbpasswd
back end, tdbsam
has numerous improvements that are explained in more detail in Samba Account Information Databases. The passdb backend
directive controls which back end is to be used for the PDC.
The following /etc/samba/smb.conf
file shows a sample configuration needed to implement a tdbsam
password database back end.
tdbsam
[global] workgroup = DOCS netbios name = DOCS_SRV passdb backend = tdbsam security = user add user script = /usr/sbin/useradd -m "%u" delete user script = /usr/sbin/userdel -r "%u" add group script = /usr/sbin/groupadd "%g" delete group script = /usr/sbin/groupdel "%g" add user to group script = /usr/sbin/usermod -G "%g" "%u" add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines "%u" # The following specifies the default logon script # Per user logon scripts can be specified in the user # account using pdbedit logon script = logon.bat # This sets the default profile path. # Set per user paths with pdbedit logon drive = H: domain logons = yes os level = 35 preferred master = yes domain master = yes [homes] comment = Home Directories valid users = %S read only = no [netlogon] comment = Network Logon Service path = /var/lib/samba/netlogon/scripts browseable = no read only = no # For profiles to work, create a user directory under the # path shown. # mkdir -p /var/lib/samba/profiles/john [Profiles] comment = Roaming Profile Share path = /var/lib/samba/profiles read only = no browseable = no guest ok = yes profile acls = yes # Other resource shares ... ...
Untuk menyediakan sistem PDC fungsional yang menggunakan tdbsam
ikuti langkah-langkah berikut:
-
Adjust the
smb.conf
configuration file as shown in An Example Configuration of Primary Domain Controller (PDC) Usingtdbsam
. -
Add the
root
user to the Samba password database. You will be prompted to provide a new Samba password for theroot
user:~]# smbpasswd -a root New SMB password:
-
Mulai layanan
smb
:~]# service smb start
-
Pastikan semua direktori netlogon, pengguna, dan profil dibuat.
-
Menambahkan grup tempat pengguna dapat menjadi anggota:
~]# groupadd -f users ~]# groupadd -f nobody ~]# groupadd -f ntadmins
-
Asosiasikan grup UNIX dengan grup Windows masing-masing.
~]# net groupmap add ntgroup="Domain Users" unixgroup=users ~]# net groupmap add ntgroup="Domain Guests" unixgroup=nobody ~]# net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
-
Grant access rights to a user or a group. For example, to grant the right to add client machines to the domain on a Samba domain controller, to the members to the Domain Admins group, execute the following command:
~]# net rpc rights grant `DOCS\Domain Admins` SetMachineAccountPrivilege -S PDC -U root
Keep in mind that Windows systems prefer to have a primary group which is mapped to a domain group such as Domain Users.
Windows groups and users use the same namespace thus not allowing the existence of a group and a user with the same name like in UNIX.
Batasan back end autentikasi tdbsam
Jika Anda memerlukan lebih dari satu pengontrol domain atau memiliki lebih dari 250 pengguna, jangan gunakan back end otentikasi |
Meskipun Samba dimungkinkan untuk menjadi anggota Active Directory, Samba tidak mungkin untuk beroperasi sebagai pengontrol domain Active Directory.
Mode Keamanan Samba
There are only two types of security modes for Samba, share-level and user-level, which are collectively known as security levels. Share-level security is deprecated and has been removed from Samba. Configurations containing this mode need to be migrated to use user-level security. User-level security can be implemented in one of three different ways. The different ways of implementing a security level are called security modes.
User-Level Security User-level security is the default and recommended setting for Samba. Even if the security = user
directive is not listed in the /etc/samba/smb.conf
file, it is used by Samba. If the server accepts the client’s user name and password, the client can then mount multiple shares without specifying a password for each instance. Samba can also accept session-based user name and password requests. The client maintains multiple authentication contexts by using a unique UID for each logon.
In the /etc/samba/smb.conf
file, the security = user
directive that sets user-level security is:
[GLOBAL] ... security = user ...
As mentioned above, share-level security mode is deprecated. To configure a Samba guest share without using the security = share
parameter, follow the procedure below:
The following sections describe other implementations of user-level security.
In domain security mode, the Samba server has a machine account (domain security trust account) and causes all authentication requests to be passed through to the domain controllers. The Samba server is made into a domain member server by using the following directives in the /etc/samba/smb.conf
file:
[GLOBAL] ... security = domain workgroup = MARKETING ...
If you have an Active Directory environment, it is possible to join the domain as a native Active Directory member. Even if a security policy restricts the use of NT-compatible authentication protocols, the Samba server can join an ADS using Kerberos. Samba in Active Directory member mode can accept Kerberos tickets.
In the /etc/samba/smb.conf
file, the following directives make Samba an Active Directory member server:
[GLOBAL] ... security = ADS realm = EXAMPLE.COM password server = kerberos.example.com ...
Share-Level Security With share-level security, the server accepts only a password without an explicit user name from the client. The server expects a password for each share, independent of the user name. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. This mode is deprecated and has been removed from Samba. Configurations containing security = share
should be updated to use user-level security. Follow the steps in Configuring Samba Guest Shares to avoid using the security = share
directive.
Samba Account Information Databases
The following is a list different back ends you can use with Samba. Other back ends not listed here may also be available.
- Teks Polos
-
Plain text back ends are nothing more than the
/etc/passwd
type back ends. With a plain text back end, all user names and passwords are sent unencrypted between the client and the Samba server. This method is very insecure and is not recommended for use by any means. It is possible that different Windows clients connecting to the Samba server with plain text passwords cannot support such an authentication method. smbpasswd
-
The
smbpasswd
back end utilizes a plain ASCII text layout that includes the MS Windows LanMan and NT account, and encrypted password information. Thesmbpasswd
back end lacks the storage of the Windows NT/2000/2003 SAM extended controls. Thesmbpasswd
back end is not recommended because it does not scale well or hold any Windows information, such as RIDs for NT-based groups. Thetdbsam
back end solves these issues for use in a smaller database (250 users), but is still not an enterprise-class solution. ldapsam_compat
-
The
ldapsam_compat
back end allows continued OpenLDAP support for use with upgraded versions of Samba. tdbsam
-
The default
tdbsam
password back end provides a database back end for local servers, servers that do not need built-in database replication, and servers that do not require the scalability or complexity of LDAP. Thetdbsam
back end includes all of thesmbpasswd
database information as well as the previously-excluded SAM information. The inclusion of the extended SAM data allows Samba to implement the same account and system access controls as seen with Windows NT/2000/2003/2008-based systems.The
tdbsam
back end is recommended for 250 users at most. Larger organizations should require Active Directory or LDAP integration due to scalability and possible network infrastructure concerns. ldapsam
-
The
ldapsam
back end provides an optimal distributed account installation method for Samba. LDAP is optimal because of its ability to replicate its database to any number of servers such as the Red Hat Directory Server or an OpenLDAP Server. LDAP databases are light-weight and scalable, and as such are preferred by large enterprises. Installation and configuration of directory servers is beyond the scope of this chapter. For more information on the Red Hat Directory Server, see the Red Hat Directory Server 10 Deployment Guide. For more information on LDAP, see OpenLDAP.If you are upgrading from a previous version of Samba to 3.0, note that the OpenLDAP schema file (
/usr/share/doc/samba-version/LDAP/samba.schema
) and the Red Hat Directory Server schema file (/usr/share/doc/samba-version/LDAP/samba-schema-FDS.ldif
) have changed. These files contain the attribute syntax definitions and objectclass definitions that theldapsam
back end needs in order to function properly.As such, if you are using the
ldapsam
back end for your Samba server, you will need to configureslapd
to include one of these schema file. See Extending Schema for directions on how to do this.Make sure the openldap-servers package is installedYou need to have the openldap-servers package installed if you want to use the
ldapsam
back end. To ensure that the package is installed, execute the following command asroots
:~]# dnf install openldap-servers
Penjelajahan Jaringan Samba
Network browsing enables Windows and Samba servers to appear in the Windows Network Neighborhood
. Inside the Network Neighborhood
, icons are represented as servers and if opened, the server’s shares and printers that are available are displayed.
Network browsing capabilities require NetBIOS over TCP
/IP
. NetBIOS-based networking uses broadcast (UDP
) messaging to accomplish browse list management. Without NetBIOS and WINS as the primary method for TCP
/IP
host name resolution, other methods such as static files (/etc/hosts
) or DNS
, must be used.
A domain master browser collates the browse lists from local master browsers on all subnets so that browsing can occur between workgroups and subnets. Also, the domain master browser should preferably be the local master browser for its own subnet.
Domain Browsing By default, a Windows server PDC for a domain is also the domain master browser for that domain. A Samba server must not be set up as a domain master server in this type of situation.
For subnets that do not include the Windows server PDC, a Samba server can be implemented as a local master browser. Configuring the /etc/samba/smb.conf
file for a local master browser (or no browsing at all) in a domain controller environment is the same as workgroup configuration (see Configuring a Samba Server).
WINS (Windows Internet Name Server) Either a Samba server or a Windows NT server can function as a WINS server. When a WINS server is used with NetBIOS enabled, UDP unicasts can be routed which allows name resolution across networks. Without a WINS server, the UDP broadcast is limited to the local subnet and therefore cannot be routed to other subnets, workgroups, or domains. If WINS replication is necessary, do not use Samba as your primary WINS server, as Samba does not currently support WINS replication.
In a mixed NT/2000/2003/2008 server and Samba environment, it is recommended that you use the Microsoft WINS capabilities. In a Samba-only environment, it is recommended that you use only one Samba server for WINS.
The following is an example of the /etc/samba/smb.conf
file in which the Samba server is serving as a WINS server:
[global] wins support = yes
Menggunakan WINS
All servers (including Samba) should connect to a WINS server to resolve NetBIOS names. Without WINS, browsing only occurs on the local subnet. Furthermore, even if a domain-wide list is somehow obtained, hosts cannot be resolved for the client without WINS. |
Samba with CUPS Printing Support
Samba allows client machines to share printers connected to the Samba server. In addition, Samba also allows client machines to send documents built in Linux to Windows printer shares. Although there are other printing systems that function with Fedora, CUPS (Common UNIX Print System) is the recommended printing system due to its close integration with Samba.
Simple smb.conf
Settings The following example shows a very basic /etc/samba/smb.conf
configuration for CUPS support:
[global] load printers = yes printing = cups printcap name = cups [printers] comment = All Printers path = /var/spool/samba browseable = no guest ok = yes writable = no printable = yes pencetak admin = @ntadmins [print$] comment = Printer Drivers Share path = /var/lib/samba/drivers write list = ed, john pencetak admin = ed, john
Other printing configurations are also possible. To add additional security and privacy for printing confidential documents, users can have their own print spooler not located in a public path. If a job fails, other users would not have access to the file.
The print$
directive contains printer drivers for clients to access if not available locally. The print$
directive is optional and may not be required depending on the organization.
Setting browseable
to yes
enables the printer to be viewed in the Windows Network Neighborhood, provided the Samba server is set up correctly in the domain or workgroup.
Program Distribusi Samba
.net
net <protocol> <function> <misc_options> <target_options>
The net
utility is similar to the net
utility used for Windows and MS-DOS. The first argument is used to specify the protocol to use when executing a command. The protocol
option can be ads
, rap
, or rpc
for specifying the type of server connection. Active Directory uses ads
, Win9x/NT3 uses rap
, and Windows NT4/2000/2003/2008 uses rpc
. If the protocol is omitted, net
automatically tries to determine it.
The following example displays a list of the available shares for a host named wakko
:
~]$ net -l share -S wakko
Password:
Enumerating shared resources (exports) on remote server:
Share name Type Description
---------- ---- -----------
data Disk Wakko data share
tmp Disk Wakko tmp share
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)
The following example displays a list of Samba users for a host named wakko
:
~]$ net -l user -S wakko
root password:
User name Comment
-----------------------------
andriusb Documentation
joe Marketing
lisa Sales
nmblookup
nmblookup <options> <netbios_name>
The nmblookup
program resolves NetBIOS names into IP
addresses. The program broadcasts its query on the local subnet until the target machine replies.
The following example displays the IP
address of the NetBIOS name trek
:
~]$ nmblookup trek querying trek on 10.1.59.255 10.1.56.45 trek<00>
pdbedit
pdbedit <options>
The pdbedit
program manages accounts located in the SAM database. All back ends are supported including smbpasswd
, LDAP, and the tdb database library.
The following are examples of adding, deleting, and listing users:
~]$ pdbedit -a kristin new password: retype new password: Unix username: kristin NT username: Account Flags: [U ] User SID: S-1-5-21-1210235352-3804200048-1474496110-2012 Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077 Full Name: Home Directory: \\wakko\kristin HomeDir Drive: Logon Script: Profile Path: \\wakko\kristin\profile Domain: WAKKO Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set: Thu, 29 Jan 2004 08:29:28 GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT ~]$ pdbedit -v -L kristin Unix username: kristin NT username: Account Flags: [U ] User SID: S-1-5-21-1210235352-3804200048-1474496110-2012 Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077 Full Name: Home Directory: \\wakko\kristin HomeDir Drive: Logon Script: Profile Path: \\wakko\kristin\profile Domain: WAKKO Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set: Thu, 29 Jan 2004 08:29:28 GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT ~]$ pdbedit -L andriusb:505: joe:503: lisa:504: kristin:506: ~]$ pdbedit -x joe ~]$ pdbedit -L andriusb:505: lisa:504: kristin:506:
rpcclient
rpcclient <server> <options>
The rpcclient
program issues administrative commands using Microsoft RPCs, which provide access to the Windows administration graphical user interfaces (GUIs) for systems management. This is most often used by advanced users that understand the full complexity of Microsoft RPCs.
smbcacls
smbcacls <//server/share> <filename> <options>
The smbcacls
program modifies Windows ACLs on files and directories shared by a Samba server or a Windows server.
smbclient
smbclient <//server/share> <password> <options>
The smbclient
program is a versatile UNIX client which provides functionality similar to the ftp
utility.
smbcontrol
smbcontrol -i <options>
smbcontrol <options> <destination> <messagetype> <parameters>
The smbcontrol
program sends control messages to running smbd
, nmbd
, or winbindd
daemons. Executing smbcontrol -i runs commands interactively until a blank line or a 'q'
is entered.
smbpasswd
smbpasswd <options> <username> <password>
The smbpasswd
program manages encrypted passwords. This program can be run by a superuser to change any user’s password and also by an ordinary user to change their own Samba password.
smbspool
smbspool <job> <user> <title> <copies> <options> <filename>
The smbspool
program is a CUPS-compatible printing interface to Samba. Although designed for use with CUPS printers, smbspool can work with non-CUPS printers as well.
smbstatus
smbstatus <options>
The smbstatus
program displays the status of current connections to a Samba server.
smbtar
smbtar <options>
The smbtar
program performs backup and restores of Windows-based share files and directories to a local tape archive. Though similar to the tar
utility, the two are not compatible.
testparm
testparm <options> <filename> <hostname IP_address>
The testparm
program checks the syntax of the /etc/samba/smb.conf
file. If your smb.conf
file is in the default location (/etc/samba/smb.conf
) you do not need to specify the location. Specifying the host name and IP
address to the testparm
program verifies that the hosts.allow
and host.deny
files are configured correctly. The testparm
program also displays a summary of your smb.conf
file and the server’s role (stand-alone, domain, etc.) after testing. This is convenient when debugging as it excludes comments and concisely presents information for experienced administrators to read. For example:
~]$ testparm Load smb config files from /etc/samba/smb.conf Processing section "[homes]" Processing section "[printers]" Processing section "[tmp]" Processing section "[html]" Loaded services file OK. Server role: ROLE_STANDALONE Press enter to see a dump of your service definitions <enter>
# Global parameters
[global]
workgroup = MYGROUP
server string = Samba Server
security = SHARE
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
[homes]
comment = Home Directories
read only = no
browseable = no
[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
browseable = no
[tmp]
comment = Wakko tmp
path = /tmp
guest only = yes
[html]
comment = Wakko www
path = /var/www/html
force user = andriusb
force group = users
read only = no
guest only = yes
wbinfo
wbinfo <options>
The wbinfo
program displays information from the winbindd
daemon. The winbindd
daemon must be running for wbinfo
to work.
Sumber Daya Tambahan
The following sections give you the means to explore Samba in greater detail.
-
/usr/share/doc/samba-<version-number>/
— All additional files included with the Samba distribution. This includes all helper scripts, sample configuration files, and documentation. -
See the following man pages for detailed information specific Samba features:
-
smb.conf(5)
-
samba(7)
-
smbd(8)
-
nmbd(8)
-
winbindd(8)
-
-
http://www.samba.org/ — Homepage for the Samba distribution and all official documentation created by the Samba development team. Many resources are available in HTML and PDF formats, while others are only available for purchase. Although many of these links are not Fedora specific, some concepts may apply.
-
https://wiki.samba.org/index.php/User_Documentation — Samba 4.x official documentation.
-
http://samba.org/samba/archives.html — Active email lists for the Samba community. Enabling digest mode is recommended due to high levels of list activity.
-
Samba newsgroups — Samba threaded newsgroups, such as www.gmane.org, that use the
NNTP
protocol are also available. This an alternative to receiving mailing list emails.
FTP
File Transfer Protocol (FTP
) is one of the oldest and most commonly used protocols found on the Internet today. Its purpose is to reliably transfer files between computer hosts on a network without requiring the user to log directly into the remote host or have knowledge of how to use the remote system. It allows users to access files on remote systems using a standard set of simple commands.
This section outlines the basics of the FTP
protocol, as well as configuration options for the primary FTP
server shipped with Fedora, vsftpd.
The File Transfer Protocol
However, because FTP
is so prevalent on the Internet, it is often required to share files to the public. System administrators, therefore, should be aware of the FTP
protocol’s unique characteristics.
Multiple Ports, Multiple Modes Unlike most protocols used on the Internet, FTP
requires multiple network ports to work properly. When an FTP
client application initiates a connection to an FTP
server, it opens port 21 on the server — known as the command port. This port is used to issue all commands to the server. Any data requested from the server is returned to the client via a data port. The port number for data connections, and the way in which data connections are initialized, vary depending upon whether the client requests the data in active or passive mode.
The following defines these modes:
- mode aktif
-
Active mode is the original method used by the
FTP
protocol for transferring data to the client application. When an active mode data transfer is initiated by theFTP
client, the server opens a connection from port 20 on the server to theIP
address and a random, unprivileged port (greater than 1024) specified by the client. This arrangement means that the client machine must be allowed to accept connections over any port above 1024. With the growth of insecure networks, such as the Internet, the use of firewalls to protect client machines is now prevalent. Because these client-side firewalls often deny incoming connections from active modeFTP
servers, passive mode was devised. - mode pasif
-
Passive mode, like active mode, is initiated by the
FTP
client application. When requesting data from the server, theFTP
client indicates it wants to access the data in passive mode and the server provides theIP
address and a random, unprivileged port (greater than 1024) on the server. The client then connects to that port on the server to download the requested information.While passive mode resolves issues for client-side firewall interference with data connections, it can complicate administration of the server-side firewall. You can reduce the number of open ports on a server by limiting the range of unprivileged ports on the
FTP
server. This also simplifies the process of configuring firewall rules for the server. See Network Options for more information about limiting passive ports.
vsftpd
The Very Secure FTP Daemon (vsftpd) is designed from the ground up to be fast, stable, and, most importantly, secure. vsftpd is the only stand-alone FTP
server distributed with Fedora, due to its ability to handle large numbers of connections efficiently and securely.
The security model used by vsftpd has three primary aspects:
-
Strong separation of privileged and non-privileged processes — Separate processes handle different tasks, and each of these processes run with the minimal privileges required for the task.
-
Tasks requiring elevated privileges are handled by processes with the minimal privilege necessary — By leveraging compatibilities found in the
libcap
library, tasks that usually require fullroot
privileges can be executed more safely from a less privileged process. -
Most processes run in a chroot jail — Whenever possible, processes are change-rooted to the directory being shared; this directory is then considered a chroot jail. For example, if the directory /var/ftp/ is the primary shared directory, vsftpd reassigns /var/ftp/ to the new root directory, known as /. This disallows any potential malicious hacker activities for any directories not contained below the new root directory.
Use of these security practices has the following effect on how vsftpd deals with requests:
-
The parent process runs with the least privileges required — The parent process dynamically calculates the level of privileges it requires to minimize the level of risk. Child processes handle direct interaction with the
FTP
clients and run with as close to no privileges as possible. -
All operations requiring elevated privileges are handled by a small parent process — Much like the Apache
HTTP
Server, vsftpd launches unprivileged child processes to handle incoming connections. This allows the privileged, parent process to be as small as possible and handle relatively few tasks. -
All requests from unprivileged child processes are distrusted by the parent process — Communication with child processes are received over a socket, and the validity of any information from child processes is checked before being acted on.
-
Most interaction with
FTP
clients is handled by unprivileged child processes in a chroot jail — Because these child processes are unprivileged and only have access to the directory being shared, any crashed processes only allows the attacker access to the shared files.
Files Installed with vsftpd
The vsftpd
RPM installs the daemon (/usr/sbin/vsftpd
), its configuration and related files, as well as FTP
directories onto the system. The following lists the files and directories related to vsftpd configuration:
-
/etc/rc.d/init.d/vsftpd
— The initialization script (initscript) used by the systemctl command to start, stop, or reload vsftpd. See Starting and Stopping vsftpd for more information about using this script. -
/etc/pam.d/vsftpd
— The Pluggable Authentication Modules (PAM) configuration file for vsftpd. This file specifies the requirements a user must meet to login to theFTP
server. For more information on PAM, refer to the Using Pluggable Authentication Modules (PAM) chapter of the Fedora 27 Managing Single Sign-On and Smart Cards guide. -
/etc/vsftpd/vsftpd.conf
— The configuration file for vsftpd. See vsftpd Configuration Options for a list of important options contained within this file. -
/etc/vsftpd/ftpusers
— A list of users not allowed to log into vsftpd. By default, this list includes theroot
,bin
, anddaemon
users, among others. -
/etc/vsftpd/user_list
— This file can be configured to either deny or allow access to the users listed, depending on whether the userlist_deny directive is set to YES (default) or NO in/etc/vsftpd/vsftpd.conf
. If/etc/vsftpd/user_list
is used to grant access to users, the usernames listed must not appear in/etc/vsftpd/ftpusers
. -
/var/ftp/
— The directory containing files served by vsftpd. It also contains the/var/ftp/pub/
directory for anonymous users. Both directories are world-readable, but writable only by theroot
user.
Starting and Stopping vsftpd
The vsftpd
RPM installs the /etc/rc.d/init.d/vsftpd
script, which can be accessed using the systemctl command.
Untuk memulai server, sebagai root
ketikkan:
systemctl start vsftpd.service
Untuk menghentikan server, sebagai root
ketikkan:
systemctl stop vsftpd.service
The restart
option is a shorthand way of stopping and then starting vsftpd. This is the most efficient way to make configuration changes take effect after editing the configuration file for vsftpd.
Untuk me-restart server, sebagai root
ketikkan:
systemctl restart vsftpd.service
The condrestart
(conditional restart) option only starts vsftpd if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
To conditionally restart the server, as root
type:
systemctl condrestart vsftpd.service
By default, the vsftpd service does not start automatically at boot time. To configure the vsftpd service to start at boot time, use a service manager such as systemctl. See Services and Daemons for more information on how to configure services in Fedora.
Starting Multiple Copies of vsftpd Sometimes one computer is used to serve multiple FTP
domains. This is a technique called multihoming. One way to multihome using vsftpd is by running multiple copies of the daemon, each with its own configuration file.
To do this, first assign all relevant IP
addresses to network devices or alias network devices on the system. For more information about configuring network devices, device aliases, and additional information about network configuration scripts, refer to the Fedora Networking Guide.
Next, the DNS server for the FTP
domains must be configured to reference the correct machine. For information about BIND and its configuration files, refer to the Fedora Networking Guide.
If there is more configuration files present in the /etc/vsftpd
directory, calling systemctl start vsftpd.service results in the /etc/rc.d/init.d/vsftpd
initscript starting the same number of processes as the number of configuration files. Each configuration file must have a unique name in the /etc/vsftpd/
directory and must be readable and writable only by root
.
vsftpd Opsi Konfigurasi
Although vsftpd may not offer the level of customization other widely available FTP
servers have, it offers enough options to fill most administrator’s needs. The fact that it is not overly feature-laden limits configuration and programmatic errors.
All configuration of vsftpd is handled by its configuration file, /etc/vsftpd/vsftpd.conf
. Each directive is on its own line within the file and follows the following format:
directive=value
For each directive, replace directive with a valid directive and value with a valid value.
Jangan gunakan spasi
There must not be any spaces between the directive, equal symbol, and the value in a directive. |
Comment lines must be preceded by a hash sign (#) and are ignored by the daemon.
For a complete list of all directives available, refer to the man page for vsftpd.conf
.
Securing the vsftpd service
For an overview of ways to secure vsftpd, see the Red Hat Enterprise Linux 7 Security Guide. |
The following is a list of some of the more important directives within /etc/vsftpd/vsftpd.conf
. All directives not explicitly found or commented out within vsftpd's configuration file are set to their default value.
Daemon Options The following is a list of directives which control the overall behavior of the vsftpd daemon.
-
listen — When enabled, vsftpd runs in stand-alone mode. Fedora sets this value to YES. This directive cannot be used in conjunction with the listen_ipv6 directive.
Nilai bakunya adalah NO.
-
listen_ipv6 — When enabled, vsftpd runs in stand-alone mode, but listens only to
IPv6
sockets. This directive cannot be used in conjunction with the listen directive.Nilai bakunya adalah NO.
-
session_support — When enabled, vsftpd attempts to maintain login sessions for each user through Pluggable Authentication Modules (PAM). For more information, refer to the Using Pluggable Authentication Modules (PAM) chapter of the Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards and the PAM man pages. . If session logging is not necessary, disabling this option allows vsftpd to run with less processes and lower privileges.
Nilai bakunya adalah YES.
Log In Options and Access Controls The following is a list of directives which control the login behavior and access control mechanisms.
-
anonymous_enable — When enabled, anonymous users are allowed to log in. The usernames
anonymous
andftp
are accepted.Nilai bakunya adalah YES.
See Anonymous User Options for a list of directives affecting anonymous users.
-
banned_email_file — If the deny_email_enable directive is set to YES, this directive specifies the file containing a list of anonymous email passwords which are not permitted access to the server.
Nilai bakunya adalah
/etc/vsftpd/banned_emails
. -
banner_file — Specifies the file containing text displayed when a connection is established to the server. This option overrides any text specified in the ftpd_banner directive.
Tidak ada nilai baku untuk direktif ini.
-
cmds_allowed — Specifies a comma-delimited list of
FTP
commands allowed by the server. All other commands are rejected.Tidak ada nilai baku untuk direktif ini.
-
deny_email_enable — When enabled, any anonymous user utilizing email passwords specified in the
/etc/vsftpd/banned_emails
are denied access to the server. The name of the file referenced by this directive can be specified using the banned_email_file directive.Nilai bakunya adalah NO.
-
ftpd_banner — When enabled, the string specified within this directive is displayed when a connection is established to the server. This option can be overridden by the banner_file directive.
By default vsftpd displays its standard banner.
-
local_enable — When enabled, local users are allowed to log into the system.
Nilai bakunya adalah YES.
See Local User Options for a list of directives affecting local users.
-
pam_service_name — Specifies the PAM service name for vsftpd.
Nilai bakunya adalah ftp. Catatan, dalam Fedora, nilai diatur ke vsftpd.
-
Nilai bakunya adalah NO. Catatan, di Fedora, nilai diatur ke YES.
-
userlist_deny — When used in conjunction with the userlist_enable directive and set to NO, all local users are denied access unless the username is listed in the file specified by the userlist_file directive. Because access is denied before the client is asked for a password, setting this directive to NO prevents local users from submitting unencrypted passwords over the network.
Nilai bakunya adalah YES.
-
userlist_enable — When enabled, the users listed in the file specified by the userlist_file directive are denied access. Because access is denied before the client is asked for a password, users are prevented from submitting unencrypted passwords over the network.
Nilai bakunya adalah NO, namun di bawah Fedora nilai diatur ke YES.
-
userlist_file — Specifies the file referenced by vsftpd when the userlist_enable directive is enabled.
Nilai bakunya adalah /etc/vsftpd/user_list dan dibuat selama instalasi.
Anonymous User Options The following lists directives which control anonymous user access to the server. To use these options, the anonymous_enable directive must be set to YES.
-
anon_mkdir_write_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to create new directories within a parent directory which has write permissions.
Nilai bakunya adalah NO.
-
anon_root — Specifies the directory vsftpd changes to after an anonymous user logs in.
Tidak ada nilai baku untuk direktif ini.
-
anon_upload_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to upload files within a parent directory which has write permissions.
Nilai bakunya adalah NO.
-
anon_world_readable_only — When enabled, anonymous users are only allowed to download world-readable files.
Nilai bakunya adalah YES.
-
ftp_username — Specifies the local user account (listed in
/etc/passwd
) used for the anonymousFTP
user. The home directory specified in/etc/passwd
for the user is the root directory of the anonymousFTP
user.Nilai bakunya adalah ftp.
-
no_anon_password — When enabled, the anonymous user is not asked for a password.
Nilai bakunya adalah NO.
-
secure_email_list_enable — When enabled, only a specified list of email passwords for anonymous logins are accepted. This is a convenient way to offer limited security to public content without the need for virtual users.
Anonymous logins are prevented unless the password provided is listed in /etc/vsftpd/email_passwords. The file format is one password per line, with no trailing white spaces.
Nilai bakunya adalah NO.
Local User Options The following lists directives which characterize the way local users access the server. To use these options, the local_enable directive must be set to YES.
-
chmod_enable — When enabled, the
FTP
command SITE CHMOD is allowed for local users. This command allows the users to change the permissions on files.Nilai bakunya adalah YES.
-
chroot_list_enable — When enabled, the local users listed in the file specified in the chroot_list_file directive are placed in a chroot jail upon log in.
If enabled in conjunction with the chroot_local_user directive, the local users listed in the file specified in the chroot_list_file directive are not placed in a chroot jail upon log in.
Nilai bakunya adalah NO.
-
chroot_list_file — Specifies the file containing a list of local users referenced when the chroot_list_enable directive is set to YES.
Nilai bakunya adalah /etc/vsftpd/chroot_list.
-
chroot_local_user — When enabled, local users are change-rooted to their home directories after logging in.
Nilai bakunya adalah NO.
Avoid enabling the chroot_local_user optionEnabling chroot_local_user opens up a number of security issues, especially for users with upload privileges. For this reason, it is not recommended.
-
guest_enable — When enabled, all non-anonymous users are logged in as the user guest, which is the local user specified in the guest_username directive.
Nilai bakunya adalah NO.
-
guest_username — Specifies the username the guest user is mapped to.
Nilai bakunya adalah ftp.
-
local_root — Specifies the directory vsftpd changes to after a local user logs in.
Tidak ada nilai baku untuk direktif ini.
-
local_umask — Specifies the umask value for file creation. Note that the default value is in octal form (a numerical system with a base of eight), which includes a "0" prefix. Otherwise the value is treated as a base-10 integer.
Nilai bakunya adalah 022.
-
passwd_chroot_enable — When enabled in conjunction with the chroot_local_user directive, vsftpd change-roots local users based on the occurrence of the /./ in the home directory field within
/etc/passwd
.Nilai bakunya adalah NO.
-
user_config_dir — Specifies the path to a directory containing configuration files bearing the name of local system users that contain specific setting for that user. Any directive in the user’s configuration file overrides those found in
/etc/vsftpd/vsftpd.conf
.Tidak ada nilai baku untuk direktif ini.
Directory Options The following lists directives which affect directories.
-
dirlist_enable — When enabled, users are allowed to view directory lists.
Nilai bakunya adalah YES.
-
dirmessage_enable — When enabled, a message is displayed whenever a user enters a directory with a message file. This message resides within the current directory. The name of this file is specified in the message_file directive and is
.message
by default.Nilai bakunya adalah NO. Catatan, di Fedora, nilai diatur ke YES.
-
force_dot_files — When enabled, files beginning with a dot (
.
) are listed in directory listings, with the exception of the.
and..
files.Nilai bakunya adalah NO.
-
hide_ids — When enabled, all directory listings show
ftp
as the user and group for each file.Nilai bakunya adalah NO.
-
message_file — Specifies the name of the message file when using the dirmessage_enable directive.
Nilai bakunya adalah .message.
-
text_userdb_names — When enabled, text usernames and group names are used in place of UID and GID entries. Enabling this option may slow performance of the server.
Nilai bakunya adalah NO.
-
use_localtime — When enabled, directory listings reveal the local time for the computer instead of GMT.
Nilai bakunya adalah NO.
File Transfer Options The following lists directives which affect directories.
-
download_enable — When enabled, file downloads are permitted.
Nilai bakunya adalah YES.
-
chown_uploads — When enabled, all files uploaded by anonymous users are owned by the user specified in the chown_username directive.
Nilai bakunya adalah NO.
-
chown_username — Specifies the ownership of anonymously uploaded files if the chown_uploads directive is enabled.
Nilai bakunya adalah root.
-
write_enable — When enabled,
FTP
commands which can change the file system are allowed, such as DELE, RNFR, and STOR.Nilai bakunya adalah YES.
Logging Options The following lists directives which affect vsftpd's logging behavior.
-
dual_log_enable — When enabled in conjunction with xferlog_enable, vsftpd writes two files simultaneously: a wu-ftpd-compatible log to the file specified in the xferlog_file directive (
/var/log/xferlog
by default) and a standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log
by default).Nilai bakunya adalah NO.
-
log_ftp_protocol — When enabled in conjunction with xferlog_enable and with xferlog_std_format set to NO, all
FTP
commands and responses are logged. This directive is useful for debugging.Nilai bakunya adalah NO.
-
syslog_enable — When enabled in conjunction with xferlog_enable, all logging normally written to the standard vsftpd log file specified in the vsftpd_log_file directive (
/var/log/vsftpd.log
by default) is sent to the system logger instead under theFTPD
facility.Nilai bakunya adalah NO.
-
vsftpd_log_file — Specifies the vsftpd log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must either be set to NO or, if xferlog_std_format is set to YES, dual_log_enable must be enabled. It is important to note that if syslog_enable is set to YES, the system log is used instead of the file specified in this directive.
Nilai bakunya adalah
/var/log/vsftpd.log
. -
xferlog_enable — When enabled, vsftpd logs connections (vsftpd format only) and file transfer information to the log file specified in the vsftpd_log_file directive (
/var/log/vsftpd.log
by default). If xferlog_std_format is set to YES, file transfer information is logged but connections are not, and the log file specified in xferlog_file (/var/log/xferlog
by default) is used instead. It is important to note that both log files and log formats are used if dual_log_enable is set to YES.Nilai bakunya adalah NO. Catatan, di Fedora, nilai diatur ke YES.
-
xferlog_file — Specifies the wu-ftpd-compatible log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must be set to YES. It is also used if dual_log_enable is set to YES.
Nilai bakunya adalah
/var/log/xferlog
. -
xferlog_std_format — When enabled in conjunction with xferlog_enable, only a wu-ftpd-compatible file transfer log is written to the file specified in the xferlog_file directive (
/var/log/xferlog
by default). It is important to note that this file only logs file transfers and does not log connections to the server.Nilai bakunya adalah NO. Catatan, di Fedora, nilai diatur ke YES.
Mempertahankan kompatibilitas dengan format berkas log yang lebih lama
To maintain compatibility with log files written by the older wu-ftpd To both log connections in vsftpd format and maintain a wu-ftpd-compatible file transfer log, set dual_log_enable to YES. If maintaining a wu-ftpd-compatible file transfer log is not important, either set xferlog_std_format to NO, comment the line with a hash sign (#), or delete the line entirely. |
Network Options The following lists directives which affect how vsftpd interacts with the network.
-
accept_timeout — Specifies the amount of time for a client using passive mode to establish a connection.
Nilai bakunya adalah 60.
-
anon_max_rate — Specifies the maximum data transfer rate for anonymous users in bytes per second.
Nilai bakunya adalah 0, yang tidak membatasi kecepatan transfer.
-
connect_from_port_20 When enabled, vsftpd runs with enough privileges to open port 20 on the server during active mode data transfers. Disabling this option allows vsftpd to run with less privileges, but may be incompatible with some
FTP
clients.Nilai bakunya adalah NO. Catatan, di Fedora, nilai diatur ke YES.
-
connect_timeout — Specifies the maximum amount of time a client using active mode has to respond to a data connection, in seconds.
Nilai bakunya adalah 60.
-
data_connection_timeout — Specifies maximum amount of time data transfers are allowed to stall, in seconds. Once triggered, the connection to the remote client is closed.
Nilai bakunya adalah 300.
-
ftp_data_port — Specifies the port used for active data connections when connect_from_port_20 is set to YES.
Nilai bakunya adalah 20.
-
idle_session_timeout — Specifies the maximum amount of time between commands from a remote client. Once triggered, the connection to the remote client is closed.
Nilai bakunya adalah 300.
-
listen_address — Specifies the
IP
address on which vsftpd listens for network connections.Tidak ada nilai baku untuk direktif ini.
Running multiple copies of vsftpdIf running multiple copies of vsftpd serving different
IP
addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. See Starting Multiple Copies of vsftpd for more information about multihomedFTP
servers. -
listen_address6 — Specifies the
IPv6
address on which vsftpd listens for network connections when listen_ipv6 is set to YES.Tidak ada nilai baku untuk direktif ini.
Running multiple copies of vsftpdIf running multiple copies of vsftpd serving different
IP
addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. See Starting Multiple Copies of vsftpd for more information about multihomedFTP
servers. -
listen_port — Specifies the port on which vsftpd listens for network connections.
Nilai bakunya adalah 21.
-
local_max_rate — Specifies the maximum rate data is transferred for local users logged into the server in bytes per second.
Nilai bakunya adalah 0, yang tidak membatasi kecepatan transfer.
-
max_clients — Specifies the maximum number of simultaneous clients allowed to connect to the server when it is running in standalone mode. Any additional client connections would result in an error message.
Nilai bakunya adalah 0, yang tidak membatasi koneksi.
-
max_per_ip — Specifies the maximum of clients allowed to connected from the same source
IP
address.Nilai bakunya adalah 0, yang tidak membatasi koneksi.
-
pasv_address — Specifies the
IP
address for the public facingIP
address of the server for servers behind Network Address Translation (NAT) firewalls. This enables vsftpd to hand out the correct return address for passive mode connections.Tidak ada nilai baku untuk direktif ini.
-
pasv_enable — When enabled, passive mode connects are allowed.
Nilai bakunya adalah YES.
-
pasv_max_port — Specifies the highest possible port sent to the
FTP
clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.Nilai bakunya adalah 0, yang tidak membatasi rentang port pasif tertinggi. Nilai tidak boleh melebihi 65535.
-
pasv_min_port — Specifies the lowest possible port sent to the
FTP
clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.Nilai bakunya adalah 0, yang tidak membatasi rentang port pasif terendah. Nilainya tidak boleh lebih kurang dari 1024.
-
pasv_promiscuous — When enabled, data connections are not checked to make sure they are originating from the same
IP
address. This setting is only useful for certain types of tunneling.Avoid enabling the pasv_promiscuous optionDo not enable this option unless absolutely necessary as it disables an important security feature which verifies that passive mode connections originate from the same
IP
address as the control connection that initiates the data transfer.Nilai bakunya adalah NO.
-
port_enable — When enabled, active mode connects are allowed.
Nilai bakunya adalah YES.
Sumber Daya Tambahan
For more information about vsftpd, refer to the following resources.
Installed Documentation
-
The
/usr/share/doc/vsftpd/
directory — This directory contains aREADME
with basic information about the software. TheTUNING
file contains basic performance tuning tips and theSECURITY/
directory contains information about the security model employed by vsftpd. -
vsftpd related man pages — There are a number of man pages for the daemon and configuration files. The following lists some of the more important man pages.
- Aplikasi Server
-
-
man vsftpd — Describes available command line options for vsftpd.
-
- Berkas Konfigurasi
-
-
man vsftpd.conf — Contains a detailed list of options available within the configuration file for vsftpd.
-
man 5 hosts_access — Describes the format and options available within the TCP wrappers configuration files:
hosts.allow
andhosts.deny
.
-
Useful Websites
-
https://security.appspot.com/vsftpd.html — Halaman proyek vsftpd adalah tempat yang tepat untuk menemukan dokumentasi terbaru dan menghubungi penulis perangkat lunak.
-
http://slacksite.com/other/ftp.html — This website provides a concise explanation of the differences between active and passive mode
FTP
. -
http://www.ietf.org/rfc/rfc0959.txt — The original Request for Comments (RFC) of the
FTP
protocol from the IETF.
Konfigurasi Pencetak
Alat konfigurasi Pencetak berfungsi untuk mengonfigurasi pencetak, pemeliharaan berkas konfigurasi pencetak, direktori spool cetak dan filter cetak, dan manajemen kelas pencetak.
Alat ini didasarkan pada Common Unix Printing System (CUPS). Jika Anda memutakhirkan sistem dari versi Fedora sebelumnya yang menggunakan CUPS, proses peningkatan mempertahankan pencetak yang dikonfigurasi.
Menggunakan aplikasi web atau alat baris perintah CUPS
Anda dapat melakukan operasi yang sama dan tambahan pada pencetak langsung dari aplikasi web atau baris perintah CUPS. Untuk mengakses aplikasi, di peramban web, buka http://localhost:631/. Untuk manual CUPS, lihat tautan pada tab |
Memulai Alat Konfigurasi Pencetak
Dengan alat konfigurasi Pencetak, Anda dapat melakukan berbagai operasi pada pencetak yang ada dan menyiapkan pencetak baru. Anda juga dapat menggunakan CUPS secara langsung (buka http://localhost:631/ untuk mengakses aplikasi web CUPS).
Untuk memulai alat konfigurasi Pencetak jika menggunakan desktop GNOME, tekan tombol Super untuk memasukkan Ringkasan Aktivitas, ketik Pencetak, lalu tekan Enter. Alat konfigurasi Pencetak muncul. Tombol Super muncul dalam berbagai bentuk, tergantung pada papan ketik dan perangkat keras lainnya, tetapi sering kali sebagai tombol Windows atau Command, dan biasanya di sebelah kiri Spacebar.
Jendela Pencetak
yang digambarkan dalam Jendela Konfigurasi Pencetak muncul.
Memulai Penyiapan Pencetak
Proses penyiapan pencetak bervariasi tergantung pada jenis antrian pencetak.
Jika Anda mengatur pencetak lokal yang terhubung dengan USB, pencetak akan ditemukan dan ditambahkan secara otomatis. Anda akan diminta untuk mengonfirmasi paket yang akan dipasang dan memberikan kata sandi pengguna root
atau administrator. Pencetak lokal yang terhubung dengan jenis port lain dan pencetak jaringan perlu diatur secara manual.
Ikuti prosedur ini untuk memulai penyiapan pencetak manual:
-
Jalankan alat konfigurasi Pencetak (lihat Memulai Alat Konfigurasi Pencetak).
-
Pilih
Buka Kunci
untuk mengaktifkan perubahan yang akan dilakukan. Di kotakAutentikasi Diperlukan
, ketikkata sandi penggunaroot
atau administrator dan konfirmasikan. -
Pilih tanda plus untuk membuka dialog
Tambahkan Pencetak Baru
. Pilih pencetak dari daftar atau masukkan alamatnya di bawah ini.
Menambahkan Pencetak Lokal
Ikuti prosedur ini untuk menambahkan pencetak lokal yang terhubung dengan selain port serial:
-
Buka dialog
Tambhkan Pencetak Baru
(lihat Memulai Penyiapan Pencetak). -
Jika perangkat tidak muncul secara otomatis, pilih port tempat pencetak terhubung dalam daftar di sebelah kiri (seperti
Serial Port #1
atauLPT #1
). -
Di sebelah kanan, masukkan properti koneksi:
- untuk
Masukkan URI
-
URI
(misalnya file:/dev/lp0) - untuk
Port Serial
-
Baud Rate
- untuk
Paritas
Data Bit
Kendali Alir
-
Klik Maju.
-
Pilih model pencetak. Lihat Memilih Model pencetak dan Finishing untuk detailnya.
Menambahkan pencetak AppSocket/HP JetDirect
Ikuti prosedur ini untuk menambahkan pencetak AppSocket/HP JetDirect:
-
Buka dialog
Tambahkan Pencetak Baru
(lihat Memulai Alat Konfigurasi Pencetak). -
Dalam daftar di sebelah kiri, pilih
. -
Di sebelah kanan, masukkan pengaturan koneksi:
Nama host
-
Nama host pencetak atau alamat
IP
. Nomor Port
-
Port tempat pencetak mendengarkan pekerjaan pencetakan (
9100
secara baku).
-
Klik Maju.
-
Pilih model pencetak. Lihat Memilih Model pencetak dan Finishing untuk detailnya.
Menambahkan Pencetak IPP
Pencetak IPP
adalah pencetak yang terpasang pada sistem yang berbeda pada jaringan TCP/IP yang sama. Sistem tempat pencetak ini terpasang mungkin menjalankan CUPS atau hanya dikonfigurasi untuk menggunakan IPP
.
Jika firewall diaktifkan pada server pencetak, maka firewall harus dikonfigurasi untuk memungkinkan koneksi TCP
masuk pada port 631
. Perhatikan bahwa protokol penjelajahan CUPS memungkinkan komputer klien untuk menemukan antrean CUPS bersama secara otomatis. Untuk mengaktifkan ini, firewall pada komputer klien harus dikonfigurasi untuk memungkinkan paket UDP
masuk pada port 631
.
Ikuti prosedur ini untuk menambahkan pencetak IPP
:
-
Buka dialog
Pencetak
(lihat Memulai Penyiapan Pencetak). -
Dalam daftar perangkat di sebelah kiri, pilih Pencetak Jaringan dan
Internet Printing Protocol (ipp)
atauInternet Printing Protocol (https)
. -
Di sebelah kanan, masukkan pengaturan koneksi:
Host
-
Nama host pencetak
IPP
. Antrian
-
Nama antrian yang akan diberikan ke antrian baru (jika kotak dibiarkan kosong, nama berdasarkan node perangkat akan digunakan).
-
Secara opsional, klik Verifikasi untuk mendeteksi pencetak.
-
Klik Maju untuk melanjutkan.
-
Pilih model pencetak. Lihat Memilih Model pencetak dan Finishing untuk detailnya.
Menambahkan Host atau Pencetak LPD/LPR
Ikuti prosedur ini untuk menambahkan host atau pencetak LPD/LPR:
-
Buka dialog
Pencetak Baru
(lihat Memulai Penyiapan Pencetak). -
Dalam daftar perangkat di sebelah kiri, pilih
. -
Di sebelah kanan, masukkan pengaturan koneksi:
Host
-
Nama host pencetak atau host LPD/LPR.
Secara opsional, klik Probe untuk menemukan antrean pada host LPD.
Antrian
-
Nama antrian yang akan diberikan ke antrian baru (jika kotak dibiarkan kosong, nama berdasarkan node perangkat akan digunakan).
-
Klik Maju untuk melanjutkan.
-
Pilih model pencetak. Lihat Memilih Model pencetak dan Finishing untuk detailnya.
Menambahkan pencetak Samba (SMB)
Ikuti prosedur ini untuk menambahkan pencetak Samba:
Memasang paket samba-client
Perhatikan bahwa untuk menambahkan pencetak Samba, Anda harus memasang paket samba-client. Anda dapat melakukannya dengan menjalankan, sebagai dnf install samba-client
For more information on installing packages with DNF, refer to Installing Packages. |
-
Buka dialog
Pencetak Baru
(lihat Memulai Penyiapan Pencetak). -
Dalam daftar di sebelah kiri, pilih
. -
Masukkan alamat SMB di bidang
smb://
. Gunakan format nama komputer/share pencetak. Dalam Menambahkan pencetak SMB, nama komputer adalah dellbox dan share pencetak adalah r2.
-
Klik Ramban untuk melihat grup/domain kerja yang tersedia. Untuk menampilkan hanya antrean host tertentu, ketik nama host (nama NetBios) dan klik Ramban.
-
Pilih salah satu opsi:
-
Minta pengguna jika autentikasi diperlukan
: nama pengguna dan kata sandi dikumpulkan dari pengguna saat mencetak dokumen. -
Atur detail autentikasi sekarang
: berikan informasi autentikasi sekarang sehingga tidak diperlukan nanti. Di bidangNama pengguna
, masukkan nama pengguna untuk mengakses pencetak. Pengguna ini harus ada pada sistem SMB, dan pengguna harus memiliki izin untuk mengakses pencetak. Nama pengguna baku biasanya adalahguest
untuk server Windows, ataunobody
untuk server Samba.
-
-
Masukkan
Kata Sandi
(jika diperlukan) untuk pengguna yang ditentukan di bidangNama Pengguna
.
Berhati-hatilah saat memilih kata sandi
Nama pengguna dan kata sandi pencetak Samba disimpan di server pencetak sebagai berkas yang tidak terenkripsi yang dapat dibaca oleh Oleh karena itu, ketika Anda memilih nama pengguna dan kata sandi untuk mengakses pencetak Samba, disarankan agar Anda memilih kata sandi yang berbeda dari apa yang Anda gunakan untuk mengakses sistem Fedora lokal Anda. Jika ada berkas yang dibagikan di server cetak Samba, disarankan agar mereka juga menggunakan kata sandi yang berbeda dari apa yang digunakan oleh antrian cetak. |
-
Klik Verifikasi untuk menguji koneksi. Setelah verifikasi berhasil, kotak dialog muncul mengonfirmasi aksesibilitas berbagi pencetak.
-
Klik Maju.
-
Pilih model pencetak. Lihat Memilih Model pencetak dan Finishing untuk detailnya.
Memilih Model Pencetak dan Menyelesaikan
Setelah Anda memilih jenis koneksi pencetak dengan benar, sistem mencoba untuk mendapatkan driver. Jika proses gagal, Anda dapat menemukan atau mencari sumber daya driver secara manual.
Ikuti prosedur ini untuk menyediakan driver pencetak dan menyelesaikan instalasi:
-
Di jendela yang ditampilkan setelah deteksi driver otomatis gagal, pilih salah satu opsi berikut:
-
Pilih pencetak dari basis data
— sistem memilih driver berdasarkan merek pencetak Anda yang dipilih dari daftarMerek
. Jika model pencetak Anda tidak tercantum, pilihGenerik
. -
Sediakan berkas PPD
— sistem menggunakan berkas PostScript Printer Description (PPD) yang disediakan untuk instalasi. Berkas PPD juga dapat dikirimkan dengan pencetak Anda seperti yang biasanya disediakan oleh pabrikan. Jika berkas PPD tersedia, Anda dapat memilih opsi ini dan menggunakan bilah peramban di bawah deskripsi opsi untuk memilih berkas PPD. -
Cari driver pencetak untuk diunduh
— masukkan merek dan model pencetak Anda ke dalam bidangMerek dan model
untuk mencari di OpenPrinting.org untuk paket yang sesuai.
-
-
Tergantung pada pilihan Anda sebelumnya, berikan detail di area yang ditampilkan di bawah ini:
-
Merek pencetak untuk opsi
Pilih pencetak dari basis data
. -
Lokasi berkas PPD untuk opsi
Berikan berkas PPD
. -
Merek dan model pencetak untuk opsi
Cari driver pencetak untuk diunduh
.
-
-
Klik Maju untuk melanjutkan.
-
Jika berlaku untuk opsi Anda, jendela yang ditampilkan di Memilih model pencetak akan muncul. Pilih model yang sesuai di kolom
Model
di sebelah kiri.
Memilih driver pencetak
Di sebelah kanan, driver pencetak yang disarankan dipilih secara otomatis; namun, Anda dapat memilih driver lain yang tersedia. Driver cetak memproses data yang ingin Anda cetak ke dalam format yang dapat dipahami pencetak. Karena pencetak lokal terpasang langsung ke komputer Anda, Anda memerlukan driver pencetak untuk memproses data yang dikirim ke pencetak. |
-
Klik Maju.
-
Di bawah
Jelaskan Pencetak
masukkan nama unik untuk pencetak di bidangNama Pencetak
. Nama pencetak dapat berisi huruf, angka, tanda hubung (-), dan garis bawah (_); itu tidak boleh berisi spasi apa pun. Anda juga dapat menggunakan bidangDeskripsi
danLokasi
untuk menambahkan informasi pencetak lebih lanjut. Kedua bidang bersifat opsional, dan mungkin berisi spasi.
-
Klik Terapkan untuk mengonfirmasi konfigurasi pencetak Anda dan menambahkan antrean cetak jika pengaturannya benar. Klik Mundur untuk mengubah konfigurasi pencetak.
-
Setelah perubahan diterapkan, kotak dialog muncul yang memungkinkan Anda mencetak halaman pengujian. Klik Cetak Halaman Uji untuk mencetak halaman pengujian sekarang. Atau, Anda dapat mencetak halaman pengujian nanti seperti yang dijelaskan dalam Mencetak Halaman Uji.
Mencetak Halaman Uji
Setelah Anda menyiapkan pencetak atau mengubah konfigurasi pencetak, cetak halaman pengujian untuk memastikan pencetak berfungsi dengan baik:
-
Klik kanan pencetak di jendela
Pencetakan
dan klikProperti
. -
Di jendela Properti, klik
Pengaturan
di sebelah kiri. -
Pada tab
Pengaturan
yang ditampilkan, klik tombol Cetak Halaman Uji.
Memodifikasi Pencetak yang Ada
Untuk menghapus pencetak yang ada, di jendela konfigurasi Pencetak
, pilih pencetak dan buka . Konfirmasikan penghapusan pencetak. Atau, tekan tombol Delete.
Untuk mengatur pencetak baku, klik kanan pencetak dalam daftar pencetak dan klik tombol Jadikan Baku
di menu konteks.
The Settings Page To change printer driver configuration, double-click the corresponding name in the Printer
list and click the Settings
label on the left to display the Settings
page.
Anda dapat mengubah pengaturan pencetak seperti merek dan model, mencetak halaman uji, mengubah lokasi perangkat (URI), dan banyak lagi.
The Policies Page
Klik tombol Kebijakan
di sebelah kiri untuk mengubah pengaturan dalam status pencetak dan mencetak keluaran.
Anda dapat memilih status pencetak, mengonfigurasi Kebijakan Kesalahan
pencetak (Anda dapat memutuskan untuk membatalkan pekerjaan pencetakan, mencoba lagi, atau menghentikannya jika terjadi kesalahan).
Anda juga dapat membuat halaman banner (halaman yang menjelaskan aspek-aspek pekerjaan pencetakan seperti pencetak asal, nama pengguna dari mana pekerjaan itu berasal, dan status keamanan dokumen yang sedang dicetak): klik menu tarik-turun Banner Awalan
atau Banner Akhiran
dan pilih opsi yang paling menggambarkan sifat pekerjaan pencetakan (misalnya, rahasia
).
Pada halaman Kebijakan
, Anda dapat menandai pencetak sebagai dipakai bersama: jika pencetak dibagikan, pengguna yang dipublikasikan di jaringan dapat menggunakannya. Untuk mengizinkan fungsi berbagi untuk pencetak, buka dan pilih Publikasikan pencetak yang dibagikan yang tersambung ke sistem ini
.
Pastikan bahwa firewall memungkinkan koneksi TCP
yang masuk ke port 631
, port untuk protokol Network Printing Server (IPP
). Untuk mengizinkan lalu lintas IPP
melalui firewall pada Fedora 27, manfaatkan layanan IPP
firewalld
. Untuk melakukannya, lanjutkan sebagai berikut:
-
Untuk memulai alat grafis firewall-config, tekan tombol Super untuk memasukkan Gambaran Umum Aktivitas, ketik firewall lalu tekan Enter. Jendela
Konfigurasi Firewall
terbuka. Anda akan dimintai kata sandi administrator atauroot
.
Atau, untuk memulai alat konfigurasi firewall grafis menggunakan baris perintah, masukkan perintah berikut sebagai pengguna root
:
~]# firewall-config
Jendela Konfigurasi Firewall
terbuka.
Cari kata "Tersambung" di pojok kiri bawah. Ini menunjukkan bahwa alat firewall-config terhubung ke daemon ruang pengguna, firewalld
.
Untuk segera mengubah pengaturan firewall saat ini, pastikan menu pemilihan drop-down berlabel Konfigurasi
diatur ke Runtime
. Atau, untuk mengedit pengaturan yang akan diterapkan pada awal sistem berikutnya, atau memuat ulang firewall, pilih Permanen
dari daftar drop-down.
-
Pilih tab
Zona
dan kemudian pilih zona firewall agar sesuai dengan antarmuka jaringan yang akan digunakan. Defaultnya adalah zonapublik
. TabAntarmuka
menunjukkan antarmuka apa yang telah ditetapkan ke zona. -
Pilih tab
Layanan
dan kemudian pilih layananipp
untuk mengaktifkan berbagi. Layananipp-client
diperlukan untuk mengakses pencetak jaringan. -
Tutup alat firewall-config.
Anda dapat mengubah akses tingkat pengguna ke pencetak yang dikonfigurasi di halaman Kontrol Akses
. Klik label Kontrol Akses
di sebelah kiri untuk menampilkan halaman. Pilih Izinkan pencetakan untuk semua orang kecuali pengguna ini
atau Tolak pencetakan untuk semua orang kecuali pengguna ini
dan tentukan set pengguna di bawah ini: masukkan nama pengguna di kotak teks dan klik tombol Tambah untuk menambahkan pengguna ke set pengguna.
Halaman Opsi Pencetak
berisi berbagai opsi konfigurasi untuk media dan keluaran pencetak, dan kontennya dapat bervariasi dari pencetak ke pencetak. Ini berisi pengaturan pencetakan umum, kertas, kualitas, dan ukuran pencetakan.
Pada halaman Opsi Pekerjaan
, Anda dapat merinci opsi pekerjaan pencetak. Klik label Opsi Pekerjaan
di sebelah kiri untuk menampilkan halaman. Sunting pengaturan baku untuk menerapkan opsi pekerjaan ubahan, seperti cacah salinan, orientasi, halaman per sisi, penskalaan (menambah atau mengurangi ukuran area yang dapat dicetak, yang dapat digunakan untuk menyesuaikan area cetak berukuran besar ke lembar fisik media cetak yang lebih kecil), opsi teks terperinci, dan opsi pekerjaan khusus.
Halaman Level Tinta/Toner
berisi detail tentang status toner jika tersedia dan pesan status pencetak. Klik label Level Tinta/Toner
di sebelah kiri untuk menampilkan halaman.
Managing Print Jobs When you send a print job to the printer daemon, such as printing a text file from Emacs or printing an image from GIMP, the print job is added to the print spool queue. The print spool queue is a list of print jobs that have been sent to the printer and information about each print request, such as the status of the request, the job number, and more.
Selama proses pencetakan, pesan yang menginformasikan tentang proses muncul di area notifikasi.
Untuk membatalkan, menahan, melepaskan, mencetak ulang, atau mengautentikasi pekerjaan pencetakan, pilih pekerjaan di Status Cetak GNOME dan pada menu Pekerjaan, klik perintah masing-masing.
Untuk melihat daftar pekerjaan pencetakan di spool cetak dari prompt shell, ketik perintah lpstat -o. Beberapa baris terakhir terlihat mirip dengan yang berikut ini:
$ lpstat -o
Charlie-60 twaugh 1024 Tue 08 Feb 2011 16:42:11 GMT
Aaron-61 twaugh 1024 Tue 08 Feb 2011 16:42:44 GMT
Ben-62 root 1024 Tue 08 Feb 2011 16:45:42 GMT
Jika Anda ingin membatalkan pekerjaan pencetakan, temukan nomor pekerjaan permintaan dengan perintah lpstat -o lalu gunakan perintah cancel job number. Misalnya, cancel 60 akan membatalkan pekerjaan pencetakan di Contoh keluaran lpstat -o. Anda tidak dapat membatalkan pekerjaan pencetakan yang dimulai oleh pengguna lain dengan perintah cancel. Namun, Anda dapat memberlakukan penghapusan pekerjaan tersebut dengan mengeluarkan perintah cancel -U root job_number. Untuk mencegah pembatalan tersebut, ubah kebijakan operasi pencetak menjadi Diautentikasi
untuk memaksa autentikasi root
.
Anda juga dapat mencetak berkas langsung dari shell prompt. Misalnya, perintah lp sample.txt mencetak berkas teks sample.txt
. Filter cetak menentukan jenis berkas apa itu dan mengubahnya menjadi format yang dapat dipahami pencetak.
Sumber Daya Tambahan
Untuk mempelajari selengkapnya tentang mencetak di Fedora, lihat sumber daya berikut ini.
Installed Documentation
- man lp
-
Halaman manual untuk perintah lpr yang memungkinkan Anda mencetak berkas dari baris perintah.
- man cancel
-
Halaman manual untuk utilitas baris perintah untuk menghapus pekerjaan pencetakan dari antrian cetak.
- man mpage
-
Halaman manual untuk utilitas baris perintah untuk mencetak beberapa halaman pada satu lembar kertas.
- man cupsd
-
Halaman manual untuk daemon pencetak CUPS.
- man cupsd.conf
-
Halaman manual untuk berkas konfigurasi daemon pencetak CUPS.
- man classes.conf
-
Halaman manual untuk berkas konfigurasi kelas untuk CUPS.
- man lpstat
-
Halaman manual untuk perintah lpstat, yang menampilkan informasi status tentang kelas, pekerjaan, dan pencetak.
Useful Websites
- https://wiki.linuxfoundation.org/openprinting/start
-
Open Printing berisi sejumlah besar informasi tentang pencetakan di Linux.
- http://www.cups.org/
-
Dokumentasi, FAQ, dan newsgroup tentang CUPS.
Want to help? Learn how to contribute to Fedora Docs ›