파일과 프린터 서버
이 장은 [application] 삼바, 서버 메시지 블럭_(SMB)와 공통 인터넷 파일 시스템(CIFS
) 통신규약, 그리고 vsftpd, {MAJORS}와 함께 탑재된 기본적인 FTP 서버의 설치와 구성을 통해 당신을 안내합니다. 추가적으로, 이는 프린터를구성하는 프린터 사용하는 방법을 설명합니다.
삼바
Samba*는 리눅스를 위한 표준 공개용 원천 윈도우 상호 운용성 프로그램 제품군입니다. 이는 서버 메시지 블럭 (SMB
) 통신규약을 구현합니다. 이와 같은 통신규약의 최근 버전은 공통 인터넷 파일 시스템 (CIFS
) 통신규약으로도 알려졌습니다. 이는 마이크로소프트 *윈도우즈, 리눅스, 유닉스, 그리고 다른 운영체제 시스템과 함께, 윈도우-기반의 파일과 프린트 공유로 접근이 가능하도록 네트워킹을 허용합니다. 삼바의 `SMB`사용은 윈도우 클라이언트에게 윈도우 서버로 표시 할 수 있도록 허용합니다.
삼바 꾸러미 설치하기
Samba*를 사용하려면, 우선 [package]*samba 꾸러미가 `root`로 동작 중인 자신의 시스템에서 설치되었는지 다음과 같이 확인하세요: ~]# dnf install samba DNF와 함께 꾸러미 설치에 대한 자세한 내용은 꾸러미 설치를 참조하세요. |
삼바 소개
삼바는 리눅스 서버와 데스크탑을 동적 디렉토리(AD) 환경으로 원활하게 통할하도록 하는 중요한 요소입니다. 이는 도메인 제어기(NT-유형) 또는 정규 도메인 구성원(AD 또는 NT4-유형)과 같은 두 기능을 할 수 있습니다. .삼바가 할 수 있는 것:
-
리눅스, 유닉스와 윈도우 클라이언트에 디렉토리 트리와 프린터 제공
-
네트워크 검색 지원(NetBIOS 사용)
-
윈도우 도메인 로그인 인증
-
윈도우 인터넷 이름 서비스 (
WINS
) 이름 서버 확인을 제공합니다 -
윈도우 NT-유형 기본 도메인 제어기 (PDC)로 동작
-
삼바-기반의 PDC를 위한 백업 도메인 제어기 (BDC)로 동작
-
동적 디렉토리 도메인 구성원 서버로 동작
-
윈도우즈 NT/2000/2003/2008 PDC/윈도우즈 서버 2012 참여
-
윈도우 PDC를 위한 BDC로 작동 (그리고 반대로)
-
동적 디렉토리 도메인 제어기로 작동
삼바 데몬과 연관된 서비스
삼바는 3가지 데몬 (smbd
, nmbd
, 그리고 winbindd
)으로 구성됩니다. 3가지 서비스 (smbd
, nmbd
, 그리고 winbindd
)는 데몬이 시작하고, 멈추고, 그리고 다른 서비스와 연계된 기능 방식을 제어합니다. 이들 서비스는 다른 초기 스크립트처럼 동작합니다. 각 데몬은 지정된 서비스 뿐만 아니라 이를 통해 제어 할 수 있는 서비스를 아래에 상세히 나열하였습니다.
smbd
서버 데몬은 윈도우 클라이언트에 파일 공유와 출력 서비스를 제공합니다. 게다가, 이는 SMB
통신규약을 통해 사용자 인증, 자원 잠금, 그리고 자료 공유를 담당합니다. SMB
트래픽을 위해 서버 수신에 사용되는 기본 포트는 TCP
139와 445 포트입니다.
smbd
데몬은 smb
서비스에 의해 제어됩니다.
The nmbd
server daemon understands and replies to NetBIOS name service requests such as those produced by SMB/CIFS in Windows-based systems. These systems include Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, and LanManager clients. It also participates in the browsing protocols that make up the Windows Network Neighborhood
view. The default port that the server listens to for NMB
traffic is UDP
port 137
.
nmd`서비스에 의해 `nmbd
데몬이 통제됩니다.
The winbind
service resolves user and group information received from a server running Windows NT, 2000, 2003, Windows Server 2008, or Windows Server 2012. This makes Windows user and group information understandable by UNIX platforms. This is achieved by using Microsoft RPC calls, Pluggable Authentication Modules (PAM), and the Name Service Switch (NSS). This allows Windows NT domain and Active Directory users to appear and operate as UNIX users on a UNIX machine. Though bundled with the Samba distribution, the winbind
service is controlled separately from the smb
service.
The winbind
daemon is controlled by the winbind
service and does not require the smb
service to be started in order to operate. winbind
is also used when Samba is an Active Directory member, and may also be used on a Samba domain controller (to implement nested groups and interdomain trust). Because winbind
is a client-side service used to connect to Windows NT-based servers, further discussion of winbind
is beyond the scope of this chapter.
삼바와 함께 제공되는 유틸리티 목록 얻기
삼바 배포판에서 포함된 유틸리티의 목록을 위한 삼바 배포판 프로그램을 참고하세요. |
공유 적재하기
Sometimes it is useful to mount a Samba share to a directory so that the files in the directory can be treated as if they are part of the local file system.
To mount a Samba share to a directory, create a directory to mount it to (if it does not already exist), and execute the following command as root
:
mount -t cifs //servername/sharename /mnt/point/ -o username=username,password=password
This command mounts sharename from servername in the local directory /mnt/point/.
삼바 공유 적재하기에 대해 더 많은 정보를 위해, mount.cifs(8) 설명서 부분을 참고하세요.
cifs-utils 꾸러미 설치하기
The mount.cifs utility is a separate RPM (independent from Samba). In order to use mount.cifs, first ensure the cifs-utils package is installed on your system by running, as ~]# dnf install cifs-utils DNF와 함께 꾸러미 설치에 대한 자세한 내용은 꾸러미 설치를 참조하세요. Note that the cifs-utils package also contains the cifs.upcall binary called by the kernel in order to perform kerberized CIFS mounts. For more information on cifs.upcall, see the cifs.upcall(8) manual page. |
일반 텍스트 비밀번호가 필요한 CIFS 서버
Some CIFS servers require plain text passwords for authentication. Support for plain text password authentication can be enabled using the following command as ~]# echo 0x37 > /proc/fs/cifs/SecurityFlags
|
삼바 서버 구성하기
The default configuration file (/etc/samba/smb.conf
) allows users to view their home directories as a Samba share. It also shares all printers configured for the system as Samba shared printers. You can attach a printer to the system and print to it from the Windows machines on your network.
Graphical Configuration To configure Samba using a graphical interface, use one of the available Samba graphical user interfaces. A list of available GUIs can be found at http://www.samba.org/samba/GUI/.
Command-Line Configuration Samba uses /etc/samba/smb.conf
as its configuration file. If you change this configuration file, the changes do not take effect until you restart the Samba daemon with the following command, as root
:
~]# systemctl restart smb.service
To specify the Windows workgroup and a brief description of the Samba server, edit the following lines in your /etc/samba/smb.conf
file:
workgroup = WORKGROUPNAME server string = BRIEF COMMENT ABOUT SERVER
Replace WORKGROUPNAME with the name of the Windows workgroup to which this machine should belong. The BRIEF COMMENT ABOUT SERVER is optional and is used as the Windows comment about the Samba system.
To create a Samba share directory on your Linux system, add the following section to your /etc/samba/smb.conf
file (after modifying it to reflect your needs and your system):
[sharename] comment = Insert a comment here path = /home/share/ valid users = tfox carole writable = yes create mask = 0765
The above example allows the users tfox and carole to read and write to the directory /home/share/
, on the Samba server, from a Samba client.
삼바 시작하기와 멈추기
To start a Samba server, type the following command in a shell prompt, as root
:
~]# systemctl start smb.service
도메인 구성원 서버로 설정하기
To set up a domain member server, you must first join the domain or Active Directory using the net join command before starting the |
To stop the server, type the following command in a shell prompt, as root
:
~]# systemctl stop smb.service
The restart
option is a quick way of stopping and then starting Samba. This is the most reliable way to make configuration changes take effect after editing the configuration file for Samba. Note that the restart option starts the daemon even if it was not running originally.
To restart the server, type the following command in a shell prompt, as root
:
~]# systemctl restart smb.service
The condrestart
(conditional restart) option only starts smb
on the condition that it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
변경 사항을 구성에 적용하기
When the |
To conditionally restart the server, type the following command, as root
:
~]# systemctl try-restart smb.service
A manual reload of the /etc/samba/smb.conf
file can be useful in case of a failed automatic reload by the smb
service. To ensure that the Samba server configuration file is reloaded without restarting the service, type the following command, as root
:
~]# systemctl reload smb.service
By default, the smb
service does not start automatically at boot time. To configure Samba to start at boot time, type the following at a shell prompt as root
:
~]# systemctl enable smb.service
See Services and Daemons for more information regarding this tool.
삼바 서버 유형과 smb.conf
파일
Samba configuration is straightforward. All modifications to Samba are done in the /etc/samba/smb.conf
configuration file. Although the default smb.conf
file is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations.
The following sections describe the different ways a Samba server can be configured. Keep in mind your needs and the changes required to the /etc/samba/smb.conf
file for a successful configuration.
Stand-alone Server A stand-alone server can be a workgroup server or a member of a workgroup environment. A stand-alone server is not a domain controller and does not participate in a domain in any way. The following examples include several user-level security configurations. For more information on security modes, see Samba Security Modes.
The following /etc/samba/smb.conf
file shows a sample configuration needed to implement anonymous read-only file sharing. Two directives are used to configure anonymous access – map to guest = Bad user
and guest account = nobody
.
[global] workgroup = DOCS netbios name = DOCS_SRV security = user guest account = nobody # default value map to guest = Bad user [data] comment = Documentation Samba Server path = /export read only = yes guest ok = yes
The following /etc/samba/smb.conf
file shows a sample configuration needed to implement anonymous read/write file sharing. To enable anonymous read/write file sharing, set the read only
directive to no
. The force user
and force group
directives are also added to enforce the ownership of any newly placed files specified in the share.
익명 사용자의 읽기/쓰기를 서버에서 사용하지 않습니다
Although having an anonymous read/write server is possible, it is not recommended. Any files placed in the share space, regardless of user, are assigned the user/group combination as specified by a generic user ( |
[global] workgroup = DOCS security = user guest account = nobody # default value map to guest = Bad user [data] comment = Data path = /export guest ok = yes writeable = yes force user = user force group = group
The following /etc/samba/smb.conf
file shows a sample configuration needed to implement an anonymous print server. Setting browseable
to no
as shown does not list the printer in Windows Network Neighborhood
. Although hidden from browsing, configuring the printer explicitly is possible. By connecting to DOCS_SRV
using NetBIOS, the client can have access to the printer if the client is also part of the DOCS
workgroup. It is also assumed that the client has the correct local printer driver installed, as the use client driver
directive is set to yes
. In this case, the Samba server has no responsibility for sharing printer drivers to the client.
[global] workgroup = DOCS netbios name = DOCS_SRV security = user map to guest = Bad user printing = cups [printers] comment = All Printers path = /var/spool/samba guest ok = yes printable = yes use client driver = yes browseable = yes
The following /etc/samba/smb.conf
file shows a sample configuration needed to implement a secure read/write file and print server. Setting the security
directive to user
forces Samba to authenticate client connections. Notice the [homes]
share does not have a force user
or force group
directive as the [public]
share does. The [homes]
share uses the authenticated user details for any files created as opposed to the force user
and force group
in [public]
.
[global] workgroup = DOCS netbios name = DOCS_SRV security = user printcap name = cups disable spools = yes show add printer wizard = no printing = cups [homes] comment = Home Directories valid users = %S read only = no browseable = no [public] comment = Data path = /export force user = docsbot force group = users guest ok = yes [printers] comment = All Printers path = /var/spool/samba printer admin = john, ed, @admins create mask = 0600 guest ok = yes printable = yes use client driver = yes browseable = yes
Domain Member Server A domain member, while similar to a stand-alone server, is logged into a domain controller (either Windows or Samba) and is subject to the domain’s security rules. An example of a domain member server would be a departmental server running Samba that has a machine account on the Primary Domain Controller (PDC). All of the department’s clients still authenticate with the PDC, and desktop profiles and all network policy files are included. The difference is that the departmental server has the ability to control printer and network shares.
To implement an Active Directory domain member server, follow procedure below:
-
Create the
/etc/samba/smb.conf
configuration file on a member server to be added to the Active Directory domain. Add the following lines to the configuration file:[global] realm = EXAMPLE.COM security = ADS encrypt passwords = yes # Optional. Use only if Samba cannot determine the Kerberos server automatically. password server = kerberos.example.com
With the above configuration, Samba authenticates users for services being run locally but is also a client of the Active Directory. Ensure that your kerberos
realm
parameter is shown in all caps (for examplerealm = EXAMPLE.COM
). Since Windows 2000/2003/2008 requires Kerberos for Active Directory authentication, therealm
directive is required. If Active Directory and Kerberos are running on different servers, thepassword server
directive is required to help the distinction. -
Configure Kerberos on the member server. Create the
/etc/krb5.conf
configuration file with the following content:[logging] default = FILE:/var/log/krb5libs.log [libdefaults] default_realm = AD.EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d rdns = false forwardable = false [realms] # DNS 조회가 동작하지 않는 경우에만 정의 # AD.EXAMPLE.COM = { # kdc = server.ad.example.com # admin_server = server.ad.example.com # master_kdc = server.ad.example.com # } [domain_realm] # Define only if DNS lookups are not working # .ad.example.com = AD.EXAMPLE.COM # ad.example.com = AD.EXAMPLE.COM
Uncomment the
[realms]
and[domain_realm]
sections if DNS lookups are not working.For more information on Kerberos, and the /etc/krb5.conf file, see the Using Kerberos section of the Red Hat Enterprise Linux 7 System Level Authentication Guide.
-
To join an Active Directory server, type the following command as
root
on the member server:~]# net ads join -U administrator%password
The net command authenticates as
Administrator
using the NT LAN Manager (NTLM) protocol and creates the machine account. Then net uses the machine account credentials to authenticate with Kerberos.보안 선택Since
security = ads
and notsecurity = user
is used, a local password back end such assmbpasswd
is not needed. Older clients that do not supportsecurity = ads
are authenticated as ifsecurity = domain
had been set. This change does not affect functionality and allows local users not previously in the domain.
The following /etc/samba/smb.conf
file shows a sample configuration needed to implement a Windows NT4-based domain member server. Becoming a member server of an NT4-based domain is similar to connecting to an Active Directory. The main difference is NT4-based domains do not use Kerberos in their authentication method, making the /etc/samba/smb.conf
file simpler. In this instance, the Samba member server functions as a pass through to the NT4-based domain server.
[global] workgroup = DOCS netbios name = DOCS_SRV security = domain [homes] comment = Home Directories valid users = %S read only = no browseable = no [public] comment = Data path = /export force user = docsbot force group = users guest ok = yes
Having Samba as a domain member server can be useful in many situations. There are times where the Samba server can have other uses besides file and printer sharing. It may be beneficial to make Samba a domain member server in instances where Linux-only applications are required for use in the domain environment. Administrators appreciate keeping track of all machines in the domain, even if not Windows-based. In the event the Windows-based server hardware is deprecated, it is quite easy to modify the /etc/samba/smb.conf
file to convert the server to a Samba-based PDC. If Windows NT-based servers are upgraded to Windows 2000/2003/2008 the /etc/samba/smb.conf
file is easily modifiable to incorporate the infrastructure change to Active Directory if needed.
삼바를 시작하기 전에 도메인에 합류했는지 확인 합니다
~]# net rpc join -U administrator%password |
Note that the -S
option, which specifies the domain server host name, does not need to be stated in the net rpc join command. Samba uses the host name specified by the workgroup
directive in the /etc/samba/smb.conf
file instead of it being stated explicitly.
Domain Controller A domain controller in Windows NT is functionally similar to a Network Information Service (NIS) server in a Linux environment. Domain controllers and NIS servers both host user and group information databases as well as related services. Domain controllers are mainly used for security, including the authentication of users accessing domain resources. The service that maintains the user and group database integrity is called the Security Account Manager (SAM). The SAM database is stored differently between Windows and Linux Samba-based systems, therefore SAM replication cannot be achieved and platforms cannot be mixed in a PDC/BDC environment.
In a Samba environment, there can be only one PDC and zero or more BDCs.
A mixed Samba/Windows domain controller environment
Samba cannot exist in a mixed Samba/Windows domain controller environment (Samba cannot be a BDC of a Windows PDC or vice versa). Alternatively, Samba PDCs and BDCs can coexist. |
tdbsam
The simplest and most common implementation of a Samba PDC uses the new default tdbsam
password database back end. Replacing the aging smbpasswd
back end, tdbsam
has numerous improvements that are explained in more detail in Samba Account Information Databases. The passdb backend
directive controls which back end is to be used for the PDC.
The following /etc/samba/smb.conf
file shows a sample configuration needed to implement a tdbsam
password database back end.
tdbsam
[global] workgroup = DOCS netbios name = DOCS_SRV passdb backend = tdbsam security = user add user script = /usr/sbin/useradd -m "%u" delete user script = /usr/sbin/userdel -r "%u" add group script = /usr/sbin/groupadd "%g" delete group script = /usr/sbin/groupdel "%g" add user to group script = /usr/sbin/usermod -G "%g" "%u" add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines "%u" # The following specifies the default logon script # Per user logon scripts can be specified in the user # account using pdbedit logon script = logon.bat # This sets the default profile path. # Set per user paths with pdbedit logon drive = H: domain logons = yes os level = 35 preferred master = yes domain master = yes [homes] comment = Home Directories valid users = %S read only = no [netlogon] comment = Network Logon Service path = /var/lib/samba/netlogon/scripts browseable = no read only = no # For profiles to work, create a user directory under the # path shown. # mkdir -p /var/lib/samba/profiles/john [Profiles] comment = Roaming Profile Share path = /var/lib/samba/profiles read only = no browseable = no guest ok = yes profile acls = yes # 다른 자원 공유 ... ...
To provide a functional PDC system which uses tdbsam
follow these steps:
-
Adjust the
smb.conf
configuration file as shown in An Example Configuration of Primary Domain Controller (PDC) Usingtdbsam
. -
Add the
root
user to the Samba password database. You will be prompted to provide a new Samba password for theroot
user:~]# smbpasswd -a root New SMB password:
-
smb
서비스가 시작합니다:~]# service smb start
-
모든 프로파일, 사용자와 넷로그온 디렉토리가 생성되었는지 확인합니다.
-
사용자가 다음의 구성원이 될 수 있는 그룹을 추가합니다:
~]# groupadd -f users ~]# groupadd -f nobody ~]# groupadd -f ntadmins
-
유닉스 그룹을 예상되는 윈도우 그룹과 연결합니다.
~]# net groupmap add ntgroup="Domain Users" unixgroup=users ~]# net groupmap add ntgroup="Domain Guests" unixgroup=nobody ~]# net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
-
사용자 또는 그룹으로 접근 권한을 허용합니다. 예를 들면, 클라이언트 장비를 삼바 도메인 제어기, 도메인 관리 그룹에 대한 구성원에서 도메인으로 추가하도록 허용하려면, 다음 명령을 실행합니다:
~]# net rpc rights grant 'DOCS\Domain Admins' SetMachineAccountPrivilege -S PDC -U root
윈도우 시스템은 도메인 사용자와 같은 도메인 그룹에 대응되는 기본 그룹을 가지는 것을 선호한다는 것을 명심하세요.
Windows groups and users use the same namespace thus not allowing the existence of a group and a user with the same name like in UNIX.
Limitations of the tdbsam authentication back end
If you need more than one domain controller or have more than 250 users, do not use the |
Although it is possible for Samba to be a member of an Active Directory, it is not possible for Samba to operate as an Active Directory domain controller.
삼바 보안 방법
There are only two types of security modes for Samba, share-level and user-level, which are collectively known as security levels. Share-level security is deprecated and has been removed from Samba. Configurations containing this mode need to be migrated to use user-level security. User-level security can be implemented in one of three different ways. The different ways of implementing a security level are called security modes.
User-Level Security User-level security is the default and recommended setting for Samba. Even if the security = user
directive is not listed in the /etc/samba/smb.conf
file, it is used by Samba. If the server accepts the client’s user name and password, the client can then mount multiple shares without specifying a password for each instance. Samba can also accept session-based user name and password requests. The client maintains multiple authentication contexts by using a unique UID for each logon.
In the /etc/samba/smb.conf
file, the security = user
directive that sets user-level security is:
[GLOBAL] ... security = user ...
As mentioned above, share-level security mode is deprecated. To configure a Samba guest share without using the security = share
parameter, follow the procedure below:
다음 부분은 사용자-수준 보안의 다른 구현을 설명합니다.
In domain security mode, the Samba server has a machine account (domain security trust account) and causes all authentication requests to be passed through to the domain controllers. The Samba server is made into a domain member server by using the following directives in the /etc/samba/smb.conf
file:
[GLOBAL] ... security = domain workgroup = MARKETING ...
If you have an Active Directory environment, it is possible to join the domain as a native Active Directory member. Even if a security policy restricts the use of NT-compatible authentication protocols, the Samba server can join an ADS using Kerberos. Samba in Active Directory member mode can accept Kerberos tickets.
In the /etc/samba/smb.conf
file, the following directives make Samba an Active Directory member server:
[GLOBAL] ... security = ADS realm = EXAMPLE.COM password server = kerberos.example.com ...
Share-Level Security With share-level security, the server accepts only a password without an explicit user name from the client. The server expects a password for each share, independent of the user name. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. This mode is deprecated and has been removed from Samba. Configurations containing security = share
should be updated to use user-level security. Follow the steps in Configuring Samba Guest Shares to avoid using the security = share
directive.
삼바 계정 정보 데이타베이스
The following is a list different back ends you can use with Samba. Other back ends not listed here may also be available.
- 플레인 텍스트
-
Plain text back ends are nothing more than the
/etc/passwd
type back ends. With a plain text back end, all user names and passwords are sent unencrypted between the client and the Samba server. This method is very insecure and is not recommended for use by any means. It is possible that different Windows clients connecting to the Samba server with plain text passwords cannot support such an authentication method. smbpasswd
-
The
smbpasswd
back end utilizes a plain ASCII text layout that includes the MS Windows LanMan and NT account, and encrypted password information. Thesmbpasswd
back end lacks the storage of the Windows NT/2000/2003 SAM extended controls. Thesmbpasswd
back end is not recommended because it does not scale well or hold any Windows information, such as RIDs for NT-based groups. Thetdbsam
back end solves these issues for use in a smaller database (250 users), but is still not an enterprise-class solution. ldapsam_compat
-
The
ldapsam_compat
back end allows continued OpenLDAP support for use with upgraded versions of Samba. tdbsam
-
The default
tdbsam
password back end provides a database back end for local servers, servers that do not need built-in database replication, and servers that do not require the scalability or complexity of LDAP. Thetdbsam
back end includes all of thesmbpasswd
database information as well as the previously-excluded SAM information. The inclusion of the extended SAM data allows Samba to implement the same account and system access controls as seen with Windows NT/2000/2003/2008-based systems.The
tdbsam
back end is recommended for 250 users at most. Larger organizations should require Active Directory or LDAP integration due to scalability and possible network infrastructure concerns. ldapsam
-
The
ldapsam
back end provides an optimal distributed account installation method for Samba. LDAP is optimal because of its ability to replicate its database to any number of servers such as the Red Hat Directory Server or an OpenLDAP Server. LDAP databases are light-weight and scalable, and as such are preferred by large enterprises. Installation and configuration of directory servers is beyond the scope of this chapter. For more information on the Red Hat Directory Server, see the Red Hat Directory Server 10 Deployment Guide. For more information on LDAP, see OpenLDAP.If you are upgrading from a previous version of Samba to 3.0, note that the OpenLDAP schema file (
/usr/share/doc/samba-version/LDAP/samba.schema
) and the Red Hat Directory Server schema file (/usr/share/doc/samba-version/LDAP/samba-schema-FDS.ldif
) have changed. These files contain the attribute syntax definitions and objectclass definitions that theldapsam
back end needs in order to function properly.As such, if you are using the
ldapsam
back end for your Samba server, you will need to configureslapd
to include one of these schema file. See Extending Schema for directions on how to do this.Make sure the openldap-servers package is installedYou need to have the openldap-servers package installed if you want to use the
ldapsam
back end. To ensure that the package is installed, execute the following command asroots
:~]# dnf install openldap-servers
삼바 네트워크 검색
Network browsing enables Windows and Samba servers to appear in the Windows Network Neighborhood
. Inside the Network Neighborhood
, icons are represented as servers and if opened, the server’s shares and printers that are available are displayed.
Network browsing capabilities require NetBIOS over TCP
/IP
. NetBIOS-based networking uses broadcast (UDP
) messaging to accomplish browse list management. Without NetBIOS and WINS as the primary method for TCP
/IP
host name resolution, other methods such as static files (/etc/hosts
) or DNS
, must be used.
A domain master browser collates the browse lists from local master browsers on all subnets so that browsing can occur between workgroups and subnets. Also, the domain master browser should preferably be the local master browser for its own subnet.
Domain Browsing By default, a Windows server PDC for a domain is also the domain master browser for that domain. A Samba server must not be set up as a domain master server in this type of situation.
For subnets that do not include the Windows server PDC, a Samba server can be implemented as a local master browser. Configuring the /etc/samba/smb.conf
file for a local master browser (or no browsing at all) in a domain controller environment is the same as workgroup configuration (see Configuring a Samba Server).
WINS (Windows Internet Name Server) Either a Samba server or a Windows NT server can function as a WINS server. When a WINS server is used with NetBIOS enabled, UDP unicasts can be routed which allows name resolution across networks. Without a WINS server, the UDP broadcast is limited to the local subnet and therefore cannot be routed to other subnets, workgroups, or domains. If WINS replication is necessary, do not use Samba as your primary WINS server, as Samba does not currently support WINS replication.
In a mixed NT/2000/2003/2008 server and Samba environment, it is recommended that you use the Microsoft WINS capabilities. In a Samba-only environment, it is recommended that you use only one Samba server for WINS.
The following is an example of the /etc/samba/smb.conf
file in which the Samba server is serving as a WINS server:
[global] wins support = yes
WINS 사용하기
All servers (including Samba) should connect to a WINS server to resolve NetBIOS names. Without WINS, browsing only occurs on the local subnet. Furthermore, even if a domain-wide list is somehow obtained, hosts cannot be resolved for the client without WINS. |
CUPS 출력 지원하는 삼바
Samba allows client machines to share printers connected to the Samba server. In addition, Samba also allows client machines to send documents built in Linux to Windows printer shares. Although there are other printing systems that function with Fedora, CUPS (Common UNIX Print System) is the recommended printing system due to its close integration with Samba.
Simple smb.conf
Settings The following example shows a very basic /etc/samba/smb.conf
configuration for CUPS support:
[global] load printers = yes printing = cups printcap name = cups [printers] comment = All Printers path = /var/spool/samba browseable = no guest ok = yes writable = no printable = yes printer admin = @ntadmins [print$] comment = Printer Drivers Share path = /var/lib/samba/drivers write list = ed, john printer admin = ed, john
Other printing configurations are also possible. To add additional security and privacy for printing confidential documents, users can have their own print spooler not located in a public path. If a job fails, other users would not have access to the file.
The print$
directive contains printer drivers for clients to access if not available locally. The print$
directive is optional and may not be required depending on the organization.
Setting browseable
to yes
enables the printer to be viewed in the Windows Network Neighborhood, provided the Samba server is set up correctly in the domain or workgroup.
삼바 배포 프로그램
.net
net <protocol> <function> <misc_options> <target_options>
The net
utility is similar to the net
utility used for Windows and MS-DOS. The first argument is used to specify the protocol to use when executing a command. The protocol
option can be ads
, rap
, or rpc
for specifying the type of server connection. Active Directory uses ads
, Win9x/NT3 uses rap
, and Windows NT4/2000/2003/2008 uses rpc
. If the protocol is omitted, net
automatically tries to determine it.
The following example displays a list of the available shares for a host named wakko
:
~]$ net -l share -S wakko
비밀번호:
원격 서버에서 공유 자원 (내보내기) 열거하기:
공유 이름 유형 설명
---------- ---- -----------
data Disk Wakko data 공유
tmp Disk Wakko tmp 공유
IPC$ IPC IPC 서비스 (삼바 서버)
ADMIN$ IPC IPC 서비스 (삼바 서버)
The following example displays a list of Samba users for a host named wakko
:
~]$ net -l user -S wakko
root 비밀번호:
사용자 이름 댓글
-----------------------------
andriusb 문서
joe 마케팅
lisa 세일즈
nmblookup
nmblookup <options> <netbios_name>
The nmblookup
program resolves NetBIOS names into IP
addresses. The program broadcasts its query on the local subnet until the target machine replies.
The following example displays the IP
address of the NetBIOS name trek
:
~]$ nmblookup trek querying trek on 10.1.59.255 10.1.56.45 trek<00>
pdbedit
pdbedit <options>
The pdbedit
program manages accounts located in the SAM database. All back ends are supported including smbpasswd
, LDAP, and the tdb database library.
The following are examples of adding, deleting, and listing users:
~]$ pdbedit -a kristin new password: retype new password: Unix username: kristin NT username: Account Flags: [U ] User SID: S-1-5-21-1210235352-3804200048-1474496110-2012 Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077 Full Name: Home Directory: \\wakko\kristin HomeDir Drive: Logon Script: Profile Path: \\wakko\kristin\profile Domain: WAKKO Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set: Thu, 29 Jan 2004 08:29:28 GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT ~]$ pdbedit -v -L kristin Unix username: kristin NT username: Account Flags: [U ] User SID: S-1-5-21-1210235352-3804200048-1474496110-2012 Primary Group SID: S-1-5-21-1210235352-3804200048-1474496110-2077 Full Name: Home Directory: \\wakko\kristin HomeDir Drive: Logon Script: Profile Path: \\wakko\kristin\profile Domain: WAKKO Account desc: Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 22:14:07 GMT Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT Password last set: Thu, 29 Jan 2004 08:29:28 GMT Password can change: Thu, 29 Jan 2004 08:29:28 GMT Password must change: Mon, 18 Jan 2038 22:14:07 GMT ~]$ pdbedit -L andriusb:505: joe:503: lisa:504: kristin:506: ~]$ pdbedit -x joe ~]$ pdbedit -L andriusb:505: lisa:504: kristin:506:
rpcclient
rpcclient <server> <options>
The rpcclient
program issues administrative commands using Microsoft RPCs, which provide access to the Windows administration graphical user interfaces (GUIs) for systems management. This is most often used by advanced users that understand the full complexity of Microsoft RPCs.
smbcacls
smbcacls <//server/share> <filename> <options>
The smbcacls
program modifies Windows ACLs on files and directories shared by a Samba server or a Windows server.
smbclient
smbclient <//server/share> <password> <options>
The smbclient
program is a versatile UNIX client which provides functionality similar to the ftp
utility.
smbcontrol
smbcontrol -i <options>
smbcontrol <options> <destination> <messagetype> <parameters>
The smbcontrol
program sends control messages to running smbd
, nmbd
, or winbindd
daemons. Executing smbcontrol -i runs commands interactively until a blank line or a 'q'
is entered.
smbpasswd
smbpasswd <options> <username> <password>
The smbpasswd
program manages encrypted passwords. This program can be run by a superuser to change any user’s password and also by an ordinary user to change their own Samba password.
smbspool
smbspool <job> <user> <title> <copies> <options> <filename>
The smbspool
program is a CUPS-compatible printing interface to Samba. Although designed for use with CUPS printers, smbspool can work with non-CUPS printers as well.
smbstatus
smbstatus <options>
`smbstatus`프로그램은 삼바 서버의 현재 연결 상태를 표시합니다.
smbtar
smbtar <options>
The smbtar
program performs backup and restores of Windows-based share files and directories to a local tape archive. Though similar to the tar
utility, the two are not compatible.
testparm
testparm <options> <filename> <hostname IP_address>
The testparm
program checks the syntax of the /etc/samba/smb.conf
file. If your smb.conf
file is in the default location (/etc/samba/smb.conf
) you do not need to specify the location. Specifying the host name and IP
address to the testparm
program verifies that the hosts.allow
and host.deny
files are configured correctly. The testparm
program also displays a summary of your smb.conf
file and the server’s role (stand-alone, domain, etc.) after testing. This is convenient when debugging as it excludes comments and concisely presents information for experienced administrators to read. For example:
~]$ testparm Load smb config files from /etc/samba/smb.conf Processing section "[homes]" Processing section "[printers]" Processing section "[tmp]" Processing section "[html]" Loaded services file OK. Server role: ROLE_STANDALONE Press enter to see a dump of your service definitions <enter>
# Global parameters
[global]
workgroup = MYGROUP
server string = Samba Server
security = SHARE
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
[homes]
comment = Home Directories
read only = no
browseable = no
[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
browseable = no
[tmp]
comment = Wakko tmp
path = /tmp
guest only = yes
[html]
comment = Wakko www
path = /var/www/html
force user = andriusb
force group = users
read only = no
guest only = yes
wbinfo
wbinfo <options>
The wbinfo
program displays information from the winbindd
daemon. The winbindd
daemon must be running for wbinfo
to work.
추가 자원
The following sections give you the means to explore Samba in greater detail.
-
/usr/share/doc/samba-<version-number>/
— All additional files included with the Samba distribution. This includes all helper scripts, sample configuration files, and documentation. -
See the following man pages for detailed information specific Samba features:
-
smb.conf(5)
-
samba(7)
-
smbd(8)
-
nmbd(8)
-
winbindd(8)
-
-
http://www.samba.org/ — Homepage for the Samba distribution and all official documentation created by the Samba development team. Many resources are available in HTML and PDF formats, while others are only available for purchase. Although many of these links are not Fedora specific, some concepts may apply.
-
https://wiki.samba.org/index.php/User_Documentation — Samba 4.x official documentation.
-
http://samba.org/samba/archives.html — Active email lists for the Samba community. Enabling digest mode is recommended due to high levels of list activity.
-
Samba newsgroups — Samba threaded newsgroups, such as www.gmane.org, that use the
NNTP
protocol are also available. This an alternative to receiving mailing list emails.
FTP
File Transfer Protocol (FTP
) is one of the oldest and most commonly used protocols found on the Internet today. Its purpose is to reliably transfer files between computer hosts on a network without requiring the user to log directly into the remote host or have knowledge of how to use the remote system. It allows users to access files on remote systems using a standard set of simple commands.
This section outlines the basics of the FTP
protocol, as well as configuration options for the primary FTP
server shipped with Fedora, vsftpd.
파일 전송 통신규약
However, because FTP
is so prevalent on the Internet, it is often required to share files to the public. System administrators, therefore, should be aware of the FTP
protocol’s unique characteristics.
Multiple Ports, Multiple Modes Unlike most protocols used on the Internet, FTP
requires multiple network ports to work properly. When an FTP
client application initiates a connection to an FTP
server, it opens port 21 on the server — known as the command port. This port is used to issue all commands to the server. Any data requested from the server is returned to the client via a data port. The port number for data connections, and the way in which data connections are initialized, vary depending upon whether the client requests the data in active or passive mode.
다음은 이들 방식을 정의합니다:
- 동적 방식
-
Active mode is the original method used by the
FTP
protocol for transferring data to the client application. When an active mode data transfer is initiated by theFTP
client, the server opens a connection from port 20 on the server to theIP
address and a random, unprivileged port (greater than 1024) specified by the client. This arrangement means that the client machine must be allowed to accept connections over any port above 1024. With the growth of insecure networks, such as the Internet, the use of firewalls to protect client machines is now prevalent. Because these client-side firewalls often deny incoming connections from active modeFTP
servers, passive mode was devised. - 정적 방식
-
Passive mode, like active mode, is initiated by the
FTP
client application. When requesting data from the server, theFTP
client indicates it wants to access the data in passive mode and the server provides theIP
address and a random, unprivileged port (greater than 1024) on the server. The client then connects to that port on the server to download the requested information.While passive mode resolves issues for client-side firewall interference with data connections, it can complicate administration of the server-side firewall. You can reduce the number of open ports on a server by limiting the range of unprivileged ports on the
FTP
server. This also simplifies the process of configuring firewall rules for the server. See Network Options for more information about limiting passive ports.
FTP 서버
Fedora ships with two different FTP
servers:
-
proftpd - 빠르고, 안정적이며, 그리고 고도로 구성 가능한 FTP 서버.
-
vsftpd — Fedora를 위해 선호하는
FTP`서버인 빠르고, 안전한 `FTP
데몬. 이 부분의 나머지 부분은 [command]#vsftpd#에 중점을 둡니다.
vsftpd
The Very Secure FTP Daemon (vsftpd) is designed from the ground up to be fast, stable, and, most importantly, secure. vsftpd is the only stand-alone FTP
server distributed with Fedora, due to its ability to handle large numbers of connections efficiently and securely.
[command]#vsftpd#에 의해 사용된 보안 모델은 다음 3가지 기본 측면을 가지고 있습니다:
-
Strong separation of privileged and non-privileged processes — Separate processes handle different tasks, and each of these processes run with the minimal privileges required for the task.
-
Tasks requiring elevated privileges are handled by processes with the minimal privilege necessary — By leveraging compatibilities found in the
libcap
library, tasks that usually require fullroot
privileges can be executed more safely from a less privileged process. -
Most processes run in a chroot jail — Whenever possible, processes are change-rooted to the directory being shared; this directory is then considered a chroot jail. For example, if the directory /var/ftp/ is the primary shared directory, vsftpd reassigns /var/ftp/ to the new root directory, known as /. This disallows any potential malicious hacker activities for any directories not contained below the new root directory.
이들 보안 사례의 사용은 [command]#vsftpd#가 요청을 처리하는 방법에서 다음과 같은 영향을 갖습니다:
-
The parent process runs with the least privileges required — The parent process dynamically calculates the level of privileges it requires to minimize the level of risk. Child processes handle direct interaction with the
FTP
clients and run with as close to no privileges as possible. -
All operations requiring elevated privileges are handled by a small parent process — Much like the Apache
HTTP
Server, vsftpd launches unprivileged child processes to handle incoming connections. This allows the privileged, parent process to be as small as possible and handle relatively few tasks. -
All requests from unprivileged child processes are distrusted by the parent process — Communication with child processes are received over a socket, and the validity of any information from child processes is checked before being acted on.
-
Most interaction with
FTP
clients is handled by unprivileged child processes in a chroot jail — Because these child processes are unprivileged and only have access to the directory being shared, any crashed processes only allows the attacker access to the shared files.
[command]#vsftpd#로 설치된 파일
The vsftpd
RPM installs the daemon (/usr/sbin/vsftpd
), its configuration and related files, as well as FTP
directories onto the system. The following lists the files and directories related to vsftpd configuration:
-
/etc/rc.d/init.d/vsftpd
— The initialization script (initscript) used by the systemctl command to start, stop, or reload vsftpd. See Starting and Stopping vsftpd for more information about using this script. -
/etc/pam.d/vsftpd
— The Pluggable Authentication Modules (PAM) configuration file for vsftpd. This file specifies the requirements a user must meet to login to theFTP
server. For more information on PAM, refer to the Using Pluggable Authentication Modules (PAM) chapter of the Fedora 26 Managing Single Sign-On and Smart Cards guide. -
/etc/vsftpd/vsftpd.conf
— The configuration file for vsftpd. See vsftpd Configuration Options for a list of important options contained within this file. -
/etc/vsftpd/ftpusers
— 사용자 목록은 로그를 [command]#vsftpd#로 허용하지 않습니다. 기본값으로, 이와 같은 목록은 무엇보다도root
,bin
, 그리고daemon
사용자를 포함합니다. -
/etc/vsftpd/user_list
— This file can be configured to either deny or allow access to the users listed, depending on whether the userlist_deny directive is set to YES (default) or NO in/etc/vsftpd/vsftpd.conf
. If/etc/vsftpd/user_list
is used to grant access to users, the usernames listed must not appear in/etc/vsftpd/ftpusers
. -
/varftp/ftp/
— [command]#vsftpd#에 의해 제공되는 파일을 포함하는 디렉토리. 이는 또한 익명의 사용자를 위한/var/ftp/pub/
디렉토리를 포함합니다. 두 디렉토리 누구나-읽을 수 있지만, 'root' 사용자만이 쓸 수 있습니다.
vsftpd 시작과 멈춤
The vsftpd
RPM installs the /etc/rc.d/init.d/vsftpd
script, which can be accessed using the systemctl command.
`root`유형으로 서버를 시작 할 때에:
systemctl start vsftpd.service
서버를 멈추려면`root` 유형으로:
systemctl stop vsftpd.service
The restart
option is a shorthand way of stopping and then starting vsftpd. This is the most efficient way to make configuration changes take effect after editing the configuration file for vsftpd.
서버를 재시작 할 때에, `root`으로 다음과 같이 입력하세요:
systemctl restart vsftpd.service
The condrestart
(conditional restart) option only starts vsftpd if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
상태에 따라 서버를 재시작 할 때에, `root`으로 다음과 같이 입력하세요:
systemctl condrestart vsftpd.service
By default, the vsftpd service does not start automatically at boot time. To configure the vsftpd service to start at boot time, use a service manager such as systemctl. See Services and Daemons for more information on how to configure services in Fedora.
Starting Multiple Copies of vsftpd Sometimes one computer is used to serve multiple FTP
domains. This is a technique called multihoming. One way to multihome using vsftpd is by running multiple copies of the daemon, each with its own configuration file.
To do this, first assign all relevant IP
addresses to network devices or alias network devices on the system. For more information about configuring network devices, device aliases, and additional information about network configuration scripts, refer to the Fedora Networking Guide.
Next, the DNS server for the FTP
domains must be configured to reference the correct machine. For information about BIND and its configuration files, refer to the Fedora Networking Guide.
If there is more configuration files present in the /etc/vsftpd
directory, calling systemctl start vsftpd.service results in the /etc/rc.d/init.d/vsftpd
initscript starting the same number of processes as the number of configuration files. Each configuration file must have a unique name in the /etc/vsftpd/
directory and must be readable and writable only by root
.
vsftpd 구성 옵션
Although vsftpd may not offer the level of customization other widely available FTP
servers have, it offers enough options to fill most administrator’s needs. The fact that it is not overly feature-laden limits configuration and programmatic errors.
[command]#vsftpd#의 모든 구성은 `/etc/vsftpd/vsftpd.conf`구성 파일에 의해 다뤄집니다. 각 지시문은 파일안의 자체 행에 있으며 다음과 같은 형식을 따릅니다:
directive=value
각 지시문을 위해 유효한 지시문인 지시문 및 유효한 값인 _값_으로 교체합니다.
공백을 사용하지 않습니다
지시문, 등호, 지시문의 값 사이에서 어떤 공백도 있으면 안됩니다. |
주석 행은 해쉬 기호 (#)의해 진행되어야 하고 데몬에 의해 무시됩니다.
사용 가능한 모든 지시문 목록을 위하여, `vsftpd.conf`를 위한 설명서 부분을 참고하세요.
vsftpd 서비스 보안설정
vsftpd 보호하는 방식을 위한 개요는, Red Hat Enterprise Linux 7 보안 안내를 참고하세요. |
The following is a list of some of the more important directives within /etc/vsftpd/vsftpd.conf
. All directives not explicitly found or commented out within vsftpd's configuration file are set to their default value.
데몬 옵션 다음은 vsftpd 데몬의 전체 동작을 제어하는 지시문 목록입니다.
-
listen — When enabled, vsftpd runs in stand-alone mode. Fedora sets this value to YES. This directive cannot be used in conjunction with the listen_ipv6 directive.
기본 값은 NO 입니다.
-
listen_ipv6 — When enabled, vsftpd runs in stand-alone mode, but listens only to
IPv6
sockets. This directive cannot be used in conjunction with the listen directive.기본 값은 NO 입니다.
-
session_support — When enabled, vsftpd attempts to maintain login sessions for each user through Pluggable Authentication Modules (PAM). For more information, refer to the Using Pluggable Authentication Modules (PAM) chapter of the Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards and the PAM man pages. . If session logging is not necessary, disabling this option allows vsftpd to run with less processes and lower privileges.
기본 값은 YES 입니다.
Log In Options and Access Controls The following is a list of directives which control the login behavior and access control mechanisms.
-
anonymous_enable — When enabled, anonymous users are allowed to log in. The usernames
anonymous
andftp
are accepted.기본 값은 YES 입니다.
익명 사용자에게 영향을 미치는 지시문 목록을 위해 익명 사용자 옵션을 참고하세요.
-
banned_email_file — If the deny_email_enable directive is set to YES, this directive specifies the file containing a list of anonymous email passwords which are not permitted access to the server.
기본 값은 `/etc/vsftpd/banned_emails`입니다.
-
banner_file — Specifies the file containing text displayed when a connection is established to the server. This option overrides any text specified in the ftpd_banner directive.
이 지시문에 지정 값이 없습니다.
-
cmds_allowed — Specifies a comma-delimited list of
FTP
commands allowed by the server. All other commands are rejected.이 지시문에 지정 값이 없습니다.
-
deny_email_enable — When enabled, any anonymous user utilizing email passwords specified in the
/etc/vsftpd/banned_emails
are denied access to the server. The name of the file referenced by this directive can be specified using the banned_email_file directive.기본 값은 NO 입니다.
-
ftpd_banner — When enabled, the string specified within this directive is displayed when a connection is established to the server. This option can be overridden by the banner_file directive.
기본적으로 [command]#vsftpd#는 표준 배너를 표시합니다.
-
local_enable — 활성화 되었을 때에, 로컬 사용자는 시스템에 로그인 할 수 있습니다.
기본 값은 YES 입니다.
로컬 사용자에게 영향을 주는 지시문 목록을 위한 로컬 사용자 옵션을 참고하세요.
-
pam_service_name — [command]#vsftpd#을 위한 PAM 서비스 이름을 지정합니다.
기본 값은 [command]#ftp#입니다. 주의, Fedora에서, 값은 [command]#vsftpd#로 설정됩니다.
-
기본 값은 [command]#NO#입니다. 주의, Fedora에서, 값은 [command]#YES#로 설정됩니다.
-
userlist_deny — When used in conjunction with the userlist_enable directive and set to NO, all local users are denied access unless the username is listed in the file specified by the userlist_file directive. Because access is denied before the client is asked for a password, setting this directive to NO prevents local users from submitting unencrypted passwords over the network.
기본 값은 YES 입니다.
-
userlist_enable — When enabled, the users listed in the file specified by the userlist_file directive are denied access. Because access is denied before the client is asked for a password, users are prevented from submitting unencrypted passwords over the network.
기본 값은 [command]#NO#이고,아무튼 Fedora에서 값은 [command]#YES#로 설정됩니다.
-
userlist_file — Specifies the file referenced by vsftpd when the userlist_enable directive is enabled.
기본 값은 [command]#/etc/vsftpd/user_list#이고 설치 중에 생성됩니다.
Anonymous User Options The following lists directives which control anonymous user access to the server. To use these options, the anonymous_enable directive must be set to YES.
-
anon_mkdir_write_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to create new directories within a parent directory which has write permissions.
기본 값은 NO 입니다.
-
anon_root — 익명 사용자가 로그인 후에 디렉토리 vsftpd 변경을 지정합니다.
이 지시문에 지정 값이 없습니다.
-
anon_upload_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to upload files within a parent directory which has write permissions.
기본 값은 NO 입니다.
-
anon_world_readable_only — When enabled, anonymous users are only allowed to download world-readable files.
기본 값은 YES 입니다.
-
ftp_username — Specifies the local user account (listed in
/etc/passwd
) used for the anonymousFTP
user. The home directory specified in/etc/passwd
for the user is the root directory of the anonymousFTP
user.기본 값은 ftp 입니다.
-
no_anon_password — 활성화 되었을 때에, 익명 사용자은 비밀번호를 요구하지 않습니다.
기본 값은 NO 입니다.
-
secure_email_list_enable — When enabled, only a specified list of email passwords for anonymous logins are accepted. This is a convenient way to offer limited security to public content without the need for virtual users.
Anonymous logins are prevented unless the password provided is listed in /etc/vsftpd/email_passwords. The file format is one password per line, with no trailing white spaces.
기본 값은 NO 입니다.
Local User Options The following lists directives which characterize the way local users access the server. To use these options, the local_enable directive must be set to YES.
-
chmod_enable — When enabled, the
FTP
command SITE CHMOD is allowed for local users. This command allows the users to change the permissions on files.기본 값은 YES 입니다.
-
chroot_list_enable — When enabled, the local users listed in the file specified in the chroot_list_file directive are placed in a chroot jail upon log in.
If enabled in conjunction with the chroot_local_user directive, the local users listed in the file specified in the chroot_list_file directive are not placed in a chroot jail upon log in.
기본 값은 NO 입니다.
-
chroot_list_file — Specifies the file containing a list of local users referenced when the chroot_list_enable directive is set to YES.
기본 값은 [command]#/etc/vsftpd/chroot_list#입니다.
-
chroot_local_user — When enabled, local users are change-rooted to their home directories after logging in.
기본 값은 NO 입니다.
chroot_local_user 옵션 활성화 방지Enabling chroot_local_user opens up a number of security issues, especially for users with upload privileges. For this reason, it is not recommended.
-
guest_enable — When enabled, all non-anonymous users are logged in as the user guest, which is the local user specified in the guest_username directive.
기본 값은 NO 입니다.
-
guest_username —guest 사용자가 일치되도록 사용자 이름을 지정합니다.
기본 값은 ftp 입니다.
-
local_root — 로컬 사용자가 로그인 후에 디렉토리 vsftpd 변경을 지정합니다.
이 지시문에 지정 값이 없습니다.
-
local_umask — Specifies the umask value for file creation. Note that the default value is in octal form (a numerical system with a base of eight), which includes a "0" prefix. Otherwise the value is treated as a base-10 integer.
기본 값은 022 입니다.
-
passwd_chroot_enable — When enabled in conjunction with the chroot_local_user directive, vsftpd change-roots local users based on the occurrence of the /./ in the home directory field within
/etc/passwd
.기본 값은 NO 입니다.
-
user_config_dir — Specifies the path to a directory containing configuration files bearing the name of local system users that contain specific setting for that user. Any directive in the user’s configuration file overrides those found in
/etc/vsftpd/vsftpd.conf
.이 지시문에 지정 값이 없습니다.
디렉토리 옵션 다음은 디렉토리에 영향을 미치는 지시문을 나열합니다.
-
dirlist_enable — 활성화 될 때에, 사용자는 디렉토리 목록에 허용됩니다.
기본 값은 YES 입니다.
-
dirmessage_enable — When enabled, a message is displayed whenever a user enters a directory with a message file. This message resides within the current directory. The name of this file is specified in the message_file directive and is
.message
by default.기본 값은 [command]#NO#입니다. 주의, Fedora에서, 값은 [command]#YES#로 설정됩니다.
-
force_dot_files — When enabled, files beginning with a dot (
.
) are listed in directory listings, with the exception of the.
and..
files.기본 값은 NO 입니다.
-
hide_ids — When enabled, all directory listings show
ftp
as the user and group for each file.기본 값은 NO 입니다.
-
message_file — Specifies the name of the message file when using the dirmessage_enable directive.
기본 값은 .메시지 입니다.
-
text_userdb_names — When enabled, text usernames and group names are used in place of UID and GID entries. Enabling this option may slow performance of the server.
기본 값은 NO 입니다.
-
use_localtime — 활성화 되었을 때에, 디렉토리 목록은 GMT 대신에 컴퓨터를 위한 지역 시간을 나타냅니다.
기본 값은 NO 입니다.
파일 전송 옵션 다음은 디렉토리에 영향을 미치는 지시문을 나열합니다.
-
download_enable — 활성화 될 때에, 파일 내려받기가 허용됩니다.
기본 값은 YES 입니다.
-
chown_uploads — When enabled, all files uploaded by anonymous users are owned by the user specified in the chown_username directive.
기본 값은 NO 입니다.
-
chown_username — Specifies the ownership of anonymously uploaded files if the chown_uploads directive is enabled.
기본 값은 root 입니다.
-
write_enable — When enabled,
FTP
commands which can change the file system are allowed, such as DELE, RNFR, and STOR.기본 값은 YES 입니다.
Logging Options The following lists directives which affect vsftpd's logging behavior.
-
dual_log_enable — When enabled in conjunction with xferlog_enable, vsftpd writes two files simultaneously: a wu-ftpd-compatible log to the file specified in the xferlog_file directive (
/var/log/xferlog
by default) and a standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log
by default).기본 값은 NO 입니다.
-
log_ftp_protocol — When enabled in conjunction with xferlog_enable and with xferlog_std_format set to NO, all
FTP
commands and responses are logged. This directive is useful for debugging.기본 값은 NO 입니다.
-
syslog_enable — When enabled in conjunction with xferlog_enable, all logging normally written to the standard vsftpd log file specified in the vsftpd_log_file directive (
/var/log/vsftpd.log
by default) is sent to the system logger instead under theFTPD
facility.기본 값은 NO 입니다.
-
vsftpd_log_file — Specifies the vsftpd log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must either be set to NO or, if xferlog_std_format is set to YES, dual_log_enable must be enabled. It is important to note that if syslog_enable is set to YES, the system log is used instead of the file specified in this directive.
기본 값은 `/var/log/vsftpd.log`입니다.
-
xferlog_enable — When enabled, vsftpd logs connections (vsftpd format only) and file transfer information to the log file specified in the vsftpd_log_file directive (
/var/log/vsftpd.log
by default). If xferlog_std_format is set to YES, file transfer information is logged but connections are not, and the log file specified in xferlog_file (/var/log/xferlog
by default) is used instead. It is important to note that both log files and log formats are used if dual_log_enable is set to YES.기본 값은 [command]#NO#입니다. 주의, Fedora에서, 값은 [command]#YES#로 설정됩니다.
-
xferlog_file — Specifies the wu-ftpd-compatible log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must be set to YES. It is also used if dual_log_enable is set to YES.
기본 값은 `/var/log/xferlog`입니다.
-
xferlog_std_format — When enabled in conjunction with xferlog_enable, only a wu-ftpd-compatible file transfer log is written to the file specified in the xferlog_file directive (
/var/log/xferlog
by default). It is important to note that this file only logs file transfers and does not log connections to the server.기본 값은 [command]#NO#입니다. 주의, Fedora에서, 값은 [command]#YES#로 설정됩니다.
예전 로그 파일 형식과 함께 호환성 유지하기
To maintain compatibility with log files written by the older wu-ftpd To both log connections in vsftpd format and maintain a wu-ftpd-compatible file transfer log, set dual_log_enable to YES. If maintaining a wu-ftpd-compatible file transfer log is not important, either set xferlog_std_format to NO, comment the line with a hash sign (#), or delete the line entirely. |
네트워크 옵션 다음은 [command]#vsftpd#가 네트워크와 함께 상호 작용하는 방식에 영향을 주는 지시문을 나열합니다.
-
accept_timeout — 연결을 설정하도록 수동 방식을 사용하는 클라이언트를 위한 시간의 양을 지정합니다.
기본 값은 60 입니다.
-
anon_max_rate — 초당 바이트로 익명 사용자를 위한 최대 자료 전송 비율을 지정합니다.
기본 값은 [command]#0#이고, 이는 전송 비율을 제한하지 않습니다.
-
connect_from_port_20 When enabled, vsftpd runs with enough privileges to open port 20 on the server during active mode data transfers. Disabling this option allows vsftpd to run with less privileges, but may be incompatible with some
FTP
clients.기본 값은 [command]#NO#입니다. 주의, Fedora에서, 값은 [command]#YES#로 설정됩니다.
-
connect_timeout — Specifies the maximum amount of time a client using active mode has to respond to a data connection, in seconds.
기본 값은 60 입니다.
-
data_connection_timeout — Specifies maximum amount of time data transfers are allowed to stall, in seconds. Once triggered, the connection to the remote client is closed.
기본 값은 300 입니다.
-
ftp_data_port — Specifies the port used for active data connections when connect_from_port_20 is set to YES.
기본 값은 20 입니다.
-
idle_session_timeout — Specifies the maximum amount of time between commands from a remote client. Once triggered, the connection to the remote client is closed.
기본 값은 300 입니다.
-
listen_address — 네트워크 연결을 위한 vsftpd 수신에서
IP
주소를 지정합니다.이 지시문에 지정 값이 없습니다.
vsftpd의 다중 복사 동작 중If running multiple copies of vsftpd serving different
IP
addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. See Starting Multiple Copies of vsftpd for more information about multihomedFTP
servers. -
listen_address6 — Specifies the
IPv6
address on which vsftpd listens for network connections when listen_ipv6 is set to YES.이 지시문에 지정 값이 없습니다.
vsftpd의 다중 복사 동작 중If running multiple copies of vsftpd serving different
IP
addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. See Starting Multiple Copies of vsftpd for more information about multihomedFTP
servers. -
listen_port — 네트워크 연결을 위한 vsftpd 수신하는 포트를 지정합니다.
기본 값은 [command]#21#입니다.
-
local_max_rate — Specifies the maximum rate data is transferred for local users logged into the server in bytes per second.
기본 값은 [command]#0#이고, 이는 전송 비율을 제한하지 않습니다.
-
max_clients — Specifies the maximum number of simultaneous clients allowed to connect to the server when it is running in standalone mode. Any additional client connections would result in an error message.
기본 값은 [command]#0#이고, 연결 제한이 없습니다.
-
max_per_ip — Specifies the maximum of clients allowed to connected from the same source
IP
address.기본 값은 [command]#0#이고, 연결 제한이 없습니다.
-
pasv_address — Specifies the
IP
address for the public facingIP
address of the server for servers behind Network Address Translation (NAT) firewalls. This enables vsftpd to hand out the correct return address for passive mode connections.이 지시문에 지정 값이 없습니다.
-
pasv_enable — 활성화 되었을 때에, 수동 방식 연결은 허용됩니다.
기본 값은 YES 입니다.
-
pasv_max_port — Specifies the highest possible port sent to the
FTP
clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.The default value is 0, which does not limit the highest passive port range. The value must not exceed 65535.
-
pasv_min_port — Specifies the lowest possible port sent to the
FTP
clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.The default value is 0, which does not limit the lowest passive port range. The value must not be lower 1024.
-
pasv_promiscuous — When enabled, data connections are not checked to make sure they are originating from the same
IP
address. This setting is only useful for certain types of tunneling.pasv_promiscuous 옵션 활성화 방지Do not enable this option unless absolutely necessary as it disables an important security feature which verifies that passive mode connections originate from the same
IP
address as the control connection that initiates the data transfer.기본 값은 NO 입니다.
-
port_enable — 활성화 되었을 때에, 동적 방식 연결이 허용됩니다.
기본 값은 YES 입니다.
추가 자원
[command]#vsftpd#에 대한 더 많은 정보를 위해, 다음 자원을 참고하세요.
설치된 문서
-
The
/usr/share/doc/vsftpd/
directory — This directory contains aREADME
with basic information about the software. TheTUNING
file contains basic performance tuning tips and theSECURITY/
directory contains information about the security model employed by vsftpd. -
vsftpd related man pages — There are a number of man pages for the daemon and configuration files. The following lists some of the more important man pages.
- 서버 응용프로그램
-
-
man vsftpd — [command]#vsftpd#을 위해 사용 가능한 명령 줄 옵션을 설명합니다.
-
- 구성 파일
-
-
man vsftpd.conf — [command]#vsftpd#을 위한 구성 파일내에서 사용 가능한 옵션의 상세한 목록을 포함합니다.
-
man 5 hosts_access — Describes the format and options available within the TCP wrappers configuration files:
hosts.allow
andhosts.deny
.
-
유용한 웹주소
-
https://security.appspot.com/vsftpd.html — The vsftpd project page is a great place to locate the latest documentation and to contact the author of the software.
-
http://slacksite.com/other/ftp.html — This website provides a concise explanation of the differences between active and passive mode
FTP
. -
http://www.ietf.org/rfc/rfc0959.txt — The original Request for Comments (RFC) of the
FTP
protocol from the IETF.
프린터 구성
프린터 구성하기, 프린터 구성 도구는 프린터 구성하기, 프린터 설정 파일의 유지보수, 프린트 스풀 디렉토리 및 프린터 필터, 그리고 프린터 등급 관리를 제공합니다.
도구는 일반적인 유닉스 출력 시스템(CUPS)을 기반으로 합니다. 만약 당신이 CUPS를 사용한 이전 Fedora 버전에서 시스템을 향상 했다면, 향상을 위한 처리에서 구성된 프린터를 보존합니다.
CUPS 웹 응용프로그램 또는 명령-줄 도구 사용
당신은 CUPS 웹 응용프로그램 또는 명령줄에서 직접 프린터의 동일한 작업이나 추가적인 동작을 수행 할 수 있습니다. 응용프로그램에 접근하려면, 웹 검색기에 http://localhost:631/로 진행합니다. CUPS 설명서는 웹 사이트의 `홈`탭에 연결된 설명서를 참조하세요. |
프린터 구성 도구 시작하기
With the Printers configuration tool you can perform various operations on existing printers and set up new printers. You can also use CUPS directly (go to http://localhost:631/ to access the CUPS web application).
To start the Printers configuration tool if using the GNOME desktop, press the Super key to enter the Activities Overview, type Printers, and then press Enter. The Printers configuration tool appears. The Super key appears in a variety of guises, depending on the keyboard and other hardware, but often as either the Windows or Command key, and typically to the left of the Spacebar.
프린터 구성 창에서 더 이상 사용하지 않는 `프린터`가 나타납니다.
프린터 설정 시작
프린터 설정 처리는 프린터 대기 유형에 따라 다릅니다.
If you are setting up a local printer connected with USB, the printer is discovered and added automatically. You will be prompted to confirm the packages to be installed and provide an administrator or the root
user password. Local printers connected with other port types and network printers need to be set up manually.
수동 프린터 설정을 시작하는데 이 절차를 따릅니다:
-
프린터 구성 도구를 시작합니다 (refer to 프린터 구성 도구 시작하기).
-
변경 사항을 적용하기 위해 활성화 하려면
잠금 해제`를 선택하세요. `인증 필요
상자에서, 관리자 또는root
사용자 비밀번호를 입력하고 확인합니다. -
추가 기호를 선택하고 `신규 프린터 추가`대화상자를 엽니다. 목록에서 프린터를 선택하거나 아래에서 해당 주소를 입력하세요.
로컬 프린터 추가하기
이와 같은 절차를 따르고 시리얼 포트 보다 다른 방식으로 연결된 로컬 프린터를 추가하세요:
-
신규 프린터 추가
대화상자 (프린터 설정 시작하기 언급)를 엽니다. -
If the device does not appear automatically, select the port to which the printer is connected in the list on the left (such as
Serial Port #1
orLPT #1
). -
우측에서, 연결 설정을 입력합니다:
- `Enter URI`를 위하여
-
URI
(예제 파일:/dev/lp0) - `Serial Port`를 위하여
-
전송 속도
패리티
데이타 비트
흐름 제어
-
누름단추를 누룹니다:[앞으로].
-
프린터 모델을 선택합니다. 더 자세한 정보를 위해 프린터 모델 선택하기와 마무리하기.
AppSocket/HP JetDirect 프린터 추가하기
이와 같은 절차를 따르고 AppSocket/HP JetDirect 프린터를 추가합니다:
-
신규 프린터 추가
대화상자를 엽니다 (프린터 구성 도구 시작하기 참조). -
좌측의 목록에서, 메뉴:네트워크 프린터[
AppSocket/HP JetDirect
]를 선택합니다. -
우측에서, 연결 설정을 입력합니다:
호스트 이름
-
프린터 호스트 이름 또는
IP
주소. 포트 번호
-
프린터 작업(기본지정
9100
)에 프린터 포트 대기하기.
-
누름단추를 누룹니다:[앞으로].
-
프린터 모델을 선택합니다. 더 자세한 정보를 위해 프린터 모델 선택하기와 마무리하기.
IPP 프린터 추가하기
An IPP
printer is a printer attached to a different system on the same TCP/IP network. The system this printer is attached to may either be running CUPS or simply configured to use IPP
.
If a firewall is enabled on the printer server, then the firewall must be configured to allow incoming TCP
connections on port 631
. Note that the CUPS browsing protocol allows client machines to discover shared CUPS queues automatically. To enable this, the firewall on the client machine must be configured to allow incoming UDP
packets on port 631
.
IPP
프린터 추가하기 위한 이 절차를 따르세요:
-
프린터
대화 상자를 엽니다 (프린터 설정 시작하기 참조). -
좌측의 장치 목록에서, 네트워크 프린트와
인터넷 출력 통신규약 (ipp)
또는 `인터넷 출력 통신규약 (https)`을 선택합니다. -
우측에서, 연결 설정을 입력합니다:
호스트
-
IPP
프린터의 호스트 이름. 대기
-
신규 대기에 제공되는 대기 이름 (만약 상자가 비웠으면, 장치 노드에서 기반된 이름이 사용됩니다).
-
선택적으로, 프린터 탐지를 위해서 확인을 누릅니다.
-
누름 단추를 누룹니다: 계속하기 위하여 [앞으로].
-
프린터 모델을 선택합니다. 더 자세한 정보를 위해 프린터 모델 선택하기와 마무리하기.
LPD/LPR 호스트 또는 프린터 추가하기
ndexterm:[프린터 구성, LDP/LPR 프린터]
LPD/LPR 호스트 또는 프린터를 추가하려면 이 절차를 따라주세요:
-
신규 프린터
대화상자를 엽니다 (프린터 설정 시작하기 참조). -
좌측의 장치 목록에서, 메뉴:네트워크 프린터[
LPD/LPR 호스트 또는 프린터
]를 선택합니다. -
우측에서, 연결 설정을 입력합니다:
호스트
-
LPD/LPR 프린터의 호스트 이름 또는 호스트.
선택적으로, 누름단추:[Probe]을 누르고 LPD 호스트에서 대기를 찾습니다.
대기
-
신규 대기에 제공되는 대기 이름 (만약 상자가 비웠으면, 장치 노드에서 기반된 이름이 사용됩니다).
-
누름 단추를 누룹니다: 계속하기 위하여 [앞으로].
-
프린터 모델을 선택합니다. 더 자세한 정보를 위해 프린터 모델 선택하기와 마무리하기.
삼바 (SMB) 프린터 추가하기
이와 같은 절차를 따르고 삼바 프린터를 추가합니다:
삼바-클라이언트 꾸러미 설치하기
삼바 프린터를 추가하기 위해 확인하려면, 당신은 samba-client 꾸러미가 설치되어 있어야 합니다. 당신은 `root`으로 동작하여 동작 할 수 있습니다: dnf install samba-client
DNF와 함께 꾸러미 설치에 대한 자세한 내용은 꾸러미 설치를 참조하세요. |
-
신규 프린터
대화상자를 엽니다 (프린터 설정 시작하기 참조). -
좌측의 목록에서, 메뉴:네트워크 프린터[
Windows Printer via SAMBA
]를 선택합니다. -
`smb://`입력부분에서 SMB 주소를 입력합니다. 형식 _computer name/printer share_을 사용합니다. SMB 프린터 추가하기에서, _computer name_은 [command]#dellbox#이고 _printer share_는 [command]#r2#입니다.
-
Click Browse to see the available workgroups/domains. To display only queues of a particular host, type in the host name (NetBios name) and click Browse.
-
다음 선택 중의 하나를 선택합니다:
-
Prompt user if authentication is required
: user name and password are collected from the user when printing a document. -
Set authentication details now
: provide authentication information now so it is not required later. In theUsername
field, enter the user name to access the printer. This user must exist on the SMB system, and the user must have permission to access the printer. The default user name is typicallyguest
for Windows servers, ornobody
for Samba servers.
-
-
사용자이름
입력부분에서 지정된 사용자를 위해 (만약 필요하다면)비밀번호
를 입력합니다.
비밀번호를 선택 할 때에 주의하세요
Samba printer user names and passwords are stored in the printer server as unencrypted files readable by Therefore, when you choose a user name and password to access a Samba printer, it is advisable that you choose a password that is different from what you use to access your local Fedora system. If there are files shared on the Samba print server, it is recommended that they also use a password different from what is used by the print queue. |
-
Click Verify to test the connection. Upon successful verification, a dialog box appears confirming printer share accessibility.
-
누름단추를 누룹니다:[앞으로].
-
프린터 모델을 선택합니다. 더 자세한 정보를 위해 프린터 모델 선택하기와 마무리하기.
프린터 모델 선택하기와 마무리하기
Once you have properly selected a printer connection type, the system attempts to acquire a driver. If the process fails, you can locate or search for the driver resources manually.
이와 같은 절차를 따르고 프린터 드라이버를 제공하며 설치를 마무리합니다:
-
자동 드라이버 탐지가 실패 한 후에 표시되는 창에서, 다음 옵션 중의 하나를 선택합니다:
-
Select printer from database
— the system chooses a driver based on the selected make of your printer from the list ofMakes
. If your printer model is not listed, chooseGeneric
. -
Provide PPD file
— the system uses the provided PostScript Printer Description (PPD) file for installation. A PPD file may also be delivered with your printer as being normally provided by the manufacturer. If the PPD file is available, you can choose this option and use the browser bar below the option description to select the PPD file. -
Search for a printer driver to download
— enter the make and model of your printer into theMake and model
field to search on OpenPrinting.org for the appropriate packages.
-
-
자신의 이전 선택에 따라 아래 표시된 영역에서 상세히 제공합니다:
-
`데이타베이스에서 프린터 선택`옵션을 위한 프린터 제조사.
-
PPD 파일 제공
옵션을 위한 PPD 파일 위치. -
내려받으려는 프린터 드라이버를 위한 검색
옵션을 위한 프린터 제조사와 모델.
-
-
누름 단추를 누룹니다: 계속하기 위하여 [앞으로].
-
자신의 옵션이 해당하는 경우, 프린터 모델 선택하기에서 보여진 창이 나타납니다. 좌측에서
모델
행에서 일치하는 모델을 선택하세요.
프린터 드라이버 선택하기
On the right, the recommended printer driver is automatically selected; however, you can select another available driver. The print driver processes the data that you want to print into a format the printer can understand. Since a local printer is attached directly to your computer, you need a printer driver to process the data that is sent to the printer. |
-
누름단추를 누룹니다:[앞으로].
-
Under the
Describe Printer
enter a unique name for the printer in thePrinter Name
field. The printer name can contain letters, numbers, dashes (-), and underscores (_); it must not contain any spaces. You can also use theDescription
andLocation
fields to add further printer information. Both fields are optional, and may contain spaces.
-
누름단추:[적용]을 누르고 자신의 프린터 구성을 확인하고 만약 설정이 올바르면 프린터 대기열에 추가합니다. 누름단추:[뒤로]를 누르면 프린터 구성이 수정됩니다.
-
After the changes are applied, a dialog box appears allowing you to print a test page. Click Print Test Page to print a test page now. Alternatively, you can print a test page later as described in Printing a Test Page.
시험 부분 출력하기
프린터를 설정 또는 프린터 구성을 변경한 후에, 프린터가 기능적으로 다음과 같이 적절하게 되는지 확인하기 위해 시험 부분을 출력합니다:
-
출력하기
창에서 프린터 우측-누름과 `속성`을 누릅니다. -
속성 창에서, 좌측에 `설정`을 누릅니다.
-
표시된
설정
탭에서, 시험 부분 출력 누름단추를 누릅니다.
기존 프린터 수정하기
To delete an existing printer, in the Printer
configuration window, select the printer and go to . Confirm the printer deletion. Alternatively, press the Delete key.
To set the default printer, right-click the printer in the printer list and click the Set As Default
button in the context menu.
The Settings Page To change printer driver configuration, double-click the corresponding name in the Printer
list and click the Settings
label on the left to display the Settings
page.
You can modify printer settings such as make and model, print a test page, change the device location (URI), and more.
정책 부분
좌측에서 정책
누름단추를 누르고 프린터 상태와 인쇄 출력에서 설정을 변경합니다.
당신은 프린터 상태를 선택 할 수 있고, 프린터의 `오류 정책`을 구성합니다(당신은 만약 오류가 발생한 경우에 프린터 작업 중지, 재시도, 또는 중지를 결정 할 수 있습니다).
You can also create a banner page (a page that describes aspects of the print job such as the originating printer, the user name from the which the job originated, and the security status of the document being printed): click the Starting Banner
or Ending Banner
drop-down menu and choose the option that best describes the nature of the print jobs (for example, confidential
).
On the Policies
page, you can mark a printer as shared: if a printer is shared, users published on the network can use it. To allow the sharing function for printers, go to and select Publish shared printers connected to this system
.
Make sure that the firewall allows incoming TCP
connections to port 631
, the port for the Network Printing Server (IPP
) protocol. To allow IPP
traffic through the firewall on Fedora 26, make use of firewalld
's IPP
service. To do so, proceed as follows:
-
To start the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The
Firewall Configuration
window opens. You will be prompted for an administrator orroot
password.
Alternatively, to start the graphical firewall configuration tool using the command line, enter the following command as root
user:
~]# firewall-config
방화벽 구성
창을 엽니다.
Look for the word "Connected" in the lower left corner. This indicates that the firewall-config tool is connected to the user space daemon, firewalld
.
To immediately change the current firewall settings, ensure the drop-down selection menu labeled Configuration
is set to Runtime
. Alternatively, to edit the settings to be applied at the next system start, or firewall reload, select Permanent
from the drop-down list.
-
Select the
Zones
tab and then select the firewall zone to correspond with the network interface to be used. The default is thepublic
zone. TheInterfaces
tab shows what interfaces have been assigned to a zone. -
Select the
Services
tab and then select theipp
service to enable sharing. Theipp-client
service is required for accessing network printers. -
firewall-config 도구를 닫습니다.
You can change user-level access to the configured printer on the Access Control
page. Click the Access Control
label on the left to display the page. Select either Allow printing for everyone except these users
or Deny printing for everyone except these users
and define the user set below: enter the user name in the text box and click the Add button to add the user to the user set.
The Printer Options
page contains various configuration options for the printer media and output, and its content may vary from printer to printer. It contains general printing, paper, quality, and printing size settings.
On the Job Options
page, you can detail the printer job options. Click the Job Options
label on the left to display the page. Edit the default settings to apply custom job options, such as number of copies, orientation, pages per side, scaling (increase or decrease the size of the printable area, which can be used to fit an oversize print area onto a smaller physical sheet of print medium), detailed text options, and custom job options.
The Ink/Toner Levels
page contains details on toner status if available and printer status messages. Click the Ink/Toner Levels
label on the left to display the page.
Managing Print Jobs When you send a print job to the printer daemon, such as printing a text file from Emacs or printing an image from GIMP, the print job is added to the print spool queue. The print spool queue is a list of print jobs that have been sent to the printer and information about each print request, such as the status of the request, the job number, and more.
출력 처리에, 프로세서에 대해 제공되는 메시지는 알림 영역에서 나타납니다.
인쇄 작업을 취소, 보류, 해제, 재인쇄 또는 인증하려면, [application]*그놈 출력 상태*와 작업 메뉴에서 작업을 선택하고, 해당 명령을 누릅니다.
To view the list of print jobs in the print spool from a shell prompt, type the command lpstat -o. The last few lines look similar to the following:
$ lpstat -o
Charlie-60 twaugh 1024 2011년 2월 8일 화요일 16시 42분 11초 표준시(GMT)
Aaron-61 twaugh 1024 2011년 2월 8일 화요일 16시 42분 44초 표준시(GMT)
Ben-62 root 1024 2011년 2월 8일 화요일 16시 45분 42초 표준시(GMT)
If you want to cancel a print job, find the job number of the request with the command lpstat -o and then use the command cancel job number. For example, cancel 60 would cancel the print job in Example of lpstat -o output. You cannot cancel print jobs that were started by other users with the cancel command. However, you can enforce deletion of such job by issuing the cancel -U root job_number command. To prevent such canceling, change the printer operation policy to Authenticated
to force root
authentication.
You can also print a file directly from a shell prompt. For example, the command lp sample.txt prints the text file sample.txt
. The print filter determines what type of file it is and converts it into a format the printer can understand.
추가 자원
Fedora에서 출력에 대해 더 많이 알려면, 다음 자원을 참고하세요.
설치 문서
- man lp
-
당신을 명령줄에서 파일을 출력하도록 허용하는 lpr 명령을 위한 설명서 부분.
- man cancel
-
출력 대기열에서 출력 작업을 제거하는 명령-줄 유틸리티를 위한 설명서 부분.
- man mpage
-
한 장의 종이에서 여러 쪽을 출력하기 위한 명령-줄 유틸리티를 위한 설명서 부분.
- man cupsd
-
CUPS 프린터 데몬을 위한 설명서 부분.
- man cupsd.conf
-
CUPS 프린터 데몬 구성 파일을 위한 설명서 부분.
- man classes.conf
-
CUPS를 위한 클래스 구성 파일의 설명서 부분.
- man lpstat
-
lpstat 명령을 위한 설명서 부분, 이는 클래스, 작업, 그리고 프린터에 대한 상태 정보를 표시합니다.
Want to help? Learn how to contribute to Fedora Docs ›