yum -y install dhcp

cp /usr/share/doc/dhcp*/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cat /etc/dhcp/dhcpd.conf
# DHCP服务配置文件分为全局配置和作用域配置，很好区分：subnet的就是作用域 不在subnet里面的就是全局设置。
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# DNS全局选项，指定DNS服务器的地址，可以是IP，也可以是域名。
# option definitions common to all supported networks...
# DNS的域名
option domain-name "example.org";
# 具体的DNS服务器
option domain-name-servers ns1.example.org, ns2.example.org;
# 租约设置，默认租约为600s
default-lease-time 600;
# 租约设置，最大租约为7200s，当客户端未请求明确的租约时间。
max-lease-time 7200;
# 动态DNS更新方式(none:不支持；interim:互动更新模式；ad-hoc:特殊更新模式)
# Use this to enble / disable dynamic dns updates globally.
# ddns-update-style none;
# 如果该DHCP服务器是本地官方DHCP就将此选项打开，避免其他DHCP服务器的干扰。
# 当一个客户端试图获得一个不是该DHCP服务器分配的IP信息，DHCP将发送一个拒绝消息，而不会等待请求超时。
# 当请求被拒绝，客户端会重新向当前DHCP发送IP请求获得新地址。
# 保证IP是自己发出去的
#
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
# 开启此项表权威DHCP
# authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
# 日志级别
log-facility local7;
# No service will be given on this subnet, but declaring it helps the 
# DHCP server to understand the network topology.
#作用域相关设置指令
# subnet 定义一个作用域
# netmask 定义作用域的掩码
# range 允许发放的IP范围
# option routers 指定网关地址
# option domain-name-servers 指定DNS服务器地址
# option broadcast-address 广播地址
#
#
# 案例:定义一个作用域 网段为10.152.187.0 掩码为255.255.255.0
# 此作用域不提供任何服务
subnet 10.152.187.0 netmask 255.255.255.0 {
}
# This is a very basic subnet declaration.
# 案例:定义一个基本的作用域
# 网段10.254.239.0 掩码255.255.255.224
# 分发范围10.254.239.10-20
# 网关为rtr-239-0-1.example.org, rtr-239-0-2.example.org
subnet 10.254.239.0 netmask 255.255.255.224 {
  range 10.254.239.10 10.254.239.20;
  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
# 案例:允许采用bootp协议的客户端动态获得地址
# bootp DHCP的前身
# BOOTP用于无盘工作站的局域网中，可以让无盘工作站从一个中心服务器上获得IP地址。通过BOOTP协议可以为局域网中的无盘工作站分配动态IP地址，
# 这样就不需要管理员去为每个用户去设置静态IP地址。
subnet 10.254.239.32 netmask 255.255.255.224 {
  range dynamic-bootp 10.254.239.40 10.254.239.60;
  option broadcast-address 10.254.239.31;
  option routers rtr-239-32-1.example.org;
}
# 案例:一个简单的作用域案例
# A slightly different configuration for an internal subnet.
subnet 10.5.5.0 netmask 255.255.255.224 {
  range 10.5.5.26 10.5.5.30;
  option domain-name-servers ns1.internal.example.org;
  option domain-name "internal.example.org";
  option routers 10.5.5.1;
  option broadcast-address 10.5.5.31;
  default-lease-time 600;
  max-lease-time 7200;
}
# Hosts which require special configuration options can be listed in
# host statements.   If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#
# 保留地址:可以将指定的IP分发给指定的机器，根据网卡的MAC地址来做触发
# host: 启用保留。
# hardware:指定客户端的mac地址
# filename:指定文件名
# server-name:指定下一跳服务器地址
# fixed-address: 指定保留IP地址
#
#
# 案例:这个案例中分发给客户端的不是IP地址信息，而是告诉客户端去找toccata.fugue.com服务器，并且下载vmunix.passacaglia文件
host passacaglia {
  hardware ethernet 0:0:c0:5d:bd:95;
  filename "vmunix.passacaglia";
  server-name "toccata.fugue.com";
}
# Fixed IP addresses can also be specified for hosts.   These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
# 案例:保留地址，将指定IP(fantasia.fugue.com对应的IP)分给指定客户端网卡(MAC:08:00:07:26:c0:a5)
host fantasia {
  hardware ethernet 08:00:07:26:c0:a5;
  fixed-address fantasia.fugue.com;
}
# 超级作用域
# 超级作用域是DHCP服务中的一种管理功能，使用超级作用域，可以将多个作用域组合为单个管理实体。
# You can declare a class of clients and then do address allocation
# based on that.   The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
# 在局域网中，可以配置策略根据各个机器的具体信息分配IP地址和其他的网络参数，客户机的具体信息：客户机能够给dhcp服务提供的信息由两个，
# 第一个就是网卡的dhcp-client-identifier（mac地址），
# 第二个就是设备的vendor-class-identifier。
# 管理员可以根据这两个信息给不同的机器分组。
# 案例:
# 按client某种类型分组DHCP,而不是按物理接口网段
# 例子: SUNW 分配地址段10.17.224.0/24
#      非SUNW的主机,分配地址段10.0.29.0/24
# 定义一个dhcp类:foo
# request广播中vendor-class-identifier字段对应的值前四个字节如果是"SUNW",则视合法客户端.
class "foo" {
  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
}
# 定义一个超级作用域: 224-29
shared-network 224-29 {
# 定义第一个作用域
  subnet 10.17.224.0 netmask 255.255.255.0 {
    option routers rtr-224.example.org;
  }
# 定义第二个作用域
  subnet 10.0.29.0 netmask 255.255.255.0 {
    option routers rtr-29.example.org;
  }
# 关连池,如果客户端匹配foo类，将获得该池地址
  pool {
    allow members of "foo";
    range 10.17.224.10 10.17.224.250;
  }
# 关连池,如果客户端配置foo类，则拒绝获得该段地址
  pool {
    deny members of "foo";
    range 10.0.29.10 10.0.29.230;
  }
}

subnet 192.168.88.0 netmask 255.255.255.0 {
    range 192.168.88.150 192.168.88.160; # 发放地址范围
    option routers 192.168.88.0; # 网关
    option broadcast-address 192.168.88.255; # 广播地址
    option domain-name-servers 8.8.8.8, 114.114.114.114; # 设置DNS
    default-lease-time 7200; # 默认租约2小时
    max-lease-time 10800; # 最大租约3小时
}

# 重启网络服务
systemctl restart network

# 释放IP
dhclient -r ens33
# 获取IP
dhclient -d ens33

vim /etc/dhcp/dhcpd.conf
host fantasia {
    hardware ethernet 00:0c:29:6c:6f:0d;
    fixed-address 192.168.88.155;
}

dhclient -r ens37
dhclient -d ens37

# 添加作用域之前DHCP必须拥有两个网段的网卡
shared-network supernet {

   subnet 192.168.88.0 netmask 255.255.255.0 {
       range 192.168.88.150 192.168.88.160;
       option routers 192.168.88.2;
       option broadcast-address 192.168.88.255;
       option domain-name-servers 8.8.8.8, 114.114.114.114;
       default-lease-time 7200;
       max-lease-time 10800;
   }

   subnet 192.168.99.0 netmask 255.255.255.0 {
       range 192.168.99.150 192.168.99.160;
       option routers 192.168.99.0;
       option broadcast-address 192.168.99.255;
       option domain-name-servers 8.8.8.8, 114.114.114.114;
       default-lease-time 7200;
       max-lease-time 10800;
   }

}

yum -y install bind bind-chroot
# bind-chroot是bind的一个功能,使bind可以在一个chroot的模式下运行.也就是说,bind运行时的/(根)目录,并不是系统真正的/(根)目录,只是系统中的一个子目录而已.这样做的目的是为了提高安全性.因为在chroot的模式下,bind可以访问的范围仅限于这个子目录的范围里,无法进一步提升,进入到系统的其他目录中。bind的默认启动方式就是chroot方式。

cp -p /etc/named.conf /var/named/chroot/etc/
cp -pr /var/named/name* /var/named/chroot/var/named/
chown -R named:named /var/named/chroot/*
# 配置文件 /var/named/chroot/etc/named.conf
# 区域数据库文件 /var/named/chroot/var/named/

/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.
 See the BIND Administrator's Reference Manual (ARM) for details about the
 configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
*/
options
{
    // Put files that named is allowed to write in the data/ directory:
        #指定区域数据库文件的路径目录
    directory         "/var/named";        // "Working" directory
    #CACHE文件路径,指定服务器在收到rndc dump命令时，转储数据到文件的路径。默认named_dump.db
    dump-file         "data/cache_dump.db";
    #静态文件路径,指定服务器在收到rndc stats命令时，追加统计数据的文件路径。默认named.stats
        statistics-file     "data/named_stats.txt";
    #内存静态文件路径,服务器在退出时，将内存统计写到文件的路径。默认named.memstats
        memstatistics-file     "data/named_mem_stats.txt";
    # 指定服务器在通过rndc recursing命令指定转储当前递归请求到的文件路径。默认named.recursing
    recursing-file        "data/named.recursing";
    #在收到rndc secroots指令后，服务器转储安全根的目的文件的路径名。默认named.secroots
    secroots-file        "data/named.secroots";
    /*
      Specify listenning interfaces. You can use list of addresses (';' is
      delimiter) or keywords "any"/"none"
    */
    #IPV4监听端口为53,允许任何人连接
    //listen-on port 53    { any; };
    #IPv4监听端口为53，只允许本机连接
    listen-on port 53    { 127.0.0.1; };
    #IPV6监听端口为53,允许任何人连接
    //listen-on-v6 port 53    { any; };
    #IPv6监听端口为53，只允许本机连接
    listen-on-v6 port 53    { ::1; };
    /*
      访问控制
      Access restrictions
          两个重要选项
      There are two important options:
        allow-query { argument; };
          - allow queries for authoritative data
        允许查询来自权威数据
        allow-query-cache { argument; };
          - allow queries for non-authoritative data (mostly cached data)
        允许查询来自非权威数据
      You can use address, network address or keywords "any"/"localhost"/"none" as argument
      大括号中可以使用IP地址、网段、或者关键字 any任何人   localhost本机  none任何人不允许
      Examples:
        allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
        allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
    */
    #指定允许哪些主机可以进行普通的DNS查询,可以是关键字:any/localhost/none,也可以是IPV4,IPV6地址
    allow-query        { localhost; };
    #指定允许哪些主机可以对缓存的访问
    allow-query-cache    { localhost; };
    /* Enable/disable recursion - recursion yes/no;
        递归查询开关
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    假如你建立的是一个权威DNS你不需要开启递归
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
    假如你建立的是一个递归DNS,你需要开启递归服务
     - If your recursive DNS server has a public IP address, you MUST enable access 
    如果你的递归DNS是具有公网IP，你必须要设置访问控制来限制对合法用户的查询.
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
    否者你的DNS会被大规模的攻击
       attacks. Implementing BCP38 within your network would greatly
    在您的网络中实现BCP38将非常重要减少此类攻击面
       reduce such attack surface 
     */
    #开启递归
    recursion yes;
    #Domain Name System Security Extensions (DNS安全扩展）
    /* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
    /* Enable serving of DNSSEC related data - enable on both authoritative
        and recursive servers DNSSEC aware servers */
    #开启DNSSEC在权威或者递归服务器之间信任服务
    dnssec-enable yes;
    /* Enable DNSSEC validation on recursive servers */
    #开启DNSSEC验证在递归服务器
    dnssec-validation yes;
    /* In RHEL-7 we use /run/named instead of default /var/run/named
       so we have to configure paths properly. */
    #PID文件路径
    pid-file "/run/named/named.pid";
    #session-keyfile文件路径
    session-keyfile "/run/named/session.key";
    #指定目录，其中保存着跟踪被管理DNSSEC密钥文件。默认为工作目录。
    managed-keys-directory "/var/named/dynamic";
};
logging 
{
#开启DNS日志记录
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
/*
##日志分为两种 告警和访问
logging {
  channel warning {
    file "data/dns_warning" versions 10 size 10m;
    severity warning;
    print-category yes;
    print-severity yes;
    print-time yes;
  };
  channel general_dns {
    file "data/dns_log" versions 10 size 100m;
    severity info;
    print-category yes;
    print-severity yes;
    print-time yes;
  };
 #默认日志 warning
 category default {
    warning;
  };
 #访问日志级别 general_dns info
  category queries {
    general_dns;
  };
};
*/
};
/*
通过Views指令配置智能查询DNS
 Views let a name server answer a DNS query differently depending on who is asking.
 By default, if named.conf contains no "view" clauses, all zones are in the 
 "default" view, which matches all clients.
 Views are processed sequentially. The first match is used so the last view should
 match "any" - it's fallback and the most restricted view.
 If named.conf contains any "view" clause, then all zones MUST be in a view.
*/
#配置一个明称为localhost_resolver的智能访问视图
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
    #允许使用该视图解析的客户端   localhost本机   any 任何机器  或者网段
    match-clients         { localhost; };
    #允许递归
    recursion yes;
    # all views must contain the root hints zone:
    #根域
    zone "." IN {
        #域类型为hint,还有master slave forward等类型
            type hint;
        #区域数据库文件路径
            file "/var/named/named.ca";
    };
        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
     * not leak to the other nameservers:
     */
    #包含子配置文件
    include "/etc/named.rfc1912.zones";
};
#定义视图internal
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
   that connect via your directly attached LAN interfaces - "localnets" .
 */
    match-clients        { localnets; };
    recursion yes;
    zone "." IN {
            type hint;
            file "/var/named/named.ca";
    };
        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
     * not leak to the other nameservers:
     */
    include "/etc/named.rfc1912.zones";
    // These are your "authoritative" internal zones, and would probably
    // also be included in the "localhost_resolver" view above :
    /*
      NOTE for dynamic DNS zones and secondary zones:
      DO NOT USE SAME FILES IN MULTIPLE VIEWS!
      If you are using views and DDNS/secondary zones it is strongly
      recommended to read FAQ on ISC site (www.isc.org), section
      "Configuration and Setup Questions", questions
      "How do I share a dynamic zone between multIPle views?" and
      "How can I make a server a slave for both an internal and an external
       view at the same time?"
    */
    zone "my.internal.zone" { 
        type master;
        file "my.internal.zone.db";
    };
    zone "my.slave.internal.zone" {
        type slave;
        file "slaves/my.slave.internal.zone.db";
        masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
        // put slave zones in the slaves/ directory so named can update them
    };    
    zone "my.ddns.internal.zone" {
        type master;
        allow-update { key ddns_key; };
        file "dynamic/my.ddns.internal.zone.db";
        // put dynamically updateable zones in the slaves/ directory so named can update them
    };            
};
#设置DDNS_key
#主从复制加密使用
key ddns_key
{
    #加密方式 hmac-md5
    algorithm hmac-md5;
    secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
};
view "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not match any above view:
 */
    match-clients        { any; };
    zone "." IN {
            type hint;
            file "/var/named/named.ca";
    };
    recursion no;
    // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
    // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
    zone "my.external.zone" { 
        type master;
        file "my.external.zone.db";
    };
};
/* Trusted keys
#定义信任的dnssec密钥。
  This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
  have to configure at least one trusted key.
  Note that no key written below is valid. Especially root key because root zone
  is not signed yet.
*/
/*
trusted-keys {
// Root Key
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
             E9gx4UC1zGAHlXKdE4zYIPRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
// Key for forward zone
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
                      SCThlHf3xiYleDbt/o1OTQ09A0=";
// Key for reverse zone.
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
};
*/

vim /var/named/chroot/etc/named.conf

options {
        listen-on port 53 { 192.168.88.132; };
        #listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

systemctl start named-chroot

# 正向解析 named.localhost
;缓存时间
$TTL 1D
;@表示相应的域名
@    IN SOA        @ rname.invalid. (
;解析的域名   类型 授权域    授权域名服务器   管理员邮箱
                    0    ; serial  序列号,每次更新该文件系列号都应该变大
                    1D    ; refresh 刷新时间,即规定从域名服务器多长时间查询一个主服务器，以保证从服务器的数据是最新的
                    1H    ; retry   重试时间,即当从服务试图在主服务器上查询更时，而连接失败了，则这个值规定了从服务多长时间后再试 
                    1W    ; expire  过期时间,从服务器在向主服务更新失败后多长时间后清除对应的记录
                    3H )    ; minimum 这个数据用来规定缓冲服务器不能与主服务联系上后多长时间清除相应的记录
    NS   @
    ;NS 名称服务器，表示这个主机为域名服务器
    A    127.0.0.1
;主机头  A记录   IP
    AAAA    ::1
;   AAAA 解析为IPV6地址

# 反向解析 named.loopback
$TTL 1D
@    IN SOA    @ rname.invalid. (
                    0    ; serial
                    1D    ; refresh
                    1H    ; retry
                    1W    ; expire
                    3H )    ; minimum
    NS    @
    PTR    localhost
;IP 反向指针     域名
;PTR 反向指针 反解

zone "cqm.com" IN {
	type master;
	file "cqm.com.zone";
};

cp /var/named/chroot/var/named/named.localhost /var/named/chroot/var/named/cqm.com.zone
chgrp named cqm.com.zone
vim /var/named/chroot/var/named/cqm.com.zone

$TTL 1D
cqm.com.    IN SOA  dns.cqm.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
# A:IPv4解析为域名
# PTR:域名解析为IP
# MX
# CNAME:设置别名
		NS      dns.cqm.com.
# 解析dns为192.168.88.132
dns		A		192.168.88.132
# 解析www为192.168.88.132
www     A       192.168.88.132
# 用news访问也解析为www
news    CNAME   www

# 检测文件是否有误
named-checkzone cqm.com cqm.com.zone

vim /etc/resolve.conf
nameserver 192.168.88.132

yum -y install bind-utils
host www.cqm.com
www.cqm.com has address 192.168.88.132

host news.cqm.com
news.cqm.com is an alias for www.cqm.com.
www.cqm.com has address 192.168.88.132

zone "88.168.192.in-addr.arpa" IN {
	type master;
	file "192.168.88.arpa";
};

cp /var/named/chroot/var/named/named.loopback /var/named/chroot/var/named/192.168.88.arpa
vim /var/named/chroot/var/named/192.168.88.arpa

$TTL 1D
88.168.192.in-addr.arpa.        IN SOA  dns.cqm.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.cqm.com.
132     PTR     www.cqm.com.

named-checkzone 88.168.192.in-addr.arpa 192.168.88.arpa

host 192.168.88.132
132.88.168.192.in-addr.arpa domain name pointer www.cqm.com.

yum -y install bind bind-chroot

scp root@192.168.88.132:/var/named/chroot/etc/named.conf /var/named/chroot/etc/named.conf
chgrp named /var/named/chroot/etc/named.conf
vim /var/named/chroot/etc/named.conf

options {
        listen-on port 53 { 192.168.88.135; };
        #listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        # 从主DNS服务器拷过来的数据不进行加密
        masterfile-format text;

        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "cqm.com" IN {
        type slave;
        file "cqm.com.zone";
        masters { 192.168.88.132; };
};

zone "88.168.192.in-addr.arpa" IN {
        type slave;
        file "192.168.88.arpa";
        masters { 192.168.88.132; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

vim cqm.com.zone
...
vim 192.168.88.arpa
...

vim /etc/reslove.comf
nameserver 192.168.88.135
host www.cqm.com
...

options {
        listen-on port 53 { 192.168.88.132; };
        #listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

acl sz {
		# 假设该网段是深圳的IP地址段
        192.168.77.0/24;
};

acl gz {
        192.168.88.0/24;
};

acl fs {
        192.168.99.0/24;
};

view shenzhen {
match-clients { sz; };
        zone "." IN {
                type hint;
                file "named.ca";
        };

        zone "cqm.com" IN {
                type master;
                file "cqm.com.zone.SZ";
        };
};

view guangzhou {
match-clients { gz; };
        zone "." IN {
                type hint;
                file "named.ca";
        };

        zone "cqm.com" IN {
                type master;
                file "cqm.com.zone.GZ";
        };
};

view foshan {
match-clients { fs; };
        zone "." IN {
                type hint;
                file "named.ca";
        };

        zone "cqm.com" IN {
                type master;
                file "cqm.com.zone.FS";
        };
};

cp cqm.com.zone cqm.com.zone.SZ
cp cqm.com.zone cqm.com.zone.GZ
cp cqm.com.zone cqm.com.zone.FS
chgrp named cqm.com.zone.*

# 深圳
$TTL 1D
cqm.com.        IN SOA  dns.cqm.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.cqm.com.
dns     A       192.168.88.132
www     A       1.1.1.1
news    CNAME   www

# 广州
$TTL 1D
cqm.com.        IN SOA  dns.cqm.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.cqm.com.
dns     A       192.168.88.132
www     A       2.2.2.2
news    CNAME   www
# 佛山

$TTL 1D
cqm.com.        IN SOA  dns.cqm.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.cqm.com.
dns     A       192.168.88.132
www     A       3.3.3.3
news    CNAME   www

# 测试主机的地址段为192.168.88.0/24网段的，所以属于广州区域，即匹配解析到2.2.2.2
host www.cqm.com
www.cqm.com has address 2.2.2.2

yum -y install vsftpd

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#匿名用户访问,YES是允许，NO是拒绝
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
# 本地用户登录,YES是允许，NO是拒绝.默认访问的是本地用户家目录，如果你开启了selinux
# 请设置开启布尔值ftp_home_dir为ON
# When SELinux is enforcing check for SE bool ftp_home_dir
local_enable=YES
#
#允许本地用户上传
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# 上传的权限是022，使用的是umask权限。对应的目录是755，文件是644
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
# 开启匿名用户上传功能，默认是拒绝的
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
# 开启匿名用户创建文件或文件夹权限
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# 开启目录欢迎消息，一般对命令行登陆有效
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
# 开启上传和下载日志记录功能
xferlog_enable=YES
#
#使用标准模式
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
# 声明匿名用户上传文件的所有者
# 允许更改匿名用户上传文件的所有者
#chown_uploads=YES
#所有者为whoever
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
# 日志文件路径
#xferlog_file=/var/log/xferlog
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
# 日志文件采用标准格斯
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
# 会话超时时间
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
# 数据传输超时时间
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
# FTP子进程管理用户
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
# 是否允许客户端发起“async ABOR”请求，该操作是不安全的默认禁止。
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
# the behaviour when these options are disabled.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
# 该选项用于指定是否允许上传时以ASCII模式传输数据
#ascii_upload_enable=YES
#该选项用于指定是否允许下载时以ASCII模式传输数据
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
# FTP文本界面登陆欢迎词
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
# 是否开启拒绝的Email功能
#deny_email_enable=YES
# (default follows)
# 指定保存被拒接的Email地址的文件
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
# 是否开启对本地用户chroot的限制，YES为默认所有用户都不能切出家目录，NO代表默认用户都可以切出家目录
# 设置方法类似于：YES拒绝所有允许个别；NO允许所有拒绝个别
#chroot_local_user=YES
# 开启特例列表
#chroot_list_enable=YES
# (default follows)
# 如果chroot_local_user的值是YES则该文件中的用户是可以切出家目录，如果是NO，该文件中的用户则不能切出家目录
# 一行一个用户。
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
# 是否开启ls 递归查询功能 ls -R
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
# 是否开启ftp独立模式在IPV4
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
# Make sure, that one of the listen options is commented !!
# 是否开启ftp独立模式在ipv6
listen_ipv6=YES
#启用pam模块验证
pam_service_name=vsftpd
#是否开启userlist功能.
定义对列表中的用户做定义
userlist_deny=NO
#NO拒绝所有人访问，对应列表中的用户可以访问，YES允许所有人访问，列表中的用户无法访问。
#只有userlist_file=/etc/vsftpd/user_list定义的用户才可以访问或拒绝访问
userlist_enable=YES
#是否开启tcp_wrappers管理，TCP_Wrappers是一个工作在第四层（传输层）的的安全工具，
#对有状态连接的特定服务进行安全检测并实现访问控制
tcp_wrappers=YES

# 是否开启对本地用户chroot的限制，YES为默认所有用户都不能切出家目录，NO代表默认用户都可以切出家目录
# 设置方法类似于：YES拒绝所有允许个别；NO允许所有拒绝个别
chroot_local_user=YES
chroot_list_enable=YES
# 特例列表
chroot_list_file=/etc/vsftpd/chroot_list

# 如果用户家目录有写权限的话，则该用户登陆不上
# 如果想在有写权限的家目录登录的话，需在配置文件加上
allow_writeable_chroot=YES

help # 打印命令菜单
!+linux命令 # 执行linux命令
lcd 目录路径 # 切换linux当前路径
put mput # 上传 批量上传
get mget # 下载 批量下载
ls dir # 列出目录内容
mkdir cd delete rmdir # 创建目录 进入目录 删除文件 删除目录
pwd # 现实FTP当前路径
open close bye # 开启/关闭/退出FTP

guest_enable=YES
guest_username=cqm
# 虚拟用户不用本地用户的权限
virtual_use_local_privs=NO
# 用户文件存放地址
user_config_dir=/etc/vsftpd/vconf.d

useradd -s /sbin/nologin -d /var/tmp/vuser_ftp cqm

chmod 500 /var/tmp/vuser_ftp
mkdir /var/tmp/vuser_ftp/{A,B,C}
chmod 700 /var/tmp/vuser_ftp/*
chown -R cqm:cqm /var/tmp/vuser_ftp

vim /etc/vsftpd/vuser
A_01
123
B_01
123
C_01
123
A_02
123
B_02
123
C_02
123
db_load -T -t hash -f /etc/vsftpd/vuser /etc/vsftpd/vuser.db
chmod 600 /etc/vsftpd/vuser.db

vim /etc/pam.d/vsftpd
auth       sufficient   /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser
account    sufficient   /lib64/security/pam_userdb.so db=/etc/vsftpd/vuser

vim /etc/vsftpd/chroot_list
A_01
B_01
C_01
A_02
B_02
C_02

mkdir /etc/vsftpd/vconf.d
# A主管文件
vim /etc/vsftpd/vconf.d/A_01
# 指定家目录
local_root=/var/tmp/vuser_ftp/A
# 指定权限
anon_umask=077
# 下载权限
anon_world_readable_only=NO
# 上传权限
anon_upload_enable=YES
# 创建目录权限
anon_mkdir_write_enable=YES
# 删除和重命名目录权限
anon_other_write_enable=YES

# A员工文件
vim /etc/vsftpd/vconf.d/A_02
local_root=/var/tmp/vuser_ftp/A
anon_world_readable_only=NO

vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=cqm
virtual_use_local_privs=NO
user_config_dir=/etc/vsftpd/vconf.d

ftp 192.168.88.132
A_01
123
230 Login successful

yum -y install samba samba-client
systemctl start smb nmb

cat /etc/samba/smb.conf.example
# This is the main Samba configuration file. For detailed information about the
# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
# number of configurable options, most of which are not shown in this example.
#
# The Samba Wiki contains a lot of step-by-step guides installing, configuring,
# and using Samba:
# https://wiki.samba.org/index.php/User_Documentation
#
# In this file, lines starting with a semicolon (;) or a hash (#) are
# comments and are ignored. This file uses hashes to denote commentary and
# semicolons for parts of the file you may wish to configure.
#
# NOTE: Run the "testparm" command after modifying this file to check for basic
# syntax errors.
#
#---------------
#
#SAMBA selinux相关设置，如果你开启了selinux，请注意下面的说明
#
#
#Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the
# useradd and groupadd family of binaries. Run the following command as the
# root user to turn this Boolean on:
# 如果你在域环境中使用samba那么请设置下面的bool值
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
#
# 假如希望通过samba共享用户家目录请设置下面的bool值
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
#加入你想将目录通过samba共享，请确认其目录标签为sambe_share_t
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# 标签设置方法
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# 对共享目录的权限的bool设置，只读或读写
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.
#
#--------------
#
#======================= Global Settings =====================================
#全局设置，对整个服务都生效
[global]
#网络设置
# ----------------------- Network-Related Options -------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description field.
#
# netbios name = used to specify a server name that is not tied to the hostname,
#                maximum is 15 characters.
#
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the "interfaces =" option to
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
#
#定义计算机的工作组,如果希望和windows共享，可以设置为workgroup，这样就可以在windows的网上邻居中找到linux计算机
    workgroup = MYGROUP
#对samba服务器的描述信息
    server string = Samba Server Version %v
#设置netbios计算机名称
;    netbios name = MYSERVER
#samba使用本机的那块网卡
;    interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
#允许那个网段访问samba服务器共享
;    hosts allow = 127. 192.168.12. 192.168.13.
#
#日志选项
# --------------------------- Logging Options -----------------------------
#
# log file = specify where log files are written to and how they are split.
#
# max log size = specify the maximum size log files are allowed to reach. Log
# files are rotated when they reach the size specified with "max log size".
#
    #samba日志文件路径
    # log files split per-machine:
    log file = /var/log/samba/log.%m
    #日志文件大小，0为不限制，注意不建议这样设置
    # maximum size of 50KB per log file, then rotate:
    max log size = 50
#独立服务选项
# ----------------------- Standalone Server Options ------------------------
#
# security = the mode Samba runs in. This can be set to user, share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
#samba安全级别
#share:  不需要账号密码，公开共享
#user:   需要提供sam账号密码才能访问共享，私密共享
#server：依靠其他Windows NT/2000或Samba Server来验证用户的账号和密码,是一种代理验证。此种安全模式下,系统管理员可以把所有的Windows用户和口令集中到一个NT系统上,>使用Windows NT进行Samba认证, 远程服务器可以自动认证全部用户和口令,如果认证失败,Samba将使用用户级安全模式作为替代的方式。
#domain：域安全级别,使用主域控制器(PDC)来完成认证。
#
#一般情况下我们使用share和user的比较多，除非公司有完整的域环境
    security = user
#该方式则是使用一个数据库文件来建立用户数据库。数据库文件叫passdb.tdb，默认在/etc/samba目录下。passdb.tdb 用户数据库可以使用smbpasswd –a来建立Samba用户，不过要建立的Samba用户必须先是系统用户。我们也可以使用pdbedit命令来建立Samba账户并由其pdbedit管理。
    passdb backend = tdbsam
#域成员选项
# ----------------------- Domain Members Options ------------------------
#
# security = must be set to domain or ads.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# realm = only use the realm option when the "security = ads" option is set.
# The realm option specifies the Active Directory realm the host is a part of.
#
# password server = only use this option when the "security = server"
# option is set, or if you cannot use DNS to locate a Domain Controller. The
# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
#
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#
# Use "password server = *" to automatically locate Domain Controllers.
#设置域共享
;    security = domain
;    passdb backend = tdbsam
#定义域名称
;    realm = MY_REALM
#域验证服务器
;    password server = 
#域控选项
# ----------------------- Domain Controller Options ------------------------
#
# security = must be set to user for domain controllers.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# domain master = specifies Samba to be the Domain Master Browser, allowing
# Samba to collate browse lists between subnets. Do not use the "domain master"
# option if you already have a Windows NT domain controller performing this task.
#
# domain logons = allows Samba to provide a network logon service for Windows
# workstations.
#
# logon script = specifies a script to run at login time on the client. These
# scripts must be provided in a share named NETLOGON.
#
# logon path = specifies (with a UNC path) where user profiles are stored.
#
#
;    security = user
;    passdb backend = tdbsam
;    domain master = yes
;    domain logons = yes
    # the following login script name is determined by the machine name
    # (%m):
;    logon script = %m.bat
    # the following login script name is determined by the UNIX user used:
;    logon script = %u.bat
;    logon path = \\%L\Profiles\%u
    # use an empty path to disable profile support:
;    logon path =
    # various scripts can be used on a domain controller or a stand-alone
    # machine to add or delete corresponding UNIX accounts:
;    add user script = /usr/sbin/useradd "%u" -n -g users
;    add group script = /usr/sbin/groupadd "%g"
;    add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;    delete user script = /usr/sbin/userdel "%u"
;    delete user from group script = /usr/sbin/userdel "%u" "%g"
;    delete group script = /usr/sbin/groupdel "%g"
#这些设置选项主要用于SMB网络中进行浏览时，设置samba服务器的行为。缺省情况不让 samba服务器参加broswser的推举过程，为了使得samba服务器能成为browser，就需要设定local master =yes。然后samba服务就可以根据os level设置的权重进行推举，缺省的os level为0，这个权重不会赢得推举。但可以取消注释，将os level设置为33，这将在与所有Windows计算机（包括Windows NT）的推举竞赛中获得胜利，因为NT server的权重为32。设置比33更高的权重，只是在不同的samba 服务器之间进行选择时才有意义。
#
# preferred master  可以设置自己优先成为浏览服务器候选人
#
# ----------------------- Browser Control Options ----------------------------
#
# local master = when set to no, Samba does not become the master browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local browser election at
# start up (and gives itself a slightly higher chance of winning the election).
#
;    local master = no
;    os level = 33
;    preferred master = yes
#
#
#wins服务，如果网络中配置了wins服务器可以在此设置wins相关项
#----------------------------- Name Resolution -------------------------------
#
# This section details the support for the Windows Internet Name Service (WINS).
#
# Note: Samba can be either a WINS server or a WINS client, but not both.
#
# wins support = when set to yes, the NMBD component of Samba enables its WINS
# server.
#
# wins server = tells the NMBD component of Samba to be a WINS client.
#
# wins proxy = when set to yes, Samba answers name resolution queries on behalf
# of a non WINS capable client. For this to work, there must be at least one
# WINS server on the network. The default is no.
#
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
# nslookups.
#设置nmb进程支持wins服务
;    wins support = yes
#设置wins服务器ip
;    wins server = w.x.y.z
#设置wins代理IP
;    wins proxy = yes
#设置Samba服务器是否在无法联系WINS服务器时通过DNS去解析主机的NetBIOS名
;    dns proxy = yes
#该部分包括Samba服务器打印机相关设置
# --------------------------- Printing Options -----------------------------
#
# The options in this section allow you to configure a non-default printing
# system.
#
# load printers = when set you yes, the list of printers is automatically
# loaded, rather than setting them up individually.
#
# cups options = allows you to pass options to the CUPS library. Setting this
# option to raw, for example, allows you to use drivers on your Windows clients.
#
# printcap name = used to specify an alternative printcap file.
#
#是否启用共享打印机
    load printers = yes
    cups options = raw
#打印机配置文件
;    printcap name = /etc/printcap
    # obtain a list of printers automatically on UNIX System V systems:
;    printcap name = lpstat
#打印机的系统类型,现在支持的打印系统有：bsd, sysv, plp, lprng, aix, hpux, qnx,cups
;    printing = cups
#该部分包括Samba服务器如何保留从Windows客户端复制或移动到Samba服务器共享目录文件的Windows文件属性的相关配置.
# --------------------------- File System Options ---------------------------
#
# The options in this section can be un-commented if the file system supports
# extended attributes, and those attributes are enabled (usually via the
# "user_xattr" mount option). These options allow the administrator to specify
# that DOS attributes are stored in extended attributes and also make sure that
# Samba does not change the permission bits.
#
# Note: These options can be used on a per-share basis. Setting them globally
# (in the [global] section) makes them the default for all shares.
#当Windows客户端将文件复制或移动到Samba服务器共享目录时，是否保留文件在Windows中的存档属性。默认no。
;    map archive = no
#当Windows客户端将文件复制或移动到Samba服务器共享目录时，是否保留文件在Windows中的隐藏属性。默认no。
;    map hidden = no
#当Windows客户端将文件复制或移动到Samba服务器共享目录时，是否保留文件在Windows中的只读属性。默认为no。
;    map read only = no
#当Windows客户端将文件复制或移动到Samba服务器共享目录时，是否保留文件在Windows中的系统文件属性。默认为no。
;    map system = no
#当Windows客户端将文件复制或移动到Samba服务器共享目录时，是否保留文件在Windows中的相关属性（只读、系统、隐藏、存档属性）。默认为yes。
;    store dos attributes = yes
#共享设置
#============================ Share Definitions ==============================
#用户家目录共享
#共享名称
[homes]
#描述
    comment = Home Directories
#是否支持浏览
    browseable = no
#是否允许写入
    writable = yes
#允许访问该共享资源的smb用户，@组
;    valid users = %S
;    valid users = MYDOMAIN\%S
#打印机共享
[printers]
#描述
    comment = All Printers
#路径
    path = /var/spool/samba
#是否可浏览，no类似隐藏共享
    browseable = no
#是否支持guest访问，和public指令类似    
    guest ok = no
#是否可写
    writable = no
#是否允许打印
    printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons:
;    [netlogon]
;    comment = Network Logon Service
;    path = /var/lib/samba/netlogon
;    guest ok = yes
;    writable = no
;    share modes = no
# Un-comment the following to provide a specific roaming profile share.
# The default is to use the user's home directory:
;    [Profiles]
;    path = /var/lib/samba/profiles
;    browseable = no
;    guest ok = yes
# A publicly accessible directory that is read only, except for users in the
# "staff" group (which have write permissions):
;    [public]
;    comment = Public Stuff
;    path = /home/samba
;    public = yes
;    writable = no
;    printable = no
#定义允许哪些smb用户写入
;    write list = +staff

# smbpasswd用户命令
# -a 添加用户 smbpasswd -a cqm
# -x 删除用户 smbpasswd -x cqm
# -d 禁用帐号 smbpasswd -d cqm
# -e 取消禁用 smbpasswd -e cqm
# -n 清除密码 smbpasswd -a cqm
useradd -s /sbin/nologin cqm1
useradd -s /sbin/nologin cqm2
smbpasswd -a cqm1
smbpasswd -a cqm2

mkdir /common
# 设置757是为了让cqm2有写权限
chmod 757 /common

[global]
		workgroup = WORKGROUP
		...
[common]
        comment = samba share directory
        path = /common
        browseable = YES
        hosts allow = 10.0.0.0/8,192.168.88.0/24
        valid users = cqm1,cqm2
        writable = No
        write list = cqm2

yum -y install samba-client

smbclient //192.168.88.132/common -U cqm2%toortoor

mkdir /common
mount -o username=cqm2,password=toortoor -t cifs //192.168.88.132/common /common
mount
//192.168.88.132/common on /common type cifs (rw,relatime,vers=default,cache=strict,username=cqm2,domain=LOCALHOST,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.88.132,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)

yum -y install nfs-utils
systemctl start rpcbind
systemctl start nfs

# 共享格式
# 共享目录绝对路径 IP地址或网段地址(权限1,权限2)
/test 192.168.88.132(rw,sync)
# 权限说明
ro                      只读访问  
rw                      读写访问  
sync                    所有数据在请求时写入共享  
async                   NFS在写入数据前可以相应请求  
secure                  NFS通过1024以下的安全TCP/IP端口发送  
insecure                NFS通过1024以上的端口发送  
wdelay                  如果多个用户要写入NFS目录，则归组写入（默认）  
no_wdelay               如果多个用户要写入NFS目录，则立即写入，当使用async时，无需此设置。  
hide                    在NFS共享目录中不共享其子目录  
no_hide                 共享NFS目录的子目录  
subtree_check           如果共享/usr/bin之类的子目录时，强制NFS检查父目录的权限（默认）  
no_subtree_check        和上面相对，不检查父目录权限  
all_squash              共享文件的UID和GID映射匿名用户anonymous，适合公用目录。  
no_all_squash           保留共享文件的UID和GID（默认）  
root_squash             root用户的所有请求映射成如anonymous用户一样的权限（默认）  
no_root_squash          root用户具有根目录的完全管理访问权限  
anonuid=xxx          	指定NFS服务器/etc/passwd文件中匿名用户的UID  
anongid=xxx          	指定NFS服务器/etc/passwd文件中匿名用户的GID

exportfs命令：
-a     打开或取消所有目录共享。
-o     options,... 指定一列共享选项，与 exports(5) 中讲到的类似。
-i     忽略 /etc/exports 文件，从而只使用默认的和命令行指定的选项。
-r     重新共享所有目录。它使/var/lib/nfs/xtab和/etc/exports同步。它将/etc/exports中已删除的条目从 /var/lib/nfs/xtab中删除，将内核共享表中任何不再有效的条目移除。
-u     取消一个或多个目录的共享。
-f     在“新”模式下，刷新内核共享表之外的任何东西。
       任何活动的客户程序将在它们的下次请求中得到mountd 添加的新的共享条目。
-v     输出详细信息。当共享或者取消共享时，显示在做什么。
       显示当前共享列表的时候，同时显示共享的选项。

# 创建被共享目录
mkdir /test
# 设置exports
vim /etc/exports
/test 192.168.88.0/24(rw,sync)
# 共享
exportfs -r
# 查看是否共享
exportfs -v
showmount -e 192.168.88.132

mount -t nfs 192.168.88.132:/test /test

yum -y install targetcli
sysetmctl start target