INFO 321 Server Technologies II - PowerPoint PPT Presentation

About This Presentation
Title:

INFO 321 Server Technologies II

Description:

SMB was originally for MS-DOS and PC-DOS. SMB is the file sharing protocol inside CIFS. The inventor of SMB was Dr. Barry Feigenbaum of IBM, who initially called ...

Number of Views:92
Avg rating:3.0/5.0
Slides: 67
Provided by: rkap7

Transcript and Presenter's Notes

Title: INFO 321 Server Technologies II


1
INFO 321 Server Technologies II
2
What is Samba?
  • Samba is essentially a TCP/IP file and print
    server for Microsoft Windows clients
  • It can support any SMB/CIFS-enabled client
  • SMB/CIFS?
  • SMB is Server (or Session) Message Block
  • Common Internet File System (CIFS) is Windows
    File Sharing

3
SMB
  • SMB was originally developed to run over NetBIOS
    (Network Basic Input Output System) LANs in the
    mid-1980s
  • SMB was originally for MS-DOS and PC-DOS
  • SMB is the file sharing protocol inside CIFS
  • The inventor of SMB was Dr. Barry Feigenbaum of
    IBM, who initially called it BAF
  • Notice the name Samba contains SaMBa

4
SMB
  • As of Windows 2000, the connection to NetBIOS was
    removed, thankfully
  • There exists NBT (NetBIOS over TCP/IP)
  • SMB over TCP/IP without NBT is "naked"
  • When running naked, SMB defaults to using TCP
    port 445 instead of the NBT Session Service port
    (TCP/139)
  • SMB should work over any transport protocol

5
CIFS
  • CIFS is a network file system plus a set of
    auxiliary services supported by a bunch of
    underlying protocols
  • Most of which are not particularly well
    documented by Microsoft (you may faint now)
  • CIFS is "Microsoft's way of doing network file
    sharing" since about 1996
  • There is no RFC number for SMB or CIFS
  • Microsoft's implementations are the de facto CIFS
    standards

6
So what?
  • One of Samba's big strengths is that you can use
    it to blend your mix of Windows and Linux
    machines together without requiring a separate
    Windows server. Samba includes support for Active
    Directory, Unicode, new authentication and
    filename mangling systems, printing support,
    trust relationships, LDAP integration and
    loadable RPC modules.
  • From The Unofficial Samba HOWTO

7
If that's not enough
  • Samba is software that can be run on a platform
    other than Microsoft Windows, for example, UNIX,
    Linux, IBM System 390, OpenVMS, and other
    operating systems. Samba uses the TCP/IP protocol
    that is installed on the host server. When
    correctly configured, it allows that host to
    interact with a Microsoft Windows client or
    server as if it is a Windows file and print
    server.
  • From What is Samba?

8
Samba Today
  • Samba is on version 3.4.0 (as of July 3, 2009),
    and is available for the following platforms
  • UNIX - AIX (IBM UNIX), HP-UX (HP UNIX), Solaris
    (Sun UNIX)
  • Linux - Debian, Fedora, RedHat, SuSE
  • MVS (IBM mainframes)
  • Novell (NetWare)
  • VMS (was DEC, now HP OpenVMS)

From http://us1.samba.org/samba/ftp/Binary_Packages/
9
SMB addressing - UNC
  • A Universal Naming Convention (UNC) path might
    look something like this
  • \\ubiqx\cifs\SMB.html
  • ...and would parse out like this
  • ubiqx: the name of the server
  • cifs: the directory path
  • SMB.html: the file name

Much of this section adapted from Implementing CIFS
10
SMB addressing - UNC
  • UNC doesn't provide a protocol specification
  • That's not because it always assumes SMB
  • The UNC format can support all sorts of
    filesharing protocols, but it is up to the
    underlying OS or application to figure out which
    one to use
  • Protocol and transport discovery are handled by
    trial-and-error, with each possibility tested
    until something works
  • You might imagine a system with AppleTalk,
    NetWare, and SMB all enabled has a lot of work to
    do

11
UNC
  • The UNC format is handled natively by Microsoft
    and IBM's family of operating systems: DOS, OS/2,
    Windows
  • Samba's smbclient utility can also parse UNC
    names, but it does so at the application level
    rather than within the OS and it only ever tries
    to deal with SMB
  • Even so, smbclient must handle both NBT and naked
    transport, which can be tricky

12
UNC
  • The first field is called the server identifier,
    not the server name, because it will accept
    addresses in addition to names
  • Recognized server names are
  • NetBIOS names
  • DNS hostnames
  • IP addresses
  • Going from an IP address to a NetBIOS name
    involves guesswork

13
Share names
  • The directory path looks just like a directory
    path, but there is one small thing that makes it
    different: that thing is called the "share name"
  • A given directory can have one or many share
    names
  • The idea is similar to symbolic links (symlinks)
    in Unix, or shortcuts in Windows
  • The share is a named pointer--with its own set of
    attributes--to the object being made available

14
File name
  • File names are straightforward, right? No.
  • Windows is case insensitive
  • But UNIX and Linux are case sensitive
  • Other problem areas include
  • filename lengths
  • valid characters
  • file access permissions
  • the end-of-line delimiter in text files

15
SMB URL
  • Fortunately, there is such a thing as an SMB URL
  • It fits into the general URI syntax and can be
    used to specify files, directories, and other
    SMB-shared stuff
  • It is intended as a more portable, and more
    complete way to specify SMB paths at the
    application level

16
Reach out
  • and touch an SMB server
  • To do this we need two steps to identify who
    we're talking to, and how
  • Server identifier interpretation
  • Transport discovery

17
Server identifier interpretation
  • Try a URL like this:
  • smb://server/
  • Assuming the server's name is "server"
  • To resolve the name "server", try the following
  • It could be an IPv4 address
  • That's easy; IPv6 addresses should be in
    brackets, e.g. smb://[fe80::240:f4ff:fe1f:8243]/

18
Server identifier interpretation
  • It could be a NetBIOS Name
  • Look for un-escaped dots in the NetBIOS name
  • smb://my%2Enode.scope/ has a NetBIOS name of
    my.node and a Scope ID of scope
  • Use an NBT Name Query to get the server's IP
    address
  • It could be a DNS name
  • Try DNS to get the IP address

19
Port number please?
  • Now we need to divine the port number
  • Port 139 is for NBT
  • Port 445 is for raw TCP
  • Which one applies?
  • And if other security protocols are being used,
    higher port numbers could apply
  • So this is another mess to figure out, if you
    weren't given it

20
Transport discovery
  • Try running naked
  • Open a TCP connection to port 445 on the server,
    but do not send an NBT SESSION REQUEST--just
    start sending SMB messages and see if that works
  • Try NBT transport
  • Try reverse-mapping a NetBIOS Name
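
As an added example (not code from the slides or from Implementing CIFS), the Python below parses a UNC path into the three parts described on slide 9, rewrites it as an SMB URL, and lists the resolution attempts a client would make for the server identifier in the order slides 17 to 20 give: a literal IPv4 or bracketed IPv6 address needs no lookup, otherwise the NetBIOS reading (the first un-escaped dot starts the Scope ID, %2E escapes a dot inside the name) comes before the DNS reading. It only plans the lookups and makes no network queries; the 15-character limit on NetBIOS names is standard but is not stated on the slides.

```python
import ipaddress
from urllib.parse import unquote


def parse_unc(unc):
    r"""Split a UNC path such as \\server\share\dir\file into server, share and path."""
    if not unc.startswith("\\\\"):
        raise ValueError("a UNC path starts with two backslashes")
    parts = unc[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("a UNC path needs at least a server and a share name")
    return {"server": parts[0], "share": parts[1], "path": "/".join(parts[2:])}


def unc_to_smb_url(unc):
    r"""Rewrite a UNC path as an SMB URL: \\ubiqx\cifs\SMB.html -> smb://ubiqx/cifs/SMB.html."""
    p = parse_unc(unc)
    return "smb://" + "/".join(part for part in (p["server"], p["share"], p["path"]) if part)


def resolution_plan(url):
    """Ordered resolution attempts for the server identifier of an smb:// URL.

    A literal address needs no lookup. Otherwise the NetBIOS reading (an NBT
    Name Query) is listed before the DNS reading, the trial order on the slides;
    no network query is made here, the caller works through the list.
    """
    if not url.lower().startswith("smb://"):
        raise ValueError("not an SMB URL")
    ident = url[6:].split("/", 1)[0]
    if not ident:
        raise ValueError("empty server identifier")
    if ident.startswith("[") and ident.endswith("]"):       # IPv6 literals must be bracketed
        return [("ipv6", str(ipaddress.IPv6Address(ident[1:-1])))]
    try:
        return [("ipv4", str(ipaddress.IPv4Address(ident)))]
    except ValueError:
        pass                                                # not a dotted quad, so a name
    # NetBIOS reading: the first un-escaped dot separates the name from the
    # Scope ID, so a dot inside the name itself has to be escaped as %2E.
    raw_name, _, scope = ident.partition(".")
    name = unquote(raw_name)
    plan = []
    if len(name) <= 15:                                     # NetBIOS names are at most 15 chars
        plan.append(("netbios", name, scope or None))
    plan.append(("dns", unquote(ident)))                    # DNS reading keeps the whole name
    return plan
```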

21
Can we do something?
  • All that was just to establish a connection to an
    SMB server
  • Now we can look at SMB commands
  • They may contain a header, parameters, and data

Image from http://www.ubiqx.org/cifs/figures/smb-03.html
22
SMB Header
  • The SMB header typically has eight 4-byte lines
  • SMB_HEADER
  • PROTOCOL "\xffSMB" (4 B)
  • COMMAND <SMB command code> (1 B)
  • The CIFS Technical Reference lists these
  • STATUS <Status code> (4 B)
  • FLAGS <Old flags> (1 B)

23
SMB Header
  • FLAGS2 <New flags> (2 B)
  • EXTRA <Sometimes used for additional data> (12 B)
  • The PidHigh subfield is used to accommodate
    systems that have 32-bit Process IDs
  • The 8-byte Signature subfield is for SMB message
    signing, as in a digital signature
  • When not in use, these fields must be filled with
    zeros

24
SMB Header
  • TID <Tree ID> (2 B)
  • The SMB used to open a share is called a "Tree
    Connect"; the TID field is used to identify
    connections to shares once they have been
    established
  • PID <Process ID> (2 B)
  • The "Process ID" is set by the client, and is
    intended as an identifier for the process sending
    the SMB request
  • The most important thing to note regarding the
    PID is that file locking and access modes are
    maintained relative to the value in this field

25
SMB Header
  • UID <User ID> (2 B)
  • The "User ID" is also known as a VUID (Virtual
    User ID)
  • It is assigned by the server after the user logs
    in, and is valid until the user logs off
  • It does not need to be the user's actual User ID
    on the server system

26
SMB Header
  • MID <Multiplex ID> (2 B)
  • The "Multiplex ID" is used by the client to keep
    track of multiple outstanding requests
  • The server must echo back the MID and the PID
    provided in the client request
  • The client can use those values to make sure that
    the reply is matched up to the correct request

27
SMB Message Parameters
  • SMB_PARAMETERS
  • WordCount <Number of words in the Words array>
    (1 B)
  • Words[WordCount] <SMB parameters; varies with
    SMB command> (2*WordCount B)
  • The SMB_PARAMETERS.Words block is limited in
    length to 510 bytes

28
SMB Message Parameters
  • Each SMB message type (species?) has a different
    record structure that is carried in the Words
    block
  • Think of that structure as representing the
    parameters passed to a function (the function
    identified by the SMB command code listed in the
    header)

29
SMB Message Data
  • SMB_DATA
  • ByteCount <Number of bytes in the Bytes field>
    (2 B)
  • Bytes[ByteCount] <Contents vary with SMB
    command> (ByteCount B)
  • SMB_DATA.Bytes may be as much as 65,535 bytes in
    length

30
Parameters vs Data blocks
  • So if the Parameters block and the Data block
    look alike, it's not just you
  • "...any functional distinction that may have
    separated the Parameter and Data blocks has been
    blurred" (Implementing CIFS)

31
AndX messages
  • SMB can form a linked list of related messages
    using a format called AndX messages
  • The AndX message has two fields in a 4-Byte line
  • AndXCommand (1 B)
  • (reserved) (1 B)
  • AndXOffset (2 B)

32
AndX messages
Figure from http://www.ubiqx.org/cifs/figures/smb-05.html
  • The AndXCommand field provides the SMB command
    code for the next AndX block in the list (not the
    current one)
  • The AndXOffset value in each AndX parameter block
    gives the offset (relative to the start of the
    SMB) of the next AndX block; the AndXOffset of the
    last AndX block has a value of zero (0)

33
AndX messages
  • The AndXOffset contains the byte index, relative
    to the start of the SMB header, of that next AndX
    block--think of it as a pointer
  • Since the AndXOffset value is independent of the
    SMB_PARAMETERS.WordCount and SMB_DATA.ByteCount
    values, it is possible to provide padding between
    the AndX blocks
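
An added example, not code from the slides or their sources: it unpacks the 32-byte SMB_HEADER and the SMB_PARAMETERS/SMB_DATA blocks laid out on slides 22 to 29, then walks an AndX chain (slides 31 to 33) over a constructed message, refusing a chain whose AndXOffset points outside the message or backwards (the loop a robust parser must not follow). The AndX-capable command codes in ANDX_COMMANDS (0x73 SESSION_SETUP_ANDX, 0x75 TREE_CONNECT_ANDX and the rest) are the standard SMB1 values from the CIFS Technical Reference and are not listed on the slides; the sample message is constructed for the demo and is not a protocol-complete request.

```python
import struct
from collections import namedtuple

SMB_MAGIC, HEADER_LEN, HEADER_FMT = b"\xffSMB", 32, "<4sBIBHH8s2sHHHH"   # eight 4-byte lines, little-endian
Header = namedtuple("Header", "protocol command status flags flags2 pid_high "
                              "signature reserved tid pid uid mid")
# SMB1 command codes whose Words block begins with an AndX field (CIFS Technical Reference values)
ANDX_COMMANDS = {0x24, 0x2D, 0x2E, 0x2F, 0x73, 0x74, 0x75, 0xA2}
NO_ANDX = 0xFF                                    # AndXCommand value meaning "no further block"

def parse_header(msg):
    """Unpack the 32-byte SMB_HEADER; reject a short message or a bad PROTOCOL field."""
    if len(msg) < HEADER_LEN or msg[:4] != SMB_MAGIC:
        raise ValueError("not an SMB message")
    return Header(*struct.unpack(HEADER_FMT, msg[:HEADER_LEN]))

def parse_blocks(msg, off):
    """Read SMB_PARAMETERS (WordCount, Words) then SMB_DATA (ByteCount, Bytes) at offset `off`."""
    if off >= len(msg):
        raise ValueError("block offset outside the message")
    word_count = msg[off]
    data_off = off + 1 + 2 * word_count               # Words is 2*WordCount bytes long
    if data_off + 2 > len(msg):
        raise ValueError("truncated parameter block")
    (byte_count,) = struct.unpack_from("<H", msg, data_off)
    if data_off + 2 + byte_count > len(msg):
        raise ValueError("truncated data block")
    words, data = msg[off + 1:data_off], msg[data_off + 2:data_off + 2 + byte_count]
    return word_count, words, byte_count, data

def walk_andx(msg):
    """Follow the AndX chain; return [(command, block_offset), ...] or raise on a bad chain."""
    cmd, off, chain = parse_header(msg).command, HEADER_LEN, []
    while True:
        word_count, words, _, _ = parse_blocks(msg, off)
        chain.append((cmd, off))
        if cmd not in ANDX_COMMANDS or word_count < 2:
            return chain                              # plain command: nothing is chained
        next_cmd, next_off = words[0], struct.unpack_from("<H", words, 2)[0]
        if next_cmd == NO_ANDX or next_off == 0:
            return chain                              # last block of the chain
        if next_off <= off:                           # must move forward, or the chain loops
            raise ValueError("AndXOffset points backwards")
        cmd, off = next_cmd, next_off

def chain_ok(msg):
    """True when the message and its AndX chain parse cleanly; handy as a detection filter."""
    try:
        return bool(walk_andx(msg))
    except ValueError:
        return False

def build_sample():
    """Constructed sample (not a protocol-complete request): 0x73 chained to 0x75 with 3 pad bytes."""
    header = struct.pack(HEADER_FMT, SMB_MAGIC, 0x73, 0, 0x18, 1, 0, b"\0" * 8, b"\0\0", 0, 0x1234, 0, 1)
    first = struct.pack("<BBBHH", 2, 0x75, 0, HEADER_LEN + 7 + 3, 0)   # WordCount=2, next block at 42
    second = struct.pack("<BBBHH", 2, NO_ANDX, 0, 0, 5) + b"IPC$\0"    # last block; ByteCount=5
    return header + first + b"\0\0\0" + second                          # three padding bytes
```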

34
Start the conversation
  • After establishing the transport protocol, the
    SMB client and server can exchange messages
  • The first one is always NEGOTIATE PROTOCOL
    REQUEST/RESPONSE, which does just that
  • It's followed by SESSION SETUP REQUEST
  • Didn't we already do that?

35
Transport vs user sessions
  • No, we established the transport layer session;
    now it's time to establish a user logon session
  • In the second message in the handout, we have
  • AccountName = "GUEST"
  • This is to log on as the GUEST user

36
Find a tree
  • Once a user logon is done, often the next command
    is to find the shared directory tree
  • TREE CONNECT does this
  • Recall the tree concept identifies shared folders

37
SMB Connection
  • After transport disconnect, all resources are
    released, not too surprisingly

Figure from http://www.ubiqx.org/cifs/figures/smb-06.html
38
Ok, enough SMB!
  • Aren't you glad someone wrote Samba to do all
    this stuff for you? Who, you ask?
  • Aussie Andrew Tridgell reverse engineered SMB and
    started Samba in 1992
  • Samba exists only on the non-Windows side; a
    Windows system only needs to be configured for
    Microsoft networking

Much of this section is from (Nemeth, 2007) and the Samba3-HOWTO
39
Samba Unix CIFS server
  • Samba can provide these services
  • File sharing
  • Network printing
  • Authentication and authorization
  • Name resolution
  • Service announcement
  • Browse file servers or printers

40
Samba services
  • Samba can also
  • Do basic Windows primary domain controller
    functions
  • With LDAP, serve as a backup domain controller
  • Support some other Windows functions such as
    domain logins, roaming user profiles, and CIFS
    print spooling

41
Samba processes
  • Samba is implemented in Linux mostly via two
    processes (daemons, to be precise)
  • The daemon smbd provides file sharing, network
    printing, authentication and authorization
  • The daemon nmbd provides name resolution and
    service announcement
  • Samba runs as a normal user process, binding to
    the CIFS sockets

42
Installing Samba
  • Most Linux distributions include Samba, but you
    can download the latest from samba.org, and
    install it
  • root# rpm -Uvh samba-3.0.20-1.i386.rpm
  • Create a mount point for shared files
  • root# mkdir /plans
  • root# chmod 755 /plans

From Samba ByExample
43
Installing Samba
  • Then install the smb.conf file (which we'll get
    to soon)
  • Verify that the /etc/hosts file contains the
    following entry
  • 192.168.1.1 server
  • Start samba
  • root# chkconfig smb on
  • root# /etc/rc.d/init.d/smb restart

44
Simple smb.conf file
    # Global parameters
    [global]
        workgroup = MIDEARTH
        security = SHARE

    [Plans]
        path = /plans
        read only = Yes
        guest ok = Yes

45
From the PC side
  • Make sure the PC is in the workgroup (e.g.
    MIDEARTH)
  • Make sure its IP address is in the same range as
    the Samba system (192.168.1.x), and they have the
    same netmask (255.255.255.0)
  • Find the samba server in the Network Neighborhood

46
Is Samba alive?
  • Check samba status with
  • root# smbclient -L localhost -U%
  • The -U% option gives no user name and password
  • And prove it can handle a login
  • root# smbclient -L server -Uroot%password
  • That should establish basic file sharing

47
Samba configuration file
  • Like most Unix-y apps, it has a .conf file
    which governs how it runs
  • /etc/smb.conf or /etc/samba/smb.conf or maybe
    /usr/local/samba/lib/smb.conf
  • When Samba is running, it checks the conf file
    every few seconds, so changes will take effect
    quite quickly (no reboot needed)

48
Config file sections
  • Each section in the smb.conf file (stanza)
    represents either a share or a meta-service on
    the Samba server
  • The [global] stanza contains settings that apply
    to the whole Samba server
  • Samba supports a number of meta-services, each of
    which serves its own purpose

From (Samba3-HOWTO)
49
Config file meta-services
  • The [homes] stanza is a meta-service that causes
    Samba to provide a personal home share for each
    user
  • The [printers] stanza is a meta-service that
    establishes print queue support, and specifies the
    location of the intermediate spool directory into
    which print jobs are received from Windows
    clients prior to being dispatched to the
    UNIX/Linux print spooler

50
Really minimal smb.conf file
    [global]
        workgroup = WKG
        netbios name = MYNAME

    [share1]
        path = /tmp

    [share2]
        path = /my shared folder
        comment = Some random files

51
Security issues
  • File sharing is naturally a security hole
  • To control which clients can access Samba shared
    resources, look for the hosts allow clause in the
    smb.conf file
  • It should contain only the IP addresses or IP
    address ranges you trust to have access
  • Turn on password encryption:
  • encrypt passwords = true

52
Security issues
  • Password encryption makes Samba keep a hash of
    the password for each user
  • Recall Unix and Windows keep different user login
    information
  • To set this password, use smbpasswd
  • sudo smbpasswd -a username
  • Users can then change their password
  • smbpasswd -r smbservername -U username

53
Security issues
  • Block the Samba server from outside your
    organization
  • Samba uses encryption only for password
    authentication, not for data transport!
  • Hence you might want to use a firewall to block
  • UDP ports 137-139
  • TCP ports 137, 139, and 445

54
What are my settings?
  • To find the current Samba settings use the
    command
  • testparm -v
  • This will include all your smb.conf settings, and
    other defaults
  • Only override defaults for a reason; otherwise
    leave them out of smb.conf

55
Encoding compatibility
  • Try echo $LANG
  • Samba uses the UTF-8 character set
  • If you're using anything else, set the character
    sets in Samba to be the same as your system is
    using, e.g.
  • unix charset = ISO8859-15
  • display charset = ISO8859-15

56
Removing NetBIOS support
  • If all Windows clients are at least Win2k, have
    DNS provided outside of Samba, and you don't need
    Network Neighborhood browsing in Samba, you can
    remove NetBIOS support
    [global]
        disable netbios = yes
        name resolve order = host

57
Removing NetBIOS support
  • Without NetBIOS support, you don't need to run
    nmbd, so remove it from Samba startup in
    /etc/init.d
  • To connect to a Samba server without NetBIOS
    support, use the full DNS name of the host
  • \\server.example.com.\myshare
  • The extra dot tells Windows to use DNS

58
Authentication
  • Windows uses a challenge/response approach to
    respond to an authentication request
  • If you have the same Samba username and password
    as in Windows, then this will be invisible in the
    background
  • For larger scale systems, you can use NIS, LDAP
    or Windows authentication services

59
Authentication
  • To merge authentication services between Linux
    and Windows, make Samba act as a Primary Domain
    Controller
  • Or you can use Nate Yocom's open source pGina
    (GINA = Graphical Identification aNd
    Authentication) to handle almost any
    authentication method

60
Basic file sharing in smb.conf
  • If everyone has a home directory, the [homes]
    stanza can share them
    [homes]
        comment = Home directories
        browseable = no
        valid users = %S
        writeable = yes
        guest ok = no

61
Basic file sharing
  • This will allow any user to access their home
    Linux directory from any Windows system
  • Can you see another user's home directory?
  • Samba uses Linux file permissions through CIFS,
    so usually the answer would be yes
  • The valid users line prevents it though

62
Group shares
  • A group can be defined by access control lists
    (ACLs), but that's a bit messy
  • Easier to define a pseudo user, and have Samba
    pretend people are in that group
  • E.g. create a Linux eng group, and a matching
    Samba user and group of the same name
  • The pseudo user is the owner of the directory

63
Group shares
    [eng]
        valid users = @eng
        force user = eng
        force group = eng
        path = /home/eng
        nt acl support = no
        create mask = 0660
        force create mode = 0660

64
Group shares
        security mask = 0000
        directory mask = 2770
        force directory mode = 2770
        directory security mask = 0000
  • More info on these masks circa p. 324 of HOWTO
        browseable = no
        writeable = yes
        guest ok = no
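
Added example, not code from the slides or the HOWTO: a small smb.conf stanza parser with an audit function that reports the settings slides 51 to 53 and 60 to 61 single out, namely a missing hosts allow, encrypt passwords turned off, guest ok = yes on a share, and a [homes] stanza without valid users = %S. Both configurations are constructed samples: the first follows the simple smb.conf on slide 44 with an explicit encrypt passwords = no and a bare [homes] stanza added, the second tightens the same shares; the assumption that a missing encrypt passwords means yes reflects the Samba 3 default.

```python
# Constructed samples (not from the slides' sources). WEAK_CONF follows the
# "Simple smb.conf" on the slides plus a [homes] stanza with no 'valid users'
# and an explicit 'encrypt passwords = no'; HARDENED_CONF tightens the same shares.
WEAK_CONF = """[global]
    workgroup = MIDEARTH
    security = SHARE
    encrypt passwords = no
[Plans]
    path = /plans
    guest ok = Yes
[homes]
    comment = Home directories
"""
HARDENED_CONF = """[global]
    workgroup = MIDEARTH
    security = user
    encrypt passwords = true
    hosts allow = 192.168.1. 127.
[Plans]
    path = /plans
    guest ok = No
[homes]
    valid users = %S
    guest ok = no
"""

def parse_smb_conf(text):
    """Parse smb.conf stanzas into {section: {key: value}} with lower-cased names."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":              # blank line or comment
            continue
        if line[0] == "[" and line[-1] == "]":       # start of a new stanza
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf

def is_true(value):                                  # Samba boolean spellings: yes/true/1
    return value.strip().lower() in ("yes", "true", "1")

def audit(text):
    """Return the findings the security slides single out, as plain strings."""
    conf = parse_smb_conf(text)
    g, findings = conf.get("global", {}), []
    if "hosts allow" not in g:
        findings.append("global: no 'hosts allow'; limit access to trusted addresses")
    if not is_true(g.get("encrypt passwords", "yes")):   # Samba 3 defaults this to yes
        findings.append("global: 'encrypt passwords' is turned off")
    for name, share in conf.items():
        if name != "global" and is_true(share.get("guest ok", "no")):
            findings.append(f"{name}: 'guest ok = yes' grants access without a login")
    if "homes" in conf and conf["homes"].get("valid users") != "%S":
        findings.append("homes: add 'valid users = %S' so users see only their own home")
    return findings
```

Running audit over the file testparm -v reports, rather than the raw smb.conf, also catches weak values that come from defaults rather than from lines you wrote.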

65
Sources
  • The Unofficial Samba HOWTO from
    oregontechsupport.com
  • Vernooij, Terpstra, Carter. (May 27, 2009)
    Samba3-HOWTO from samba.org
  • Samba3-ByExample from samba.org
  • What is Samba? from samba.org
  • Implementing CIFS, by Christopher R. Hertel

66
Sources
  • CIFS Technical Reference by SNIA (2002)
  • Nemeth, Snyder, Hein. (2007) Linux Administration
    Handbook. Prentice Hall, ISBN 0131480049