Title: INFO 321 Server Technologies II
Slide 1: INFO 321 Server Technologies II
Slide 2: What is Samba?
- Samba is essentially a TCP/IP file and print server for Microsoft Windows clients
- It can support any SMB/CIFS-enabled client
- SMB/CIFS?
- SMB is Server Message Block
- Common Internet File System (CIFS) is Microsoft's name for Windows file sharing over SMB
Slide 3: SMB
- SMB was originally developed to run over NetBIOS (Network Basic Input Output System) LANs in the mid-1980s
- SMB was originally for MS-DOS and PC-DOS
- SMB is the file sharing protocol inside CIFS
- The inventor of SMB was Dr. Barry Feigenbaum of IBM, who initially called it BAF
- Notice the name Samba contains SaMBa
Slide 4: SMB
- As of Windows 2000, the dependency on NetBIOS was removed, thankfully
- There still exists NBT (NetBIOS over TCP/IP, RFCs 1001 and 1002)
- SMB over TCP/IP without NBT is "naked"
- When running naked, SMB uses TCP port 445 instead of the NBT Session Service port (TCP/139)
- SMB should work over any reliable, in-order transport protocol
Slide 5: CIFS
- CIFS is a network file system plus a set of auxiliary services supported by a bunch of underlying protocols
- Most of which were not particularly well documented by Microsoft (you may faint now); Microsoft has since published the [MS-CIFS] and [MS-SMB] open specifications
- CIFS is "Microsoft's way of doing network file sharing" since about 1996
- There is no RFC number for SMB or CIFS
- Microsoft's implementations are the de facto CIFS standards
Slide 6: So what?
- "One of Samba's big strengths is that you can use it to blend your mix of Windows and Linux machines together without requiring a separate Windows server. Samba includes support for Active Directory, Unicode, new authentication and filename mangling systems, printing support, trust relationships, LDAP integration and loadable RPC modules."
- From The Unofficial Samba HOWTO
Slide 7: If that's not enough
- "Samba is software that can be run on a platform other than Microsoft Windows, for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. Samba uses the TCP/IP protocol that is installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it is a Windows file and print server."
- From What is Samba? (samba.org)
Slide 8: Samba Today
- Samba is on version 3.4.0 (as of July 3, 2009), and is available for the following platforms
- UNIX: AIX (IBM UNIX), HP-UX (HP UNIX), Solaris (Sun UNIX)
- Linux: Debian, Fedora, RedHat, SuSE
- MVS (IBM mainframes)
- Novell (NetWare)
- VMS (was DEC, now HP OpenVMS)
- From http://us1.samba.org/samba/ftp/Binary_Packages/
Slide 9: SMB addressing - UNC
- A Universal Naming Convention (UNC) path might look something like this: \\ubiqx\cifs\SMB.html
- ...and would parse out like this
- ubiqx: the name of the server
- cifs: the directory path (its first component is the share name)
- SMB.html: the file name
- Much of this section adapted from Implementing CIFS
Slide 10: SMB addressing - UNC
- UNC doesn't provide a protocol specification
- That's not because it always assumes SMB
- The UNC format can support all sorts of file sharing protocols, but it is up to the underlying OS or application to figure out which one to use
- Protocol and transport discovery are handled by trial-and-error, with each possibility tested until something works
- You might imagine a system with AppleTalk, NetWare, and SMB all enabled has a lot of work to do
Slide 11: UNC
- The UNC format is handled natively by the Microsoft/IBM family of operating systems: DOS, OS/2, Windows
- Samba's smbclient utility can also parse UNC names, but it does so at the application level rather than within the OS, and it only ever tries to deal with SMB
- Even so, smbclient must handle both NBT and naked transport, which can be tricky
Slide 12: UNC
- Implementing CIFS calls the first UNC component the "server identifier" rather than the server name, because it will accept addresses in addition to names
- Recognized server identifiers are
- NetBIOS names
- DNS hostnames
- IP addresses
- Going from an IP address back to a NetBIOS name involves guesswork
Slide 13: Share names
- The directory path looks just like a directory path, but there is one small thing that makes it different: its first component is the "share name"
- A given directory can have one or many share names
- The idea is similar to symbolic links (symlinks) in Unix, or shortcuts in Windows
- The share is a named pointer (with its own set of attributes, including access controls) to the object being made available
Slide 14: File name
- File names are straightforward, right? No.
- Windows is case insensitive (but case preserving)
- But UNIX and Linux are case sensitive
- Other problem areas include
- filename lengths
- valid characters
- file access permissions
- the end-of-line delimiter in text files
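The case-sensitivity mismatch above, in working code, as an added example that is not from the slides or from Samba: a lookup that maps a case-insensitive Windows path onto a case-sensitive directory tree. The tree is a constructed in-memory dict so the code runs offline, and the resolution rules (an exact match wins, a single case-insensitive match is accepted, two or more is refused) are a simplification of what an SMB server on Unix has to do, not Samba's own algorithm.

```python
"""Case-insensitive lookup of a Windows-style path on a case-sensitive tree.

Added example, not from the lecture slides or from Samba. The tree is a
constructed in-memory dict: directories are dicts, files are None.
"""


class AmbiguousName(LookupError):
    """Several Unix names differ only by case; the client's name is not safely resolvable."""


# Constructed sample: 'README' and 'readme' coexist on a Unix filesystem but
# collide for a case-insensitive Windows client.
SAMPLE_TREE = {
    "plans": {
        "Q3": {"Budget.xls": None},
        "README": None,
        "readme": None,
    },
}


def resolve_path(tree, win_path, case_sensitive=False):
    """Map a client path such as '\\plans\\q3\\budget.xls' onto the tree.

    Rules modelled here (a simplification of what an SMB server must do):
      * an exact match always wins, so a correctly-cased name is never ambiguous;
      * otherwise a single case-insensitive match is accepted;
      * two or more case-insensitive matches raise AmbiguousName instead of
        silently picking one, which would hand the client the wrong file.
    Returns the resolved Unix path.
    """
    node = tree
    resolved = []
    for component in (c for c in win_path.split("\\") if c):
        if not isinstance(node, dict):
            raise NotADirectoryError("/" + "/".join(resolved))
        if component in node:
            match = component
        elif case_sensitive:
            raise FileNotFoundError(component)
        else:
            candidates = [n for n in node if n.lower() == component.lower()]
            if not candidates:
                raise FileNotFoundError(component)
            if len(candidates) > 1:
                raise AmbiguousName(component, sorted(candidates))
            match = candidates[0]
        resolved.append(match)
        node = node[match]
    return "/" + "/".join(resolved)


if __name__ == "__main__":
    print(resolve_path(SAMPLE_TREE, "\\plans\\q3\\budget.XLS"))
    try:
        resolve_path(SAMPLE_TREE, "\\plans\\ReadMe")
    except AmbiguousName as exc:
        print("ambiguous:", exc)
```

The ambiguous case is the one to watch on a real server: if two Unix files differ only by case, a case-insensitive client cannot name one of them unambiguously, and a server that quietly picks the first directory entry may serve a different file than the one the user meant.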
Slide 15: SMB URL
- Fortunately, there is such a thing as an SMB URL
- It fits into the general URI syntax and can be used to specify files, directories, and other SMB-shared stuff
- It is intended as a more portable and more complete way to specify SMB paths at the application level
Slide 16: Reach out
- ...and touch an SMB server
- To do this we need two steps, to identify who we're talking to, and how
- Server identifier interpretation
- Transport discovery
Slide 17: Server identifier interpretation
- Try a URL like this: smb://server/
- Assuming the server's name is server
- To resolve the name server, try
- It could be an IPv4 address
- That's easy, and IPv6 addresses should be in brackets: smb://[fe80::240:f4ff:fe1f:8243]/
Slide 18: Server identifier interpretation
- It could be a NetBIOS name
- Look for un-escaped dots in the NetBIOS name
- smb://my%2Enode.scope/ has a NetBIOS name of my.node and a Scope ID of scope
- Use an NBT Name Query to get the server's IP address
- It could be a DNS name
- Try DNS to get the IP address
Slide 19: Port number please?
- Now we need to divine the port number
- Port 139 is for NBT
- Port 445 is for raw TCP
- Which one applies?
- And if other protocols (tunnels or security wrappers) are layered underneath, other, often higher, port numbers could apply
- So this is another mess to figure out, if you weren't given it
Slide 20: Transport discovery
- Try running naked
- Open a TCP connection to port 445 on the server, but do not send an NBT SESSION REQUEST: just start sending SMB messages and see if that works
- Try NBT transport
- Open TCP port 139 and send an NBT SESSION REQUEST, which has to carry the server's NetBIOS name
- Try reverse-mapping a NetBIOS name if all you have is an address
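Server identifier interpretation (slides 17-18) and transport discovery (slides 19-20) in working code, as an added example that is not from the slides, from Implementing CIFS or from Samba. The classification follows the slides' rules: IPv4 literal, bracketed IPv6 literal, or a name whose un-escaped dots separate a NetBIOS name from its scope ID, with the DNS name as the fallback. Network access is hidden behind a connect(host, port) callable, an assumption of this example, so the 445-then-139 probing order can be exercised with a fake connector; the *SMBSERVER wildcard in a comment is the conventional NBT called-name fallback, not something the slides state.

```python
"""Server-identifier interpretation and transport discovery for an smb:// URL.

Added example (not code from the slides, from Hertel's book or from Samba).
Network I/O is abstracted behind a `connect(host, port)` callable so the
discovery order can be exercised offline with a fake connector.
"""
from ipaddress import ip_address
from urllib.parse import unquote, urlsplit

NBT_SESSION_PORT = 139   # NetBIOS over TCP/IP session service
NAKED_PORT = 445         # SMB directly over TCP, no NBT framing
NETBIOS_NAME_MAX = 15    # the 16th byte of a NetBIOS name is the suffix


def parse_smb_url(url):
    """Split smb://[user[:pass]@]server[:port]/share/path and classify the server."""
    parts = urlsplit(url)
    if parts.scheme != "smb":
        raise ValueError("not an smb:// URL: %r" % url)
    authority = parts.netloc.rsplit("@", 1)[-1]          # drop user:password@
    port = None
    if authority.startswith("["):                         # bracketed IPv6 literal
        close = authority.index("]")
        literal, rest = authority[1:close], authority[close + 1:]
        if rest.startswith(":"):
            port = int(rest[1:])
        addr = ip_address(literal)
        if addr.version != 6:
            raise ValueError("only IPv6 literals may be bracketed")
        server = {"kind": "ipv6", "address": str(addr)}
    else:
        host, sep, maybe_port = authority.rpartition(":")
        if sep:
            authority, port = host, int(maybe_port)
        try:
            addr = ip_address(authority)
        except ValueError:
            addr = None
        if addr is not None:
            server = {"kind": "ipv4", "address": str(addr)}
        else:
            # A name. Only *un-escaped* dots separate the NetBIOS name from the
            # scope ID: %2E survives urlsplit, so split first, unquote after.
            labels = authority.split(".")
            netbios = unquote(labels[0])
            scope = ".".join(unquote(label) for label in labels[1:])
            order = []                                    # resolution attempts, in order
            if 0 < len(netbios) <= NETBIOS_NAME_MAX:
                order.append(("nbt", netbios.upper(), scope))
            order.append(("dns", unquote(authority)))
            server = {"kind": "name", "netbios": netbios.upper(),
                      "scope": scope, "resolve_order": order}
    segments = [unquote(s) for s in parts.path.split("/") if s]
    return {"server": server, "port": port,
            "share": segments[0] if segments else None,
            "path": "/".join(segments[1:])}


def transport_candidates(port=None):
    """Transports to try, in order, when the URL did or did not name a port."""
    if port is not None:
        return [("nbt" if port == NBT_SESSION_PORT else "naked", port)]
    return [("naked", NAKED_PORT), ("nbt", NBT_SESSION_PORT)]


def discover_transport(host, connect, port=None):
    """Return (transport, port) for the first transport that `connect` accepts.

    `connect(host, port)` returns True when a TCP connection succeeded. On 139
    a real client must then send an NBT SESSION REQUEST carrying the server's
    NetBIOS name (or the conventional wildcard *SMBSERVER when only an address
    is known; that wildcard is not from the slides).
    """
    for transport, candidate in transport_candidates(port):
        if connect(host, candidate):
            return transport, candidate
    raise ConnectionError("no SMB transport reachable on %s" % host)
```

A real connector would wrap socket.create_connection with a short timeout; the injected callable keeps the probing order testable without touching the network.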
Slide 21: Can we do something?
- All that was just to establish a connection to an SMB server
- Now we can look at SMB commands
- They may contain a header, parameters, and data
- Image from http://www.ubiqx.org/cifs/figures/smb-03.html
Slide 22: SMB Header
- The SMB header is 32 bytes, usually drawn as eight 4-byte lines
- SMB_HEADER
- PROTOCOL: "\xffSMB" (4 B)
- COMMAND: <SMB command code> (1 B)
- The CIFS Technical Reference lists these
- STATUS: <status code> (4 B)
- FLAGS: <old flags> (1 B)
Slide 23: SMB Header
- FLAGS2: <new flags> (2 B)
- EXTRA: <sometimes used for additional data> (12 B)
- The PidHigh subfield (2 B) is used to accommodate systems that have 32-bit Process IDs
- The 8-byte Signature subfield is for SMB message signing: a keyed hash over the message computed with the session key, so a MAC rather than a true digital signature; it protects against tampering and relay, not against eavesdropping
- The remaining 2 bytes are reserved
- When not in use, these fields must be filled with zeros
Slide 24: SMB Header
- TID: <Tree ID> (2 B)
- The SMB used to open a share is called a "Tree Connect"; the TID field is used to identify connections to shares once they have been established
- PID: <Process ID> (2 B)
- The "Process ID" is set by the client, and is intended as an identifier for the process sending the SMB request
- The most important thing to note regarding the PID is that file locking and access modes are maintained relative to the value in this field
Slide 25: SMB Header
- UID: <User ID> (2 B)
- The "User ID" is also known as a VUID (Virtual User ID)
- It is assigned by the server after the user logs in, and is valid until the user logs off
- It does not need to be the user's actual User ID on the server system
Slide 26: SMB Header
- MID: <Multiplex ID> (2 B)
- The "Multiplex ID" is used by the client to keep track of multiple outstanding requests
- The server must echo back the MID and the PID provided in the client request
- The client can use those values to make sure that the reply is matched up to the correct request
Slide 27: SMB Message Parameters
- SMB_PARAMETERS
- WordCount: <number of words in the Words array> (1 B)
- Words[WordCount]: <SMB parameters, varies with SMB command> (2 * WordCount B)
- The SMB_PARAMETERS.Words block is limited in length to 510 bytes (255 two-byte words)
Slide 28: SMB Message Parameters
- Each SMB message type (species?) has a different record structure that is carried in the Words block
- Think of that structure as representing the parameters passed to a function (the function identified by the SMB command code listed in the header)
Slide 29: SMB Message Data
- SMB_DATA
- ByteCount: <number of bytes in the Bytes field> (2 B)
- Bytes[ByteCount]: <contents vary with SMB command> (ByteCount B)
- SMB_DATA.Bytes may be as much as 65,535 bytes in length
Slide 30: Parameters vs Data blocks
- So if the Parameters block and the Data block look alike, it's not just you
- "...any functional distinction that may have separated the Parameter and Data blocks has been blurred" (Implementing CIFS)
Slide 31: AndX messages
- SMB can form a linked list of related messages using a format called AndX messages
- The AndX block has three fields in a 4-byte line
- AndXCommand (1 B)
- (reserved) (1 B)
- AndXOffset (2 B)
Slide 32: AndX messages
- Figure from http://www.ubiqx.org/cifs/figures/smb-05.html
- The AndXCommand field provides the SMB command code for the next AndX block in the list (not the current one)
- The AndXOffset value in each AndX parameter block gives the offset (relative to the start of the SMB header) of the next AndX block; the AndXOffset of the last AndX block has a value of zero (0)
Slide 33: AndX messages
- The AndXOffset contains the byte index, relative to the start of the SMB header, of that next AndX block; think of it as a pointer
- Since the AndXOffset value is independent of the SMB_PARAMETERS.WordCount and SMB_DATA.ByteCount values, it is possible to provide padding between the AndX blocks
- A receiver must therefore validate each AndXOffset before following it: it has to point forward, past the current block, and stay inside the message, or a malformed chain can loop or read out of bounds
Slide 34: Start the conversation
- After establishing the transport protocol, the SMB client and server can exchange messages
- The first one is always NEGOTIATE PROTOCOL REQUEST/RESPONSE, which does just that: it agrees on a dialect and on whether message signing will be used
- It's followed by SESSION SETUP REQUEST
- Didn't we already do that?
Slide 35: Transport vs user sessions
- No, we established the transport layer session; now it's time to establish a user logon session
- In the second message in the handout, we have
- AccountName: "GUEST"
- This is to log on as the GUEST user
Slide 36: Find a tree
- Once a user logon is done, often the next command is to find the shared directory tree
- TREE CONNECT does this
- Recall the tree concept identifies shared folders
Slide 37: SMB Connection
- After transport disconnect, all resources are released, not too surprisingly
- Figure from http://www.ubiqx.org/cifs/figures/smb-06.html
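The header, parameter and data blocks of slides 22-30 and the AndX chaining of slides 31-33, exercised on the SESSION SETUP + TREE CONNECT pair that slides 34-36 describe, as an added example that is not from the slides, from Implementing CIFS or from Samba. The 32-byte header layout, the Words/Bytes framing and the command codes are the real SMB1 ones; the parameter words after each AndX triple and the GUEST / \\server\plans strings are constructed filler rather than a faithful encoding of those two commands. The parser refuses an AndXOffset that points backwards, overlaps the current block or leaves the message, which is the check a receiver has to make before following the pointer.

```python
"""Build and parse SMB1 messages: 32-byte header, Words/Bytes blocks, AndX chains.

Added example, not code from the slides, from Hertel's book or from Samba.
Header layout, framing and command codes are the real SMB1 ones; the
parameter words and strings in the sample chain are constructed filler.
"""
import struct

SMB_MAGIC = b"\xffSMB"
# PROTOCOL, COMMAND, STATUS, FLAGS, FLAGS2, PidHigh, Signature, Reserved,
# TID, PID, UID, MID: all little-endian, 32 bytes in total.
HEADER_FMT = "<4sBIBHH8sHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
ANDX_FMT = "<BBH"                 # AndXCommand, reserved, AndXOffset
SMB_COM_NONE = 0xFF               # AndXCommand value that ends a chain
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
# Commands whose Words block begins with an AndX triple.
ANDX_COMMANDS = {0x24, 0x2D, 0x2E, 0x2F, 0x73, 0x74, 0x75, 0xA2}


def build_block(words, data):
    """SMB_PARAMETERS + SMB_DATA: WordCount, Words, ByteCount, Bytes."""
    if len(words) % 2 or len(words) > 510:
        raise ValueError("Words must be an even length of at most 510 bytes")
    if len(data) > 0xFFFF:
        raise ValueError("Bytes is limited to 65535 bytes")
    return bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data


def build_chain(chain, tid=0, pid=0x1234, uid=0, mid=1):
    """Encode [(command, params, data), ...] as one AndX-chained SMB message."""
    body, offset = b"", HEADER_LEN
    for i, (command, params, data) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else SMB_COM_NONE
        block_len = 1 + 4 + len(params) + 2 + len(data)
        next_off = offset + block_len if nxt != SMB_COM_NONE else 0
        body += build_block(struct.pack(ANDX_FMT, nxt, 0, next_off) + params, data)
        offset += block_len
    # FLAGS 0x18 and FLAGS2 0x4001 (long names, NT status) are illustrative.
    header = struct.pack(HEADER_FMT, SMB_MAGIC, chain[0][0], 0, 0x18, 0x4001,
                         0, b"\x00" * 8, 0, tid, pid, uid, mid)
    return header + body


def parse_header(msg):
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than the SMB header")
    f = struct.unpack_from(HEADER_FMT, msg, 0)
    if f[0] != SMB_MAGIC:
        raise ValueError("bad PROTOCOL field")
    return {"command": f[1], "status": f[2], "flags": f[3], "flags2": f[4],
            "pid_high": f[5], "signature": f[6], "tid": f[8], "pid": f[9],
            "uid": f[10], "mid": f[11]}


def parse_block(msg, off):
    """Return (words, data, end_offset) for the block starting at `off`."""
    if off >= len(msg):
        raise ValueError("block offset outside message")
    words_end = off + 1 + 2 * msg[off]
    if words_end + 2 > len(msg):
        raise ValueError("truncated Words")
    byte_count = struct.unpack_from("<H", msg, words_end)[0]
    data_start = words_end + 2
    if data_start + byte_count > len(msg):
        raise ValueError("truncated Bytes")
    return msg[off + 1:words_end], msg[data_start:data_start + byte_count], data_start + byte_count


def parse_message(msg):
    """Parse the header and walk the AndX chain, validating every AndXOffset."""
    header = parse_header(msg)
    blocks, command, off = [], header["command"], HEADER_LEN
    while True:
        words, data, end = parse_block(msg, off)
        blocks.append({"command": command, "words": words, "data": data})
        if command not in ANDX_COMMANDS:
            break
        if len(words) < 4:
            raise ValueError("AndX command without an AndX triple")
        command, _, off = struct.unpack_from(ANDX_FMT, words, 0)
        if command == SMB_COM_NONE:
            break
        # Padding between blocks is legal; a backward or overlapping offset
        # would loop forever or re-read bytes, so refuse it.
        if off < end or off >= len(msg):
            raise ValueError("AndXOffset %d does not point forward into the message" % off)
    return header, blocks


# Constructed sample: SESSION SETUP (as GUEST) chained to TREE CONNECT.
SAMPLE_CHAIN = [
    (SMB_COM_SESSION_SETUP_ANDX, b"\xff\xff\x02\x00", b"GUEST\x00"),
    (SMB_COM_TREE_CONNECT_ANDX, b"\x00\x00\x01\x00", b"\\\\server\\plans\x00A:\x00"),
]
SAMPLE_MESSAGE = build_chain(SAMPLE_CHAIN)
```

Chaining the two commands in one message is exactly what a Windows client does after NEGOTIATE: one round trip logs on and connects to the share. The forward-only check on AndXOffset is the important part for a server author; the offset is attacker-controlled, and nothing in WordCount or ByteCount constrains it.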
Slide 38: Ok, enough SMB!
- Aren't you glad someone wrote Samba to do all this stuff for you? Who, you ask?
- Aussie Andrew Tridgell reverse engineered SMB and started Samba in 1992
- Samba exists only on the non-Windows side; a Windows system only needs to be configured for Microsoft networking
- Much of this section is from (Nemeth, 2007) and the Samba3-HOWTO
Slide 39: Samba Unix CIFS server
- Samba can provide these services
- File sharing
- Network printing
- Authentication and authorization
- Name resolution
- Service announcement
- Browsing of file servers and printers
Slide 40: Samba services
- Samba can also
- Do basic Windows primary domain controller functions
- With LDAP, serve as a backup domain controller
- Support some other Windows functions such as domain logins, roaming user profiles, and CIFS print spooling
Slide 41: Samba processes
- Samba is implemented on Linux mostly via two processes (daemons, to be precise)
- The daemon smbd provides file sharing, network printing, authentication and authorization
- The daemon nmbd provides name resolution and service announcement
- The daemons start as root, since they must bind the privileged CIFS ports (TCP 139 and 445) and impersonate users; smbd switches to the authenticated user's UID and groups while serving that user's connection, so ordinary Unix file permissions still apply
Slide 42: Installing Samba
- Most Linux distributions include Samba, but you can download the latest from samba.org and install it
    root# rpm -Uvh samba-3.0.20-1.i386.rpm
- Create a mount point for shared files
    root# mkdir /plans
    root# chmod 755 /plans
- From Samba-3 by Example
Slide 43: Installing Samba
- Then install the smb.conf file (which we'll get to soon)
- Verify that the /etc/hosts file contains the following entry
    192.168.1.1 server
- Start Samba
    root# chkconfig smb on
    root# /etc/rc.d/init.d/smb restart
Slide 44: Simple smb.conf file
    # Global parameters
    [global]
        workgroup = MIDEARTH
        security = SHARE
    [plans]
        path = /plans
        read only = Yes
        guest ok = Yes
- Note: security = SHARE (share-level security, no per-user authentication) was removed in Samba 4.0; a current server uses security = USER and keeps guest ok = Yes on the share for the same effect
Slide 45: From the PC side
- Make sure the PC is in the workgroup (e.g. MIDEARTH)
- Make sure its IP address is in the same range as the Samba system (192.168.1.x), and they have the same netmask (255.255.255.0)
- Find the Samba server in the Network Neighborhood
Slide 46: Is Samba alive?
- Check Samba status with
    root# smbclient -L localhost -U%
- The -U% option gives an empty user name and password, i.e. an anonymous listing
- And prove it can handle a login
    root# smbclient -L server -Uroot%password
- That should establish basic file sharing
- Outside a lab, leave off the %password part so smbclient prompts for it: a password on the command line is visible in the process list and the shell history
Slide 47: Samba configuration file
- Like most Unix-y apps, it has a .conf file which governs how it runs
- /etc/smb.conf or /etc/samba/smb.conf or maybe /usr/local/samba/lib/smb.conf
- When Samba is running, it re-reads the conf file periodically (about once a minute) and on SIGHUP, so changes take effect quite quickly (no reboot needed); an already-open connection keeps its old settings until it reconnects
Slide 48: Config file sections
- Each section in the smb.conf file (stanza) represents either a share or a meta-service on the Samba server
- The [global] stanza contains settings that apply to the whole Samba server
- Samba supports a number of meta-services, each of which serves its own purpose
- From (Samba3-HOWTO)
Slide 49: Config file meta-services
- The [homes] stanza is a meta-service that causes Samba to provide a personal home share for each user
- The [printers] stanza is a meta-service that establishes print queue support, and specifies the location of the intermediate spool directory into which print jobs are received from Windows clients prior to being dispatched to the UNIX/Linux print spooler
Slide 50: Really minimal smb.conf file
    [global]
        workgroup = WKG
        netbios name = MYNAME
    [share1]
        path = /tmp
    [share2]
        path = /my shared folder
        comment = Some random files
Slide 51: Security issues
- File sharing is naturally a security hole
- To control which clients can access Samba shared resources, look for the hosts allow clause in the smb.conf file
- It should contain only the IP addresses or IP address ranges you trust to have access (it is an address filter, not authentication)
- Turn on password encryption (the default since Samba 3.0, but worth stating explicitly)
    encrypt passwords = true
Slide 52: Security issues
- Password encryption makes Samba keep a hash of the password for each user: the NT hash, an unsalted MD4 of the password, so protect the smbpasswd or tdbsam file as carefully as /etc/shadow
- Recall Unix and Windows keep different user login information
- To set this password, use smbpasswd
    sudo smbpasswd -a username
- Users can then change their password
    smbpasswd -r smbservername -U username
Slide 53: Security issues
- Block the Samba server from outside your organization
- Samba 3 uses encryption only for password authentication, not for data transport! (SMB signing protects integrity; encrypted SMB transport only arrived with SMB3 in later Samba versions)
- Hence you might want to use a firewall to block
- UDP ports 137-139
- TCP ports 137, 139, and 445
Slide 54: What are my settings?
- To find the current Samba settings use the command
    testparm -v
- This will include all your smb.conf settings, and other defaults
- testparm also reports syntax errors and unknown parameter names, so run it after every edit
- Only override defaults for a reason; otherwise leave them out of smb.conf
Slide 55: Encoding compatibility
- Try echo $LANG
- Samba uses the UTF-8 character set
- If you're using anything else, set the character sets in Samba to be the same as your system is using, e.g.
    unix charset = ISO8859-15
    display charset = ISO8859-15
Slide 56: Removing NetBIOS support
- If all Windows clients are at least Win2k, DNS is provided outside of Samba, and you don't need Network Neighborhood browsing in Samba, you can remove NetBIOS support
    [global]
        disable netbios = yes
        name resolve order = host
Slide 57: Removing NetBIOS support
- Without NetBIOS support, you don't need to run nmbd, so remove it from Samba startup in /etc/init.d
- To connect to a Samba server without NetBIOS support, use the full DNS name of the host
    \\server.example.com.\myshare
- The extra dot tells Windows to use DNS
Slide 58: Authentication
- Windows uses a challenge/response approach (NTLM) to respond to an authentication request
- If you have the same Samba username and password as in Windows, then this will be invisible in the background
- For larger scale systems, you can use NIS, LDAP or Windows authentication services
Slide 59: Authentication
- To merge authentication services between Linux and Windows, make Samba act as a Primary Domain Controller
- Or you can use Nate Yocom's open source pGina (GINA: Graphical Identification aNd Authentication) to handle almost any authentication method
Slide 60: Basic file sharing in smb.conf
- If everyone has a home directory, the [homes] stanza can share them
    [homes]
        comment = Home directories
        browseable = no
        valid users = %S
        writeable = yes
        guest ok = no
Slide 61: Basic file sharing
- This will allow any user to access their Linux home directory from any Windows system
- Can you see another user's home directory?
- Samba applies the Linux file permissions through CIFS, so if those permissions allow it the answer would usually be yes
- The valid users = %S line prevents it, though: %S expands to the name of the requested service, which for [homes] is the user name, so only that user may connect to that home share
Slide 62: Group shares
- A group can be defined by access control lists (ACLs), but that's a bit messy
- Easier to define a pseudo user, and have Samba pretend people are in that group
- E.g. create a Linux eng group, and a matching Samba user and group of the same name
- The pseudo user is the owner of the directory
Slide 63: Group shares
    [eng]
        valid users = @eng
        force user = eng
        force group = eng
        path = /home/eng
        nt acl support = no
        create mask = 0660
        force create mode = 0660
Slide 64: Group shares
        security mask = 0000
        directory mask = 2770
        force directory mode = 2770
        directory security mask = 0000
- More info on these masks circa p. 324 of the HOWTO; note the names: the "mask" parameters strip permission bits, while force create mode and force directory mode add them (testparm rejects the spelling "force create mask" as an unknown parameter)
        browseable = no
        writeable = yes
        guest ok = no
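An smb.conf parser and audit for the settings discussed on slides 44 and 50-64 (security = SHARE, hosts allow, encrypt passwords, guest ok on writable shares, valid users = %S on [homes]), as an added example that is not from the slides, the Samba HOWTO or the Samba project. The parser is a simplification (no %-macro expansion, no include or copy handling); parameter names are matched ignoring case and whitespace, as Samba does, and the listed synonyms are ones Samba accepts. The sample configuration is constructed from the slides' stanzas plus a deliberately weak [dropbox] share, and the hardened variant shows the corrected [global] settings.

```python
"""Parse smb.conf stanzas and audit the settings the slides call out.

Added example, not from the slides, the Samba HOWTO or the Samba project.
Simplifications: no %-macro expansion, no 'include' or 'copy' handling.
"""
import re

# Synonyms Samba accepts; names are compared ignoring case and whitespace.
SYNONYMS = {"allowhosts": "hostsallow", "public": "guestok",
            "writable": "writeable", "writeok": "writeable"}
SHARE_DEFAULTS = {"guestok": "no", "readonly": "yes"}   # Samba's defaults


def _norm(name):
    key = re.sub(r"\s+", "", name.lower())
    return SYNONYMS.get(key, key)


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: {normalized_param: value}}; a repeated key keeps its last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("unexpected line: %r" % raw)
        key, value = line.split("=", 1)
        sections[current][_norm(key)] = value.strip()
    return sections


def _writable(share):
    # 'writeable' and 'read only' are inverses; an explicit 'writeable' wins here.
    if "writeable" in share:
        return _truthy(share["writeable"])
    return not _truthy(share["readonly"])


def audit(sections):
    """Return [(section, code, message)] for the risky settings found."""
    g = sections.get("global", {})
    findings = []
    if g.get("security", "user").lower() == "share":
        findings.append(("global", "SECURITY_SHARE",
                         "share-level security: no per-user authentication; removed in Samba 4.0"))
    if not _truthy(g.get("encryptpasswords", "yes")):
        findings.append(("global", "PLAINTEXT_PASSWORDS", "clients would send passwords in the clear"))
    if not g.get("hostsallow"):
        findings.append(("global", "NO_HOSTS_ALLOW", "any client that can reach 445/139 may connect"))
    for name, params in sections.items():
        if name in ("global", "printers"):
            continue
        share = dict(SHARE_DEFAULTS)
        share.update(g)             # share parameters set in [global] act as defaults
        share.update(params)
        guest = _truthy(share["guestok"])
        if guest and _writable(share):
            findings.append((name, "GUEST_WRITE", "anonymous clients can write to this share"))
        elif guest:
            findings.append((name, "GUEST_READ", "anonymous clients can read this share"))
        if name == "homes" and share.get("validusers") != "%S":
            findings.append((name, "HOMES_CROSS_ACCESS",
                             "without 'valid users = %S' a user can open other users' home shares"))
    return findings


# Constructed from the slides' stanzas, plus one deliberately weak share.
SAMPLE_CONF = """
[global]
    workgroup = MIDEARTH
    security = SHARE
[plans]
    path = /plans
    read only = Yes
    guest ok = Yes
[homes]
    valid users = %S
    writeable = yes
    guest ok = no
[dropbox]   ; not from the slides: anonymous and writable
    path = /srv/dropbox
    public = yes
    writable = yes
"""

# The same server with the [global] fixes the slides recommend.
HARDENED_CONF = """
[global]
    workgroup = MIDEARTH
    security = USER
    encrypt passwords = yes
    hosts allow = 127.0.0.1 192.168.1.
[plans]
    path = /plans
    read only = Yes
    guest ok = Yes
"""
```

Run audit(parse_smb_conf(open("/etc/samba/smb.conf").read())) against a real file after testparm has accepted it; testparm catches syntax and unknown parameters, this script catches settings that are syntactically fine but unwise.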
Slide 65: Sources
- The Unofficial Samba HOWTO, from oregontechsupport.com
- Vernooij, Terpstra, Carter. (May 27, 2009) Samba3-HOWTO, from samba.org
- Samba3-ByExample, from samba.org
- What is Samba?, from samba.org
- Implementing CIFS, by Christopher R. Hertel
Slide 66: Sources
- CIFS Technical Reference, by SNIA (2002)
- Nemeth, Snyder, Hein. (2007) Linux Administration Handbook. Prentice Hall, ISBN 0131480049