320 likes | 552 Views
Samba. Integrating SMB file systems with UNIX. Samba. Provides a file server compatible with Windows 9x and NT .. SMB Can function in NETBIOS name browsing as seen in network neighborhood Provides for authentication of users Provides an NT domain server. General Questions to Consider.
E N D
Samba Integrating SMB file systems with UNIX
Samba • Provides a file server compatible with Windows 9x and NT .. SMB • Can function in NETBIOS name browsing as seen in network neighborhood • Provides for authentication of users • Provides an NT domain server
General Questions to Consider • How do the protocols relate? • How are connections made? • What is network browsing? • What is a workgroup? • What is a domain?
How do protocols relate? • SMB is a file/resource protocol (Server Message Block) • files • printers Application DISK REQUEST Op System Local Disk Remote Disk FAT32/16/.. SMB NETBIOS More on which protocol later! NETBEUI TCP/IP IPX
How are connections made? • This at the level of SMB: • Negotiate which level of SMB to use • As SMB evolves, different versions abound • Set up a session • Validate the client requesting connection • Tree Connect • Connect to a specific resource • disk • printer
What is network Browsing? • PCs turn on and off as users come and go • Resources are not static • Users need to see what resources are available • Browsing is a means of determining what is available for use • printers • files • etc.
Two means of browsing Broadcast requests Client Workstation Server Workstation Client Register Resource WINS requests Workstation Server Workstation
What is a workgroup? • A collection of computers • Each can provide a network resource • Each provides authentication for its own resources FileServer PrintServer request request consent consent User
What is a domain? • Like a workgroup • Central Authentication Domain Controller consent consent FileServer PrintServer request request User
Setting up Samba • Install either directly or using rpm for red-hat • Usually installs in /usr/local/samba • Edit the smb.conf file to configure server • Activities • set up a file share • set up a “user” share
Samba setup continued • configure the smb.conf file to identify resources you want to share • configure the unix system to be consistent with the smb.conf specifications • run testparm to validate the smb.conf file • start smbd and nmdb • test the installation from unix with smbclient • make sure Win 98 allows plain text login • browse and connect via Win 98
General setup in smb.conf • [global] • netbios name = YourMachineName • workgroup = YourWorkgroup • security = user • “user” security determines access to a resource based on who the user is and the associated password required of that user.
Setting up a file sharemultiple users in a groupsmb.conf • [SHARENAME] (name of resource) • comment = description when browsed • writeable = yes • valid users = @groupname (unix group) • locking = yes • create mode = 660 • directory mode = 770
Setting up a file sharemultiple users in a groupunix system • Set up a directory in /export/smb • e.g. /export/smb/SHARENAME • set permissions • chgrp groupnameSHARENAME • chmod 770 SHARENAME • chmod g+s SHARENAME • make an entry in /etc/group for groupname • make an entry in /etc/passwd for EACH user
Check smb.conf for validity • In /usr/local/samba/bin is testparm • testparm -s smb.conf • Checks for invalid section names etc • Prints all default values NOT specified in the smb.conf file. • Run the daemons • /usr/local/samba/bin/nmbd -D • /usr/local/samba/bin/smbd -D
Testing samba locally • Use smbclient • smbclient -L YourMachineName -N • lists resources at your machine • smbclient //YourMachineName/SHARENAME -U user • logs you into the resource you just created as long as the user name is in the group which shares the resource. • And assuming you enter the correct password. • Try it from a non-local unix box.
Win98 with plain-text login • Win 98 and Win 95/OSR2 have been modified to use encrypted login • Suffice to say samba does not with basic install. • Long-run -> set up samba to do encryption • Short-run -> make WIN 98 do plain text • Make registry entry: [HKLM\System\CurrentControlSet\Services\VxD\VNETSUP] “EnablePlainTextPassword”=dword:00000001 using regedit.exe
Browse using Win 98/95 • Log into Win 98 as a user of the group in unix • Easiest way is to use Network Neighborhood and click Entire Network. You should see YourMachineName and after clicking that you should see the SHARENAME • OR net use \\YourMachineName\Sharename L: • will mount the resource as drive L: • OR use Windows Explorer to map network drive
User accounts • Set up the network users as local unix users on the samba server • Put accounts in /home/… with standard user names in /etc/passwd • set up smb.conf as indicated on next slide • Be sure to set logins from Win 98 to use plain text as indicated on a previous slide
smb.conf for user login • [homes] • comment = Unix home directory • path = %H • writeable = yes • valid users = %S • create mode = 0600 • directory mode = 0700 • locking = no not sure why for this one
Logging on from Win 98/95 • Possible problems • Case sensitivity • Name length • Using SMB for share level security • Unix still associates by user • searches ALL users (groups etc) to determine if password transmitted is the password of ANYONE with ownership. • More complicated than this • Try to use “user” security
Windows and passwords Why is this complicated and how is it implemented?
Basic Problem • Sending PLAIN-TEXT passwords across the net is a major issue. • Less problematic in a LAN (where you are using Samba) • Still a fundamental concerns of administrators • First review plain text transmission • Second examine encrypted transmission • Third examine how to set it up in linux
Plain text linux samba server thispassw thisuser 1-encryption W98 thispassw 213jkj23423kj*&l3 2-compare 3-accept /etc/passwd (shadow) thisuser:213jkj23423kj*&l3:.. NOTE: W98 user must log on with same user name (thisuser) as in unix
Avoiding Plain-text transmission • Much more complicated process to avoid plain-text over the net. • Important to remember - PASSWORD ENCRYTION ALGORITHMS ARE NOT REVERSIBLE! (e.g. code -> password) • Server sends random message to client to encrypt • Client encrypts using the local encrypted password • Client sends encrypted message • Server encrypts the random message to and checks • if the two match -> client authenticated
1-Server sends random message to client to encrypt • 2-Client encrypts using the local encrypted password • 3-Client sends encrypted message • 4-Server encrypts the random message to and checks • 5-if the two match -> client authenticated client Samba server (encrypted pw) 1-rtrner$6&ddf 2- encrypt (encrypted pw) encrypted message 4- encrypt 3 encrypted message OK (or not) 5-compare
Good and Bad • Good • Never sends plain-text across net • hard to pick up the random text (not impossible) • Bad • must have encrypted passwords on both machines • to spoof, you only need the encrypted password not the original one!!! (shadow vs passwd) • root must know either the actual password or the encrypted version or have user enter in unix…. ----> none easy
How is it set up in linux? • The encrypted passwords used are WINDOWS passwords NOT unix! • Two basic Windows styles • Lan Manager • NT • Samba stores another password file with both encryptions • Users may be in one file and not the other • unix application smbpasswd (also file name) will populate the file but must enter pw.
Setting up the smbpasswd username Username:LanManEncrypt:Ntencrypt:…. ……... userpass LanMan encryption NT encryption console smbpasswd program smbpasswd file >smbpasswd -a username Enter password: userpass Retype: userpass >
Other considerations • Entry in smb.conf (smb password file) indicates smb password files proper location • Entry in smb.conf (encrypt passwords) set to yes • Although not necessary, typically want the users in the unix passwd to be entered in smbpasswd to allow for unix home directory access.