Server Technologies II

INFO 321
What is Samba?
◊ Samba is essentially a TCP/IP file and
print server for Microsoft Windows clients
• It can support any SMB/CIFS-enabled client
◊ SMB/CIFS?
• SMB is Server (or Session) Message Block
• Common Internet File System (CIFS) is
Windows File Sharing
SMB
◊ SMB was originally developed to run over
NetBIOS (Network Basic Input Output
System) LANs in the mid-1980s
• SMB was originally for MS-DOS and PC-DOS
• SMB is the file sharing protocol inside CIFS
• The inventor of SMB was Dr. Barry
Feigenbaum of IBM, who initially called it BAF
• Notice the name Samba contains SaMBa
SMB
◊ As of Windows 2000, the connection to
NetBIOS was removed, thankfully
• There exists NBT (NetBIOS over TCP/IP)
SMB over TCP/IP without NBT is "naked"
When running naked, SMB defaults to using TCP
port 445 instead of the NBT Session Service port
(TCP/139)
◊ SMB should work over any transport
protocol
CIFS
◊ CIFS is a network file system plus a set of
auxiliary services supported by a bunch of
underlying protocols
• Most of which are not particularly well
documented by Microsoft; you may faint now
• CIFS is "Microsoft's way of doing network file
sharing" since about 1996
◊ There is no RFC number for SMB or CIFS
• Microsoft's implementations are the de facto
CIFS standards
So what?
◊ “One of Samba’s big strengths is that you can
use it to blend your mix of Windows and Linux
machines together without requiring a separate
Windows server. Samba includes support for
Active Directory, Unicode, new authentication
and filename mangling systems, printing
support, trust relationships, LDAP integration
and loadable RPC modules.”
• From The Unofficial Samba HOWTO
If that’s not enough
◊ “Samba is software that can be run on a
platform other than Microsoft Windows, for
example, UNIX, Linux, IBM System 390,
OpenVMS, and other operating systems. Samba
uses the TCP/IP protocol that is installed on the
host server. When correctly configured, it allows
that host to interact with a Microsoft Windows
client or server as if it is a Windows file and print
server.”
• From What is Samba?
Samba Today
◊ Samba is on version 3.5.6 (as of January
19, 2011), and is available for the
following platforms
• UNIX - AIX (IBM UNIX), HP-UX (HP UNIX),
Solaris (Sun UNIX)
• Linux - Debian, Fedora, RedHat, SuSE
• MVS (IBM mainframes)
• Novell (NetWare)
• VMS (was DEC, now HP OpenVMS)
From http://us1.samba.org/samba/ftp/Binary_Packages/
SMB addressing - UNC
◊ A Universal Naming Convention (UNC)
path might look something like this:
• \\ubiqx\cifs\SMB.html
◊ ...and would parse out like this:
• ubiqx = The name of the server
• cifs = The directory path
• SMB.html = The file name
No!
Much of this section adapted from Implementing CIFS
SMB addressing - UNC
◊ UNC doesn't provide a protocol specification
• That's not because it always assumes SMB
• The UNC format can support all sorts of file-sharing
protocols, but it is up to the underlying OS or
application to figure out which one to use
◊ Protocol and transport discovery are handled by
trial-and-error, with each possibility tested until
something works
• You might imagine a system with AppleTalk,
NetWare, and SMB all enabled has a lot of work to do
UNC
◊ The UNC format is handled natively by
Microsoft & IBM's family of operating
systems: DOS, OS/2, & Windows
• Samba's smbclient utility can also parse
UNC names, but it does so at the application
level rather than within the OS and it only
ever tries to deal with SMB
• Even so, smbclient must handle both NBT
and naked transport, which can be tricky
UNC
◊ In SMB this is called the server identifier
field, because it will accept addresses in
addition to names
◊ Recognized server names are:
• NetBIOS names
• DNS hostnames
• IP addresses
◊ Going from an IP address to a NetBIOS
name involves guesswork
Share names
◊ The directory path looks just like a directory
path, but there is one small thing that makes it
different; that thing is called the "share name"
• A given directory can have one or many share names
◊ The idea is similar to symbolic links (symlinks) in
Unix, or shortcuts in Windows
• The share is a named pointer--with its own set of
attributes--to the object being made available
File name
◊ File names are straightforward, right? No.
◊ Windows is case insensitive
• But UNIX and Linux are case sensitive
◊ Other problem areas include
• filename lengths
• valid characters
• file access permissions
• the end-of-line delimiter in text files
SMB URL
◊ Fortunately, there is such a thing as an SMB
URL
• It fits into the general URI syntax and can be
used to specify files, directories, and other
SMB-shared stuff
• It is intended as a more portable, and more
complete way to specify SMB paths at the
application level
Reach out
◊ … and touch an SMB server
◊ To do this we need two steps to identify
who we’re talking to, and how
• Server identifier interpretation
• Transport discovery
Server identifier interpretation
◊ Try a URL like this
• smb://server/
• Assuming the server’s name is ‘server’
◊ To resolve the name 'server', try the following
◊ It could be an IPv4 address
• That’s easy; IPv6 addresses should be in
brackets, smb://[fe80::240:f4ff:fe1f:8243]/
Server identifier interpretation
◊ It could be a NetBIOS Name
• Look for un-escaped dots in the NetBIOS
name
• smb://my%2Enode.scope/ has a NetBIOS
Name of ‘my.node’ and Scope ID of ‘scope’
• Use a NBT Name Query to get the server’s IP
address
◊ It could be a DNS name
• Try DNS to get the IP address
Port number please?
◊ Now we need to divine the port number
• Port 139 is for NBT
• Port 445 is for raw TCP
• Which one applies?
◊ And if other security protocols are being
used, higher port numbers could apply
◊ So this is another mess to figure out, if
you weren’t given it
Transport discovery
◊ Try running naked
• Open a TCP connection to port 445 on the
server, but do not send an NBT SESSION
REQUEST--just start sending SMB messages
and see if that works
◊ Try NBT transport
◊ Try reverse-mapping a NetBIOS Name
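The two steps just described, server identifier interpretation followed by transport discovery, can be written down as a small planner. This is an added example, not code from the slides, from Samba or from Implementing CIFS: it splits a UNC path or smb:// URL into server, share and remainder, classifies the server identifier the way the slides walk through it (bracketed IPv6 literal, IPv4 literal, NetBIOS name with %2E-escaped dots and a scope ID, or DNS name), and records the transport order the slides give (naked TCP/445 first, then NBT on TCP/139). It performs no name resolution and sends no traffic; it only produces the plan.

```python
"""Server identifier interpretation for UNC paths and smb:// URLs (added example)."""
import ipaddress
from typing import Dict, Tuple
from urllib.parse import unquote

NETBIOS_NAME_MAX = 15                              # NetBIOS names are at most 15 characters
TRANSPORT_ORDER = [("naked", 445), ("nbt", 139)]   # order the slides try: naked first, then NBT
# Only RFC 1918 and loopback ranges count as "inside" for this check
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                                   "192.168.0.0/16", "127.0.0.0/8")]


def split_unc(path: str) -> Tuple[str, str, str]:
    """\\\\server\\share\\dir\\file -> ('server', 'share', 'dir\\file')."""
    if not path.startswith("\\\\"):
        raise ValueError("UNC paths start with two backslashes")
    parts = path[2:].split("\\", 2)
    share = parts[1] if len(parts) > 1 else ""
    rest = parts[2] if len(parts) > 2 else ""
    return parts[0], share, rest


def split_smb_url(url: str) -> Tuple[str, str, str]:
    """smb://server/share/dir/file -> ('server', 'share', 'dir/file')."""
    if not url.startswith("smb://"):
        raise ValueError("not an smb:// URL")
    authority, _, rest = url[6:].partition("/")
    if "@" in authority:                           # drop any user@ prefix, keep the host part
        authority = authority.rsplit("@", 1)[1]
    share, _, tail = rest.partition("/")
    return authority, share, tail


def classify_server(ident: str) -> Dict[str, object]:
    """Decide what kind of server identifier this is and which lookups to try."""
    if ident.startswith("[") and ident.endswith("]"):
        # IPv6 literals must be bracketed (slide: smb://[fe80::240:f4ff:fe1f:8243]/)
        addr = ipaddress.ip_address(ident[1:-1])
        return {"kind": "ipv6", "address": str(addr), "try": []}
    try:
        addr = ipaddress.ip_address(ident)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version == 6:
            raise ValueError("unbracketed IPv6 literal in server field")
        return {"kind": "ipv4", "address": str(addr), "try": []}
    if "%2e" in ident.lower():
        # An escaped dot marks a NetBIOS name; the first unescaped dot separates
        # the name from the NetBIOS scope ID (slide: my%2Enode.scope)
        name, _, scope = ident.partition(".")
        name = unquote(name)
        if len(name) > NETBIOS_NAME_MAX:
            raise ValueError("NetBIOS name longer than 15 characters")
        return {"kind": "netbios", "name": name, "scope": scope, "try": ["nbt"]}
    if "." not in ident and len(ident) <= NETBIOS_NAME_MAX:
        # A short dotless name could be either; the slides try an NBT query, then DNS
        return {"kind": "netbios-or-dns", "name": ident, "scope": "", "try": ["nbt", "dns"]}
    return {"kind": "dns", "name": ident, "try": ["dns"]}


def connection_plan(target: str) -> Dict[str, object]:
    """Step 1 (identifier interpretation) followed by step 2 (transport order)."""
    if target.startswith("smb://"):
        server, share, rest = split_smb_url(target)
    else:
        server, share, rest = split_unc(target)
    plan = classify_server(server)
    plan.update({"share": share, "path": rest, "transports": list(TRANSPORT_ORDER)})
    return plan
```

For the slide's own \\ubiqx\cifs\SMB.html the plan comes out as a dotless name that may be NetBIOS or DNS, so an NBT name query is tried before DNS, and then port 445 before port 139, which is exactly the trial-and-error order the slides describe.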
Can we do something?
◊ All that was just to establish a connection
to an SMB server
◊ Now we can look at SMB commands
◊ They may contain a header, parameters, and data
Image from http://www.ubiqx.org/cifs/figures/smb-03.html
SMB Header
◊ The SMB header typically has eight 4-byte
lines
• SMB_HEADER {
• PROTOCOL = "\xffSMB" (4B)
• COMMAND = <SMB Command code (1 B)>
The CIFS Technical Reference lists these
• STATUS = <Status code> (4B)
• FLAGS = <Old flags> (1 B)
SMB Header
• FLAGS2 = <New flags> (2 B)
• EXTRA = <Sometimes used for additional
data> (12 B)
The PidHigh subfield is used to accommodate
systems that have 32-bit Process IDs
The 8-byte Signature subfield is for SMB message
signing, as in a digital signature
When not in use, these fields must be filled with
zeros
SMB Header
• TID = <Tree ID> (2B)
The SMB used to open a share is called a "Tree
Connect"; the TID field is used to identify
connections to shares once they have been
established
• PID = <Process ID> (2B)
The "Process ID" is set by the client, and is
intended as an identifier for the process sending
the SMB request
The most important thing to note regarding the
PID is that file locking and access modes are
maintained relative to the value in this field
SMB Header
• UID = <User ID> (2B)
The "User ID" is also known as a VUID (Virtual
User ID)
It is assigned by the server after the user logs in,
and is valid until the user logs off
It does not need to be the user's actual User ID on
the server system
SMB Header
• MID = <Multiplex ID> (2B) }
The "Multiplex ID" is used by the client to keep
track of multiple outstanding requests
The server must echo back the MID and the PID
provided in the client request
The client can use those values to make sure that
the reply is matched up to the correct request
SMB Message Parameters
◊ SMB_PARAMETERS {
◊ WordCount = <Number of words in the
Words array> (1 B)
◊ Words[WordCount] = <SMB parameters;
varies with SMB command>
(2*WordCount B) }
• The SMB_PARAMETERS.Words block is limited
in length to 510 bytes
SMB Message Parameters
◊ Each SMB message type (species?) has a
different record structure that is carried in
the Words block
◊ Think of that structure as representing the
parameters passed to a function (the
function identified by the SMB command
code listed in the header)
SMB Message Data
◊ SMB_DATA {
◊ ByteCount = <Number of bytes in the
Bytes field> (2 B)
◊ Bytes[ByteCount] = <Contents varies with
SMB command> (ByteCount B) }
• SMB_DATA.Bytes may be as much as 65,535
bytes in length
Parameters vs Data blocks
◊ So if the Parameters block and the Data
block look alike, it’s not just you
• “…any functional distinction that may have
separated the Parameter and Data blocks has
been blurred” - Implementing CIFS
AndX messages
◊ SMB can form a linked list of related
messages using a format called AndX
messages
◊ The AndX message has two fields in a 4-byte line
• AndXCommand (1 B)
• (reserved) (1 B)
• AndXOffset (2 B)
Figure from http://www.ubiqx.org/cifs/figures/smb-05.html
AndX messages
◊ The AndXCommand field provides the SMB
command code for the next AndX block in
the list (not the current one)
• The AndXOffset value in each AndX parameter
block gives the offset (relative to the start of
the SMB) of the next AndX block; AndXOffset
of the last AndX block has a value of zero (0)
AndX messages
◊ The AndXOffset contains the byte index,
relative to the start of the SMB header, of
that next AndX block--think of it as a
pointer
• Since the AndXOffset value is independent of
the SMB_PARAMETERS.WordCount and
SMB_DATA.ByteCount values, it is possible to
provide padding between the AndX blocks
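The header, parameters, data and AndX slides above describe one byte layout; the parser below is an added example (not code from the slides, from Samba, or from the CIFS Technical Reference) that builds a constructed message, unpacks the 32-byte header and each WordCount/Words/ByteCount/Bytes block, walks the AndX chain through AndXCommand and AndXOffset, and checks the MID/PID echo the slides say a client relies on. Because AndXOffset is independent of WordCount and ByteCount, a parser has to check that it points past the current block; otherwise a malformed offset sends it round in circles, which is the one failure mode the example guards against. The PID, MID, flag values and share name in the sample are made up for the demonstration; the command codes are the well-known CIFS values.

```python
"""SMB1 (CIFS) message layout: header, parameters, data and AndX chain (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SMB_MAGIC = b"\xffSMB"
HEADER_LEN = 32                    # eight 4-byte lines
# PROTOCOL, COMMAND, STATUS, FLAGS, FLAGS2, EXTRA (PidHigh, 8-byte Signature,
# 2 reserved), TID, PID, UID, MID; SMB1 is little-endian on the wire
HEADER_FMT = "<4sBIBHH8s2xHHHH"
ANDX_NONE = 0xFF                   # AndXCommand value meaning "no further block"
# AndX-capable command codes from the CIFS Technical Reference
ANDX_COMMANDS = {0x24, 0x2D, 0x2E, 0x2F, 0x73, 0x74, 0x75, 0xA2}
SMB_COM_SESSION_SETUP_ANDX, SMB_COM_TREE_CONNECT_ANDX = 0x73, 0x75


@dataclass
class SmbHeader:
    command: int
    status: int
    flags: int
    flags2: int
    pid_high: int
    signature: bytes
    tid: int
    pid: int
    uid: int
    mid: int


@dataclass
class SmbBlock:
    command: int
    offset: int                    # byte index relative to the start of the SMB header
    words: bytes                   # SMB_PARAMETERS.Words; WordCount is one byte, so at most 510 bytes
    data: bytes                    # SMB_DATA.Bytes; ByteCount is two bytes, so at most 65,535 bytes
    andx_command: Optional[int] = None
    andx_offset: Optional[int] = None


def parse_header(msg: bytes) -> SmbHeader:
    if len(msg) < HEADER_LEN or msg[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    fields = struct.unpack_from(HEADER_FMT, msg, 0)
    return SmbHeader(*fields[1:])          # drop the PROTOCOL magic


def parse_block(msg: bytes, command: int, offset: int) -> SmbBlock:
    """Parse one WordCount/Words/ByteCount/Bytes block starting at offset."""
    if offset >= len(msg):
        raise ValueError("block offset beyond end of message")
    words_len = 2 * msg[offset]
    bc_off = offset + 1 + words_len
    if bc_off + 2 > len(msg):
        raise ValueError("truncated parameters block")
    (byte_count,) = struct.unpack_from("<H", msg, bc_off)
    if bc_off + 2 + byte_count > len(msg):
        raise ValueError("truncated data block")
    blk = SmbBlock(command, offset, msg[offset + 1:bc_off], msg[bc_off + 2:bc_off + 2 + byte_count])
    if command in ANDX_COMMANDS:           # AndXCommand, reserved, AndXOffset lead the Words
        if words_len < 4:
            raise ValueError("AndX block shorter than AndXCommand/reserved/AndXOffset")
        blk.andx_command, _reserved, blk.andx_offset = struct.unpack_from("<BBH", blk.words, 0)
    return blk


def parse_message(msg: bytes) -> Tuple[SmbHeader, List[SmbBlock]]:
    hdr = parse_header(msg)
    blocks: List[SmbBlock] = []
    command, offset = hdr.command, HEADER_LEN
    while True:
        blk = parse_block(msg, command, offset)
        blocks.append(blk)
        if blk.andx_command in (None, ANDX_NONE) or blk.andx_offset == 0:
            return hdr, blocks             # last block in the chain
        # Padding between blocks is allowed, but the pointer must move forward
        block_end = blk.offset + 1 + len(blk.words) + 2 + len(blk.data)
        if blk.andx_offset < block_end:
            raise ValueError("AndXOffset points backwards into the current block")
        command, offset = blk.andx_command, blk.andx_offset


def build_message(pid: int, mid: int, chain: List[Tuple[int, bytes, bytes]]) -> bytes:
    """chain items are (command, extra words, data); chain[0] goes in the header,
    every block carries the AndXCommand/AndXOffset of the block after it."""
    body, offset = b"", HEADER_LEN
    for i, (_, extra, data) in enumerate(chain):
        assert len(extra) % 2 == 0, "Words are 16-bit units"
        last = i + 1 == len(chain)
        block_len = 1 + 4 + len(extra) + 2 + len(data)
        words = struct.pack("<BBH", ANDX_NONE if last else chain[i + 1][0],
                            0, 0 if last else offset + block_len) + extra
        body += bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
        offset += block_len
    # sample flag values; Signature is all zeros because message signing is not in use
    header = struct.pack(HEADER_FMT, SMB_MAGIC, chain[0][0], 0, 0x18, 0xC801, 0, bytes(8), 0, pid, 0, mid)
    return header + body


def reply_matches(request: SmbHeader, reply: SmbHeader) -> bool:
    """The server must echo MID and PID; the client pairs replies with requests on both."""
    return request.mid == reply.mid and request.pid == reply.pid
```

With SESSION SETUP ANDX chained to TREE CONNECT ANDX, the first block's AndXOffset lands exactly on the second block's WordCount byte; flipping that offset back to 32 (the first block itself) makes parse_message raise instead of looping.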
Start the conversation
◊ After establishing the transport protocol,
the SMB client and server can exchange
messages
◊ The first one is always NEGOTIATE
PROTOCOL REQUEST/RESPONSE, which
does just that
◊ It’s followed by SESSION SETUP REQUEST
• Didn’t we already do that?
Transport vs user sessions
◊ No, we established the transport layer
session; now it’s time to establish a user
logon session
◊ In the second message in the handout, we
have
• AccountName = "GUEST"
◊ This is to log on as the GUEST user
Find a tree
◊ Once a user logon is done, often the next
command is to find the shared directory
tree
• TREE CONNECT does this
◊ Recall the tree concept identifies shared
folders
SMB Connection
◊ After transport disconnect, all resources are
released, not too surprisingly
Figure from http://www.ubiqx.org/cifs/figures/smb-06.html
Ok, enough SMB!
◊ Aren’t you glad someone wrote Samba to
do all this stuff for you? Who, you ask?
• Aussie Andrew Tridgell reverse engineered
SMB and started Samba in 1992
◊ Samba exists only on the non-Windows
side; a Windows system only needs to be
configured for ‘Microsoft networking’
Much of this section is from (Nemeth, 2007) and the Samba3-HOWTO
Samba = Unix CIFS server
◊ Samba can provide these services
• File sharing
• Network printing
• Authentication and authorization
• Name resolution
• Service announcement
Browse file servers or printers
Samba services
◊ Samba can also
• Do basic Windows primary domain controller
functions
• With LDAP, serve as a backup domain
controller
• Support some other Windows functions such
as domain logins, roaming user profiles, and
CIFS print spooling
Samba processes
◊ Samba is implemented in Linux mostly via
two processes (daemons, to be precise):
• The daemon smbd provides file sharing,
network printing, authentication and
authorization
• The daemon nmbd provides name resolution
and service announcement
◊ Samba runs as a normal user process,
binding to the CIFS sockets
Installing Samba
◊ Most Linux distributions include Samba,
but you can download the latest from
samba.org, and install it
• root# rpm -Uvh samba-3.0.20-1.i386.rpm
◊ Create a mount point for shared files
• root# mkdir /plans
• root# chmod 755 /plans
From Samba ByExample
Installing Samba
◊ Then install the smb.conf file (which we’ll
get to soon)
◊ Verify that the /etc/hosts file contains
the following entry:
• 192.168.1.1 server
◊ Start samba
• root# chkconfig smb on
• root# /etc/rc.d/init.d/smb restart
Simple smb.conf file
• # Global Parameters
• [global]
• workgroup = MIDEARTH
• security = SHARE
• [Plans]
• path = /plans
• read only = Yes
• guest ok = Yes
From the PC side
◊ Make sure the PC is in the workgroup
(e.g. MIDEARTH)
◊ Make sure its IP address is in the same
range as the Samba system (192.168.1.x),
and they have the same netmask
(255.255.255.0)
◊ Find the samba server in the Network
Neighborhood
Is Samba alive?
◊ Check samba status with
• root# smbclient -L localhost -U%
• The -U% option gives no user name and password
◊ And prove it can handle a login
• root# smbclient -L server -Uroot%password
◊ That should establish basic file sharing
Samba configuration file
◊ Like most Unix-y apps, it has a ‘.conf’ file
which governs how it runs
• /etc/smb.conf or /etc/samba/smb.conf or
maybe /usr/local/samba/lib/smb.conf
◊ When Samba is running, it checks the conf
file every few seconds, so changes will
take effect quite quickly (no reboot
needed)
Config file sections
◊ Each section in the smb.conf file
(“stanza”) represents either a share or
a meta-service on the Samba server
• The [global] stanza contains settings that
apply to the whole Samba server
◊ Samba supports a number of meta-services,
each of which serves its own purpose
From (Samba3-HOWTO)
Config file meta-services
• The [homes] stanza is a meta-service that
causes Samba to provide a personal home
share for each user
• The [printers] stanza is a meta-service that
establishes print queue support, and specifies
the location of the intermediate spool
directory into which print jobs are received
from Windows clients prior to being
dispatched to the UNIX/Linux print spooler
Really minimal smb.conf file
[global]
workgroup = WKG
netbios name = MYNAME
[share1]
path = /tmp
[share2]
path = /my shared folder
comment = Some random files
Security issues
◊ File sharing is naturally a security hole
◊ To control which clients can access Samba
shared resources, look for the hosts
allow clause in the smb.conf file
• It should contain only the IP addresses or
IP address ranges you trust to have access
◊ Turn on password encryption
• encrypt passwords = true
Security issues
◊ Password encryption makes Samba keep a
hash of the password for each user
• Recall Unix and Windows keep different user
login information
◊ To set this password, use smbpasswd
• sudo smbpasswd -a username
◊ Users can then change their password
• smbpasswd -r smbservername -U username
Security issues
◊ Block the Samba server from outside your
organization
• Samba uses encryption only for password
authentication, not for data transport!
◊ Hence you might want to use a firewall to block
• UDP ports 137-139
• TCP ports 137, 139, and 445
What are my settings?
◊ To find the current Samba settings use the
command
• testparm -v
◊ This will include all your smb.conf
settings, and other defaults
• Only override defaults for a reason;
otherwise leave them out of smb.conf
Encoding compatibility
◊ Try echo $LANG
◊ Samba uses UTF-8 character set
◊ If you’re using anything else, set the
character sets in Samba to be the
same as your system is using, e.g.
• unix charset = ISO8859-15
• display charset = ISO8859-15
Removing NetBIOS support
◊ If all Windows clients are at least Win2k,
have DNS provided outside of Samba, and
you don’t need Network Neighborhood
browsing in Samba, you can remove
NetBIOS support
[global]
disable netbios = yes
name resolve order = host
Removing NetBIOS support
◊ Without NetBIOS support, you don’t need
to run nmbd; so remove it from Samba
startup in /etc/init.d
◊ To connect to a Samba server without
NetBIOS support, use the full DNS name
of the host
• \\server.example.com.\myshare
• The extra dot tells Windows to use DNS
Authentication
◊ Windows uses a challenge/response
approach to respond to an authentication
request
• If you have the same Samba username and
password as in Windows, then this will be
invisible in the background
◊ For larger scale systems, can use NIS,
LDAP or Windows authentication services
Authentication
◊ To merge authentication services between
Linux and Windows, make Samba act as a
Primary Domain Controller
◊ Or can use Nate Yocom’s open source
pGina (GINA = Graphical Identification
aNd Authentication) to handle almost any
authentication method
Basic file sharing in smb.conf
◊ If everyone has a home directory, the
[homes] stanza can share them
• [homes]
• comment = Home directories
• browseable = no
• valid users = %S
• writeable = yes
• guest ok = no
Basic file sharing
◊ This will allow any user to access their
home Linux directory from any Windows
system
◊ Can you see another user’s home
directory?
• Samba uses Linux file permissions through
CIFS, so usually the answer would be yes
• The valid users line prevents it though
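The security slides and the [homes] stanza above amount to a short checklist for smb.conf: a hosts allow line limited to addresses you trust, encrypt passwords turned on, valid users = %S in [homes], and no share that is both writeable and open to guests. The linter below is an added example, not code from the slides or from Samba (testparm checks syntax, not policy): it parses the stanza / key = value layout of smb.conf and reports each point that is missing. The two sample configurations are constructed from the slides' own examples; the "trusted" address ranges are an assumption of this example (RFC 1918 and loopback), and hostnames in hosts allow are reported for manual review rather than resolved.

```python
"""Lint an smb.conf for the points the security slides raise (added example)."""
import configparser
import ipaddress
from typing import Dict, List

# Assumption of this example: only RFC 1918 and loopback ranges count as trusted
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                                   "192.168.0.0/16", "127.0.0.0/8")]


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """smb.conf is INI-like: [stanza] headers, 'key = value', '#' or ';' comments.
    Keys are case-insensitive and may contain spaces; %S-style macros stay literal."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return {s.lower(): {k.lower(): v.strip() for k, v in cp.items(s)} for s in cp.sections()}


def is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def host_entry_is_trusted(entry: str) -> bool:
    """Handles the forms hosts allow accepts: 192.168.1. (trailing-dot prefix),
    192.168.1.0/24, 10.0.0.0/255.0.0.0, or a single address. Raises ValueError
    for a hostname, which this example does not resolve."""
    e = entry.strip()
    if e.endswith("."):                          # 192.168.1.  ->  192.168.1.0/24
        octets = e.rstrip(".").split(".")
        e = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    net = ipaddress.ip_network(e, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_NETS)


def share_is_writeable(share: Dict[str, str]) -> bool:
    for key in ("writeable", "writable", "write ok"):   # synonyms Samba accepts
        if key in share:
            return is_true(share[key])
    return not is_true(share.get("read only", "yes"))   # 'read only' defaults to yes


def lint_smb_conf(text: str) -> List[str]:
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings: List[str] = []
    allow = g.get("hosts allow", "")
    if not allow:
        findings.append("[global] has no 'hosts allow': any client that reaches the ports may connect")
    for entry in allow.replace(",", " ").split():
        if entry.upper() == "EXCEPT":            # what follows is a deny list, not an allow list
            break
        try:
            if not host_entry_is_trusted(entry):
                findings.append(f"'hosts allow' entry {entry} is outside the trusted ranges")
        except ValueError:
            findings.append(f"'hosts allow' entry {entry} is a name, not an address range; verify it")
    enc = g.get("encrypt passwords")
    if enc is None:
        findings.append("'encrypt passwords' is not set; set it to yes explicitly")
    elif not is_true(enc):
        findings.append("'encrypt passwords = no' lets clients send plaintext passwords")
    homes = conf.get("homes")
    if homes is not None and homes.get("valid users", "") != "%S":
        findings.append("[homes] lacks 'valid users = %S': users can reach each other's home shares")
    for name, share in conf.items():
        if name in ("global", "homes", "printers"):
            continue
        if share_is_writeable(share) and is_true(share.get("guest ok", "no")):
            findings.append(f"[{name}] is writeable and guest ok: anonymous clients can modify files")
    return findings


# Constructed from the slide's "Simple smb.conf file"
SIMPLE_CONF = """\
# Global Parameters
[global]
workgroup = MIDEARTH
security = SHARE
[Plans]
path = /plans
read only = Yes
guest ok = Yes
"""

# The same server with the slides' security advice applied; 192.168.1. is the slides' LAN
HARDENED_CONF = """\
[global]
workgroup = MIDEARTH
hosts allow = 127. 192.168.1.
encrypt passwords = yes
[homes]
comment = Home directories
browseable = no
valid users = %S
writeable = yes
guest ok = no
[Plans]
path = /plans
read only = Yes
guest ok = Yes
"""
```

Run against SIMPLE_CONF the linter reports the two things the slides tell you to add (hosts allow and encrypt passwords); the read-only guest share itself is not flagged, because read-only guest access is what that slide set up on purpose. HARDENED_CONF produces no findings.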
Group shares
◊ A group can be defined by access control
lists (ACLs), but that’s a bit messy
◊ Easier to define a pseudo user, and have
Samba pretend people are in that group
• E.g. create a Linux ‘eng’ group, and matching
Samba user and group of the same name
• The pseudo user is the owner of the directory
Group shares
• [eng]
• valid users = @eng
• force user = eng
• force group = eng
• path = /home/eng
• nt acl support = no
• create mask = 0660
• force create mode = 0660
Group shares
• security mask = 0000
• directory mask = 2770
• force directory mode = 2770
• directory security mask = 0000
More info on these masks circa p. 324 of HOWTO
• browseable = no
• writeable = yes
• guest ok = no
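The mask parameters in the [eng] stanza are easiest to understand as bit arithmetic on the UNIX mode. The model below is an added example, not code from Samba or the HOWTO; it follows the rule smb.conf(5) gives for these parameters, which this example takes as an assumption about the exact semantics: on create, the mode the client asks for is ANDed with create mask (or directory mask) and then ORed with force create mode (or force directory mode); when a Windows client edits permissions through the NT security dialog, only bits inside security mask (or directory security mask) are allowed to change. The values are the ones from the [eng] share; the permissive share used for contrast is constructed.

```python
"""Effect of Samba's create/directory/security masks on UNIX modes (added example)."""
from typing import Dict

# Values from the slide's [eng] group share
ENG_SHARE: Dict[str, int] = {
    "create mask": 0o660, "force create mode": 0o660,
    "directory mask": 0o2770, "force directory mode": 0o2770,
    "security mask": 0o000, "directory security mask": 0o000,
}

# Constructed for contrast: every bit passes through and nothing is forced
PERMISSIVE_SHARE: Dict[str, int] = {
    "create mask": 0o777, "force create mode": 0o000,
    "directory mask": 0o777, "force directory mode": 0o000,
    "security mask": 0o777, "directory security mask": 0o777,
}


def _mask_and_force(share: Dict[str, int], is_dir: bool):
    if is_dir:
        return share["directory mask"], share["force directory mode"]
    return share["create mask"], share["force create mode"]


def mode_on_create(requested: int, share: Dict[str, int], is_dir: bool = False) -> int:
    """Mode a new file (or directory) receives: AND with the mask, then OR the forced bits."""
    mask, force = _mask_and_force(share, is_dir)
    return (requested & mask) | force


def mode_after_client_chmod(current: int, requested: int, share: Dict[str, int],
                            is_dir: bool = False) -> int:
    """Only bits inside the security mask may be changed from the NT security dialog."""
    mask = share["directory security mask" if is_dir else "security mask"]
    return (current & ~mask) | (requested & mask)


def create_mode_is_fixed(share: Dict[str, int], is_dir: bool = False) -> bool:
    """True when every bit the mask could let through is forced on anyway, so the
    client's requested mode makes no difference at all (the [eng] design)."""
    mask, force = _mask_and_force(share, is_dir)
    return mask & ~force == 0


def client_can_change_permissions(share: Dict[str, int], is_dir: bool = False) -> bool:
    return share["directory security mask" if is_dir else "security mask"] != 0
```

Under [eng] a file requested as 0644 still lands as 0660 and a directory requested as 0777 lands as 2770 (setgid keeps new entries in the eng group), and a later attempt to chmod the file to 0777 from Windows changes nothing because security mask is 0000; under the permissive share each request is honoured as-is.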
Sources
◊ The Unofficial Samba HOWTO from
oregontechsupport.com
◊ Vernooij, Terpstra, Carter. (May 27, 2009)
Samba3-HOWTO from samba.org
◊ Samba3-ByExample from samba.org
◊ What is Samba? from samba.org
◊ Implementing CIFS, by Christopher R.
Hertel
Sources
◊ CIFS Technical Reference by SNIA (2002)
◊ Nemeth, Snyder, Hein. (2007) Linux
Administration Handbook. Prentice Hall,
ISBN 0131480049