SAMBA

SAMBA Server Message Block File & Print Server

Service Profile • Type: System-V managed service • Packages: samba-common, samba-client • Daemons: nmbd, smbd • Script: smb • Ports: 137/udp, 138/udp 139/tcp • Configuration: /etc/samba/smb.conf

SaMBa • Client & Server for the Common Internet File System (CIFS) • Microsoft's name for its SMB protocol implementation • Contains components of the LanManager and NetBIOS protocols • Samba may provide performance improvements over ‘native’ CIFS • Hhtp://www.samba.org

The goal of SAMBA • A single integrated work-group spanning Windows and Linux machines

The view from Windows • Linux based resources look identical to Windows based resources. • Using Universal Naming conventions (UNC): • \\toltec\spirit

The view from Linux # smbstatus Processing section "[homes]“ Processing section "[printers]“ Processing section "[spirit]“ Samba version 2.2.6 Service uid gid pid machine spirit jay jay 7735 maya (172.16.1.6) Sun Aug 12 12:17 2005 spirit jay jay 7779 aztec (172.16.1.2) Sun Aug 12 12:49 2005 jay jay jay 7735 maya (172.16.1.6) Sun Aug 12 12:56 2005

The view from Linux Locked files: Pid DenyMode R/W Oplock Name ----------------------------------------------------------------------------------------------------- 7735 DENY_WRITE RDONLY NONE /u/RegClean.exe Sun Aug 12 13:01:22 2005 Share mode memory usage (bytes): 1048368(99%) free + 136(0%) used + 72(0%) overhead = 1048576(100%) total

Samba Services • Authentication & Authorization of users • File & Printer Sharing • Name Resolution • Provides some capabilities of a WINS server • Maps between NetBIOS names to IP addresses • Note that WINS is independent and unrelated to DNS • Browsing (service announcements)

NetBIOS Names • 16 Bytes in length • 15 bytes for the selected name • All standard characters a-z, A-Z, 0-9 and ! @ # $ % ^ & ( ) - ' { } . ~ are allowed. • It is normal practise to use the same machine name for the DNS record and the NetBIOS record. • The 16th byte indicates the unique service provided by the machine

Examples of NetBIOS resource types Named resource Hexadecimal byte value Standard Workstation Service 00 Messenger Service 03 RAS Server Service 06 Domain Master Browser Service 1B (associated with primary domain controller) Master Browser name 1D NetDDE Service 1F Fileserver (including printer server) 20 RAS Client Service 21 Network Monitor Agent BE Network Monitor Utility BF

Querying NetBIOS names C:\>nbtstat -a toltec NetBIOS Remote Machine Name Table Name Type Status --------------------------------------------- TOLTEC <00> UNIQUE Registered TOLTEC <03> UNIQUE Registered TOLTEC <20> UNIQUE Registered ...

Workgroups • SMB groups are the same as Windows Workgroups. • There are predefined group resource types. • Nbtstat output: NetBIOS Remote Machine Name Table Name Type Status ---------------------------------------------------------------- METRAN <00> GROUP Registered METRAN <1E> GROUP Registered ..__MSBROWSE__.<01> GROUP Registered

Smb.conf sections • Similar layout to the windows.ini file split into different [ … ] sections • [global]: generic server or global settings which apply to each share • [homes]: used to grant some or all users access to their home directories • [printers]: defines printer resources and services

Sample global section # Simple global section [global] Log file = /var/log/samba/samba.log Load printers=yes Max log size=50 Netbios name=RHL Server string=Samba Server Workgroup=Tardis

Configuring File and Directory Sharing • Shares should have their own [ … ] section • Options include • Public- can be accessed by guest account • Browseable – share is visible in browse lists • Writeable – resource is read and write enabled • Printable – resource is a printer, not a disk • Group: all connections to the share use the specified group as their primary group

Example # share Ronan’s Home Dir [ronan-home] Comment= Ronan’s Home Directory Path = /home/rbradley Browseable=yes Writeable=yes Public = yes createMode=0664 DirectoryMode=0775 maxConnections=1 Printable = no

Printing • Printers defined in /etc/cups/printers.conf • Global options as follows: • [printers] • path = /var/spool/samba • browsable = yes • public = yes • guest ok = yes • writeable = no • printable = yes

Printing • [LibertyLane] • Comment = Staff Printer LaserJet 5 • printer = prll • valid users = rbradley smcneally • path = /var/spool/prll • public = no • writeable = no • printable = yes • By default, samba assumes printing is via cups, this can be overridden with the printing= parameter in the [global] section

Other examples • [lp] • print command = lpr -s -P %p %s; rm %s • printable = yes • browseable = no • [nec-raw] • comment = Main PostScript printer driver for Windows clients printer • driver = NEC SilentWriter 95 • printable = yes • browseable = yes

Supporting WINS Turn WINS support on add in [global]: wins support = yes The SaMBa server will maintain a database of NetBIOS to IP mapping and acts as a name server for these mappings Specify the name resolution order name resolve order = wins lmhosts bcast Note that this example shows the the default order and is therefore unnecessary

Name resolution options host means use the system resolver library to determine the IP address of a name lmhosts means to read name-IP mappings from the NetBIOS lmhosts file /etc/samba/lmhosts If this doesn’t exist, lmhosts lookup will be skipped wins tells the server to maintain a WINS database Names will be added and updated as clients connect bcast uses the NetBIOS broadcast mechanism to find the addresses of all hosts Broadcast storms

Authentication There are a number of mechanisms for implementing Authentication in Samba By setting the security= setting this can be controlled by administrators User: Validation is done on a per-user basis, requiring a local smbpasswd file and also smbusers file Server: Validation done by another server share: Validation on a per-share basis. Will block all public access domain: a workgroup with a collection of authentication data is used workgroup = NAME

Local file based Authentication To create the local password file use cat /etc/passwd ¦ mksmbpasswd.sh > /etc/samba/smbpasswd Specify that passwords should be stored encrypted encrypted passwords = yes Specify the servers to be contacted for authentication information (used when security option is not user). password server = host1 host2 host3

Adding users and setting passwords To add a user smbadduser ronan.bradley:rbradley UNIX Username: Windows Username, need not match Encrypted (by default) passwords stored in /etc/samba/smbpasswd Users added with smbadduser and smbpasswd Users defined in /etc/samba/passwd must exist in /etc/passwd

Passwords Encrypted passwords stored in /etc/samba/smbpasswd Users added with smbadduser and smbpasswd Users defined in /etc/samba/passwd must exist in /etc/passwd To add a user smbadduser rbradley:rbradley UNIX Username: Windows Username, need not match

Passwords Use smbpasswd for subsequent password changes for all users Can also specify valid users in /etc/samba/passwd, but specify that a Primary Domain Controller will manage the passwords

Winbind winbind maps between windows user and group IDs and unix user and group IDs COMP+rbradley or STUDENT\srooney6 or COMP\STAFF or STUDENT:FT211-4

Linux Client access with Samba Smbclient is the standard client utility, useful for testing and for scripts Smbfs is an optional kernel component which allows Linux to mount an SMB share directly, in similar fashion to mounting an NFS share Not available on UML

Smbclient syntax If you do not specify username%password, smbclient will use the upper case version of USER or LOGNAME variable and the PASSWORD variable (if set) If you use the –U option smbclient –U rbradley%letmein Not a great idea, as the command issued is visible in the history and in the ps information Smbclient includes an ftp-like shell

Sample smbclient –L output smbclient -L toltec added interface ip=172.16.1.1 bcast=172.16.1.255 nmask=255.255.255.0 Password: Domain=[METRAN] OS=[Unix] Server=[Samba 2.2.5] Sharename Type Comment --------- ------ -------------- test Disk For testing only, please IPC$ IPC IPC Service (Samba 2.2.5) HP Printer HP 932C on Maya ADMIN$ Disk IPC Service (Samba 2.2.5) Server Comment --------- ------- MAYA Windows 98 MIXTEC Samba 2.2.5 TOLTEC Samba 2.2.5 ZAPOTEC Workgroup Master ---------------- ------- METRAN TOLTEC

Samba Daemons Nmbd: NetBIOS name server Supports resource browsing (i.e. identification of available shares and printers) Provides the WINS server (i.e. maintains the database of available NetBIOS name to IP mappings) Smbd: SMB/CIFS server Authentication and authorization File and Printer Sharing

Samba Daemon When an SMB client starts, it needs to know the IP address being used by a particular host Client broadcasts this request on the network and receives a response from nmbd containing the NetBIOS information

Configuration Testing • testparm is used to test the correct configuration of your samba settings • To check what access will be granted to a given host, you can also supply the IP address of a given host • testparm 147.252.224.78 • Will return which resources are accessible to that host

Samba Client • smbclient can be used as a command-line file retrieval/transfer tool • smbclient //machine/resource • cd directory • get file • Also allows simple view of shared resources • smbclient –L hostname • user%password may be specified with the –U option or by setting and exporting USER and PASSWORD environment variables

Samba Client • If you do not specify username%password, smbclient will use the upper case version of USER or LOGNAME variable and the PASSWORD variable (if set) • If you use the –U option • smbclient –U rbradley%letmein • Not a great idea, as the command issued is visible in the history and in the ps information • Smbclient includes an ftp-like shell

Sample smbclient –L output • smbclient -L toltec added interface ip=172.16.1.1 bcast=172.16.1.255 nmask=255.255.255.0 Password: Domain=[METRAN] OS=[Unix] Server=[Samba 2.2.5] Sharename Type Comment --------- ------ -------------- test Disk For testing only, please IPC$ IPC IPC Service (Samba 2.2.5) HP Printer HP 932C on Maya ADMIN$ Disk IPC Service (Samba 2.2.5) Server Comment --------- ------- MAYA Windows 98 MIXTEC Samba 2.2.5 TOLTEC Samba 2.2.5 ZAPOTEC Workgroup Master ---------------- ------- METRAN TOLTEC

nmblookup • Can be used to query a WINS server • To list a specific machine • nmblookup –U server –R ‘name’ • Or to list all machines • nmblookup \* • Queries a WINS server in the same way nslookup (or dig) queries a DNS server • Will return hostname and IP

smbmount • SMB file system can be supported by the LINUX kernel • Not available in UML • Can use smbmount to mount a SMB-shared resource • smbmount service mountpoint –o options • smbmount //server/resource /mnt/smb –o username=smbuser • Must set CONFIG_SMB-FS set on for smbmount to work

Samba mounts in /etc/fstab • Samba mounts can be performed automatically upon system boot by editing /etc/fstab • Specify • the UNC path • the local mount point • smbfs as the file system and a • username • //server1/resource /mnt/smb smbfs deaults,username=nobody 0 0

Samba Resources • http://info.ccone.at/INFO/Samba/introduction.html

SAMBA

SAMBA

Presentation Transcript

Samba

SAMBA

SAMBA

Samba

Samba

Samba

SAMBA

Samba

Samba

Samba

Samba

SAMBA

SAMBA