
INFO 321

Server Technologies II

What is Samba?
Samba is essentially a TCP/IP file and print server for Microsoft Windows clients
It can support any SMB/CIFS-enabled client

SMB/CIFS?
SMB is Server (or Session) Message Block
Common Internet File System (CIFS) is Windows File Sharing

SMB
SMB was originally developed to run over NetBIOS (Network Basic Input Output System) LANs in the mid-1980s
SMB was originally for MS-DOS and PC-DOS
SMB is the file sharing protocol inside CIFS
The inventor of SMB was Dr. Barry Feigenbaum of IBM, who initially called it BAF
Notice the name Samba contains SaMBa

SMB
As of Windows 2000, the connection to NetBIOS was removed, thankfully
There exists NBT (NetBIOS over TCP/IP)
SMB over TCP/IP without NBT is "naked"
When running naked, SMB defaults to using TCP port 445 instead of the NBT Session Service port (TCP/139)

SMB should work over any transport protocol

CIFS
CIFS is a network file system plus a set of auxiliary services supported by a bunch of underlying protocols
Most of these are not particularly well documented by Microsoft; you may faint now
CIFS is "Microsoft's way of doing network file sharing since about 1996"
There is no RFC number for SMB or CIFS
Microsoft's implementations are the de facto CIFS standards

So what?
One of Samba's big strengths is that you can use it to blend your mix of Windows and Linux machines together without requiring a separate Windows server.
Samba includes support for Active Directory, Unicode, new authentication and filename mangling systems, printing support, trust relationships, LDAP integration and loadable RPC modules.
From The Unofficial Samba HOWTO

If that's not enough
Samba is software that can be run on a platform other than Microsoft Windows, for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems.
Samba uses the TCP/IP protocol that is installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.
From What is Samba?

Samba Today
Samba is on version 3.5.6 (as of January 19, 2011), and is available for the following platforms:
UNIX - AIX (IBM UNIX), HP-UX (HP UNIX), Solaris (Sun UNIX)
Linux - Debian, Fedora, RedHat, SuSE
MVS (IBM mainframes)
Novell (NetWare)
VMS (was DEC, now HP OpenVMS)
From http://us1.samba.org/samba/ftp/Binary_Packages/

SMB addressing - UNC


A Universal Naming Convention (UNC) path might look something like this:
\\ubiqx\cifs\SMB.html
...and would parse out like this:
No!
ubiqx = The name of the server
cifs = The directory path
SMB.html = The file name
Much of this section adapted from Implementing CIFS

SMB addressing - UNC


UNC doesn't provide a protocol specification
That's not because it always assumes SMB
The UNC format can support all sorts of filesharing protocols, but it is up to the underlying OS or application to figure out which one to use
Protocol and transport discovery are handled by trial-and-error, with each possibility tested until something works
You might imagine a system with AppleTalk, NetWare, and SMB all enabled has a lot of work to do

UNC
The UNC format is handled natively by Microsoft & IBM's family of operating systems: DOS, OS/2, & Windows
Samba's smbclient utility can also parse UNC names, but it does so at the application level rather than within the OS, and it only ever tries to deal with SMB
Even so, smbclient must handle both NBT and naked transport, which can be tricky

UNC
In SMB this is really a server identifier field, because it will accept addresses in addition to names
Recognized server identifiers are:
NetBIOS names
DNS hostnames
IP addresses
Going from an IP address to a NetBIOS name involves guesswork

Share names
The directory path looks just like a directory path, but there is one small thing that makes it different; that thing is called the "share name"
A given directory can have one or many share names
The idea is similar to symbolic links (symlinks) in Unix, or shortcuts in Windows
The share is a named pointer--with its own set of attributes--to the object being made available

File name
File names are straightforward, right?
No.
Windows is case insensitive
But UNIX and Linux are case sensitive
Other problem areas include:
filename lengths
valid characters
file access permissions
the end-of-line delimiter in text files

SMB URL
Fortunately, there is such a thing as an SMB URL
It fits into the general URI syntax and can be used to specify files, directories, and other SMB-shared stuff
It is intended as a more portable, and more complete, way to specify SMB paths at the application level

Reach out and touch an SMB server
To do this we need two steps to identify who we're talking to, and how:
Server identifier interpretation
Transport discovery

Server identifier interpretation
Try a URL like this: smb://server/
Assuming the server's name is server
To resolve the name server, try:
It could be an IPv4 address
That's easy; and IPv6 addresses should be in brackets, smb://[fe80::240:f4ff:fe1f:8243]/

Server identifier interpretation
It could be a NetBIOS Name
Look for un-escaped dots in the NetBIOS name
smb://my%2Enode.scope/ has a NetBIOS Name of my.node and Scope ID of scope
Use a NBT Name Query to get the server's IP address
It could be a DNS name
Try DNS to get the IP address
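Slides 9 through 18 describe UNC paths, the SMB URL form and the order in which a server identifier is interpreted. The following Python is an added example written for this page, not code from Implementing CIFS or from Samba: it splits a UNC path, parses an smb:// URL, and classifies the server field in the order the slides give (IPv4 literal, bracketed IPv6 literal, NetBIOS name with %2E-escaped dots and a scope ID, then DNS). The 15-character NetBIOS name limit, the "trailing dot means DNS" rule and the `then_try` fallback are assumptions of the example; the code only classifies and performs no name resolution or network I/O.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

NETBIOS_NAME_MAX = 15   # assumption: NetBIOS names are at most 15 characters (not stated on the slides)
DEFAULT_PORTS = {"naked": 445, "nbt": 139}   # from the transport slides


def split_unc(unc):
    r"""Split \\server\share\path into (server, share, path).
    The first component after the server is the share name, not a directory."""
    if not unc.startswith("\\\\"):
        raise ValueError("UNC path must start with two backslashes")
    parts = unc[2:].split("\\")
    server = parts[0]
    if not server:
        raise ValueError("UNC path has no server component")
    share = parts[1] if len(parts) > 1 else ""
    return server, share, "\\".join(parts[2:])


def classify_server(server):
    """Decide how the server identifier should be resolved, in the order the
    slides give: IPv4 literal, bracketed IPv6 literal, NetBIOS name, DNS name."""
    if server.startswith("[") and server.endswith("]"):
        return {"kind": "ipv6", "address": str(ipaddress.IPv6Address(server[1:-1]))}
    try:
        return {"kind": "ipv4", "address": str(ipaddress.IPv4Address(server))}
    except ipaddress.AddressValueError:
        pass
    if server.endswith("."):            # assumption: a trailing dot forces DNS, as the NetBIOS-removal slide says for UNC
        return {"kind": "dns", "hostname": server.rstrip(".")}
    # An un-escaped dot separates the NetBIOS name from its scope ID; %2E is a dot inside the name.
    name, _, scope = server.partition(".")
    if "%2e" in name.lower() or (not scope and len(name) <= NETBIOS_NAME_MAX):
        return {"kind": "netbios", "name": unquote(name), "scope": scope, "then_try": "dns"}
    return {"kind": "dns", "hostname": server}


def parse_smb_url(url):
    """Parse smb://server[:port]/share/path. The netloc is taken raw so that
    %2E escapes and IPv6 brackets survive; classify_server then interprets it.
    User info (user@host) is not handled by this example."""
    u = urlsplit(url)
    if u.scheme != "smb":
        raise ValueError("not an smb:// URL")
    netloc, port = u.netloc, None
    if netloc.startswith("["):
        close = netloc.index("]")
        server, rest = netloc[:close + 1], netloc[close + 1:]
        if rest.startswith(":"):
            port = int(rest[1:])
    elif ":" in netloc:
        server, port_text = netloc.rsplit(":", 1)
        port = int(port_text)
    else:
        server = netloc
    segments = [s for s in u.path.split("/") if s]
    return {"server": server, "port": port,
            "share": segments[0] if segments else "",
            "path": "/".join(segments[1:]),
            "resolve": classify_server(server)}


if __name__ == "__main__":
    print(split_unc(r"\\ubiqx\cifs\SMB.html"))
    for sample in ("smb://server/", "smb://my%2Enode.scope/",
                   "smb://[fe80::240:f4ff:fe1f:8243]/", "smb://192.168.1.1:445/plans/doc.txt"):
        print(sample, "->", parse_smb_url(sample))
```

A port given explicitly in the URL is the only thing that lets the client skip the transport-discovery guesswork on the following slides; without one it must try 445 (naked) and 139 (NBT) in turn.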

Port number please?
Now we need to divine the port number
Port 139 is for NBT
Port 445 is for raw TCP
Which one applies?
And if other security protocols are being used, higher port numbers could apply
So this is another mess to figure out, if you weren't given it

Transport discovery
Try running naked
Open a TCP connection to port 445 on
the server, but do not send an NBT
SESSION REQUEST--just start sending
SMB messages and see if that works

Try NBT transport
Try reverse-mapping a NetBIOS Name

Can we do something?
All that was just to establish a
connection to an SMB server
Now we can look at SMB commands
They may contain a header, parameters, and data
Image from http://www.ubiqx.org/cifs/figures/smb03.html

SMB Header
The SMB header typically has eight 4-byte lines
SMB_HEADER {
  PROTOCOL = "\xffSMB" (4 B)
  COMMAND = <SMB Command code> (1 B)
    The CIFS Technical Reference lists these
  STATUS = <Status code> (4 B)
  FLAGS = <Old flags> (1 B)

SMB Header
  FLAGS2 = <New flags> (2 B)
  EXTRA = <Sometimes used for additional data> (12 B)
    The PidHigh subfield is used to accommodate systems that have 32-bit Process IDs
    The 8-byte Signature subfield is for SMB message signing, as in a digital signature
    When not in use, these fields must be filled with zeros

SMB Header
  TID = <Tree ID> (2 B)
    The SMB used to open a share is called a "Tree Connect"; the TID field is used to identify connections to shares once they have been established
  PID = <Process ID> (2 B)
    The "Process ID" is set by the client, and is intended as an identifier for the process sending the SMB request
    The most important thing to note regarding the PID is that file locking and access modes are maintained relative to the value in this field

SMB Header
  UID = <User ID> (2 B)
    The "User ID" is also known as a VUID (Virtual User ID)
    It is assigned by the server after the user logs in, and is valid until the user logs off
    It does not need to be the user's actual User ID on the server system

SMB Header
  MID = <Multiplex ID> (2 B) }
    The "Multiplex ID" is used by the client to keep track of multiple outstanding requests
    The server must echo back the MID and the PID provided in the client request
    The client can use those values to make sure that the reply is matched up to the correct request

SMB Message Parameters
SMB_PARAMETERS {
  WordCount = <Number of words in the Words array> (1 B)
  Words[WordCount] = <SMB parameters; varies with SMB command> (2*WordCount B) }
The SMB_PARAMETERS.Words block is limited in length to 510 bytes

SMB Message Parameters
Each SMB message type (species?) has a different record structure that is carried in the Words block
Think of that structure as representing the parameters passed to a function (the function identified by the SMB command code listed in the header)

SMB Message Data
SMB_DATA {
  ByteCount = <Number of bytes in the Bytes field> (2 B)
  Bytes[ByteCount] = <Contents varies with SMB command> (ByteCount B) }
SMB_DATA.Bytes may be as much as 65,535 bytes in length

Parameters vs Data blocks
So if the Parameters block and the Data block look alike, it's not just you:
"any functional distinction that may have separated the Parameter and Data blocks has been blurred" - Implementing CIFS

AndX messages
SMB can form a linked list of related messages using a format called AndX messages
The AndX message has two fields in a 4-byte line:
AndXCommand (1 B)
(reserved) (1 B)
AndXOffset (2 B)
Figure from http://www.ubiqx.org/cifs/figures/smb05.html

AndX messages
The AndXCommand field provides the SMB command code for the next AndX block in the list (not the current one)
The AndXOffset value in each AndX parameter block gives the offset (relative to the start of the SMB) of the next AndX block; AndXOffset of the last AndX block has a value of zero (0)

AndX messages
The AndXOffset contains the byte index, relative to the start of the SMB header, of that next AndX block--think of it as a pointer
Since the AndXOffset value is independent of the SMB_PARAMETERS.WordCount and SMB_DATA.ByteCount values, it is possible to provide padding between the AndX blocks
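To make the header, parameter and data layouts on slides 22 through 33 concrete, here is an added Python example (not code from the CIFS Technical Reference, ubiqx or Samba) that unpacks the 32-byte header, walks the SMB_PARAMETERS and SMB_DATA blocks and follows an AndX chain through a constructed message. It assumes little-endian multi-byte fields, that AndXOffset points at the WordCount byte of the next block, and that an AndXCommand of 0xFF ends the chain; the command codes 0x73 (SESSION SETUP ANDX) and 0x75 (TREE CONNECT ANDX) are the ones listed in the CIFS Technical Reference. Every length and offset is bounds-checked, and an offset that points backwards is rejected, which is the check a parser needs so that a malformed chain cannot loop forever or read outside the buffer.

```python
import struct

# Field layout from the slides: PROTOCOL(4) COMMAND(1) STATUS(4) FLAGS(1) FLAGS2(2)
# EXTRA(12) = PidHigh(2) + Signature(8) + reserved(2), then TID PID UID MID (2 B each).
# Little-endian byte order is an assumption of this example.
SMB_MAGIC = b"\xffSMB"
SMB_HEADER_FMT = "<4sBIBHH8sHHHHH"
SMB_HEADER_LEN = struct.calcsize(SMB_HEADER_FMT)   # 32 bytes: eight 4-byte lines
ANDX_NONE = 0xFF        # AndXCommand value meaning "no further block" (assumed SMB1 convention)


def parse_header(msg):
    """Split the 32-byte SMB header into its fields; reject anything that is not SMB."""
    if len(msg) < SMB_HEADER_LEN:
        raise ValueError("message shorter than the SMB header")
    (proto, command, status, flags, flags2, pid_high, signature,
     reserved, tid, pid, uid, mid) = struct.unpack(SMB_HEADER_FMT, msg[:SMB_HEADER_LEN])
    if proto != SMB_MAGIC:
        raise ValueError("bad PROTOCOL field: %r" % proto)
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "pid_high": pid_high, "signature": signature, "reserved": reserved,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid,
            "signed": any(signature)}      # all-zero Signature means signing is not in use


def parse_block(msg, off):
    """Parse SMB_PARAMETERS then SMB_DATA starting at byte offset `off`.
    Returns (words, data, end_offset). WordCount is one byte, so Words can never
    exceed the 510-byte limit; every other length is checked against the buffer."""
    if off >= len(msg):
        raise ValueError("block offset %d is outside the message" % off)
    word_count = msg[off]
    words_end = off + 1 + 2 * word_count
    words = msg[off + 1:words_end]
    if len(words) != 2 * word_count:
        raise ValueError("truncated Words array at offset %d" % off)
    if words_end + 2 > len(msg):
        raise ValueError("missing ByteCount at offset %d" % words_end)
    (byte_count,) = struct.unpack_from("<H", msg, words_end)
    data_start = words_end + 2
    data = msg[data_start:data_start + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated Bytes field at offset %d" % data_start)
    return words, data, data_start + byte_count


def walk_andx(msg):
    """Follow an AndX chain. Each parameter block starts with AndXCommand (1 B),
    a reserved byte and AndXOffset (2 B); the offset is relative to the start of
    the header. Padding between blocks is legal, so the one sanity rule is that
    offsets must move forward, otherwise a crafted message could loop forever."""
    header = parse_header(msg)
    chain, command, off = [], header["command"], SMB_HEADER_LEN
    while True:
        words, data, end = parse_block(msg, off)
        chain.append((command, words, data))
        if len(words) < 4:
            break                                   # not an AndX-shaped block
        next_command = words[0]
        (next_off,) = struct.unpack_from("<H", words, 2)
        if next_command == ANDX_NONE or next_off == 0:
            break                                   # last block in the chain
        if next_off < end:
            raise ValueError("AndXOffset %d points backwards (loop or overlap)" % next_off)
        command, off = next_command, next_off
    return chain


def build_sample():
    """Constructed message (not a capture): SESSION SETUP ANDX (0x73) chained to
    TREE CONNECT ANDX (0x75), with one padding byte between the two blocks."""
    header = struct.pack(SMB_HEADER_FMT, SMB_MAGIC, 0x73, 0, 0, 0, 0,
                         b"\x00" * 8, 0, 0, 0x1234, 0, 1)
    first_data = struct.pack("<H", 6) + b"GUEST\x00"            # AccountName = "GUEST"
    pad = b"\x00"
    second_off = SMB_HEADER_LEN + 5 + len(first_data) + len(pad)  # WordCount byte of block 2
    first_params = bytes([2, 0x75, 0]) + struct.pack("<H", second_off)
    second_params = bytes([2, ANDX_NONE, 0]) + struct.pack("<H", 0)
    second_data = struct.pack("<H", 5) + b"PLANS"
    return header + first_params + first_data + pad + second_params + second_data


if __name__ == "__main__":
    for command, words, data in walk_andx(build_sample()):
        print("command 0x%02x: %d parameter words, data %r" % (command, len(words) // 2, data))
```

The backwards-offset check is the part worth copying into any real decoder: WordCount and ByteCount are trusted nowhere, and AndXOffset is only accepted if it lands at or beyond the end of the block that carries it.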

Start the conversation
After establishing the transport protocol, the SMB client and server can exchange messages
The first one is always NEGOTIATE PROTOCOL REQUEST/RESPONSE, which does just that
It's followed by SESSION SETUP REQUEST
Didn't we already do that?

Transport vs user sessions
No, we established the transport layer session; now it's time to establish a user logon session
In the second message in the handout, we have AccountName = "GUEST"
This is to log on as the GUEST user

Find a tree
Once a user logon is done, often the next command is to find the shared directory tree
TREE CONNECT does this
Recall the tree concept identifies shared folders

SMB Connection
After transport disconnect, all resources are released, not too surprisingly
Figure from http://www.ubiqx.org/cifs/figures/smb06.html

Ok, enough SMB!
Aren't you glad someone wrote Samba to do all this stuff for you? Who, you ask?
Aussie Andrew Tridgell reverse engineered SMB and started Samba in 1992
Samba exists only on the non-Windows side; a Windows system only needs to be configured for Microsoft networking
Much of this section is from (Nemeth, 2007) and the Samba3-HOWTO

Samba = Unix CIFS server
Samba can provide these services:
File sharing
Network printing
Authentication and authorization
Name resolution
Service announcement
Browse file servers or printers

Samba services
Samba can also:
Do basic Windows primary domain controller functions
With LDAP, serve as a backup domain controller
Support some other Windows functions such as domain logins, roaming user profiles, and CIFS print spooling

Samba processes
Samba is implemented in Linux mostly via two processes (daemons, to be precise):
The daemon smbd provides file sharing, network printing, authentication and authorization
The daemon nmbd provides name resolution and service announcement
Samba runs as a normal user process, binding to the CIFS sockets

Installing Samba
Most Linux distributions include Samba, but you can download the latest from samba.org, and install it:
root# rpm -Uvh samba-3.0.20-1.i386.rpm
Create a mount point for shared files:
root# mkdir /plans
root# chmod 755 /plans
From Samba ByExample

Installing Samba
Then install the smb.conf file (which we'll get to soon)
Verify that the /etc/hosts file contains the following entry:
192.168.1.1 server
Start samba:
root# chkconfig smb on
root# /etc/rc.d/init.d/smb restart

Simple smb.conf file
# Global Parameters
[global]
workgroup = MIDEARTH
security = SHARE
[Plans]
path = /plans
read only = Yes
guest ok = Yes

From the PC side
Make sure the PC is in the workgroup (e.g. MIDEARTH)
Make sure its IP address is in the same range as the Samba system (192.168.1.x), and they have the same netmask (255.255.255.0)
Find the samba server in the Network Neighborhood

Is Samba alive?
Check samba status with:
root# smbclient -L localhost -U%
The -U% option gives no user name and password
And prove it can handle a login:
root# smbclient -L server -Uroot%password
That should establish basic file sharing

Samba configuration file
Like most Unix-y apps, it has a .conf file which governs how it runs
/etc/smb.conf or /etc/samba/smb.conf or maybe /usr/local/samba/lib/smb.conf
When Samba is running, it checks the conf file every few seconds, so changes will take effect quite quickly (no reboot needed)

Config file sections
Each section in the smb.conf file (stanza) represents either a share or a meta-service on the Samba server
The [global] stanza contains settings that apply to the whole Samba server
Samba supports a number of meta-services, each of which serves its own purpose
From (Samba3-HOWTO)

Config file meta-services
The [homes] stanza is a meta-service that causes Samba to provide a personal home share for each user
The [printers] stanza is a meta-service that establishes print queue support, and specifies the location of the intermediate spool directory into which print jobs are received from Windows clients prior to being dispatched to the UNIX/Linux print spooler

Really minimal smb.conf file
[global]
workgroup = WKG
netbios name = MYNAME

[share1]
path = /tmp

[share2]
path = /my shared folder
comment = Some random files

Security issues
File sharing is naturally a security hole
To control which clients can access Samba shared resources, look for the hosts allow clause in the smb.conf file
It should contain only the IP addresses or IP address ranges you trust to have access
Turn on password encryption:
encrypt passwords = true

Security issues
Password encryption makes Samba keep a hash of the password for each user
Recall Unix and Windows keep different user login information
To set this password, use smbpasswd:
sudo smbpasswd -a username
Users can then change their password:
smbpasswd -r smbservername -U username

Security issues
Block the Samba server from outside your organization
Samba uses encryption only for password authentication, not for data transport!
Hence you might want to use a firewall to block:
UDP ports 137-139
TCP ports 137, 139, and 445
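The three security slides above amount to a checklist: restrict hosts allow, keep encrypted passwords on, avoid share-level security and guest access. This added Python example is not a Samba tool (testparm is the real checker): it reads an smb.conf the way Samba does, ignoring case and embedded spaces in parameter names, and reports those findings for two constructed configs, the MIDEARTH example from the slides and a hardened variant. The hosts allow prefix syntax (192.168.1.) and the synonyms writeable, writable and write ok for the inverse of read only are Samba's own; the finding texts are the example's.

```python
import re

TRUE_VALUES = {"yes", "true", "1"}
SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {normalised parameter: value}}.
    Samba ignores case and whitespace inside parameter names, so
    'Hosts Allow' and 'hostsallow' both become 'hostsallow' here."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # both comment styles
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def share_is_writable(params):
    """'read only' is the canonical parameter; writeable/writable/write ok are its inverse."""
    if "readonly" in params:
        return not is_true(params["readonly"])
    for synonym in ("writeable", "writable", "writeok"):
        if synonym in params:
            return is_true(params[synonym])
    return False                                    # Samba default: read only = yes


def audit_smb_conf(text):
    """Return (section, finding) pairs for the weaknesses the slides warn about."""
    conf = parse_smb_conf(text)
    findings = []
    g = conf.get("global", {})
    allow = g.get("hostsallow")
    if allow is None:
        findings.append(("global", "hosts allow not set: any client that reaches the port is accepted"))
    elif any(tok.lower() == "all" or tok == "0.0.0.0/0" for tok in allow.split()):
        findings.append(("global", "hosts allow trusts every address"))
    if g.get("security", "").lower() == "share":
        findings.append(("global", "security = share: no per-user logon, only a share password"))
    if "encryptpasswords" in g and not is_true(g["encryptpasswords"]):
        findings.append(("global", "encrypt passwords is switched off"))
    for name, params in conf.items():
        if name == "global":
            continue
        if is_true(params.get("guestok")):
            findings.append((name, "guest ok = yes: reachable without a password"))
        if share_is_writable(params) and not params.get("validusers"):
            findings.append((name, "writable share without a valid users restriction"))
    return findings


# Constructed inputs: the simple smb.conf from the slides, and a hardened version.
WEAK_CONF = """\
# Global Parameters
[global]
workgroup = MIDEARTH
security = SHARE
[Plans]
path = /plans
read only = Yes
guest ok = Yes
"""
HARDENED_CONF = """\
[global]
workgroup = MIDEARTH
security = user
encrypt passwords = yes
hosts allow = 192.168.1. 127.
[Plans]
path = /plans
read only = yes
guest ok = no
valid users = @eng
[eng]
path = /home/eng
valid users = @eng
writeable = yes
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_smb_conf(conf) or "no findings")
```

Run testparm -v on the real file first; this checker only looks at the handful of parameters the slides single out. Note also that security = share was removed in Samba 4.0, so the weak config would not even load on a current server, and that hosts allow only filters by source address, which is why the firewall advice on the slide still applies.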

What are my settings?
To find the current Samba settings use the command:
testparm -v
This will include all your smb.conf settings, and other defaults
Only override defaults for a reason; otherwise leave them out of smb.conf

Encoding compatibility
Try echo $LANG
Samba uses the UTF-8 character set
If you're using anything else, set the character sets in Samba to be the same as your system is using, e.g.
unix charset = ISO8859-15
display charset = ISO8859-15

Removing NetBIOS support
If all Windows clients are at least Win2k, have DNS provided outside of Samba, and you don't need Network Neighborhood browsing in Samba, you can remove NetBIOS support:
[global]
disable netbios = yes
name resolve order = host

Removing NetBIOS support
Without NetBIOS support, you don't need to run nmbd; so remove it from Samba startup in /etc/init.d
To connect to a Samba server without NetBIOS support, use the full DNS name of the host:
\\server.example.com.\myshare
The extra dot tells Windows to use DNS

Authentication
Windows uses a challenge/response approach to respond to an authentication request
If you have the same Samba username and password as in Windows, then this will be invisible in the background
For larger scale systems, can use NIS, LDAP or Windows authentication services

Authentication
To merge authentication services between Linux and Windows, make Samba act as a Primary Domain Controller
Or can use Nate Yocom's open source pGina (GINA = Graphical Identification aNd Authentication) to handle almost any authentication method

Basic file sharing in smb.conf
If everyone has a home directory, the [homes] stanza can share them:
[homes]
comment = Home directories
browseable = no
valid users = %S
writeable = yes
guest ok = no

Basic file sharing
This will allow any user to access their home Linux directory from any Windows system
Can you see another user's home directory?
Samba uses Linux file permissions through CIFS, so usually the answer would be yes
The valid users line prevents it though

Group shares
A group can be defined by access control lists (ACLs), but that's a bit messy
Easier to define a pseudo user, and have Samba pretend people are in that group
E.g. create a Linux eng group, and matching Samba user and group of the same name
The pseudo user is the owner of the directory

Group shares
[eng]
valid users = @eng
force user = eng
force group = eng
path = /home/eng
nt acl support = no
create mask = 0660
force create mode = 0660

Group shares
security mask = 0000
directory mask = 2770
force directory mode = 2770
directory security mask = 0000
More info on these masks circa p. 324 of the HOWTO
browseable = no
writeable = yes
guest ok = no
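The masks in the [eng] stanza are easiest to understand by computing what they do to a newly created file. This added Python example (not Samba code) applies Samba's documented rule, mode = (requested & mask) | force mode, to the values on the slides and to Samba's default masks for contrast; the requested modes 0644 and 0755 are constructed inputs standing in for whatever a client asks for.

```python
import stat


def parse_mode(text):
    """smb.conf mask values are octal strings such as 0660 or 2770."""
    return int(text, 8)


def effective_mode(requested, mask, force):
    """Samba's rule for a newly created file or directory: the client's requested
    mode is ANDed with the mask, then ORed with the force mode. Force bits apply
    even when the mask would have cleared them."""
    return (requested & mask) | force


def describe(mode):
    return {
        "octal": "%04o" % mode,
        "perms": stat.filemode(mode)[1:],          # rwxrws--- style, type character dropped
        "setgid": bool(mode & stat.S_ISGID),       # on a directory: new entries inherit its group
        "group_write": bool(mode & stat.S_IWGRP),
        "other_access": bool(mode & 0o007),
    }


def modes_for_share(share, file_request=0o644, dir_request=0o755):
    """Effective modes for a share given as smb.conf strings; force modes default to 0."""
    f = effective_mode(file_request, parse_mode(share["create mask"]),
                       parse_mode(share.get("force create mode", "0")))
    d = effective_mode(dir_request, parse_mode(share["directory mask"]),
                       parse_mode(share.get("force directory mode", "0")))
    return {"file": describe(f), "directory": describe(d)}


ENG_SHARE = {        # the [eng] stanza on the slides
    "create mask": "0660", "force create mode": "0660",
    "directory mask": "2770", "force directory mode": "2770",
}
DEFAULT_SHARE = {    # constructed contrast: Samba's default masks, no force modes
    "create mask": "0744", "directory mask": "0755",
}

if __name__ == "__main__":
    for label, share in (("eng", ENG_SHARE), ("defaults", DEFAULT_SHARE)):
        for kind, result in modes_for_share(share).items():
            print("%-8s %-9s %s %s" % (label, kind, result["octal"], result["perms"]))
```

With the slide's values every file ends up 0660 and every directory 2770 regardless of what the client asked for: group members can read and write everything, the setgid bit keeps new entries in the eng group, and "other" never gets access, which is exactly the group-share behaviour the stanza is after.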

Sources
The Unofficial Samba HOWTO from oregontechsupport.com
Vernooij, Terpstra, Carter. (May 27, 2009) Samba3-HOWTO from samba.org
Samba3-ByExample from samba.org
What is Samba? from samba.org
Implementing CIFS, by Christopher R. Hertel
CIFS Technical Reference by SNIA (2002)
Nemeth, Snyder, Hein. (2007) Linux Administration Handbook. Prentice Hall, ISBN 0131480049
