Server Technologies II
What is Samba?
Samba is essentially a TCP/IP file and print server for Microsoft Windows clients
It can support any SMB/CIFS-enabled client
SMB/CIFS?
SMB is Server (or Session) Message Block
Common Internet File System (CIFS) is Windows File Sharing
SMB
SMB was originally developed to run over NetBIOS (Network Basic Input Output System) LANs in the mid-1980s
SMB was originally for MS-DOS and PC-DOS
SMB is the file sharing protocol inside CIFS
The inventor of SMB was Dr. Barry Feigenbaum of IBM, who initially called it BAF
Notice the name Samba contains SMB: SaMBa
SMB
As of Windows 2000, the connection to NetBIOS was removed, thankfully
There exists NBT (NetBIOS over TCP/IP)
SMB over TCP/IP without NBT is "naked"
When running naked, SMB defaults to using TCP port 445 instead of the NBT Session Service port (TCP/139)
CIFS
CIFS is a network file system plus a set of auxiliary services supported by a bunch of underlying protocols
Most of which are not particularly well documented by Microsoft; you may faint now
CIFS is "Microsoft's way of doing network file sharing since about 1996"
So what?
One of Samba's big strengths is that you can use it to blend your mix of Windows and Linux machines together without requiring a separate Windows server.
Samba includes support for Active Directory, Unicode, new authentication and filename mangling systems, printing support, trust relationships, LDAP integration and loadable RPC modules.
From The Unofficial Samba HOWTO
Samba Today
Samba is on version 3.5.6 (as of January 19, 2011), and is available for the following platforms
UNIX - AIX (IBM UNIX), HP-UX (HP UNIX), Solaris (Sun UNIX)
Linux - Debian, Fedora, RedHat, SuSE
MVS (IBM mainframes)
Novell (NetWare)
VMS (was DEC, now HP OpenVMS)
From http://us1.samba.org/samba/ftp/Binary_Packages/
No!
UNC
The UNC format is handled natively by Microsoft & IBM's family of operating systems: DOS, OS/2, & Windows
Samba's smbclient utility can also parse UNC names, but it does so at the application level rather than within the OS, and it only ever tries to deal with SMB
Even so, smbclient must handle both NBT and naked transport, which can be tricky
UNC
The server field of a UNC name is called the server identifier because it will accept addresses in addition to names
Recognized server names are:
NetBIOS names
DNS hostnames
IP addresses
Share names
The directory path looks just like a directory path, but there is one small thing that makes it different; that thing is called the "share name"
A given directory can have one or many share names
File name
File names are straightforward, right?
No.
Windows is case insensitive
But UNIX and Linux are case sensitive
SMB URL
Fortunately, there is such a thing as an SMB URL
It fits into the general URI syntax and can be used to specify files, directories, and other SMB-shared stuff
It is intended as a more portable and more complete way to specify SMB paths at the application level
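Added example (not from the slides or from Samba): a small Python parser that splits both the UNC form and the SMB URL form into server identifier, share name and path, classifies the server identifier as NetBIOS name, DNS hostname or IP address, and compares two locations the case-insensitive way a Windows client does. Treating any name without a dot as a NetBIOS name is an assumption of this example, and the sample locations are constructed.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

def parse_smb_location(loc):
    """Split a UNC name (\\\\server\\share\\dir\\file) or an SMB URL
    (smb://server/share/dir/file) into server identifier, share name and path.
    Raises ValueError when the string is neither form."""
    if loc.startswith("\\\\"):
        parts = loc[2:].split("\\")
    elif loc[:6].lower() == "smb://":
        u = urlsplit(loc)
        # the URL form may percent-encode spaces and other characters
        parts = [u.hostname or ""] + [unquote(p) for p in u.path.split("/")[1:]]
    else:
        raise ValueError("not a UNC name or SMB URL: %r" % loc)
    if not parts[0]:
        raise ValueError("missing server identifier in %r" % loc)
    server = parts[0]
    share = parts[1] if len(parts) > 1 and parts[1] else None
    path = "/".join(p for p in parts[2:] if p)
    # The server identifier may be a NetBIOS name, a DNS hostname or an IP address.
    # Assumption of this example: an unqualified name (no dot) is a NetBIOS name.
    try:
        ipaddress.ip_address(server)
        kind = "ip"
    except ValueError:
        kind = "dns" if "." in server else "netbios"
    return {"server": server, "server_kind": kind, "share": share, "path": path}

def same_location(a, b):
    """Compare two locations as a Windows client would: server, share and path
    are case-insensitive there, even though the Linux filesystem behind a
    Samba share is case-sensitive and Samba has to bridge the two."""
    pa, pb = parse_smb_location(a), parse_smb_location(b)
    return all((pa[k] or "").casefold() == (pb[k] or "").casefold()
               for k in ("server", "share", "path"))
```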
Reach out and touch an SMB server
To do this we need two steps to identify who we're talking to, and how:
Server identifier interpretation
Transport discovery
Server identifier interpretation
Try a URL like this: smb://server/
Assuming the server's name is server
Transport discovery
Try running naked
Open a TCP connection to port 445 on the server, but do not send an NBT SESSION REQUEST--just start sending SMB messages and see if that works
Can we do something?
All that was just to establish a connection to an SMB server
Now we can look at SMB commands
They may contain a header, parameters, and data
SMB Header
The SMB header typically has eight 4-byte lines
SMB_HEADER {
PROTOCOL = "\xffSMB" (4 B)
COMMAND = <SMB Command code> (1 B)
The CIFS Technical Reference lists these
SMB Header
FLAGS2 = <New flags> (2 B)
EXTRA = <Sometimes used for additional data> (12 B)
The PidHigh subfield is used to accommodate systems that have 32-bit Process IDs
The 8-byte Signature subfield is for SMB message signing, as in a digital signature
When not in use, these fields must be filled with zeros
SMB Header
TID = <Tree ID> (2 B)
The SMB used to open a share is called a "Tree Connect"; the TID field is used to identify connections to shares once they have been established
SMB Header
UID = <User ID> (2 B)
The "User ID" is also known as a VUID (Virtual User ID)
It is assigned by the server after the user logs in, and is valid until the user logs off
It does not need to be the user's actual User ID on the server system
SMB Header
MID = <Multiplex ID> (2 B) }
The "Multiplex ID" is used by the client to keep track of multiple outstanding requests
The server must echo back the MID and the PID provided in the client request
The client can use those values to make sure that the reply is matched up to the correct request
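Added example (not from the slides or from Samba): a Python encoder and decoder for the 32-byte header described on the preceding slides, together with the check a client makes that a reply echoes the MID and PID of an outstanding request. The positions of STATUS, FLAGS and PID, which the slides do not show, are taken from the CIFS Technical Reference; the request and reply messages are constructed.

```python
import struct

# SMB1/CIFS header: 32 bytes, the "eight 4-byte lines" of the slides, little-endian.
# The slides name PROTOCOL, COMMAND, FLAGS2, EXTRA (PidHigh + Signature + reserved),
# TID, UID and MID; STATUS, FLAGS and PID fill the remaining positions.
HEADER_FMT = "<4sBIBHH8sHHHHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 32
FIELDS = ("protocol", "command", "status", "flags", "flags2", "pid_high",
          "signature", "reserved", "tid", "pid", "uid", "mid")

def parse_header(msg):
    """Decode the fixed header at the start of msg into a dict of named fields."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than the 32-byte SMB header")
    hdr = dict(zip(FIELDS, struct.unpack_from(HEADER_FMT, msg)))
    if hdr["protocol"] != b"\xffSMB":
        raise ValueError("PROTOCOL field is not \\xffSMB")
    # PidHigh carries the upper 16 bits for systems with 32-bit process IDs
    hdr["full_pid"] = (hdr["pid_high"] << 16) | hdr["pid"]
    # an all-zero Signature means message signing is not in use
    hdr["signed"] = hdr["signature"] != b"\x00" * 8
    return hdr

def build_header(command, tid=0, uid=0, pid=0, mid=0, flags2=0, signature=b"\x00" * 8):
    """Encode a header; fields not in use are zero, as the protocol requires."""
    return struct.pack(HEADER_FMT, b"\xffSMB", command, 0, 0, flags2,
                       pid >> 16, signature, 0, tid, pid & 0xFFFF, uid, mid)

def reply_matches(request, reply):
    """A client matches a reply to an outstanding request by the echoed MID and
    PID (and the command code); a reply that differs belongs to some other request."""
    q, r = parse_header(request), parse_header(reply)
    return (q["command"], q["mid"], q["full_pid"]) == (r["command"], r["mid"], r["full_pid"])

# Constructed sample: a Tree Connect AndX (command 0x75) request and two candidate replies.
REQUEST = build_header(0x75, pid=0x1FEFF, mid=7)
GOOD_REPLY = build_header(0x75, tid=2, pid=0x1FEFF, mid=7)
STRAY_REPLY = build_header(0x75, tid=2, pid=0x1FEFF, mid=8)   # wrong MID, not ours
```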
AndX messages
SMB can form a linked list of related messages using a format called AndX messages
The AndX message has two fields in a 4-byte line
AndXCommand (1 B)
(reserved) (1 B)
AndXOffset (2 B)
AndX messages
The AndXOffset contains the byte index, relative to the start of the SMB header, of that next AndX block--think of it as a pointer
Since the AndXOffset value is independent of the SMB_PARAMETERS.WordCount and SMB_DATA.ByteCount values, it is possible to provide padding between the AndX blocks
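Added example (not from the slides or from Samba): a Python walker that follows an AndX chain the way a receiver must, treating AndXOffset as a pointer relative to the start of the header, tolerating padding between blocks, and refusing an offset that points backwards or outside the message, since an unchecked pointer would let a malformed chain loop or read past the buffer. The sample messages are constructed to show only the chain structure, not valid Session Setup contents.

```python
import struct

HEADER_LEN = 32      # the fixed SMB header: eight 4-byte lines
ANDX_NONE = 0xFF     # AndXCommand value meaning "no further block in the chain"

def walk_andx_chain(msg):
    """Follow the AndX chain of an SMB message. Returns a list of
    (block_offset, word_count, andx_command, andx_offset) tuples; offsets are
    byte indexes relative to the start of the SMB header. Each block is:
    WordCount (1 B), the parameter words (the first holding AndXCommand, a
    reserved byte and AndXOffset, little-endian), ByteCount (2 B) and data.
    Padding may sit between one block and the next."""
    chain = []
    off = HEADER_LEN
    while True:
        if off + 5 > len(msg):
            raise ValueError("AndX block at offset %d runs past the message" % off)
        word_count = msg[off]
        andx_cmd, _reserved, andx_off = struct.unpack_from("<BBH", msg, off + 1)
        chain.append((off, word_count, andx_cmd, andx_off))
        if andx_cmd == ANDX_NONE:
            return chain
        # the next block must start after this block's words and ByteCount;
        # a pointer back onto this or an earlier block would loop forever
        if andx_off < off + 1 + 2 * word_count + 2:
            raise ValueError("AndXOffset %d does not move forward" % andx_off)
        off = andx_off

def chain_is_valid(msg):
    """True when the chain can be walked to its end without leaving the message."""
    try:
        walk_andx_chain(msg)
        return True
    except ValueError:
        return False

def build_sample(second_offset=40, second_cmd=ANDX_NONE, second_target=0):
    """Constructed two-block message: a 32-byte header (command 0x73), a first
    block of two parameter words chaining to `second_offset`, one byte of
    padding, and a second block whose AndXCommand/AndXOffset are parameters."""
    header = b"\xffSMB" + bytes([0x73]) + b"\x00" * 27
    block1 = bytes([2]) + struct.pack("<BBH", 0x75, 0, second_offset) + b"\x00\x00"
    block2 = bytes([2]) + struct.pack("<BBH", second_cmd, 0, second_target) + b"\x00\x00"
    return header + block1 + b"\x00" + block2
```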
Find a tree
Once a user logon is done, often the next command is to find the shared directory tree
TREE CONNECT does this
SMB Connection
After transport disconnect, all resources are released, not too surprisingly
Samba services
Samba can also
Do basic Windows primary domain controller functions
With LDAP, serve as a backup domain controller
Support some other Windows functions such as domain logins, roaming user profiles, and CIFS print spooling
Samba processes
Samba is implemented in Linux mostly via two processes (daemons, to be precise):
The daemon smbd provides file sharing, network printing, authentication and authorization
The daemon nmbd provides name resolution and service announcement
Installing Samba
Most Linux distributions include Samba, but you can download the latest from samba.org, and install it
root# rpm -Uvh samba-3.0.20-1.i386.rpm
Installing Samba
Then install the smb.conf file (which we'll get to soon)
Verify that the /etc/hosts file contains the following entry:
192.168.1.1 server
Start samba
root# chkconfig smb on
root# /etc/rc.d/init.d/smb restart
Is Samba alive?
Check samba status with
root# smbclient -L localhost -U%
The -U% option gives no user name and password
[share1]
path = /tmp
[share2]
path = /my shared folder
comment = Some random files
Security issues
File sharing is naturally a security hole
To control which clients can access Samba shared resources, look for the hosts allow clause in the smb.conf file
It should contain only the IP addresses or IP address ranges you trust to have access
Security issues
Password encryption makes Samba keep a hash of the password for each user
Recall Unix and Windows keep different user login information
Security issues
Block the Samba server from outside your organization
Samba uses encryption only for password authentication, not for data transport!
Encoding compatibility
Try echo $LANG
Samba uses the UTF-8 character set
If you're using anything else, set the character sets in Samba to be the same as your system is using, e.g.
unix charset = ISO8859-15
display charset = ISO8859-15
Authentication
Windows uses a challenge/response approach to respond to an authentication request
If you have the same Samba username and password as in Windows, then this will be invisible in the background
Authentication
To merge authentication services between Linux and Windows, make Samba act as a Primary Domain Controller
Or you can use Nate Yocom's open source pGina (GINA = Graphical Identification aNd Authentication) to handle almost any authentication method
Group shares
A group can be defined by access control lists (ACLs), but that's a bit messy
Easier to define a pseudo user, and have Samba pretend people are in that group
E.g. create a Linux eng group, and a matching Samba user and group of the same name
The pseudo user is the owner of the directory
Group shares
[eng]
valid users = @eng
force user = eng
force group = eng
path = /home/eng
nt acl support = no
create mask = 0660
force create mask = 0660
security mask = 0000
directory mask = 2770
force directory mask = 2770
directory security mask = 0000
browseable = no
writeable = yes
guest ok = no
More info on these masks circa p. 324 of the HOWTO
Sources
The Unofficial Samba HOWTO from oregontechsupport.com
Vernooij, Terpstra, Carter. (May 27, 2009) Samba3-HOWTO from samba.org
Samba3-ByExample from samba.org
What is Samba? from samba.org
Implementing CIFS, by Christopher R. Hertel
CIFS Technical Reference by SNIA (2002)
Nemeth, Snyder, Hein. (2007) Linux Administration Handbook. Prentice Hall, ISBN 0131480049