samba integrating smb file systems with unix. samba provides a file server compatible with windows...
Post on 20-Dec-2015
224 views
TRANSCRIPT
Samba
Integrating SMB file systems with UNIX
Samba
• Provides a file server compatible with Windows 9x and NT .. SMB
• Can function in NETBIOS name browsing as seen in network neighborhood
• Provides for authentication of users
• Provides an NT domain server
General Questions to Consider
• How do the protocols relate?
• How are connections made?
• What is network browsing?
• What is a workgroup?
• What is a domain?
How do protocols relate?
• SMB is a file/resource protocol (Server Message Block)– files– printers
Application
Op System
DISK REQUEST
FAT32/16/..
Local Disk
SMB
Remote Disk
NETBIOS
NETBEUI TCP/IP IPX
More on whichprotocol later!
How are connections made?
• This at the level of SMB:– Negotiate which level of SMB to use
• As SMB evolves, different versions abound
– Set up a session• Validate the client requesting connection
– Tree Connect• Connect to a specific resource
– disk
– printer
What is network Browsing?
• PCs turn on and off as users come and go
• Resources are not static
• Users need to see what resources are available
• Browsing is a means of determining what is available for use– printers– files– etc.
Two means of browsing
Client
Workstation WorkstationServer
Broadcast requests
Client
Workstation WorkstationServer
WINS requests
Register Resource
What is a workgroup?
• A collection of computers
• Each can provide a network resource
• Each provides authentication for its own resources
User
FileServer PrintServerrequest
consent
requestconsent
What is a domain?
• Like a workgroup
• Central Authentication
User
FileServer PrintServerrequest
consent
request
consent
Domain Controller
Setting up Samba
• Install either directly or using rpm for red-hat
• Usually installs in /usr/local/samba• Edit the smb.conf file to configure server
• Activities– set up a file share– set up a “user” share
Samba setup continued
• configure the smb.conf file to identify resources you want to share
• configure the unix system to be consistent with the smb.conf specifications
• run testparm to validate the smb.conf file
• start smbd and nmdb
• test the installation from unix with smbclient• make sure Win 98 allows plain text login
• browse and connect via Win 98
General setup in smb.conf
• [global]– netbios name = YourMachineName– workgroup = YourWorkgroup– security = user
• “user” security determines access to a resource based on who the user is and the associated password required of that user.
Setting up a file sharemultiple users in a group
smb.conf
• [SHARENAME] (name of resource)
– comment = description when browsed– writeable = yes– valid users = @groupname (unix group)
– locking = yes– create mode = 660– directory mode = 770
• Set up a directory in /export/smb– e.g. /export/smb/SHARENAME
• set permissions– chgrp groupname SHARENAME– chmod 770 SHARENAME– chmod g+s SHARENAME
• make an entry in /etc/group for groupname
• make an entry in /etc/passwd for EACH user
Setting up a file sharemultiple users in a group
unix system
Check smb.conf for validity
• In /usr/local/samba/bin is testparm• testparm -s smb.conf• Checks for invalid section names etc
• Prints all default values NOT specified in the smb.conf file.
• Run the daemons– /usr/local/samba/bin/nmbd -D– /usr/local/samba/bin/smbd -D
Testing samba locally
• Use smbclient• smbclient -L YourMachineName -N
– lists resources at your machine• smbclient //YourMachineName/SHARENAME -U user
– logs you into the resource you just created as long as the user name is in the group which shares the resource.
– And assuming you enter the correct password.
• Try it from a non-local unix box.
Win98 with plain-text login
• Win 98 and Win 95/OSR2 have been modified to use encrypted login
• Suffice to say samba does not with basic install.
• Long-run -> set up samba to do encryption
• Short-run -> make WIN 98 do plain text
• Make registry entry:
[HKLM\System\CurrentControlSet\Services\VxD\VNETSUP]“EnablePlainTextPassword”=dword:00000001 using regedit.exe
Browse using Win 98/95
• Log into Win 98 as a user of the group in unix
• Easiest way is to use Network Neighborhood and click Entire Network. You should see YourMachineName and after clicking that you should see the SHARENAME
• OR net use \\YourMachineName\Sharename L:– will mount the resource as drive L:
• OR use Windows Explorer to map network drive
Using Samba for user accounts
User accounts
• Set up the network users as local unix users on the samba server
• Put accounts in /home/… with standard user names in /etc/passwd
• set up smb.conf as indicated on next slide
• Be sure to set logins from Win 98 to use plain text as indicated on a previous slide
smb.conf for user login
• [homes]– comment = Unix home directory– path = %H– writeable = yes– valid users = %S– create mode = 0600– directory mode = 0700– locking = no not sure why for this one
Logging on from Win 98/95
• Possible problems– Case sensitivity– Name length
• Using SMB for share level security– Unix still associates by user– searches ALL users (groups etc) to determine if
password transmitted is the password of ANYONE with ownership.
– More complicated than this– Try to use “user” security
Windows and passwords
Why is this complicated
and
how is it implemented?
Basic Problem• Sending PLAIN-TEXT passwords across the
net is a major issue.
• Less problematic in a LAN (where you are using Samba)
• Still a fundamental concerns of administrators
• First review plain text transmission
• Second examine encrypted transmission
• Third examine how to set it up in linux
Plain text
linux samba server
thisuser
thispasswW98
thisuser:213jkj23423kj*&l3:..
/etc/passwd (shadow)
thispassw
1-encryption
213jkj23423kj*&l32-compare
3-accept
NOTE: W98 user must log on with same user name (thisuser) as in unix
Avoiding Plain-text transmission
• Much more complicated process to avoid plain-text over the net.
• Important to remember - PASSWORD ENCRYTION ALGORITHMS ARE NOT REVERSIBLE! (e.g. code -> password)– Server sends random message to client to encrypt– Client encrypts using the local encrypted password– Client sends encrypted message– Server encrypts the random message to and checks– if the two match -> client authenticated
1-Server sends random message to client to encrypt2-Client encrypts using the local encrypted password3-Client sends encrypted message4-Server encrypts the random message to and checks5-if the two match -> client authenticated
clientSamba server
1-rtrner$6&ddf (encrypted pw)
encrypted message
2- encrypt(encrypted pw)
encrypted message
4- encrypt3
5-compare
OK (or not)
Good and Bad• Good
– Never sends plain-text across net– hard to pick up the random text (not impossible)
• Bad– must have encrypted passwords on both machines– to spoof, you only need the encrypted password
not the original one!!! (shadow vs passwd)– root must know either the actual password or the
encrypted version or have user enter in unix…. ----> none easy
How is it set up in linux?• The encrypted passwords used are
WINDOWS passwords NOT unix!
• Two basic Windows styles– Lan Manager– NT
• Samba stores another password file with both encryptions
• Users may be in one file and not the other
• unix application smbpasswd (also file name) will populate the file but must enter pw.
Setting up the smbpasswd
console
username
userpass LanMan encryption
NT encryption
smbpasswd program smbpasswd file
Username:LanManEncrypt:Ntencrypt:….……...
>smbpasswd -a usernameEnter password: userpassRetype: userpass>
Other considerations
• Entry in smb.conf (smb password file) indicates smb password files proper location
• Entry in smb.conf (encrypt passwords) set to yes
• Although not necessary, typically want the users in the unix passwd to be entered in smbpasswd to allow for unix home directory access.