Feb 26, 2016
Slide #1: Samba (Original Slides by Dr. James Walden, NKU)

CT320: Advanced Network and System Administration

Slide #2: Topics

1. Why Samba?
2. Workgroups
3. NetBIOS
4. Daemons
5. smb.conf
6. Security
7. Users
8. Passwords
9. Permissions

Slide #3: What is Samba?

Open source UNIX implementation of SMB.
SMB: Server Message Block, a protocol for sharing files, printers, serial ports, and communications such as named pipes.

Samba servers provide:
• File sharing.
• Printer sharing.
• Network browsing.
• WINS name resolution.
• Primary and backup domain controllers.

Slide #4: Why Samba?

1. Free
2. Faster than Windows SMB servers
3. More reliable than Windows servers
4. Handles heterogeneous networks

Slide #5: Workgroups

Slide #6: NetBIOS

Designed to run over older network types:
• Token Ring
• NetBEUI
• IPX

NetBIOS over TCP/IP (NBT or NetBT) provides:
• Name service
• Datagram communication
• Session-based communication

Slide #7: Name Registration

A machine requests a name, and either:
1. The NetBIOS name server (NBNS) handles the request, or
2. The client already holding the name defends its ownership.

Slide #8: Name Resolution

A machine asks which host has name X, and either:
• The NetBIOS name server (NBNS) handles the request, or
• The client holding the name responds with its address.

Slide #9: Node Types

b-node: Uses broadcast naming only.
p-node: Uses NBNS naming only.
m-node: Broadcast registration, then notifies the NBNS of the name. Broadcast resolution, failing over to NBNS.
h-node: Uses NBNS, then fails over to broadcast. Default for most Windows versions.

Slide #10: NetBIOS Namespace

15-character flat namespace.
Legal characters: A-Z a-z 0-9 ! @ # $ % ^ & ( ) - ' { } ~

Names have an associated resource type:
00: Standard workstation service.
03: Windows messenger service.
1B: Domain master browser service.
1D: Master browser.
20: File and print server.
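The following is an added example, not part of the original slides: it checks a name against the 15-character namespace and legal-character set as slide #10 lists them, and encodes the name plus its resource-type suffix the way NetBIOS over TCP/IP puts it on the wire (the first-level encoding of RFC 1001/1002, which is what shows up in captures of name-service traffic). The suffix table is copied from the slide; the sample names are constructed.

```python
import string

# Legal characters exactly as listed on slide #10 (no underscore, no period).
LEGAL_CHARS = frozenset(string.ascii_letters + string.digits + "!@#$%^&()-'{}~")

# Resource-type suffixes from slide #10: the 16th byte of the on-wire name.
SUFFIXES = {
    0x00: "Standard workstation service",
    0x03: "Windows messenger service",
    0x1B: "Domain master browser service",
    0x1D: "Master browser",
    0x20: "File and print server",
}


def validate_name(name):
    """True if name fits the flat namespace: 1 to 15 legal characters."""
    return 0 < len(name) <= 15 and all(c in LEGAL_CHARS for c in name)


def encode_name(name, suffix):
    """First-level encoding (RFC 1001/1002): uppercase (NetBIOS names are
    case-insensitive), pad to 15 bytes with spaces, append the suffix byte,
    then emit each byte as two letters 'A'..'P', high nibble first.
    The result is always 32 characters."""
    if not validate_name(name):
        raise ValueError("illegal NetBIOS name: %r" % name)
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    out = []
    for b in raw:
        out.append(chr(ord("A") + (b >> 4)))
        out.append(chr(ord("A") + (b & 0x0F)))
    return "".join(out)


def decode_name(encoded):
    """Inverse of encode_name: returns (name, suffix)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(
        ((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
        for i in range(0, 32, 2)
    )
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def describe(encoded):
    """Human-readable NAME<suffix> plus the service the suffix denotes."""
    name, suffix = decode_name(encoded)
    return "%s<%02X> %s" % (name, suffix, SUFFIXES.get(suffix, "unknown service"))


if __name__ == "__main__":
    enc = encode_name("FILESRV", 0x20)   # constructed host name, file server suffix
    print(enc)
    print(describe(enc))
```

Decoding the 32-letter form back to `NAME<20>` is the same transformation a packet decoder applies to a name query on port 137, so the same two functions serve both when building a name registration and when reading one in a capture.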

Slide #11: NetBIOS Browsing

Finding computers and resources on the network: contact the master browser for the list of computers, and the individual host for its resources.

The local master browser maintains the list of hosts. If the local master is down, an election determines which machine becomes the new local master browser.

Slide #12: Daemons

nmbd: Name resolution and registration; browsing. Supports NetBIOS name server and WINS.
smbd: File and print sharing; authentication.
winbindd: NT and ADS domain service. Not needed if not using domains.

Slide #13: /etc/samba/smb.conf

Ini-format configuration file.
[section] lines are section descriptors.
[global] section values apply to all sections.
Other sections describe shared resources.
Options use the form var = value; there are many, many options.
# and ; begin comments.
Validate with the testparm command.

Slide #14: Example /etc/samba/smb.conf

    [global]
        workgroup = DOCS
        netbios name = DOCS_SRV
        security = share

    [data]
        comment = Documentation Server
        path = /export
        read only = Yes
        guest only = Yes
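As an added example (not code from the slides or from Samba), here is a minimal parser for the ini format slide #13 describes, run over a copy of the slide #14 configuration with a few defender-side checks. It is not a substitute for testparm, which validates the real option set; the checks, their wording, and the choice of what counts as a finding are this example's own.

```python
SAMPLE_SMB_CONF = """\
; constructed copy of the slide #14 example
[global]
    workgroup = DOCS
    netbios name = DOCS_SRV
    security = share

[data]
    comment = Documentation Server
    path = /export
    read only = Yes
    guest only = Yes
"""


def parse_smb_conf(text):
    """Parse [section] headers and 'var = value' lines; lines starting with
    '#' or ';' are comments. Samba option names are case-insensitive and
    ignore internal whitespace, so keys are normalised to lower case with
    single spaces."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("unexpected line outside a section: %r" % raw)
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_yes(value):
    """Samba boolean syntax: yes/true/1 versus no/false/0, case-insensitive."""
    return value.strip().lower() in ("yes", "true", "1")


def audit(sections):
    """Review a parsed config and return a list of findings (example checks)."""
    findings = []
    glob = sections.get("global", {})
    # Samba's default is security = user; share-level security is deprecated.
    if glob.get("security", "user").lower() == "share":
        findings.append("global: security = share (deprecated; use security = user)")
    for name, opts in sections.items():
        if name == "global":
            continue
        if is_yes(opts.get("guest only", "no")) or is_yes(opts.get("guest ok", "no")):
            findings.append("%s: guest access enabled" % name)
        # 'read only' defaults to yes; 'writable'/'writeable' is its inverse.
        writable = (not is_yes(opts.get("read only", "yes"))
                    or is_yes(opts.get("writable", opts.get("writeable", "no"))))
        if writable and "valid users" not in opts:
            findings.append("%s: writable share with no valid users list" % name)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("FINDING:", finding)
```

Running it on the slide's configuration yields two findings: the share-level `security` setting and the guest-only `[data]` share. A read-only, guest-only documentation share may be exactly what is wanted; the point of the checks is to make such choices explicit rather than to forbid them.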

Slide #15: Samba Firewalling

Port 137: NetBIOS network browsing.
Port 138: NetBIOS name service.
Port 139: File/print sharing.
Port 445: Used by W2k/XP when NetBIOS over TCP/IP is disabled.

Slide #16: Authentication Types

Share: Shares have one or more passwords. Anyone with the password can access the share.
User: Each share is configured to allow certain users. The Samba server verifies user/password pairs.
Server: Same as user-level, but authentication is delegated to another server.
Domain: A domain controller provides the authentication.

Slide #17: Username Mapping

Samba server username checks:
1. Check for the exact username.
2. Check for the username in lowercase.
3. Check for the username in lowercase with the first letter uppercase.

Username map file, specified in smb.conf:

    username map = /etc/samba/usermap

Contains UNIX / Samba username pairs:

    darwin = DouglasArwin
    jwalden = James Walden
    users = @accounts
    nobody = *

Slide #18: Access Control

valid users: Only these users have access. Group names are preceded by an @ sign.
invalid users: These users do not have access. Takes precedence over the valid users option.
admin users: These users have root access to the share.
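The following added example (not from the slides or from Samba) models slides #17 and #18 together: the three-step account lookup, the username map, and the valid/invalid/admin users checks. The map is processed the way smb.conf(5) describes it: top to bottom, with the mapped name carried into the remaining lines unless the line starts with `!`, so the slide's trailing `nobody = *` line ends up catching everyone, including users an earlier line already mapped. The accounts, groups and map contents are constructed; the display name with a space is quoted, which the real map file also requires.

```python
import re
import shlex

# Constructed map in the slide #17 format.
USERMAP = """\
darwin = DouglasArwin
jwalden = "James Walden"
users = @accounts
nobody = *
"""

# Same map with '!' so that a successful match stops further processing.
STRICT_USERMAP = """\
!darwin = DouglasArwin
!jwalden = "James Walden"
!users = @accounts
nobody = *
"""

# Constructed stand-ins for /etc/passwd and /etc/group.
UNIX_USERS = {"darwin", "jwalden", "users", "nobody", "alice", "bob", "Carol"}
UNIX_GROUPS = {"accounts": {"alice", "bob"}}


def find_unix_account(name, users=UNIX_USERS):
    """Slide #17 lookup order: exact, all lowercase, lowercase with first letter upper."""
    for candidate in (name, name.lower(), name[:1].upper() + name[1:].lower()):
        if candidate in users:
            return candidate
    return None


def parse_usermap(text):
    """Return a list of (stop_after_match, unix_name, [patterns])."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        unix, rhs = line.split("=", 1)
        unix = unix.strip()
        entries.append((unix.startswith("!"), unix.lstrip("!").strip(), shlex.split(rhs)))
    return entries


def map_username(client_name, entries, groups=UNIX_GROUPS):
    """A line matches on a case-insensitive name, an @group the current name
    belongs to, or '*'. After a match the mapped name is used for the
    remaining lines unless the line was marked with '!'."""
    user = client_name
    for stop, unix, patterns in entries:
        matched = False
        for p in patterns:
            if p == "*":
                matched = True
            elif p.startswith("@"):
                matched = user in groups.get(p[1:], set())
            else:
                matched = p.lower() == user.lower()
            if matched:
                break
        if matched:
            user = unix
            if stop:
                break
    return user


def share_access(user, share_opts, groups=UNIX_GROUPS):
    """Slide #18 semantics: returns 'denied', 'user' or 'admin' for one share.
    List values are comma or space separated, @name means a UNIX group."""
    def listed(option):
        for entry in re.split(r"[,\s]+", share_opts.get(option, "").strip()):
            if not entry:
                continue
            if entry.startswith("@"):
                if user in groups.get(entry[1:], set()):
                    return True
            elif entry == user:
                return True
        return False

    if listed("invalid users"):                       # invalid users wins
        return "denied"
    if share_opts.get("valid users", "").strip() and not listed("valid users"):
        return "denied"                               # valid users set, not in it
    return "admin" if listed("admin users") else "user"
```

The two maps make the practical point: with the slide's map as written, `DouglasArwin` is first mapped to `darwin` and then, by the wildcard line, to `nobody`; with `!` on the specific lines, the intended UNIX account is kept and only unmatched names fall through to `nobody`. Because the map runs before the password check, the mapped name is also the one whose Samba password is verified.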

Slide #19: Samba Passwords

Stored in /etc/samba/smbpasswd.
Set by the smbpasswd command.

Slide #20: Account Backends

plaintext: Passes plaintext authentication to /etc/{passwd,shadow}.
smbpasswd: Text file with encrypted NT passwords.
tdbsam: Binary database with smbpasswd + SAM info.
ldapsam: LDAP with POSIX + sambaSamAccount objects.

Slide #21: Password Synchronization

Configuration options:

    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*

Slide #22: Sharing Home Directories

Use the special [homes] share. If a user attempts to connect to a share not specified in /etc/smb.conf:
1. Samba creates a new disk share called [username].
2. The share path is set to the username's home directory.
3. Options are set to the [global] + [homes] options, with [homes] options winning any conflicts.
4. Samba connects the user to the new share.

Caveat: you may not want root, bin, etc. to have a share.
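The four steps above as an added example (not the slides' or Samba's code), with the caveat handled by refusing to synthesise a share for system accounts. The [global] and [homes] options, the defined shares and the password file are constructed dicts; the system-account UID cutoff is an assumption of this example.

```python
# Constructed stand-ins for smb.conf sections and /etc/passwd.
GLOBAL_OPTS = {"workgroup": "DOCS", "read only": "yes", "browseable": "yes"}
HOMES_OPTS = {"comment": "Home Directories", "read only": "no", "browseable": "no"}
DEFINED_SHARES = {"data": {"path": "/export", "read only": "yes"}}
PASSWD = {                      # username -> (uid, home directory)
    "root": (0, "/root"),
    "bin": (1, "/bin"),
    "jwalden": (1001, "/home/jwalden"),
}
SYSTEM_UID_MAX = 999            # assumption: UIDs at or below this are system accounts


def resolve_share(requested, shares=DEFINED_SHARES, passwd=PASSWD,
                  global_opts=GLOBAL_OPTS, homes_opts=HOMES_OPTS):
    """Return (share_name, effective_options), or None if nothing can be served."""
    if requested in shares:                   # an explicitly defined share wins
        opts = dict(global_opts)
        opts.update(shares[requested])
        return requested, opts
    if homes_opts is None or requested not in passwd:
        return None                           # no [homes] section, or not a user
    uid, home = passwd[requested]
    if uid <= SYSTEM_UID_MAX:                 # the slide's caveat: no root/bin shares
        return None
    opts = dict(global_opts)                  # step 3: start from [global] ...
    opts.update(homes_opts)                   # ... and let [homes] win conflicts
    opts["path"] = home                       # step 2: path is the home directory
    return requested, opts                    # steps 1 and 4: share named after the user


if __name__ == "__main__":
    print(resolve_share("jwalden"))
    print(resolve_share("root"))
```

On a real server the same caveat is usually expressed in smb.conf itself, with an `invalid users` list (slide #18) on the [homes] share naming the system accounts that must never get a synthesised share.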

Slide #23: Permission Mapping

MS-DOS permissions: Read-only, System, Hidden, Archive.
UNIX permissions: Read, Write, eXecute.

Preserving MS-DOS file permissions on UNIX: since MS-DOS uses file extensions instead of X bits, map the DOS permissions to the owner, group, and world execute bits.
Ex: map archive = yes, map system = yes, map hidden = yes

Slide #24: Creation Masks

Samba masks: UNIX octal permissions for files and directories. Execute bits are used for permission mapping. Can set user and group ownership too.

Example:

    [data]
        create mask = 755
        directory mask = 755
        force user = joe
        force group = accounting
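An added example (not the slides' or Samba's code) covering slides #23 and #24 together: the DOS attributes are mapped onto the execute bits (archive to owner, system to group, hidden to world, which is the mapping smb.conf(5) documents for the three `map` options), the result is ANDed with `create mask` and ORed with `force create mode`, and the reverse mapping shows what a client sees afterwards. Starting new files from 0666 and clearing all write bits for read-only are assumptions of this example; the defaults (`map archive = yes`, `map system = no`, `map hidden = no`, `create mask = 0744`) are Samba's documented ones.

```python
# Samba's documented defaults for the options used here.
DEFAULT_OPTS = {"map archive": "yes", "map system": "no", "map hidden": "no",
                "create mask": "0744", "force create mode": "0000"}

# The settings from slides #23 and #24 (only the file options matter here).
SLIDE_OPTS = {"map archive": "yes", "map system": "yes", "map hidden": "yes",
              "create mask": "755", "directory mask": "755"}

ARCHIVE, SYSTEM, HIDDEN, READONLY = "A", "S", "H", "R"


def _yes(opts, key):
    return opts.get(key, DEFAULT_OPTS[key]).strip().lower() in ("yes", "true", "1")


def _octal(opts, key):
    return int(opts.get(key, DEFAULT_OPTS[key]), 8)


def dos_to_unix_mode(attrs, opts):
    """UNIX mode of a newly created file carrying the DOS attributes in `attrs`
    (a set drawn from ARCHIVE, SYSTEM, HIDDEN, READONLY)."""
    mode = 0o666                       # assumption: new files start as rw-rw-rw-
    if READONLY in attrs:
        mode &= ~0o222                 # assumption: read-only clears every write bit
    if ARCHIVE in attrs and _yes(opts, "map archive"):
        mode |= 0o100                  # archive -> owner execute
    if SYSTEM in attrs and _yes(opts, "map system"):
        mode |= 0o010                  # system -> group execute
    if HIDDEN in attrs and _yes(opts, "map hidden"):
        mode |= 0o001                  # hidden -> world execute
    return (mode & _octal(opts, "create mask")) | _octal(opts, "force create mode")


def unix_mode_to_dos(mode, opts):
    """DOS attributes a client will see for a file with UNIX mode `mode`."""
    attrs = set()
    if not mode & 0o200:
        attrs.add(READONLY)
    if _yes(opts, "map archive") and mode & 0o100:
        attrs.add(ARCHIVE)
    if _yes(opts, "map system") and mode & 0o010:
        attrs.add(SYSTEM)
    if _yes(opts, "map hidden") and mode & 0o001:
        attrs.add(HIDDEN)
    return attrs


if __name__ == "__main__":
    attrs = {ARCHIVE, SYSTEM, HIDDEN}
    mode = dos_to_unix_mode(attrs, SLIDE_OPTS)
    print(oct(mode), unix_mode_to_dos(mode, SLIDE_OPTS))
```

The interaction the slides hint at is what the example is for: with the slide's `create mask = 755` all three attributes survive a round trip, but with a tighter `create mask = 644` the execute bits are masked off at creation and the archive, system and hidden attributes are silently lost, which is worth knowing before tightening a mask on a share that Windows backup tools rely on. Directories go through `directory mask` in the same way.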

Slide #25: ACLs

Samba can map NT ACLs to POSIX ACLs: nt acl support = yes. If not set, NT ACLs are mapped to UNIX rwx permissions.
POSIX ACLs do not support all NT ACLs. Ex: Take Ownership.

Slide #26: Additional Features

1. Samba domain controllers.
2. Samba/LDAP integration.
3. Using Samba from Windows.
4. Samba print servers.

Slide #27: References

1. Aeleen Frisch, Essential System Administration, 3rd edition, O'Reilly, 2002.
2. Evi Nemeth et al., UNIX System Administration Handbook, 3rd edition, Prentice Hall, 2001.
3. Red Hat, Red Hat Enterprise Linux 4 System Administration Guide, http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/sysadmin-guide/, 2005.
4. John H. Terpstra, Jelmer R. Vernooij, Official Samba-3 HOWTO and Reference Guide, 2nd edition, Prentice Hall PTR, http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/, 2005.
5. John H. Terpstra, Samba-3 by Example: Practical Exercises to Successful Deployment, 2nd edition, Prentice Hall PTR, http://www.samba.org/samba/docs/Samba3-ByExample.pdf, 2005.
6. Jay Ts, Robert Eckstein, David Collier-Brown, Using Samba, 2nd edition, O'Reilly, http://www.samba.org/samba/docs/using_samba/toc.html, 2003.