11

INFO 321Server Technologies II

2

What is Samba?

◊ Samba is essentially a TCP/IP file and print server for Microsoft Windows clients • It can support any SMB/CIFS-enabled client

◊ SMB/CIFS?• SMB is Server (or Session) Message Block • Common Internet File System (CIFS) is

Windows File Sharing

3

SMB

◊ SMB was originally developed to run over NetBIOS (Network Basic Input Output System) LANs in the mid-1980’s• SMB was originally for MS-DOS and PC-DOS • SMB is the file sharing protocol inside CIFS • The inventor of SMB was Dr. Barry Feigenbaum

of IBM, who initially called it BAF• Notice the name Samba contains SaMBa

4

SMB◊ As of Windows 2000, the connection

to NetBIOS was removed, thankfully • There exists NBT (NetBIOS over TCP/IP)

SMB over TCP/IP without NBT is "naked" When running naked, SMB defaults to using

TCP port 445 instead of the NBT Session Service port (TCP/139)

◊ SMB should work over any transport protocol

5

CIFS◊ CIFS is a network file system plus a set

of auxiliary services supported by a bunch of underlying protocols• Most of which are not particularly well

documented by Microsoft; you may faint now

• CIFS is "Microsoft's way of doing network file sharing“ since about 1996

◊ There is no RFC number for SMB or CIFS• Microsoft's implementations are the de facto

CIFS standards

6

So what?

◊ “One of Samba’s big strengths is that you can use it to blend your mix of Windows and Linux machines together without requiring a separate Windows server. Samba includes support for Active Directory, Unicode, new authentication and filename mangling systems, printing support, trust relationships, LDAP integration and loadable RPC modules.” • From The Unofficial Samba HOWTO

7

If that’s not enough

◊ “Samba is software that can be run on a platform other than Microsoft Windows, for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. Samba uses the TCP/IP protocol that is installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.” • From What is Samba?

8

Samba Today

◊ Samba is on version 3.5.6 (as of January 19, 2011), and is available for the following platforms• UNIX - AIX (IBM UNIX), HP-UX (HP UNIX),

Solaris (Sun UNIX)• Linux - Debian, Fedora, RedHat, SuSE• MVS (IBM mainframes)• Novell (NetWare)• VMS (was DEC, now HP OpenVMS)

From http://us1.samba.org/samba/ftp/Binary_Packages/

9

SMB addressing - UNC

◊ A Universal Naming Convention (UNC) path might look something like this: • \\ubiqx\cifs\SMB.html

◊ ...and would parse out like this: • ubiqx = The name of the server• cifs = The directory path• SMB.html = The file name

Much of this section adapted from Implementing CIFS

No!

10

SMB addressing - UNC◊ UNC doesn't provide a protocol specification

• That's not because it always assumes SMB• The UNC format can support all sorts of

filesharing protocols, but it is up to the underlying OS or application to figure out which one to use

◊ Protocol and transport discovery are handled by trial-and-error, with each possibility tested until something works• You might imagine a system with AppleTalk,

NetWare, and SMB all enabled has a lot of work to do

11

UNC◊ The UNC format is handled natively by

Microsoft & IBM's family of operating systems: DOS, OS/2, & Windows• Samba's smbclient utility can also parse

UNC names, but it does so at the application level rather than within the OS and it only ever tries to deal with SMB

• Even so, smbclient must handle both NBT and naked transport, which can be tricky

12

UNC

◊ SMB is the server identifier field because it will accept addresses in addition to names

◊ Recognized server names are:• NetBIOS names• DNS hostnames• IP addresses

◊ Going from an IP address to a NetBIOS name involves guesswork

13

Share names

◊ The directory path looks just like a directory path, but there is one small thing that makes it different; that thing is called the "share name“• A given directory can have one or many share

names

◊ The idea is similar to symbolic links (symlinks) in Unix, or shortcuts in Windows• The share is a named pointer--with its own set of

attributes--to the object being made available

14

File name◊ File names are straightforward, right?

No.◊ Windows is case insensitive

• But UNIX and Linux are case sensitive

◊ Other problem areas include• filename lengths• valid characters• file access permissions• the end-of-line delimiter in text files

15

SMB URL

◊ Fortunately, there such a thing as an SMB URL• It fits into the general URI syntax and

can be used to specify files, directories, and other SMB-shared stuff

• It is intended as a more portable, and more complete way to specify SMB paths at the application level

16

Reach out

◊ … and touch an SMB server ◊ To do this we need two steps to

identify who we’re talking to, and how• Server identifier interpretation • Transport discovery

17

Server identifier interpretation

◊ Try a URL like this• smb://server/ • Assuming the server’s name is ‘server’

◊ To resolve the name server, try◊ It could be an IPv4 address

• That’s easy; and IPv6 addresses should be in brackets, smb://[fe80::240:f4ff:fe1f:8243]/

18

Server identifier interpretation

◊ It could be a NetBIOS Name• Look for un-escaped dots in the NetBIOS

name• smb://my%2Enode.scope/ has a NetBIOS

Name of ‘my.node’ and Scope ID of ‘scope’• Use a NBT Name Query to get the server’s

IP address

◊ It could be a DNS name• Try DNS to get the IP address

19

Port number please?

◊ Now we need to divine the port number• Port 139 is for NBT• Port 445 is for raw TCP • Which one applies?

◊ And if other security protocols are being used, higher port numbers could apply

◊ So this is another mess to figure out, if you weren’t given it

20

Transport discovery

◊ Try running naked• Open a TCP connection to port 445 on

the server, but do not send an NBT SESSION REQUEST--just start sending SMB messages and see if that works

◊ Try NBT transport ◊ Try reverse-mapping a NetBIOS

Name

21

Can we do something?

◊ All that was just to establish a connection to an SMB server

◊ Now we can look at SMB commands◊ They may contain a

header, parameters, and data

Image from http://www.ubiqx.org/cifs/figures/smb-03.html

22

SMB Header

◊ The SMB header typically has eight 4-Byte lines• SMB_HEADER { • PROTOCOL = "\xffSMB" (4B)• COMMAND = <SMB Command code (1

B)> The CIFS Technical Reference lists these

• STATUS = <Status code> (4B)• FLAGS = <Old flags> (1 B)

23

SMB Header• FLAGS2 = <New flags> (2 B)• EXTRA = <Sometimes used for

additional data> (12 B)The PidHigh subfield is used to

accommodate systems that have 32-bit Process IDs

The 8-byte Signature subfield is for SMB message signing, as in a digital signature

When not in use, these fields must be filled with zeros

24

SMB Header• TID = <Tree ID> (2B)

The SMB used to open a share is called a "Tree Connect“; the TID field is used to identify connections to shares once they have been established

• PID = <Process ID> (2B) The "Process ID" is set by the client, and is

intended as an identifier for the process sending the SMB request

The most important thing to note regarding the PID is that file locking and access modes are maintained relative to the value in this field

25

SMB Header

• UID = <User ID> (2B) The "User ID" is also known as a VUID

(Virtual User ID)It is assigned by the server after the user

logs in, and is valid until the user logs offIt does not need to be the user's actual User

ID on the server system

26

SMB Header

• MID = <Multiplex ID> (2B) }The "Multiplex ID“ is used by the client to

keep track of multiple outstanding requestsThe server must echo back the MID and the

PID provided in the client requestThe client can use those values to make

sure that the reply is matched up to the correct request

27

SMB Message Parameters

◊ SMB_PARAMETERS { ◊ WordCount = <Number of words in

the Words array> (1 B)◊ Words[WordCount] = <SMB

parameters; varies with SMB command> (2*WordCount B) }• The SMB_PARAMETERS.Words block is

limited in length to 510 bytes

28

SMB Message Parameters

◊ Each SMB message type (species?) has a different record structure that is carried in the Words block

◊ Think of that structure as representing the parameters passed to a function (the function identified by the SMB command code listed in the header)

29

SMB Message Data

◊ SMB_DATA { ◊ ByteCount = <Number of bytes in

the Bytes field> (2 B)◊ Bytes[ByteCount] = <Contents

varies with SMB command> (ByteCount B) } • SMB_DATA.Bytes may be as much as

65,535 bytes in length

30

Parameters vs Data blocks

◊ So if the Parameters block and the Data block look alike, it’s not just you• “…any functional distinction that may

have separated the Parameter and Data blocks has been blurred” - Implementing CIFS

31

AndX messages

◊ SMB can form a linked list of related messages using a format called AndX messages

◊ The AndX message has two fields in a 4-Byte line• AndXCommand (1 B)• (reserved) (1 B)• AndXOffset (2 B)

32

AndX messages

◊ The AndXCommand field provides the SMB command code for the next AndX block in the list (not the current one)• The AndXOffset value in each AndX

parameter block gives the offset (relative to the start of the SMB) of the next AndX block; AndXOffset of the last AndX block has a value of zero (0)

Figure from http://www.ubiqx.org/cifs/figures/smb-05.html

33

AndX messages

◊ The AndXOffset contains the byte index, relative to the start of the SMB header, of that next AndX block--think of it as a pointer• Since the AndXOffset value is

independent of the SMB_PARAMETERS.WordCount and SMB_DATA.ByteCount values, it is possible to provide padding between the AndX blocks

34

Start the conversation

◊ After establishing the transport protocol, the SMB client and server can exchange messages

◊ The first one is always NEGOTIATE PROTOCOL REQUEST/RESPONSE, which does just that

◊ It’s followed by SESSION SETUP REQUEST • Didn’t we already do that?

35

Transport vs user sessions

◊ No, we established the transport layer session; now it’s time to establish a user logon session

◊ In the second message in the handout, we have • AccountName = "GUEST“

◊ This is to log on as the GUEST user

36

Find a tree

◊ Once a user logon is done, often the next command is to find the shared directory tree• TREE CONNECT does this

◊ Recall the tree concept identifies shared folders

37

SMB Connection

◊ After transport disconnect, all resources are released, not too surprisingly

Figure from http://www.ubiqx.org/cifs/figures/smb-06.html

38

Ok, enough SMB!

◊ Aren’t you glad someone wrote Samba to do all this stuff for you? Who, you ask?• Aussie Andrew Tridgell reverse engineered

SMB and started Samba in 1992

◊ Samba exists only on the non-Windows side; a Windows system only needs to be configured for ‘Microsoft networking’

Much of this section is from (Nemeth, 2007) and the Samba3-

HOWTO

39

Samba = Unix CIFS server

◊ Samba can provide these services• File sharing• Network printing• Authentication and authorization• Name resolution• Service announcement

Browse file servers or printers

40

Samba services

◊ Samba can also • Do basic Windows primary domain

controller functions• With LDAP, serve as a backup domain

controller• Support some other Windows functions

such as domain logins, roaming user profiles, and CIFS print spooling

41

Samba processes◊ Samba is implemented in Linux mostly

via two processes (daemons, to be precise):• The daemon smbd provides file sharing,

network printing, authentication and authorization

• The daemon nmbd provides name resolution and service announcement

◊ Samba runs as a normal user process, binding to the CIFS sockets

42

Installing Samba

◊ Most Linux distributions include Samba, but you can download the latest from samba.org, and install it• root# rpm -Uvh samba-3.0.20-1.i386.rpm

◊ Create a mount point for shared files• root# mkdir /plans• root# chmod 755 /plans

From Samba ByExample

43

Installing Samba◊ Then install the smb.conf file (which we’ll

get to soon)

◊ Verify that the /etc/hosts file contains the following entry:• 192.168.1.1 server

◊ Start samba• root# chkconfig smb on• root# /etc/rc.d/init.d/smb restart

44

Simple smb.conf file

• # Global Parameters• [global]• workgroup = MIDEARTH• security = SHARE• [Plans]• path = /plans• read only = Yes• guest ok = Yes

45

From the PC side

◊ Make sure the PC is in the workgroup (e.g. MIDEARTH)

◊ Make sure its IP address is in the same range as the Samba system (192.168.1.x), and they have the same netmask (255.255.255.0)

◊ Find the samba server in the Network Neighborhood

46

Is Samba alive?

◊ Check samba status with• root# smbclient -L localhost -U%• The -U% option gives no user name and password

◊ And prove it can handle a login• root# smbclient -L server -Uroot%password

◊ That should establish basic file sharing

47

Samba configuration file

◊ Like most Unix-y apps, it has a ‘.conf’ file which governs how it runs• /etc/smb.conf or /etc/samba/smb.conf or

maybe /usr/local/samba/lib/smb.conf

◊ When Samba is running, it checks the conf file every few seconds, so changes will take effect quite quickly (no reboot needed)

48

Config file sections◊ Each section in the smb.conf file

(“stanza”) represents either a share or a meta-service on the Samba server• The [global] stanza contains settings

that apply to the whole Samba server

◊ Samba supports a number of meta-services, each of which serves its own purpose

From (Samba3-HOWTO)

49

Config file meta-services

• The [homes] stanza is a meta-service that causes Samba to provide a personal home share for each user

• The [printers] stanza is a meta-service that establishes print queue support, and species the location of the intermediate spool directory into which print jobs are received from Windows clients prior to being dispatched to the UNIX/Linux print spooler

50

Really minimal smb.conf file

[global]workgroup = WKGnetbios name = MYNAME

[share1]path = /tmp

[share2]path = /my shared foldercomment = Some random files

51

Security issues

◊ File sharing is naturally a security hole◊ To control which clients can access

Samba shared resources, look for the hosts allow clause in the smb.conf file• It should contain only the IP addresses or

IP address ranges you trust to have access

◊ Turn on password encryption• encrypt passwords = true

52

Security issues

◊ Password encryption makes Samba keep a hash of the password for each user• Recall Unix and Windows keep different

user login information

◊ To set this password, use smbpasswd• sudo smbpasswd –a username

◊ Users can then change their password• smbpasswd –r smbservername –U username

53

Security issues

◊ Block the Samba server from outside your organization • Samba uses encryption only for

password authentication, not for data transport!

◊ Hence might want to use firewall to block • UDP ports 137-139 • TCP ports 137, 139, and 445

54

What are my settings?

◊ To find the current Samba settings use the command• testparm –v

◊ This will include all your smb.conf settings, and other defaults• Only override defaults for a reason –

otherwise leave them out of smb.conf

55

Encoding compatibility

◊ Try echo $LANG◊ Samba uses UTF-8 character set◊ If you’re using anything else, set the

character sets in Samba to be the same as your system using, e.g.• unix charset = ISO8859-15• display charset = ISO8859-15

56

Removing NetBIOS support

◊ If all Windows clients are at least Win2k, have DNS provided outside of Samba, and you don’t need Network Neighborhood browsing in Samba, you can remove NetBIOS support

[global]disable netbios = yes

name resolve order = host

57

Removing NetBIOS support

◊ Without NetBIOS support, you don’t need to run nmbd; so remove it from Samba startup in /etc/init.d

◊ To connect to a Samba server without NetBIOS support, use the full DNS name of the host• \\server.example.com.\myshare• The extra dot tells Windows to use DNS

58

Authentication

◊ Windows uses a challenge/response approach to respond to an authentication request• If you have the same Samba username

and password as in Windows, then this will be invisible in the background

◊ For larger scale systems, can use NIS, LDAP or Windows authen. services

59

Authentication

◊ To merge authentication services between Linux and Windows, make Samba act as a Primary Domain Controller

◊ Or can use Nate Yocom’s open source pGina (GINA = Graphical Identification aNd Authentication) to handle almost any authentication method

60

Basic file sharing in smb.conf

◊ If everyone has a home directory, the [homes] stanza can share them• [homes]• comment = Home directories• browseable = no• valid users = %S• writeable = yes• guest ok = no

61

Basic file sharing

◊ This will allow any user to access their home Linux directory from any Windows system

◊ Can you see another user’s home directory?• Samba uses Linux file permissions

through CIFS, so usually the answer would be yes

• The valid users line prevents it though

62

Group shares

◊ A group can be defined by access control lists (ACLs), but that’s a bit messy

◊ Easier to define a pseudo user, and have Samba pretend people are in that group• E.g. create a Linux ‘eng’ group, and

matching Samba user and group of the same name

• The pseudo user is the owner of the directory

63

Group shares

• [eng]• valid users = @eng• force user = eng• force group = eng• path = /home/eng• nt acl support = no• create mask = 0660• force create mask = 0660

64

Group shares

• security mask = 0000• directory mask = 2770• force directory mask = 2770• directory security mask = 0000

More info on these masks circa p. 324 of HOWTO

• browseable = no• writeable = yes• guest ok = no

65

Sources◊ The Unofficial Samba HOWTO from

oregontechsupport.com◊ Vernooij, Terpstra, Carter. (May 27,

2009) Samba3-HOWTO from samba.org

◊ Samba3-ByExample from samba.org◊ What is Samba? from samba.org◊ Implementing CIFS, by Christopher R.

Hertel

66

Sources

◊ CIFS Technical Reference by SNIA (2002)

◊ Nemeth, Snyder, Hein. (2007) Linux Administration Handbook. Prentice Hall, ISBN 0131480049