SAMBA
NAVEEN K PRASADAM
IMRAN RIAZ
HISTORY
Samba is the brainchild of Andrew Tridgell, who currently heads the Samba development team from his home in Canberra, Australia. The Samba project was born in 1991, when Andrew wrote a file server for his local network that supported an odd DEC protocol from Digital Pathworks. When the program later needed a new name, Tridgell searched the Unix dictionary for words containing the letters s, m and b in that order:
    grep -i 's.*m.*b' /usr/dict/words
which returned salmonberry, samba, sawtimber and scramble. Thus the name "Samba" was born.
SERVICES
Share one or more filesystems
Share printers installed on both the server and its clients
Assist clients with Network Neighborhood browsing
Authenticate clients logging onto a Windows domain
Provide or assist with WINS name server resolution
SAMBA IN ACTION
SHARING A DISK SERVICE
SHARING A PRINTER
VIEW FROM THE UNIX SIDE
    # smbstatus
    Samba version 2.0.4
    Service      uid      gid      pid     machine
    ----------------------------------------------
    network      davecb   davecb   7470    phoenix  (192.168.220.101) Sun May 16
    network      davecb   davecb   7589    chimaera (192.168.220.102) Sun May 16

    Locked files:
    Pid    DenyMode    R/W     Oplock           Name
    --------------------------------------------------
    7589   DENY_NONE   RDONLY  EXCLUSIVE+BATCH  /home/samba/quicken/inet/common/system/help.bmp  Sun May 16 21:23:40 1999
    7470   DENY_WRITE  RDONLY  NONE             /home/samba/word/office/findfast.exe             Sun May 16 20:51:08 1999
    7589   DENY_WRITE  RDONLY  EXCLUSIVE+BATCH  /home/samba/quicken/lfbmp70n.dll                 Sun May 16 21:23:39 1999
    7589   DENY_WRITE  RDWR    EXCLUSIVE+BATCH  /home/samba/quicken/inet/qdata/runtime.dat       Sun May 16 21:23:41 1999
    7470   DENY_WRITE  RDONLY  EXCLUSIVE+BATCH  /home/samba/word/office/osa.exe                  Sun May 16 20:51:09 1999
    7589   DENY_WRITE  RDONLY  NONE             /home/samba/quicken/qversion.dll                 Sun May 16 21:20:33 1999
    7470   DENY_WRITE  RDONLY  NONE             /home/samba/quicken/qversion.dll                 Sun May 16 20:51:11 1999

    Share mode memory usage (bytes):
       1043432(99%) free + 4312(0%) used + 832(0%) overhead = 1048576(100%) total
UNDERSTANDING NETBIOS
In 1984, IBM authored a simple application programming interface (API) for networking its computers called the Network Basic Input/Output System (NetBIOS). The NetBIOS API provided a rudimentary design for an application to connect and share data with other computers. NetBIOS, however, originally had to exchange instructions with computers across IBM PC or Token Ring networks, so it required a low-level transport protocol to carry its requests from one computer to the next.
UNDERSTANDING NETBIOS
In late 1985, IBM released one such protocol, which it merged with the NetBIOS API to become the NetBIOS Extended User Interface ( NetBEUI).
NetBEUI was designed for small local area networks (LANs), and it let each machine claim a name (up to 15 characters) that wasn't already in use on the network.
In 1987, the Internet Engineering Task Force (IETF) published a series of standardization documents, titled RFC 1001 and 1002, that outlined how NetBIOS would work over a TCP/UDP network.
NBT
NBT offers:
• A name service
• Two communication services: datagrams and sessions
Name service
In the NetBIOS world, when a machine comes online it wants to claim a name for itself; this is called name registration. However, no two machines in the same workgroup should be able to claim the same name. There are two different approaches to ensuring that this doesn't happen:
Use a NetBIOS Name Server (NBNS) to keep track of which hosts have registered a NetBIOS name.
Allow each machine on the network to defend its name in the event that another machine attempts to use it.
NBNS versus non-NBNS name registration
There must also be a way to resolve a NetBIOS name to a specific IP address; this is known as name resolution. Again there are two approaches:
Have each machine report back its IP address when it "hears" a broadcast request for its NetBIOS name.
Use the NBNS to resolve NetBIOS names to IP addresses.
NBNS versus non-NBNS name resolution
Node Types
b-node: uses broadcast registration and resolution only.
p-node: uses point-to-point registration and resolution (via the NBNS) only.
m-node: uses broadcast for registration and, if successful, notifies the NBNS of the result; uses broadcast for resolution and falls back to the NBNS if the broadcast is unsuccessful.
h-node: uses the NBNS for registration and resolution; falls back to broadcast if the NBNS is unresponsive or inoperative.
The structure of NetBIOS names
DATAGRAMS
Packets of data are simply sent or broadcast from one machine to another, without regard for the order in which they arrive at the destination, or even whether they arrive at all. The datagram service has no stable connection between one machine and another.
Datagrams are therefore used for quickly sending simple blocks of data to one or more machines.
SESSIONS
Sessions are a communication method that, in theory, offers the ability to detect problematic or inoperable connections between two NetBIOS applications.
It helps to think of an NBT session in terms of a telephone call.
Each side knows which machine is the caller and which is the called machine, and the two communicate with simple primitives (call, listen, hang up, send, receive).
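The name service and session service described above, as an added example in Python that is not part of the original slides. It builds the RFC 1002 NAME QUERY REQUEST that a b-node broadcasts (or a p-node sends to the NBNS), parses a positive response, and builds the SESSION REQUEST that opens the TCP/139 "telephone call"; the 32-character encoded name is the structure referred to in "The structure of NetBIOS names" below. The PHOENIX / 192.168.220.101 pair is taken from the smbstatus listing above; all packets are constructed here, not captured.

```python
"""NetBIOS over TCP/IP (RFC 1001/1002) name service and session service
messages. Added example; the responses below are constructed, not captured."""
from __future__ import annotations

import socket
import struct

NBNS_PORT = 137      # name service (UDP)
NBSS_PORT = 139      # session service (TCP)
NB_TYPE = 0x0020     # "NB" resource record type
IN_CLASS = 0x0001

# Common NetBIOS name suffixes (the 16th byte of the name)
WORKSTATION, FILE_SERVER, DOMAIN_MASTER_BROWSER = 0x00, 0x20, 0x1B


def encode_name(name: str, suffix: int = WORKSTATION) -> bytes:
    """First-level encoding: pad to 15 bytes, append the suffix byte, then
    write each nibble as a letter A..P, giving the 32-character form."""
    base = name.upper().encode("ascii")
    # The wildcard name "*" is padded with NUL bytes rather than spaces.
    raw = (base + b"\x00" * 15 if base == b"*" else base.ljust(15, b" "))[:15]
    raw += bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def decode_name(encoded: bytes) -> tuple[str, int]:
    """Reverse of encode_name: returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def second_level(name: str, suffix: int) -> bytes:
    """Second-level encoding: one 32-byte label plus a zero byte (no scope id)."""
    return b"\x20" + encode_name(name, suffix) + b"\x00"


def build_name_query(name: str, suffix: int, txid: int, broadcast: bool = True) -> bytes:
    """NAME QUERY REQUEST. A b-node sets the B flag and sends it to the subnet
    broadcast address; a p-node clears it and sends it to the NBNS (WINS)."""
    flags = 0x0100 | (0x0010 if broadcast else 0)       # RD, optionally B
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + second_level(name, suffix) + struct.pack(">HH", NB_TYPE, IN_CLASS)


def parse_name_query_response(data: bytes, txid: int) -> list[str]:
    """Addresses from a POSITIVE NAME QUERY RESPONSE; [] for a negative
    response, an unrelated transaction id or a non-NB answer."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if rid != txid or not flags & 0x8000 or flags & 0x000F or an < 1:
        return []
    off = 12 + 34                                        # skip the answer name
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NB_TYPE:
        return []
    # RDATA is a list of 6-byte entries: NB_FLAGS (group/unique, node type) + IPv4
    return [socket.inet_ntoa(data[off + i + 2:off + i + 6]) for i in range(0, rdlen, 6)]


def build_session_request(called: str, calling: str) -> bytes:
    """NBSS SESSION REQUEST (type 0x81), sent on TCP/139 before any SMB.
    The 17-bit length is the low bit of the flags byte plus two bytes."""
    body = second_level(called, FILE_SERVER) + second_level(calling, WORKSTATION)
    return bytes([0x81, (len(body) >> 16) & 1]) + struct.pack(">H", len(body) & 0xFFFF) + body


def parse_session_response(data: bytes) -> tuple[bool, int]:
    """(accepted, error). 0x82 is positive; 0x83 negative with a code byte:
    0x80/0x81 not listening on called/for calling name, 0x82 called name not
    present, 0x83 insufficient resources, 0x8F unspecified."""
    if data[0] == 0x82:
        return True, 0
    if data[0] == 0x83:
        return False, data[4]
    raise ValueError(f"unexpected NBSS packet type 0x{data[0]:02x}")


def sample_positive_response(txid: int) -> bytes:
    """Constructed: PHOENIX<20> answering with 192.168.220.101 (the pair from
    the smbstatus listing above); NB_FLAGS 0 = unique name, B-node."""
    header = struct.pack(">HHHHHH", txid, 0x8580, 0, 1, 0, 0)
    rr = second_level("PHOENIX", FILE_SERVER) + struct.pack(">HHIH", NB_TYPE, IN_CLASS, 300000, 6)
    return header + rr + struct.pack(">H", 0) + socket.inet_aton("192.168.220.101")


if __name__ == "__main__":
    query = build_name_query("PHOENIX", FILE_SERVER, txid=0x1234)
    print("name query:", query.hex())                   # a b-node would sendto <broadcast>:137
    print("answer:", parse_name_query_response(sample_positive_response(0x1234), 0x1234))
    print("session request:", build_session_request("PHOENIX", "CHIMAERA").hex())
```

The transaction-id and NB-type checks in the parser matter in practice: a name query is unauthenticated UDP, so any host on the subnet can answer a broadcast query, and a response that does not match an outstanding transaction should be discarded rather than trusted.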
MICROSOFT IMPLEMENTATIONS
WINDOWS DOMAINS
A Windows domain goes a step further: it is a workgroup of SMB machines with one addition, a server acting as a domain controller.
Such domains are also called "Windows NT domains".
A simple Windows domain
RESPONSIBILITIES
AUTHENTICATION: the process of verifying a user's identity (username and password) in order to grant or deny that user access to a shared resource on another network machine.
Each domain controller uses a Security Account Manager (SAM) database to maintain its list of username/password combinations.
Using a domain controller for authentication
Primary and backup domain controllers
Redundancy is a key idea behind a Windows domain. The domain controller that is currently active on a domain is called the primary domain controller (PDC). There can also be backup domain controllers (BDCs), which take over if the PDC fails or becomes inaccessible. BDCs frequently synchronize their SAM data with the PDC so that, if the need arises, any one of them can perform domain controller services.
Browsing
Levels of browsing
Browsing a list of machines (with shared resources)
Browsing the shared resources of a specific machine
BROWSING
The computer that maintains the list of machines currently accessible through the network is called the local master browser.
The list it maintains is called the browse list.
Machines on a subnet consult the browse list rather than querying every host, which cuts down the amount of network traffic generated while browsing.
BROWSING
To browse the actual resources on a machine, a user must connect to that specific machine. Browsing the list of resources on a machine can be done by clicking on the machine's icon when it is presented in the Network Neighborhood in Windows 95/98 or NT. Each server in a Windows workgroup is required to announce its presence to the local master browser after it has registered a NetBIOS name.
Windows Internet Name Service (WINS)
The Windows Internet Name Service (WINS) is Microsoft's implementation of a NetBIOS name server (NBNS). WINS is dynamic: when a client first comes online, it is required to report its hostname, its address, and its workgroup to the local WINS server .This WINS server will retain the information so long as the client periodically refreshes its WINS registration, which indicates that it's still connected to the network.
Samba Distribution
smbd: the smbd daemon is responsible for managing the shared resources between the Samba server machine and its clients. It provides file, print and browser services to SMB clients across one or more networks.
smbd handles all notifications between the Samba server and the network clients. In addition, it is responsible for user authentication, resource locking and data sharing through the SMB protocol. (Its companion daemon, nmbd, handles NetBIOS name registration and browsing.)
Samba Distribution
The Samba distribution also comes with a small set of Unix command-line tools:
smbclient: an FTP-like Unix client that can be used to connect to SMB shares
smbtar: a program for backing up data in shares, similar to the Unix tar command
nmblookup: a program that provides NetBIOS over TCP/IP name lookups
smbpasswd: a program that allows an administrator to change the encrypted passwords used by Samba
smbstatus: a program for reporting the current network connections to the shares on a Samba server
testparm: a simple program to validate the Samba configuration file
testprns: a program that tests whether various printers are recognized by the smbd daemon
Samba 2.0
NT Domains
Ease of Administration
Performance
Compatibility Improvements
Smbwrapper
INSTALLATION
1. Download the source or binary files.
2. Read the installation documentation.
3. Configure a makefile.
4. Compile the server code.
5. Install the server files.
6. Create a Samba configuration file.
7. Test the configuration file.
8. Start the Samba daemons.
9. Test the Samba daemons.
Setting Up Windows 95/98 Computers
Accounts and Passwords
The Passwords Properties panel
Changing the Windows password
The Change Passwords tab
The Change Windows Password dialog box
Windows Networking profiles
SETTING UP THE NETWORK
The Windows 95/98 Network panel
Adding TCP/IP
Selecting a protocol to install
Configuring TCP/IP
Selecting the correct TCP/IP protocol
TCP/IP Properties panel
There are seven tabs near the top of this panel, and you will need to configure four of them:
IP address
DNS configuration
WINS configuration
Bindings
DNS Configuration tab
WINS Configuration tab
The WINS Configuration tab
The Bindings tab
Setting Your Name and Workgroup
The Identification tab
Accessing the Samba Server
Shares on Server
Setting Up Windows NT 4.0 Computers
There are six basic steps:
Assign the machine a name.
Install the Workstation service.
Install the TCP/IP protocol.
Set the machine's name and IP address.
Configure the DNS and WINS name services.
Bind the protocol and service together.
SMB/CIFS
SMB/CIFS is the protocol that Windows 95/98 and NT machines use to communicate with the Samba server and with each other. At a high level, the SMB protocol suite is relatively simple. It includes commands for:
Opening and closing a file
Creating and deleting files and directories
Reading and writing a file
Searching for files
Queueing and dequeueing files to a print spool
SMB Format
SMB is a "request-response" protocol
A client sends an SMB request to a server, and the server sends an SMB response back to the client.
An SMB message contains:
The header, which is a fixed size
The command string, whose size can vary dramatically based on the contents of the message
SMB Clients and Servers
Two computers that both have resources to share
SMB Clients and Servers
The important points in Samba terminology:
A server is a machine with a resource to share.
A client is a machine that wishes to use that resource.
A server can be a client (of another computer's resource) at any given time
A Simple SMB Connection
Establish a virtual connection.
Negotiate the protocol variant to speak.
Set session parameters.
Make a tree connection to a resource.
Establishing a virtual connection
User first makes a request to access a network disk or send a print job to a remote printer
NetBIOS takes care of making a connection at the session layer.
The result is a bidirectional virtual channel between the client and server
Negotiating the Protocol Variant
The client sends a message to the server to negotiate an SMB protocol variant. The client sets its tree identifier (TID) field to zero, since it does not yet know which TID to use. The command in the message is SMBnegprot, a request to negotiate the protocol variant that will be used for the entire session. The server responds to the SMBnegprot request with an index into the list of variants that the client offered.
Set Session and Login Parameters
The client then transmits the session and login parameters. These include the account name and password (if there is one), the workgroup name, the maximum size of data that can be transferred, and the number of pending requests that may be in the queue at any one time.
Making a Connection to a Resource
The tree connect names the type of service requested:
"A:" for a disk or file share
"LPT1:" for a spooled printer
"COMM" for a direct-connect printer or modem (communications device)
"IPC" for a named pipe
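The four-step connection above (virtual connection, SMBnegprot, session setup, tree connect), shown at the byte level as an added example that is not part of the original slides: it builds the SMBnegprot request with TID = 0 and parses a constructed NT LM 0.12 reply, reading the dialect index the server chose and its SecurityMode byte (user- versus share-level security, challenge/response versus plaintext passwords, whether signing is required). The header field values and the sample reply are assumptions for illustration; SMB1 is the dialect family the slides describe, and Samba 4.11 and later disable it by default.

```python
"""SMB1 (CIFS) dialect negotiation. Added example: builds the SMBnegprot
request and parses a constructed NT LM 0.12 response. SMB1 is the legacy
protocol the slides describe; Samba 4.11 and later refuse it by default."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
FLAGS_RESPONSE = 0x80                 # Flags bit 7: message is a server reply
FLAGS2 = 0xC041                       # long names, NT status codes, Unicode
DIALECTS = [
    "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
    "LM1.2X002", "LANMAN2.1", "NT LM 0.12",
]


def smb_header(command: int, flags: int = 0x18, tid: int = 0, pid: int = 0xFEFF,
               uid: int = 0, mid: int = 0) -> bytes:
    """32-byte SMB1 header. TID is 0 until a tree connect assigns one, and
    UID is 0 until session setup authenticates the user."""
    return (SMB_MAGIC
            + struct.pack("<BIBH", command, 0, flags, FLAGS2)   # command, status, flags, flags2
            + struct.pack("<H", 0)                               # PIDHigh
            + b"\x00" * 8                                        # SecurityFeatures (signature)
            + b"\x00" * 2                                        # reserved
            + struct.pack("<HHHH", tid, pid, uid, mid))


def build_negotiate_request(dialects=DIALECTS, mid: int = 1) -> bytes:
    """SMBnegprot: WordCount 0, then each dialect as 0x02 + name + NUL."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return smb_header(SMB_COM_NEGOTIATE, mid=mid) + b"\x00" + struct.pack("<H", len(data)) + data


def parse_negotiate_response(data: bytes, dialects=DIALECTS) -> dict:
    """Decode the server's choice and its SecurityMode byte. Raises if the
    server accepted none of the offered dialects (WordCount 1, index 0xFFFF)."""
    if data[:4] != SMB_MAGIC or data[4] != SMB_COM_NEGOTIATE or not data[9] & FLAGS_RESPONSE:
        raise ValueError("not an SMB negotiate response")
    word_count = data[32]
    if word_count == 1 and struct.unpack_from("<H", data, 33)[0] == 0xFFFF:
        raise ValueError("server accepted none of the offered dialects")
    if word_count != 17:
        raise ValueError(f"unsupported response layout (WordCount {word_count})")
    (index, secmode, max_mpx, _vcs, max_buf, _raw, _key, caps,
     _time, _tz, chal_len) = struct.unpack_from("<HBHHIIIIqhB", data, 33)
    byte_count = struct.unpack_from("<H", data, 67)[0]
    challenge = data[69:69 + chal_len] if byte_count >= chal_len else b""
    return {
        "dialect": dialects[index],
        "mid": struct.unpack_from("<H", data, 30)[0],
        "user_level_security": bool(secmode & 0x01),   # clear = share-level security
        "challenge_response": bool(secmode & 0x02),    # clear = plaintext passwords
        "signing_enabled": bool(secmode & 0x04),
        "signing_required": bool(secmode & 0x08),
        "max_mpx": max_mpx, "max_buffer_size": max_buf, "capabilities": caps,
        "challenge": challenge,
    }


def sample_negotiate_response(mid: int = 1, secmode: int = 0x0F) -> bytes:
    """Constructed reply: index 5 = NT LM 0.12. The default SecurityMode 0x0F
    is user-level, challenge/response, signing enabled and required."""
    challenge = bytes(range(8)) if secmode & 0x02 else b""
    words = struct.pack("<HBHHIIIIqhB", 5, secmode, 50, 1, 16644, 65536, 0,
                        0x0000E3FD, 0, 0, len(challenge))
    return (smb_header(SMB_COM_NEGOTIATE, flags=0x18 | FLAGS_RESPONSE, mid=mid)
            + bytes([17]) + words + struct.pack("<H", len(challenge)) + challenge)


if __name__ == "__main__":
    req = build_negotiate_request()
    print("request TID:", struct.unpack_from("<H", req, 24)[0], "len:", len(req))
    info = parse_negotiate_response(sample_negotiate_response())
    print(info["dialect"], "signing required:", info["signing_required"])
    weak = parse_negotiate_response(sample_negotiate_response(secmode=0x00))
    print("plaintext passwords expected:", not weak["challenge_response"])
```

The SecurityMode byte is the thing to look at when assessing a server: a clear bit 1 means the session setup that follows will carry the password in the clear, and a clear bit 3 means an on-path attacker can tamper with or relay the unsigned session.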
Samba Configuration File
[global] ...
[homes] ...
[printers] ...
[test] ...
Samba Configuration File
[global]
   log level = 1
   max log size = 1000
   socket options = TCP_NODELAY IPTOS_LOWDELAY
   guest ok = no
[homes]
   browseable = no
   map archive = yes
[printers]
   path = /usr/tmp
   guest ok = yes
   printable = yes
   min print space = 2000
[test]
   browseable = yes
   read only = yes
   guest ok = yes
   path = /export/samba/test
Browsing and Advanced Disk Shares
Browsing
Preventing Browsing
Default Services
Browsing Elections
Domain Master Browser
Multiple subnets
Browsing
Multiple subnets
Browsing
Browsing Options: announce as, announce version, browseable, browse list, auto services, default service, local master
Browsing
lm announce, lm interval, preferred master, os level, remote browse sync, remote announce
File system Differences
Hiding and Vetoing Files
File system Differences
Links An error dialog trying to follow symbolic
links when forbidden by Samba
File system Differences
File System Options: unix realname, dont descend, follow symlinks, getwd cache, wide links, hide files, hide dot files, veto files, delete veto files
File Permissions and Attributes on MS-DOS and Unix
DOS and Windows file properties
File Permissions and Attributes on MS-DOS and Unix
How Samba and Unix view the permissions of a file
File Permissions and Attributes on MS-DOS and Unix
Creation masks
File and Directory Permission Options: create mask, directory mask, force create mode, force directory mode, force group, force user, delete readonly, map archive, map system, map hidden
Name Mangling and Case
The Samba Mangling Operation
Original filename                    Mangled name
virtuosity.dat                       VIRTU~F1.DAT
.htaccess                            HTACC~U0._ _ _
hello.java                           HELLO~1F.JAV
team.config.txt                      TEAMC~04.TXT
antidisestablishmentarianism.txt     ANTID~E3.TXT
antidiseast.txt                      ANTID~9K.TXT
Representing and resolving filenames with Samba
Name Mangling and Case
Mangling Options: case sensitive, default case, preserve case, short preserve case, mangled names, mangle case, mangling char, mangled stack, mangled map
Locks and Oplocks
Opportunistic Locking
Locks and Oplocks
Unix and Locking
Locking Options: share modes, locking, strict locking, blocking locks, oplocks
Locks and Oplocks
fake oplocks, kernel oplocks, veto oplock files, lock directory
Users
Users and Groups
[dave]
   path = /home/dave
   comment = Dave's home directory
   writeable = yes
   valid users = dave
Abbreviation of user's home directory by using the %H variable
[dave]
   comment = %U home directory
   writeable = yes
   valid users = dave
   path = %H
Users and Groups
The [homes] Share: when user sofia connects, Samba creates a new disk share called [sofia]
with the path specified in the [homes] section. If there is no path option specified in [homes], Samba initializes it to her home directory.
Samba initializes the new share's options from the defaults in [global], plus any overriding options in [homes], with the exception of browseable.
Samba then connects sofia's client to that share.
Controlling Access to Shares
Guest Access
[sales]
   path = /home/sales
   comment = Fiction Corp Sales Data
   writeable = yes
   guest ok = yes
   guest account = ftp
   guest only = yes
Access Control Options: admin users, valid users, invalid users
Controlling Access to Shares
read list, write list, max connections, guest only, guest account
Username Options: username map, username level
Security
Authentication Security
Share-level Security
Authentication Security
Share-Level Security Options: only user, username
User-level Security
Domain-level Security: adding a Samba server to a Windows NT domain
Authentication Security
Server Level Security
A typical system setup using server level security
Passwords: disabling encrypted passwords on the client
The smbpasswd file: structure of an smbpasswd file entry (actually one line)
Adding entries to smbpasswd; changing the encrypted password
Password synchronization
Password Configuration Options: unix password sync, encrypt passwords, passwd program, passwd chat, passwd chat debug, password level, update encrypted, null passwords, smb passwd file, hosts equiv, use rhosts
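The access-control, security-mode and password options above (the [global] and [test] configuration file, guest access in the [sales] share, share-level security, encrypt passwords, null passwords, hosts equiv / use rhosts, wide links) as an added example, not a Samba tool: a small static checker that parses smb.conf the way Samba names parameters and reports the weak settings. It is run against a weak configuration and a hardened one, both constructed from the fragments on these slides.

```python
"""Static check of an smb.conf for the weak settings discussed in the
share-access, security-mode and password slides. Added example, not a Samba
tool; both configurations below are constructed from the slides' fragments."""
import re

SYNONYMS = {"public": "guestok", "writable": "writeable", "browsable": "browseable"}


def parse_smb_conf(text: str) -> dict:
    """{section: {param: value}}. Samba matches parameter names ignoring case
    and whitespace ('Guest OK' == 'guestok'); synonyms are folded."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()
            conf[section][SYNONYMS.get(key, key)] = value.strip()
    return conf


def is_true(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def share_is_writable(params: dict) -> bool:
    """'read only = yes' is Samba's default; 'writeable' is its inverse."""
    if "writeable" in params:
        return is_true(params["writeable"])
    return not is_true(params.get("readonly", "yes"))


def audit(conf: dict) -> list:
    """(section, finding) pairs: [global] checks first, then shares in file
    order. Share parameters set in [global] act as defaults for every share."""
    findings, g = [], conf.get("global", {})
    if g.get("security", "user").lower() == "share":
        findings.append(("global", "security = share: one password per share, no per-user identity (removed in Samba 4)"))
    if "encryptpasswords" in g and not is_true(g["encryptpasswords"]):
        findings.append(("global", "encrypt passwords = no: clients send plaintext passwords in session setup"))
    if is_true(g.get("nullpasswords", "no")):
        findings.append(("global", "null passwords = yes: accounts with empty passwords can log on"))
    if is_true(g.get("userhosts", "no")) or g.get("hostsequiv"):
        findings.append(("global", "use rhosts / hosts equiv: password-less logon trusted to a client hostname"))
    for name, own in conf.items():
        if name == "global":
            continue
        p = {**g, **own}
        if is_true(p.get("printable", "no")):
            continue                        # print shares only accept spool files
        if is_true(p.get("guestok", "no")) and share_is_writable(p):
            findings.append((name, "guest ok = yes on a writable share: anonymous write access"))
        # Defaults follow current Samba (wide links = no); before 3.4.6 the default was yes.
        if is_true(p.get("widelinks", "no")) and is_true(p.get("followsymlinks", "yes")):
            findings.append((name, "wide links + follow symlinks: a symlink can escape the share path"))
    return findings


# Constructed from the slides: share-level security, plaintext passwords,
# an anonymous writable [sales] share, and wide links on [test].
WEAK_CONF = """
[global]
   security = share
   encrypt passwords = no
[sales]
   path = /home/sales
   writeable = yes
   guest ok = yes
   guest account = ftp
[test]
   path = /export/samba/test
   read only = yes
   guest ok = yes
   wide links = yes
[printers]
   path = /usr/tmp
   guest ok = yes
   printable = yes
"""

# Same shares: user-level security, encrypted passwords, [sales] limited to
# a group (hypothetical group name), read-only guest access to [test] kept.
HARDENED_CONF = """
[global]
   security = user
   encrypt passwords = yes
[sales]
   path = /home/sales
   writeable = yes
   valid users = @sales
   guest ok = no
[test]
   path = /export/samba/test
   read only = yes
   guest ok = yes
"""

if __name__ == "__main__":
    for section, finding in audit(parse_smb_conf(WEAK_CONF)):
        print(f"[{section}] {finding}")
    print("hardened:", audit(parse_smb_conf(HARDENED_CONF)))
```

Run testparm first so the checker only sees a file Samba itself accepts; the checker looks at what is written, not at the daemon's effective defaults, so an option that is simply absent is reported only where the Samba default is itself the unsafe value.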
Domain
Windows Domains
Configuring Samba for Windows domain logons: Windows 95/98 clients; Windows NT clients; creating trust accounts for NT clients
Domain Options: domain logons, domain group map, domain user map, local group map, revalidate
Windows DomainsConfiguring Windows Clients for Domain Logons
Configuring a Windows 95/98 client for domain logon
Windows Domains: Windows 95/98 and Windows NT 4.0
Configuring a Windows NT client for domain logons
Logon Scripts Samba with logon Script option
[global]
   domain logons = yes
   security = user
   workgroup = SIMPLE
   os level = 34
   local master = yes
   preferred master = yes
   domain master = yes
   logon script = %U.bat
[netlogon]
   comment = The domain logon service
   path = /export/samba/logon
   public = no
   writeable = no
   browsable = no
Logon ScriptsRoaming profiles
Local profiles versus roaming profiles
Logon Scripts
Mandatory profiles
Logon Script Options: logon script, logon path, logon drive, logon home
Logon Scripts
Other Connection Scripts: root preexec, preexec, postexec, root postexec
Working with NIS and NFS: nis homedir, homedir map
Printing and Naming Resolution
Sending Print Jobs to Samba
Print commands; printing variables; a manual printing setup; the [printers] share; test printing; setting up and testing a Windows client
Sending Print Jobs to Samba
Automatically Setting Up Printer Drivers:
1. Install the drivers on a Windows client
2. Create a printer definition file
3. Create a PRINTER$ share
4. Modify the Samba configuration file
5. Test the configuration
Printing to Windows Client Printers
BSD printers; System V printers
Samba Printing Options: printing, printable, printer, printer driver, printer driver file, printer driver location, lpq cache time
Printing to Windows Client Printers
postscript, print command, lpq command, lprm command, lppause command, lpresume command, load printers, printcap name, min print space, queuepause command, queueresume command
Name Resolution with Samba
The LMHOSTS file; setting up Samba to use another WINS server; setting up Samba as a WINS server
Name Resolution Configuration Options: wins support, wins server, wins proxy, dns proxy, name resolve order, max ttl, max wins ttl, min wins ttl
Additional Samba Information
Supporting programmers
Time Synchronization: time server, wins offset, dos filetimes, dos filetime resolution, fake directory create times
Magic Scripts
magic script
magic output
Internationalization
client code page
character set
coding system
valid chars
WinPopup Messages
message command
Recently Added Options
change notify timeout
machine password timeout
stat cache
stat cache size
Miscellaneous Options
Deadtime
dfree command
fstype
keep alive
max mux
max open files
max xmit
Miscellaneous Options
nt pipe support
nt smb support
ole locking compatibility
panic action
set directory
smbrun
status
Miscellaneous Options
strict sync
sync always
strip dot
Backups with smbtar
Troubleshooting Samba
The Tool Bag
Samba Logs: log levels; activating and deactivating logging; logging by individual client machines or users
Samba Test Utilities; Unix Utilities: using trace, using tcpdump
The Fault Tree
How to use the fault tree
Troubleshooting low-level IP: testing the networking software with ping; testing local name services with ping; testing the networking hardware with ping; testing connections with ping
Troubleshooting TCP Testing TCP with FTP
The Fault Tree
Troubleshooting Server Daemons: before you start; looking for daemon processes with ps; looking for daemons bound to ports; checking smbd with telnet; testing daemons with testparm
Troubleshooting SMB Connections A minimal smb.conf file
The Fault Tree
Testing locally with smbclient; testing connections with smbclient; testing connections with NET USE; testing connections with Windows Explorer
Troubleshooting Browsing A minimal smb.conf file
X-Window System
Anitha Nallamalla
X-Windowing System• Device independent graphical and windowing software.
• Developed by MIT in 1984.
• The most current version used is X11.
• Before X every manufacturer used to have their own proprietary windowing system.
• However with X the programmer can write a single application in a single language and run this program on different machines.
Configuring the X-Windows Server
Once X is running, the configuration program xf86config can be used. The primary configuration file for the X server is /etc/XF86Config or /etc/X11/XF86Config. It is divided into sections, including:
- The Screen section.
- The Device section.
- The Monitor section.
The general form of each is:
Section "section name"
    section info
EndSection
X-Windows System Architecture
X-Windows System Architecture
The main body of application programming is carried out using a widget set, which interfaces to Xlib through the Xt Intrinsics.
Both the Xt Intrinsics and the widget set are written in C and built on top of Xlib.
The widget set is essentially a library of pre-programmed graphical components.
The Xt Intrinsics provide a framework that allows the application programmer to combine these components to produce a user interface.
X-Windows Principles
Background Display
The display of information in X is bit-mapped.
X, like other windowing systems, divides the screen into various parts that control input and output.
Each window can act as a standard terminal.
An application need not be limited to a single window: a window can contain sub-windows.
Each sub-window is called a child window.
X-Windows Principles
X-System Concepts and Definitions
X requires a system that consists of workstations capable of bit-mapped graphics.
A display is defined as a workstation consisting of a keyboard, a pointing device and one or more screens.
Components of X-Windows
Any X Window system consists of two distinct parts: an X server, and one or more clients.
Because X is a networked window system, the client can communicate with the server via TCP/IP over an Ethernet link, or over alternative protocols and media such as DECnet or even a serial line.
Components of X-Windows
X Server
When using X on a workstation, the first task is to start the X server. This can be done with the xinit command, but starting the server this way is not a good idea because it simply starts the server without giving the opportunity to start any clients. The normal method of starting X is the startx command, which:
- first starts the server;
- then checks whether the user has a personal X start-up command file, ~/.xinitrc.
If it exists, the commands contained in it are executed.
If it does not exist, a simple default start-up configuration, found in /usr/lib/X11/xinit/xinitrc, is used.
X-ClientsEach application or task which runs under X is known as an X-Client.
Commonly used X-Clients
xterm client: the most commonly used X client. It provides a terminal window on the machine on which the xterm client is running.
xman client: a graphical interface to the Unix manual pages.
xedit client: a simple text editor.
Commonly used X-Clients
xbiff client: notifies you when new mail arrives.
xeyes client: draws two eyes that follow the mouse pointer around as it moves.
xclock client: displays an analogue clock on the screen.
Unprotected X-Windows
Communication between the X server and an X client includes:
X terminal modification: font management, mouse management, color mapping and keyboard mapping.
X events: keyboard and mouse input.
X data: modifications to the X terminal screen, such as writing text, creating a window or drawing an image.
Unprotected X-Windows
An attacker who can access and change X communications may:
Modify session parameters.
Create or destroy windows.
Capture X events.
Create X events.
The local host problem: running the display with access control enabled (xhost -) guards against remote XOpenDisplay calls.
But an intruder who has an account on the system can log into the host and connect to the display of the local host. Dumping the target's screen is easily accomplished:
$ rlogin target
$ xwd -root -display localhost:0.0 > ~/snarfed.xwd
$ exit
$ xwud -in ~/snarfed.xwd
The Xlib routine problem: every Xlib routine takes the Display structure as its first argument, so any client that can open the display can issue any request. For an intruder, the most useful manipulations are grabbing windows and keystrokes.
Unprotected X-Windows
xterm log file vulnerability: the xterm program provides the user with a command-line prompt. Through its log-file feature, local users may gain root access to the system.
This vulnerability exists on systems running X11R5 and earlier where xterm is installed with setuid or setgid privileges.
Approaches to Security
Two different approaches to security: host authentication and token authentication.
Host Authentication: certainly the most widely used mechanism for X security is the xhost program.
Using xhost: each X server maintains a list of hosts that may or may not access it.
Some xhost commands and their syntax:
To display the list of hosts allowed to access the X server: xhost
To add a host, say bar.foo.org: xhost + bar.foo.org
To remove that same host: xhost - bar.foo.org
An X server may be opened to the world by disabling access control: xhost +
Access control may be re-enabled with: xhost -
xhost takes priority over token authentication: a connection from a host on the list is accepted without any cookie, so every user on that host can connect. Host-based access control therefore protects nothing on a multi-user machine.
Token Authentication
The X server can control a user's access through the use of a magic cookie.
It is essentially a machine-readable, randomly generated access code (the MIT-MAGIC-COOKIE-1 scheme).
xauth program: the xauth program is used for editing and displaying the user's magic cookie authorization information.
Pushing the authorization information to a remote host can be done with the command:
xauth extract - $DISPLAY | rsh ahost.foo.org xauth merge -
(This sends the cookie over rsh in the clear; on a modern system, ssh with X forwarding installs a cookie on the remote host itself.)
Approaches to Security
The result is that the user who executed this command can now run X clients on ahost.foo.org and have them displayed on the X server.
The key improvement is that the user who ran this command is now the only user on ahost.foo.org who can connect an X client to their X server.
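The magic-cookie mechanism above, as an added example in Python that is not part of the original slides: the .Xauthority record format that xauth extract writes and xauth merge reads, random cookie generation, and the constant-time comparison an X server should apply before admitting a client. The entries and hostnames (foo.org, ahost.foo.org) are constructed for illustration, not read from a real ~/.Xauthority.

```python
"""MIT-MAGIC-COOKIE-1 as used by xauth: the .Xauthority record format that
'xauth extract' writes and 'xauth merge' reads, cookie generation, and the
constant-time check a server should apply. Added example; all entries are
constructed here, not read from a real ~/.Xauthority."""
import hmac
import os
import struct

FAMILY_INTERNET = 0       # address = 4-byte IPv4
FAMILY_LOCAL = 256        # unix-domain socket; address = hostname
COOKIE_NAME = b"MIT-MAGIC-COOKIE-1"


def _field(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def pack_entry(family: int, address: bytes, display: str, cookie: bytes,
               name: bytes = COOKIE_NAME) -> bytes:
    """One record: family(2), then length-prefixed address, display number,
    auth name and auth data. All integers are big-endian."""
    return (struct.pack(">H", family) + _field(address) + _field(display.encode())
            + _field(name) + _field(cookie))


def unpack_entries(blob: bytes) -> list:
    entries, off = [], 0
    while off < len(blob):
        family = struct.unpack_from(">H", blob, off)[0]
        off += 2
        fields = []
        for _ in range(4):
            n = struct.unpack_from(">H", blob, off)[0]
            off += 2
            fields.append(blob[off:off + n])
            off += n
        entries.append({"family": family, "address": fields[0],
                        "display": fields[1].decode(), "name": fields[2], "data": fields[3]})
    return entries


def new_cookie() -> bytes:
    """128 bits from the OS RNG, as mcookie(1) / 'xauth generate' produce."""
    return os.urandom(16)


def _key(e: dict) -> tuple:
    return e["family"], e["address"], e["display"], e["name"]


def extract(entries: list, family: int, address: bytes, display: str) -> bytes:
    """What 'xauth extract - $DISPLAY' emits: the matching records, packed."""
    return b"".join(pack_entry(e["family"], e["address"], e["display"], e["data"], e["name"])
                    for e in entries if _key(e)[:3] == (family, address, display))


def merge(entries: list, blob: bytes) -> list:
    """What 'xauth merge -' does on the remote host: replace records with the
    same (family, address, display, name) key, append the rest."""
    merged = list(entries)
    for new in unpack_entries(blob):
        merged = [e for e in merged if _key(e) != _key(new)]
        merged.append(new)
    return merged


def authorize(entries: list, family: int, address: bytes, display: str, presented: bytes) -> bool:
    """Server-side check: the client's cookie must equal the stored one for
    this display. Compare in constant time so timing does not leak bytes."""
    for e in entries:
        if _key(e) == (family, address, display, COOKIE_NAME):
            return hmac.compare_digest(e["data"], presented)
    return False


if __name__ == "__main__":
    cookie = new_cookie()
    local = [{"family": FAMILY_LOCAL, "address": b"foo.org", "display": "0",
              "name": COOKIE_NAME, "data": cookie}]
    blob = extract(local, FAMILY_LOCAL, b"foo.org", "0")       # xauth extract - :0
    remote = merge([], blob)                                    # xauth merge - on ahost.foo.org
    print("remote can connect:", authorize(local, FAMILY_LOCAL, b"foo.org", "0", remote[0]["data"]))
```

The cookie is a bearer secret: whoever can read the file (or the rsh stream in the command above) holds the same access as the user, which is why ~/.Xauthority must stay mode 0600 and why the cookie should travel only over an encrypted channel.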
Remedy for the xterm log file vulnerability: various vendor patches are available to overcome this vulnerability.