SAMBA

NAVEEN K PRASADAM

IMRAN RIAZ

HISTORY

Samba is the brainchild of Andrew Tridgell, who currently heads the Samba development team from his home of Canberra, Australia. SAMBA project was born in 1991 when Andrew created a fileserver program for his local network that supported an odd DEC protocol from Digital Pathworks. Tridgell followed Unix renaming approach to get the name grep -i 's.*m.*b' /usr/dict/words salmonberry samba sawtimber scramble is the result.Thus the name "Samba" was born.

SERVICES

Share one or more filesystemsShare printers installed on both the server and its clientsAssist clients with Network Neighborhood browsingAuthenticate clients logging onto a Windows domainProvide or assist with WINS name server resolution

SAMBA IN ACTION

SHARING A DISK SERVICE

SHARING A PRINTER

VIEW FROM UNIX SIDE# smbstatusSamba version 2.0.4Service uid gid pid machine----------------------------------------------network davecb davecb 7470 phoenix (192.168.220.101) Sun May 16 network davecb davecb 7589 chimaera (192.168.220.102) Sun May 16 Locked files:Pid DenyMode R/W Oplock Name--------------------------------------------------7589 DENY_NONE RDONLY EXCLUSIVE+BATCH /home/samba/quicken/inet/common/system/help.bmp Sun May 16 21:23:40 19997470 DENY_WRITE RDONLY NONE /home/samba/word/office/findfast.exe Sun May 16 20:51:08 19997589 DENY_WRITE RDONLY EXCLUSIVE+BATCH /home/samba/quicken/lfbmp70n.dll Sun May 16 21:23:39 19997589 DENY_WRITE RDWR EXCLUSIVE+BATCH /home/samba/quicken/inet/qdata/runtime.dat Sun May 16 21:23:41 19997470 DENY_WRITE RDONLY EXCLUSIVE+BATCH /home/samba/word/office/osa.exe Sun May 16 20:51:09 19997589 DENY_WRITE RDONLY NONE /home/samba/quicken/qversion.dll Sun May 16 21:20:33 19997470 DENY_WRITE RDONLY NONE /home/samba/quicken/qversion.dll Sun May 16 20:51:11 1999Share mode memory usage (bytes): 1043432(99%) free + 4312(0%) used + 832(0%) overhead = 1048576(100%) total

UNDERSTANDING NETBIOS

In 1984, IBM authored a simple application programming interface (API) for networking its computers called the Network Basic Input/Output System (NetBIOS). The NetBIOS API provided a rudimentary design for an application to connect and share data with other computers. NetBIOS, however, originally had to exchange instructions with computers across IBM PC or Token Ring networks. NETBIOS required a low-level transport protocol to carry its requests from one computer to the next.

UNDERSTANDING NETBIOS

In late 1985, IBM released one such protocol, which it merged with the NetBIOS API to become the NetBIOS Extended User Interface ( NetBEUI).

NetBEUI was designed for small local area networks (LANs), and it let each machine claim a name (up to 15 characters) that wasn't already in use on the network.

In 1987, the Internet Engineering Task Force (IETF) published a series of standardization documents, titled RFC 1001 and 1002, that outlined how NetBIOS would work over a TCP/UDP network.

NBT

NBT offers• A name service• Two communication services

Data grams Sessions

Name service

In the NetBIOS world, when each machine comes online, it wants to claim a name for itself; this is called name registration However, no two machines in the same workgroup should be able to claim the same name.There are two different approaches to ensuring that this doesn't happen:Use a NetBIOS Name Server (NBNS) to keep track of which hosts have registered a NetBIOS name. Allow each machine on the network to defend its name in the event that another machine attempts to use it.

NBNS versus non-NBNS name registration

NBNS versus non-NBNS name registration

there must be a way to resolve a NetBIOS name to a specific IP address as mentioned earlier; this is known as name resolution Have each machine report back its IP address when it "hears" a broadcast request for its NetBIOS name.Use the NBNS to help resolve NetBIOS names to IP addresses.

NBNS versus non-NBNS name resolution

Node Types

b-node -Uses broadcast registration and reolution only

p-node -Uses point-to-point registration and resolution only

m-node -Uses broadcast for registration. If successful, it notifies the NBNS server of the result. Uses broadcast for resolution; uses NBNS server if broadcast is unsuccessful

h-node -Uses NBNS server for registration and resolution; uses broadcast if the NBNS server is unresponsive or inoperative.

The structure of NetBIOS names

DATAGRAMS

Packets of data are simply sent or broadcast from one machine to another without regard for the order that they arrive at the destination, or even if they arrive at all.The datagram service has no stable connection between one machine and another

Datagrams, therefore, are used for quickly sending simple blocks of data to one or more machines.

SESSIONS

Sessions are a communication method that, in theory, offers the ability to detect problematic or inoperable connections between two NetBIOS applications.

It helps to think of an NBT session in terms of a telephone call.

Each side knows who the caller and the called machine is, and can communicate with the simple primitives

MICROSOFT IMPLEMENTATIONS

WINDOWS DOMAINS

A Windows domain goes a step further. It is a workgroup of SMB machines that has one addition: a server acting as a domain controller.

Windows domains are called "Windows NT domains

A simple Windows domain

RESPONSIBILITIES

AUTHENTICATION-Authentication is the process of granting or denying a user access to a shared resource on another network machine

Each domain controller uses a security account manager (SAM) to maintain a list of username-password combinations.

Using a domain controller for authentication

Primary and backup domain controllers

Redundancy is a key idea behind a Windows domain The domain controller that is currently active on a domain is called the primary domain controller (PDC). Backup domain controllers (BDCs) in the domain as well, which will take over in the event that the primary domain controller fails or becomes inaccessible BDCs frequently synchronize their SAM data with the primary domain controller so that, if the need arises, any one of them can perform DC services

Browsing

Levels of browsing

Browsing a list of machines (with shared resources)

Browsing the shared resources of a specific machine

BROWSING

THE computer which maintains list of the machines that are currently accessible through the network is called the local master browser.

The list that it maintains is called the browse list.

Machines on a subnet use the browse list in order to cut down on the amount of network traffic generated while browsing .

BROWSING

To browse the actual resources on a machine, a user must connect to the specific machine. Browsing the list of resources on a machine can be done by clicking on the machine's icon when it is presented in the Network Neighborhood in Windows 95/98 or NT. Each of the servers on a Windows workgroup is required to announce its presence to the local master browser after it has registered a NetBIOS name .

Windows Internet Name Service (WINS)

The Windows Internet Name Service (WINS) is Microsoft's implementation of a NetBIOS name server (NBNS). WINS is dynamic: when a client first comes online, it is required to report its hostname, its address, and its workgroup to the local WINS server .This WINS server will retain the information so long as the client periodically refreshes its WINS registration, which indicates that it's still connected to the network.

Samba Distribution

smbd The smbd daemon is responsible for managing the

shared resources between the Samba server machine and its clients. It provides file, print, and browser services to SMB clients across one or more networks.

smdb handles all notifications between the Samba server and the network clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the SMB protocol.

Samba DistributionThe Samba distribution also comes with a small set of Unix command-line tools:smbclient

An FTP-like Unix client that can be used to connect to Samba sharessmbtar

A program for backing up data in shares, similar to the Unix tar commandnmblookup

A program that provides NetBIOS over TCP/IP name lookupssmbpasswd

A program that allows an administrator to change the encrypted passwords used by Samba

smbstatus A program for reporting the current network connections to the shares on a Samba

servertestparm

A simple program to validate the Samba configuration filetestprns

A program that tests whether various printers are recognized by the smbd daemon

Samba 2.0

NT Domains

Ease of Administration

Performance

Compatibility Improvements

Smbwrapper

INSTALLATION

Download the source or binary files.Read the installation documentation.Configure a make file.Compile the server code.Install the server files.Create a Samba configuration file.Test the configuration file.Start the Samba daemons.Test the Samba daemons.

Setting Up Windows 95/98 Computers

Accounts and Passwords

The Passwords Properties panel                   

                                                                                               

Changing the Windows password

The Change Passwords tab

                                                                                                                                        

The Change Windows Password dialog box

Windows Networking profiles

SETTING UP THE NETWORK

The Windows 95/98 Network panel

Adding TCP/IP

Selecting a protocol to install

Adding TCP/IP

Selecting a protocol to install

Configuring TCP/IP

Selecting the correct TCP/IP protocol

STCP/IP Properties panel

STCP/IP Properties panel

There are seven tabs near the top of this panel, and you will need to configure four of them:

IP address

DNS configuration

WINS configuration

Bindings

DNS Configuration tab

WINS Configuration tab

The WINS Configuration tab

The Bindings tab

The Bindings tab

Setting Your Name and Workgroup

The Identification tab

Accessing the Samba Server

Shares on Server

Setting Up Windows NT 4.0 Computers

There are six basic steps:

Assign the machine a name.

Install the Workstation service.

Install the TCP/IP protocol.

Set the machine's name and IP address.

Configure the DNS and WINS name services.

Bind the protocol and service together.

SMB/CIFS

SMB/CIFS. SMB/CIFS is the protocol that Windows 95/98 and NT machines use to communicate with the Samba server and each other At a high level, the SMB protocol suite is relatively simple It includes commands forOpening and closing a fileCreating and deleting files and directoriesReading and writing a fileSearching for filesQueueing and dequeueing files to a print spool

SMB Format

SMB is a "request-response" protocol

A client sends an SMB request to a server, and the server sends an SMB response back to the client.

Smb contains

The header, which is a fixed size

Command string, whose size can vary dramatically based on the contents of the message.

SMB Clients and Servers

Two computers that both have resources to share

SMB Clients and Servers

The important points in Samba terminology:

A server is a machine with a resource to share.

A client is a machine that wishes to use that resource.

A server can be a client (of another computer's resource) at any given time

A Simple SMB Connection

Establish a virtual connection.

Negotiate the protocol variant to speak.

Set session parameters.

Make a tree connection to a resource.

Establishing a virtual connection

User first makes a request to access a network disk or send a print job to a remote printer

NetBIOS takes care of making a connection at the session layer.

The result is a bidirectional virtual channel between the client and server

Negotiating the Protocol Variant

The client sends a message to the server to negotiate an SMB protocol The client sets its tree identifier (TID) field to zero, since it does not yet know what TID to use The command in the message is SMBnegprot, a request to negotiate a protocol variant that will be used for the entire session The server responds to the SMBnegprot request with an index into the list of variants that the client offered

Set Session and Login Parameters

To transmit session and login parameters for the session.This includes the account name and password (if there is one), the workgroup name, the maximum size of data that can be transferredNumber of pending requests that may be in the queue at any one time.

Making Connection to a Resource

"A" for a disk or file

"LPT1" for a spooled output

"COMM" for a direct-connect printer or modem

"IPC" for a named pipe

Samba Configuration File

[global] ...

[homes] ...

[printers] ...

[test] ...

Samba Configuration File[global] log level = 1 max log size = 1000 socket options = TCP_NODELAY IPTOS_LOWDELAY guest ok = no [homes] browseable = no map archive = yes [printers] path = /usr/tmp guest ok = yes printable = yes min print space = 2000 [test] browseable = yes read only = yes guest ok = yes path = /export/samba/test

Browsing and Advanced Disk Shares

Browsing

Preventing Browsing

Default Services

Browsing Elections

Domain Master Browser

Multiple subnets

Browsing

Multiple subnets

Browsing

Browsing Options Announce as Announce version Browseable Browse list Auto services Default Service Local master

Browsing

lm announce lm interval preferred master OS level Remote browse sync Remote announce

File system Differences

Hiding and Vetoing Files

File system Differences

Links An error dialog trying to follow symbolic

links when forbidden by Samba

File system Differences

File System Options unix realname don’t descend follow symlinks getwd cache wide links hide files hide dot files veto files delete veto files

File Permissions and Attributes on MS-DOS and Unix

DOS and Windows file properties

File Permissions and Attributes on MS-DOS and Unix

How Samba and Unix view the permissions of a file

File Permissions and Attributes on MS-DOS and Unix

Creation masks

File and Directory Permission Options create mask directory mask force create mode force directory mode force group

File Permissions and Attributes on MS-DOS and

Unix force user delete readonly map archive map system map hidden

Name Mangling and Case

The Samba Mangling Operation virtuosity.dat VIRTU~F1.DAT .htaccess HTACC~U0._ _ _ hello.java HELLO~1F.JAV team.config.txt TEAMC~04.TXT

antidisestablishmentarianism.txt ANTID~E3.TXT

antidiseast.txt ANTID~9K.TXT Representing and resolving filenames with Samba

Name Mangling and Case

Mangling Options case sensitive default case preserve case short preserve case mangled names mangle case mangling char mangled stack mangled map

Locks and Oplocks

Opportunistic Locking

Locks and Oplocks

Unix and Locking share modes locking strict locking blocking locks oplocks

Locks and Oplocks

fake oplocks kernel oplocks veto oplock files lock directory

Users

Users and Groups

[dave] path = /home/dave comment = Dave's home directory writeable = yes valid users = dave

Abbreviation of user's home directory by using the %H variable

[dave] comment = %U home directory writeable = yes valid users = dave path = %H

Users and Groups

The [home] Share Samba creates a new disk share called [sofia]

with the path specified in the [homes] section. If there is no path option specified in [homes], Samba initializes it to her home directory.

Samba initializes the new share's options from the defaults in [globals], and any overriding options in [homes] with the exception of browseable.

Samba connects sofia's client to that share.

Controlling Access to Shares

Guest Access [sales] path = /home/sales comment = Fiction Corp Sales Data writeable = yes guest ok = yes guest account = ftp guest only = yes

Access Control Options admin users valid users and invalid users

Controlling Access to Shares

read list and write list max connections guest only guest account

Username Otpions username map username level

Security

Authentication Security

Share-level Security

Authentication Security

Share Level Security Share Level Security Options Only user username

User-level SecurityDomain-level Security Adding a Samba server to a Windows NT Domain

Authentication Security

Server Level Security

A typical system setup using server level security

PasswordsDisabling encrypted password on the client

The smbpasswd fileStructure of the smbpasswd file entry

(actually one line)

Passwords Adding entries to smbpasswd Changing the encrypted password

Password SynchronizationPassword Configuration Options Unix password sync encrypt passwords passwd program passwd chat

Passwords

passwd chat debug password level update encrypted null passwords Smb passwd file hosts equiv use rhosts

Domain

Windows DomainsConfiguring Samba for Windows Domain Logons Windows 95/98 clients Windows NT clients Creating trust accounts for NT clients

Domain Options domain logons domain group map domain user map local group map revalidate

Windows DomainsConfiguring Windows Clients for Domain Logons

Configuring a Windows 95/98 client for domain logon

Windows Domains Windows 95/98 Windows NT 4.0Configuring a Windows NT client for domain logons

Logon Scripts Samba with logon Script option

[global] domain logons = yes security = user workgroup = SIMPLE os level = 34 local master = yes preferred master = yes domain master = yes logon script = %U.bat [netlogon] comment = The

domain logon service path = /export/samba/logon public = no writeable = no browsable = no

Logon ScriptsRoaming profiles

Local profiles versus roaming profiles

Logon Scripts

Mandatory profiles

Logon Script Options logon script logon path logon drive logon home

Logon Scripts

Other Connection Scripts root preexec preexec postexec root postexec

Working with NIS and NFS nis homedir and homedir map

Printing and Naming Resolution

Sending Print Jobs to Samba

Print CommandsPrinting VariablesA Manual Printing SetupThe [printers] ShareTest PrintingSetting Up and Testing a Windows Client

Sending Print Jobs to Samba

Automatically Setting Up Printer Drivers Install the drivers on windows client Create a printer definition file Create a PRINTER$ share Modify the Samba configuration file Testing the configuration

Printing to Windows Client Printers

BSD printersSystem V printersSamba Printing Options Printing Printable Printer printer driver printer driver file printer driver location lpq cache time

Printing to Windows Client Printers

postscript print command, lpq command. Lprm command,

lppause command, lpresume command load printers printcap name min print space queuepause command queueresume command

Name Resolution with Samba

The LMHOSTS FileSetting up Samba to use another WINS Server Setting up Samba as a WINS ServerName Resolution Configuration Options wins support wins server wins proxy dns proxy

Name Resolution with Samba

name resolve order max ttl max wins ttl min wins ttl

Additional Samba Information

Supporting programmers

Time Synchronization time server wins offset dos filetimes dos filetime resolution fake directory create times

Magic Scripts

magic script

magic output

Internationalization

client code page

character set

coding system

valid chars

WinPopup Messages

message command

Recently Added Options

change notify timeout

machine password timeout

stat cache

stat cache size

Miscellaneous Options

Deadtime

dfree command

fstype

keep alive

max mux

max open files

max xmit

Miscellaneous Options

nt pipe support

nt smb support

ole locking compatibility

panic action

set directory

smbrun

status

Miscellaneous Options

strict sync

sync always

strip dot

Backups with smbtar

Troubleshooting Samba

The Tool Bag

Samba Logs Log levels Activating and deactivating logging Logging by individual client machines or users

Samba Test UtilitiesUnix Utilities Using trace Using tcpdump

The Fault Tree

How to use the fault treeTrouble Shooting Low-level IP Testing the networking software with ping Testing local name services with ping Testing the networking hardware with ping Testing connections with ping

Troubleshooting TCP Testing TCP with FTP

The Fault Tree

Troubleshooting Server Daemons Before you start Looking for daemon process with ps Looking for daemons bound to ports Checking smbd with telnet Testing daemons with testparm

Troubleshooting SMB Connections A minimal smb.conf file

The Fault Tree

Testing locally with smbclient Testing connections with smbclient Testing connections with NET USE Testing connections with Windows

Explorer

Troubleshooting Browsing A minimal smb.conf file

????

X-Window System

Anitha Nallamalla

X-Windowing System• Device independent graphical and windowing software.

• Developed by MIT in 1984.

• The most current version used is X11.

• Before X every manufacturer used to have their own proprietary windowing system.

• However with X the programmer can write a single application in a single language and run this program on different machines.

Configuring the X-Windows Server

Once the X-Windows is running, the configuration program Xf86config can be used.The primary configuration file for X Server is /etc/XF86config or /etc/X11/XF86config.This is divided into three sections:

- The screen section. - The device section. - The monitor section.

The general form is section “section name” section info endsection

X-Windows System Architecture

X-Windows System Architecture

The main body of application programming is carried out using widget set which interfaces to Xlib called the XTintrinsics.

Both the XTintrinsics and the widget set are written in C and built-on top of Xlib.

The widget set is essentially a library of pre-programmed graphic routines.

The XTintrinsics provide a framework that allows the application programmer to combine these components to produce a user interface.

X-Windows Principles

Background Display

The display of information in X are bit-mapped.

X like other windowing systems divides the screen into various parts that control input and output.

Each window can act as a standard terminal.

All applications need not have a single window.

Each sub-window is called a child window

X-Windows Principles

X-System Concepts and Definitions

X requires a system that consists of workstations capable of bit-mapped graphics.

A display is defined as a workstation consisting of a keyboard, a pointing device and one or more screens.

Components of X-Windows

Any X-Windows system consists of two distinct partsX Server, andOne or more Clients.

As X is a networked window system the client can communicate with the server via

TCP-IP over the ethernet link.Alternative protocols and communication media such as DECnet or even thru serial line.

Components of X-Windows

X ServerWhen using X on a workstation,

- first task is to start-up the X Server. - it is accomplished using the script Xinit.

Starting the server in this way, using Xinit is not a good idea because, it simply starts-up the server without giving opportunity to start any clients.The normal method of starting X is to use the startx command. In this method

- first start the server.

Components of X-Windows

- check to see if the user has a personal X start-up command filename ~/.xinitrc.

If it exists

- the commands contained within it will be executed.

If it does not exist

- a simple default start-up configuration which can be found in /usr/lib/X11/xinit/xinitrc will be used.

X-ClientsEach application or task which runs under X is known as an X-Client.

Commonly used X-Clients

Xterm ClientIt is the most commonly used X-Clients.Provides a terminal window to the machine on which the Xterm client is running.

Xman ClientIt is a graphical interface to the Unix manual pages.

Xedit ClientIt is a simple text editor.

Commonly used X-Clients

Xbiff ClientIt notifies you when new mail arrives.

X-eyes ClientDraws two eyes which follow the mouse pointer around as it moves.

X-clock ClientX-clock displays an analogue clock on the screen.

Unprotected X-Windows

Communication between the X Server and an X-Client include:

X terminal modification: font management, mouse management, color mapping and keyboard mapping.

X event: keyboard and mouse.

X data : modification to the x terminal screen, such as writing text, creating a window, or drawing an image.

Unprotected X-Windows

Access and change to X communications may include:Modifying session parameters.Create/destroy windows.Capture X events.Create X events.

The local host problemRunning the display with access control enabled by using ‘Xhost-’ will guard from Xopen display.

Unprotected X-WindowsBut if an intruder who has an account on the system

can log into the host and can connect the display of the local host.It can be easily accomplished by dumping the screen of the host target

$r login target $xwd -root -display localhost:0.0>~/snarfed.xwd $exit

$xwud -in ~/snarfed.xwd

The Xlib routine problemIt has the display structure as its first argument.For an intruder the most important ways of manipulating is grabbing windows and keystrokes.

Unprotected X-Windows

Xterm log file vulnerabilityXterm program is used to provide the user with a command line prompt.Local users may gain root access to the system.

This vulnerability exists on the systems Which exists in X11(version 5 and earlier).With Xterm installed with setuid or setgid privileges.

Approaches to SecurityTwo different approaches to security:

Host Authentication.Token Authentication.

Host AuthenticationCertainly the most widely used mechanism for X

security is the xhost program.

Using xhostEach X Server maintains a list of hosts which may or may not access it.

Approaches to SecuritySome xhost commands and their syntaxes are:

To display a list of hosts allowed to access the X Server is xhost

To add a host, say bar.foo.org it is xhost + bar.foo.org

To remove that same host it is xhost - bar.foo.org

An X Server may be opened to the world by disabiling access control

xhost +

Access control may be re-enabled xhost –

Xhost has higher priority than token authentication.

Approaches to SecurityToken Authentication

The X Server can control a user’s access to an X Server thru the use of a magic cookie.

It is essentially a machine readable, randomly generated access code.

Xauth programThe Xauth program is used for editing and displaying the user’s magic cookie authorization information.

Pushing the authorization information to a remote host can be done with the command

xauth extract - $Display I rsh ahost.foo.org xauth merge -

Approaches to Security

The result is that the user who executed this command can now run X-Clients on ahost.foo.org and have them displayed on the X Server.

The key improvement here is the user who run this command is now the only user on ahost.foo.org who can connect an X-Client to their X Server.

Remedy for xterm log file vulnerabilityThere are various patches available to overcome this vulnerability.

References

http://www.linux-tutorial.info/cgi-bin/display.pl?99&0&0&0&3

http://bit.csc.lsu.edu/tutorial/Xnotes/X_lecture.html

http://www.tssp.co.uk/Literature/Supplements/XWindows.htm

http://ciac.llnl.gov/ciac/documents/ciac2316.html