Samba

dingdongboom, Networking and Communications

Oct 27, 2013


SAMBA

(Original slides by Dr. James Walden, NKU)

CT320: Advanced Network and System Administration

Topics

1. Why Samba?
2. Workgroups
3. NetBIOS
4. Daemons
5. samba.conf
6. Security
7. Users
8. Passwords
9. Permissions

What is Samba?

Open source UNIX implementation of SMB.
- SMB: Server Message Block.
- Protocol for sharing files, printers, serial ports, and communications such as named pipes.

Samba servers provide:
- File sharing.
- Printer sharing.
- Network browsing.
- WINS name resolution.
- Primary and backup domain controllers.

Why Samba?

1. Free
2. Faster than Windows SMB servers
3. More reliable than Windows servers
4. Handles heterogeneous networks

Workgroups

NetBIOS

- Designed to run over older network types:
  - Token ring
  - NetBEUI
  - IPX
- NetBIOS over TCP/IP (NBT or NetBT) provides:
  - Name service
  - Datagram communication
  - Session-based communication

Name Registration

A machine requests a name, and either:
1. The NetBIOS name server (NBNS) handles the request.
2. The client that already holds the name defends its ownership.

Name Resolution

A machine asks which host has name X, and either:
- The NetBIOS name server (NBNS) handles the request.
- The client with that name responds with its address.

Node Types

b-node: Uses broadcast naming only.

p-node: Uses NBNS naming only.

m-node: Broadcast registration, then notifies NBNS of name. Broadcast resolution, fails over to NBNS.

h-node: Uses NBNS, then fails over to broadcast. Default for most Windows.

NetBIOS Namespace

15-character flat namespace.

Legal characters: A-Z a-z 0-9 ! @ # $ % ^ & ( ) ' {} ~

Names have an associated resource type:
- 00: Standard workstation service.
- 03: Windows messenger service.
- 1B: Domain master browser service.
- 1D: Master browser.
- 20: File and print server.

NetBIOS Browsing

- Finding computers and resources on the net.
- Contact the master browser for the list of computers.
- Contact the individual host for its resources.
- Local master browser maintains the list of hosts.
- If the local master is down, an election determines which machine becomes the new local master browser.

Daemons

nmbd: Name resolution and registration; browsing. Supports NetBIOS name server and WINS.

smbd: File and print sharing; authentication.

winbindd: NT and ADS domain service. Not needed if not using domains.


/etc/samba/smb.conf

- Ini format configuration file.
- [section] lines are section descriptors.
- [global] section values apply to all sections.
- Other sections describe shared resources.
- var = value format.
- Many, many options.
- # and ; start comments.
- Validate with the testparm command.

Example /etc/samba/smb.conf

[global]
    workgroup = DOCS
    netbios name = DOCS_SRV
    security = share

[data]
    comment = Documentation Server
    path = /export
    read only = Yes
    guest only = Yes

Samba Firewalling

Port 137: NetBIOS network browsing.
Port 138: NetBIOS name service.
Port 139: File/print sharing.
Port 445: Used by W2k/XP when NetBIOS over TCP/IP is disabled.

Authentication Types

Share: Shares have one or more passwords. Anyone with the password can access the share.

User: Each share is configured to allow certain users. The Samba server verifies user/password pairs.

Server: Same as user-level, but another server verifies the credentials.

Domain: A domain controller provides the authentication.

Username Mapping

Samba server username checks:
1. Checks for the exact username.
2. Checks for the username in lowercase.
3. Checks for the username in lowercase with the first letter uppercase.

Username map file

File specified in smb.conf:
    username map = /etc/samba/usermap

Contains UNIX / Samba username pairs:
    darwin = DouglasArwin
    jwalden = James Walden
    users = @accounts
    nobody = *

Access Control

valid users: Only these users have access. Group names are preceded by an @ sign.

invalid users: These users do not have access. Takes precedence over the valid users option.

admin users: These users have root access to the share.
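The two slides above describe one pipeline: the client's name goes through the username map, Samba then looks for a matching UNIX account (exact, lowercase, lowercase with the first letter capitalised), and finally invalid users, valid users and admin users decide what the account may do on a share. The following added example (not from the slides and not Samba's own code) implements that pipeline over constructed accounts, group memberships, map-file text in the slide's format and a constructed share. The map-file rule that processing continues past a matching line unless that line starts with '!' is taken from smb.conf(5); under that rule the slide's trailing `nobody = *` line, with no '!' lines before it, remaps every client to nobody, which the example shows side by side with a map that uses '!'.

```python
"""Username mapping and share access control, as the two slides describe.
Added example, not Samba's code: accounts, groups, map text and share
options are all constructed here."""
import shlex

# Constructed UNIX accounts and group memberships.
UNIX_USERS = {"darwin", "jwalden", "users", "nobody", "root", "alice"}
GROUPS = {"accounts": {"bob", "carol"}, "staff": {"alice", "jwalden"}}

# Constructed map in the slide's format; a client name with a space is quoted.
USERMAP = """
# unix name = client names (space separated; @group and * allowed)
darwin = DouglasArwin
jwalden = "James Walden"
users = @accounts
nobody = *
"""

# Same map with '!' on the specific lines, so a match stops processing
# before the wildcard line is reached (smb.conf(5) semantics).
USERMAP_FIXED = """
!darwin = DouglasArwin
!jwalden = "James Walden"
!users = @accounts
nobody = *
"""

def parse_usermap(text):
    """Return (unix_name, [client patterns], stop_on_match) per map line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line or "=" not in line:
            continue
        left, right = line.split("=", 1)
        unix_name = left.strip()
        stop = unix_name.startswith("!")
        if stop:
            unix_name = unix_name[1:].strip()
        entries.append((unix_name, shlex.split(right), stop))
    return entries

def matches(pattern, name):
    """'*' matches anyone, '@group' matches members of that UNIX group."""
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        return name in GROUPS.get(pattern[1:], set())
    return pattern == name

def map_username(client_name, entries):
    """Apply the map line by line to the (possibly already mapped) name."""
    name = client_name
    for unix_name, patterns, stop in entries:
        if any(matches(p, name) for p in patterns):
            name = unix_name
            if stop:
                break
    return name

def resolve_unix_user(name):
    """The three lookups from the slide: exact, lowercase, capitalised."""
    for candidate in (name, name.lower(), name.lower().capitalize()):
        if candidate in UNIX_USERS:
            return candidate
    return None

def share_access(user, share):
    """Evaluate invalid users, valid users and admin users for one share.
    share maps option name -> value string as it would appear in smb.conf."""
    def listed(option):
        return any(matches(p, user) for p in share.get(option, "").split())
    if listed("invalid users"):               # always takes precedence
        return "denied"
    # An empty 'valid users' means any authenticated user may connect.
    if share.get("valid users", "").strip() and not listed("valid users"):
        return "denied"
    return "admin" if listed("admin users") else "allowed"

def check_client(client_name, map_text, share):
    """Full pipeline: returns (mapped name, UNIX account, decision)."""
    mapped = map_username(client_name, parse_usermap(map_text))
    unix_user = resolve_unix_user(mapped)
    if unix_user is None:
        return mapped, None, "denied"
    return mapped, unix_user, share_access(unix_user, share)

# Constructed share options for the demonstration.
SHARE = {"valid users": "@staff jwalden", "invalid users": "root nobody",
         "admin users": "jwalden"}

if __name__ == "__main__":
    for text in (USERMAP, USERMAP_FIXED):
        print(check_client("James Walden", text, SHARE))
```

Run it and the first line shows "James Walden" ending up as nobody (denied) under the slide's map, while the '!' version maps him to jwalden with admin rights; any client the map does not name still falls through to nobody, which is the intended use of the wildcard line.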


Samba Passwords

Stored in /etc/samba/smbpasswd.

Set by the smbpasswd command.

Account Backends

Plaintext: Passes plaintext auth to /etc/{passwd,shadow}.

smbpasswd: Text file with encrypted NT passwords.

tdbsam: Binary database with smbpasswd + SAM info.

ldapsam: LDAP with POSIX + sambaSamAccount objects.

Password Synchronization

Configuration options:
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*

Sharing Home Directories

Use the special [homes] share.

If a user attempts to connect to a share not specified in /etc/smb.conf:
1. Samba creates a new disk share called [username].
2. The share path is set to the username's home directory.
3. Options are set to the [global] + [homes] options, with [homes] options winning any conflicts.
4. Samba connects the user to the new share.

Caveat: you may not want root, bin, &c to be shared.
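The smb.conf slides above describe a simple format ([global] values apply everywhere, each other section is a share) and this slide describes how [homes] synthesises a share per user, with the caveat that system accounts get one too. The following added example (not from the slides, not Samba's source and not testparm) parses a constructed smb.conf that extends the earlier example slide, computes a share's effective options, builds the per-user share that [homes] would produce, and flags three settings a reviewer would want to see: share-level security (which the Authentication Types slide describes as "anyone with the password can access the share", and which Samba 4 no longer supports), a guest-only share that is writable, and a [homes] section without an invalid users line. The password-file entries are constructed.

```python
"""smb.conf parser, [homes] share synthesis and a small configuration lint.
Added example; the config text and the account list are constructed."""
import configparser

# Constructed smb.conf: the example slide plus a [homes] section.
SMB_CONF = """
[global]
    workgroup = DOCS
    netbios name = DOCS_SRV
    security = share
    ; global default, inherited by every share
    read only = Yes

[data]
    comment = Documentation Server
    path = /export
    read only = Yes
    guest only = Yes

[homes]
    browseable = No
    read only = No
"""

# Constructed password-file entries: user -> home directory.
PASSWD = {"root": "/root", "bin": "/bin", "joe": "/home/joe"}

def parse_smb_conf(text):
    """smb.conf is ini-style: '#' and ';' comments, 'var = value' lines,
    option names case-insensitive and allowed to contain spaces."""
    cp = configparser.RawConfigParser(comment_prefixes=("#", ";"),
                                      strict=False)   # tolerate repeated keys
    cp.read_string(text)
    return {section.lower(): dict(cp.items(section))
            for section in cp.sections()}

def effective_options(conf, share):
    """[global] values apply to every share; the share's own section wins."""
    opts = dict(conf.get("global", {}))
    opts.update(conf[share])
    return opts

def homes_share(conf, user):
    """Steps 1-3 of the slide: a share named after the user, path set to the
    user's home, options from [global] + [homes]. None if no such account."""
    if user not in PASSWD:
        return None
    opts = effective_options(conf, "homes")
    opts["path"] = PASSWD[user]
    return user, opts

def lint(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if conf.get("global", {}).get("security", "").lower() == "share":
        findings.append("security = share: anyone holding a share password "
                        "gets in; use user-level security")
    for name in conf:
        if name == "global":
            continue
        opts = effective_options(conf, name)
        if (opts.get("guest only", "no").lower() == "yes"
                and opts.get("read only", "yes").lower() != "yes"):
            findings.append(f"[{name}]: guest-only share is writable")
        if name == "homes" and "invalid users" not in opts:
            findings.append("[homes]: no 'invalid users'; system accounts such "
                            "as root and bin get home shares too")
    return findings

if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    print(homes_share(conf, "root"))     # the caveat from the slide
    for finding in lint(conf):
        print("WARNING:", finding)
```

Appending `invalid users = root bin` to the [homes] section clears the last finding, which is the usual way to honour the slide's caveat.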

Permission Mapping

MS DOS permissions:
- Read-only
- System
- Hidden
- Archive

UNIX permissions:
- Read
- Write
- eXecute

Preserve MS DOS file permissions on UNIX:
Since MS DOS uses file extensions instead of X bits, map the DOS attributes to the owner, group, and world execute bits.
Ex: map archive = yes, map system = yes, map hidden = yes

Creation Masks

Samba masks UNIX octal permissions: file and directory.
Execute bits are used for permission mapping.
Can set user and group ownerships too.

Example:
[data]
    create mask = 755
    directory mask = 755
    force user = joe
    force group = accounting
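The two slides above interact: the DOS attributes land in the execute bits (archive in the owner bit, system in the group bit, hidden in the world bit), and then create mask is ANDed in, so a mask of 744 silently drops the system and hidden attributes while the slide's 755 keeps them. The following added example (not from the slides and not Samba's code) works that through in both directions for a file created from a Windows client. The starting mode of 0644 for a plain file, the representation of the DOS read-only attribute as a missing owner write bit, and the share options are this example's assumptions; the defaults of create mask = 744 and map archive = yes are Samba's.

```python
"""UNIX mode derivation for files created through a Samba share.
Added example; base mode and share options are constructed here."""
import stat

BASE_FILE_MODE = 0o644   # assumed starting point: rw owner, r group/world

# DOS attribute -> (smb.conf option that enables the mapping, execute bit)
ATTR_TO_BIT = {
    "archive": ("map archive", stat.S_IXUSR),
    "system":  ("map system",  stat.S_IXGRP),
    "hidden":  ("map hidden",  stat.S_IXOTH),
}
# Samba defaults for the options used here.
DEFAULTS = {"map archive": "yes", "map system": "no", "map hidden": "no",
            "create mask": "744"}

def option(share_opts, name):
    return share_opts.get(name, DEFAULTS[name]).lower()

def new_file_mode(dos_attrs, share_opts):
    """Mode bits for a new file given its DOS attributes and share options."""
    mode = BASE_FILE_MODE
    if "read-only" in dos_attrs:          # assumption: read-only == no owner write
        mode &= ~stat.S_IWUSR
    for attr, (opt, bit) in ATTR_TO_BIT.items():
        if attr in dos_attrs and option(share_opts, opt) == "yes":
            mode |= bit
    mask = int(option(share_opts, "create mask"), 8)
    return mode & mask                    # create mask is ANDed with the request

def dos_attrs_from_mode(mode, share_opts):
    """The reverse mapping: attributes a Windows client sees for a file."""
    attrs = set()
    if not mode & stat.S_IWUSR:
        attrs.add("read-only")
    for attr, (opt, bit) in ATTR_TO_BIT.items():
        if mode & bit and option(share_opts, opt) == "yes":
            attrs.add(attr)
    return attrs

# Constructed share options matching the two slides.
SLIDE_SHARE = {"create mask": "755", "map archive": "yes",
               "map system": "yes", "map hidden": "yes"}

if __name__ == "__main__":
    for attrs in ({"archive"}, {"archive", "system", "hidden"},
                  {"archive", "read-only"}):
        m = new_file_mode(attrs, SLIDE_SHARE)
        print(sorted(attrs), oct(m), sorted(dos_attrs_from_mode(m, SLIDE_SHARE)))
```

Note that with the mapping options on, every file that merely has the archive attribute set (which Windows sets on any newly written file) becomes executable for its owner, which is why a tighter create mask is often preferred on shares that hold user documents.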

ACLs

- Samba can map NT ACLs to POSIX ACLs: nt acl support = yes
- If not set, Samba maps NT ACLs to UNIX rwx perms.
- POSIX ACLs do not support all NT ACLs. Ex: Take Ownership.

Additional Features

1. Samba domain controllers.
2. Samba/LDAP integration.
3. Using Samba from Windows.
4. Samba print servers.
