Samba Overview and Config Lab


Samba: Integrating SMB file systems with UNIX
Samba
• Provides a file server compatible with Windows 9x and NT clients, speaking SMB
• Can take part in NetBIOS name browsing, as seen in Network Neighborhood
• Provides authentication of users
• Can act as an NT domain controller
General Questions to Consider
• How do the protocols relate?
• How are connections made?
• What is network browsing?
• What is a workgroup?
• What is a domain?
How do the protocols relate?
• SMB (Server Message Block) is a file/resource protocol
– files
– printers
• Protocol stack (the slide's diagram): an Application makes a DISK REQUEST to the Op System. A Local Disk is served by the file system (FAT32/16/..); a Remote Disk is served by SMB. SMB runs on top of NETBIOS, and NETBIOS can run over NETBEUI, TCP/IP or IPX (more on which protocol later!).
How are connections made?
• At the level of SMB, in three stages:
– Negotiate which level (dialect) of SMB to use
• As SMB evolves, different versions abound
– Set up a session
• Validate the client (the user) requesting the connection
– Tree connect
• Connect to a specific resource
– disk
– printer
What is network browsing?
• PCs turn on and off as users come and go
• Resources are not static
• Users need to see what resources are
available
• Browsing is a means of determining what is
available for use
– printers
– files
– etc.
Two means of browsing (the slide's diagrams)
• Broadcast: a client workstation broadcasts its requests on the local network, and the server workstations holding resources answer directly.
• WINS: server workstations register their resources with a WINS server, and client workstations send their requests to WINS instead of broadcasting.
What is a workgroup?
• A collection of computers
• Each can provide a network resource
• Each provides authentication for its own resources
• In the slide's diagram the User sends one request to the FileServer and another to the PrintServer, and each server gives its own consent.
What is a domain?
• Like a workgroup
• Central authentication
• In the slide's diagram the User's requests still go to the FileServer and the PrintServer, but the consent for both comes from the Domain Controller.
Setting up Samba
• Install either from source or using the RPM on Red Hat
• Usually installs in /usr/local/samba
• Edit the smb.conf file to configure the server
• Activities
– set up a file share
– set up a "user" share (home directories)
Samba setup continued
• configure the smb.conf file to identify the resources you want to share
• configure the unix system (directories, groups, users) to be consistent with the smb.conf specifications
• run testparm to validate the smb.conf file
• start smbd and nmbd
• test the installation from unix with smbclient
• make sure Win 98 allows plain-text login (or set up encrypted passwords, covered later)
• browse and connect from Win 98
General setup in smb.conf
• [global]
– netbios name = YourMachineName
– workgroup = YourWorkgroup
– security = user
• “user” security determines access to a
resource based on who the user is and the
associated password required of that user.
Setting up a file share
multiple users in a group
smb.conf
• [SHARENAME] (name of resource)
– comment = description when browsed
– path = /export/smb/SHARENAME (the directory set up on the next slide; without a path Samba serves /tmp)
– writeable = yes
– valid users = @groupname (unix group)
– locking = yes
– create mode = 660
– directory mode = 770
Setting up a file share
multiple users in a group
unix system
• Set up a directory in /export/smb
– e.g. /export/smb/SHARENAME
• set permissions
– chgrp groupname SHARENAME
– chmod 770 SHARENAME (group may read, write and search; nothing for others)
– chmod g+s SHARENAME (setgid: files created through the share inherit the group)
• make an entry in /etc/group for groupname, listing each user as a member
• make an entry in /etc/passwd for EACH user (with security = user, the SMB user name must match a unix account)
Check smb.conf for validity
• In /usr/local/samba/bin is testparm
• testparm -s smb.conf
• Checks for invalid section names, unknown parameters, etc.
• -s suppresses the interactive prompt; add -v to also print all the default values NOT specified in the smb.conf file.
• Run the daemons (-D runs each as a background daemon)
– /usr/local/samba/bin/nmbd -D
– /usr/local/samba/bin/smbd -D
Testing samba locally
• Use smbclient
• smbclient -L YourMachineName -N
– lists the resources at your machine (-N: no password, so only what an anonymous client may see)
• smbclient //YourMachineName/SHARENAME -U user
– logs you into the resource you just created, as long as the user name is in the unix group which shares the resource
– and assuming you enter the correct password
• Try it from a non-local unix box.
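Worked example (added here; not from the slides and not Samba's own code): a Python 3 script that writes the [global] and [SHARENAME] sections from the slides above, prepares the directory the way the unix slide says (mkdir, chgrp, chmod 770, chmod g+s), and runs testparm when it is installed. It assumes groupname already has its /etc/group entry and that it runs with enough privilege to chgrp; demo() uses a temporary export root and the caller's own gid in place of groupname's so it can be tried as an ordinary user. YourMachineName, YourWorkgroup, SHARENAME and groupname are the slides' placeholders.

```python
"""Added example: render the smb.conf from the slides and prepare the matching
unix directory (mkdir, chgrp, chmod 770, chmod g+s), then run testparm if it
is installed.  Assumes the group already exists in /etc/group."""
import os
import shutil
import stat
import subprocess
import tempfile

SHARE_MODE = 0o2770   # chmod 770 followed by chmod g+s


def render_smb_conf(netbios_name, workgroup, share, group, export_root="/export/smb"):
    """[global] + [SHARENAME] as on the slides.  'path' is included because the
    slide omits it, and without it Samba serves /tmp."""
    return (
        "[global]\n"
        f"   netbios name = {netbios_name}\n"
        f"   workgroup = {workgroup}\n"
        "   security = user\n"
        "\n"
        f"[{share}]\n"
        f"   comment = Shared area for group {group}\n"
        f"   path = {export_root}/{share}\n"
        "   writeable = yes\n"
        f"   valid users = @{group}\n"
        "   locking = yes\n"
        "   create mode = 0660\n"
        "   directory mode = 0770\n"
    )


def check_share_dir(path, gid):
    """Does the directory match what the [SHARENAME] section expects?"""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "is_dir": stat.S_ISDIR(st.st_mode),
        "group_ok": st.st_gid == gid,
        "setgid": bool(mode & stat.S_ISGID),   # new files inherit the group
        "mode_ok": mode == SHARE_MODE,
        "world_access": bool(mode & 0o007),     # must be False for a 770 share
    }


def setup_share_dir(path, gid):
    """The unix side of the slide: mkdir, chgrp, chmod 770, chmod g+s."""
    os.makedirs(path, exist_ok=True)
    if os.stat(path).st_gid != gid:
        os.chown(path, -1, gid)                 # -1 keeps the owner as is
    os.chmod(path, SHARE_MODE)
    return check_share_dir(path, gid)


def run_testparm(conf_path):
    """(ran, ok): validate with testparm when Samba is installed."""
    exe = shutil.which("testparm")
    if exe is None and os.path.exists("/usr/local/samba/bin/testparm"):
        exe = "/usr/local/samba/bin/testparm"
    if exe is None:
        return (False, None)
    res = subprocess.run([exe, "-s", conf_path], capture_output=True, text=True)
    return (True, res.returncode == 0)


def demo(netbios_name="YourMachineName", workgroup="YourWorkgroup",
         share="SHARENAME", group="groupname"):
    """Run the whole procedure under a temporary export root, so it works as an
    ordinary user; the caller's own gid stands in for groupname's gid."""
    root = tempfile.mkdtemp(prefix="smb-lab-")
    conf = render_smb_conf(netbios_name, workgroup, share, group, export_root=root)
    conf_path = os.path.join(root, "smb.conf")
    with open(conf_path, "w") as fh:
        fh.write(conf)
    checks = setup_share_dir(os.path.join(root, share), os.getgid())
    return {"conf": conf, "conf_path": conf_path, "checks": checks,
            "testparm": run_testparm(conf_path)}


if __name__ == "__main__":
    result = demo()
    print(result["conf"])
    print("directory checks:", result["checks"])
    print("testparm:", result["testparm"])
```

On the real server, call render_smb_conf() with the default export root, write the result to /usr/local/samba/lib/smb.conf (or wherever your build looks), and run setup_share_dir("/export/smb/SHARENAME", grp.getgrnam("groupname").gr_gid) as root; the "world_access" entry in the checks is the one that should always be False.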
Win98 with plain-text login
• Win 98 and Win 95/OSR2 have been modified to use encrypted login
• Suffice to say, Samba does not with a basic install.
• Long run -> set up Samba to do encryption (see "Windows and passwords" below)
• Short run -> make Win 98 send plain text
• Make the registry entry using regedit.exe:
[HKLM\System\CurrentControlSet\Services\VxD\VNETSUP]
"EnablePlainTextPassword"=dword:00000001
• Remember that this makes every password sent from that PC readable on the wire.
Browse using Win 98/95
• Log into Win 98 as a user who is in the group in unix (same user name and password)
• Easiest way is to use Network Neighborhood and click Entire Network. You should see YourMachineName and after clicking that you should see the SHARENAME
• OR net use L: \\YourMachineName\SHARENAME
– will mount the resource as drive L:
• OR use Windows Explorer to map a network drive
Using Samba for user accounts
User accounts
• Set up the network users as local unix users on the samba server
• Put accounts in /home/… with standard user names in /etc/passwd
• set up smb.conf as indicated on the next slide
• Be sure to set logins from Win 98 to use plain text as indicated on a previous slide
smb.conf for user login
• [homes]
– comment = Unix home directory
– path = %H (expands to the connecting user's home directory)
– writeable = yes
– valid users = %S (expands to the service name, which for [homes] is the user name, so only that user may connect)
– create mode = 0600
– directory mode = 0700
– locking = no (not sure why for this one)
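Worked example (added here; not from the slides, not Samba's code): a checker for the "configure the unix system to be consistent with the smb.conf specifications" step, covering both the group share and the [homes] share above. It parses the smb.conf shapes shown on these slides and reports a valid users group that is missing from /etc/group, a share path that is missing, not group-owned, not setgid or open to others, and [homes] users missing from /etc/passwd or whose home directory is not theirs or is wider than directory mode. testparm does not look at any of this; it only validates the file. The group, user and path names in demo() are constructed placeholders, and the [homes] check is given the user names to verify because Samba resolves %H and %S only at connection time.

```python
"""Added example (not from the slides, not Samba's code): check that the unix side
matches smb.conf for the group share and the [homes] share described above."""
import grp
import os
import pwd
import stat
import tempfile


def parse_smb_conf(text):
    """{section: {key: value}}; ValueError on a line that is none of section,
    'key = value', comment or blank (roughly what testparm rejects)."""
    conf, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            conf.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[current][key.lower()] = value
        else:
            raise ValueError(f"smb.conf line {lineno}: {raw!r}")
    return conf


def check_share(name, params):
    """Findings for a 'valid users = @group' share (chgrp, chmod 770, chmod g+s)."""
    findings, gids = [], set()
    for word in params.get("valid users", "").split():
        if word.startswith("@"):
            try:
                gids.add(grp.getgrnam(word[1:]).gr_gid)
            except KeyError:
                findings.append(f"[{name}] group {word[1:]} is not in /etc/group")
    path = params.get("path", "")          # no path at all means Samba serves /tmp
    if not os.path.isdir(path):
        return findings + [f"[{name}] path {path!r} does not exist"]
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if gids and st.st_gid not in gids:
        findings.append(f"[{name}] {path} is not owned by the share group (chgrp)")
    if not mode & stat.S_ISGID:
        findings.append(f"[{name}] {path} lacks setgid (chmod g+s)")
    if mode & 0o007:
        findings.append(f"[{name}] {path} is open to others (chmod 770)")
    return findings


def check_homes(params, users):
    """Findings for [homes]: passwd entry, home exists, owned by user, mode <= directory mode."""
    findings = []
    want = int(params.get("directory mode", "0700"), 8)
    for user in users:
        try:
            pw = pwd.getpwnam(user)
        except KeyError:
            findings.append(f"[homes] {user} has no /etc/passwd entry")
            continue
        if not os.path.isdir(pw.pw_dir):
            findings.append(f"[homes] {user}: home {pw.pw_dir} is missing")
        elif os.stat(pw.pw_dir).st_uid != pw.pw_uid:
            findings.append(f"[homes] {user}: {pw.pw_dir} is not owned by {user}")
        elif stat.S_IMODE(os.stat(pw.pw_dir).st_mode) & ~want:
            findings.append(f"[homes] {user}: {pw.pw_dir} is wider than {want:04o}")
    return findings


def check_consistency(text, home_users=()):
    """All findings for an smb.conf text; an empty list means consistent."""
    findings = []
    for name, params in parse_smb_conf(text).items():
        if name == "homes":
            findings += check_homes(params, home_users)
        elif name != "global":
            findings += check_share(name, params)
    return findings


def demo():
    """Constructed scenario, runnable as an ordinary user: a correctly prepared
    share, a broken share, and a [homes] user that does not exist."""
    root = tempfile.mkdtemp(prefix="smb-check-")
    good = os.path.join(root, "SHARENAME")
    os.mkdir(good)
    if os.stat(good).st_gid != os.getgid():
        os.chown(good, -1, os.getgid())     # chgrp to a group we belong to
    os.chmod(good, 0o2770)                  # chmod 770 + chmod g+s
    try:
        group = grp.getgrgid(os.getgid()).gr_name
    except KeyError:
        group = None                        # gid without an /etc/group entry
    valid = f"   valid users = @{group}\n" if group else ""
    conf = ("[global]\n   security = user\n"
            f"[SHARENAME]\n   path = {good}\n{valid}   writeable = yes\n"
            "[broken]\n   path = /export/smb/missing\n   valid users = @no_such_group_xyz\n"
            "[homes]\n   path = %H\n   valid users = %S\n   directory mode = 0700\n")
    findings = check_consistency(conf, home_users=["no_such_user_xyz"])
    by = lambda tag: [f for f in findings if f.startswith(tag)]
    return {"group": group, "findings": findings, "good": by("[SHARENAME]"),
            "broken": by("[broken]"), "homes": by("[homes]")}


if __name__ == "__main__":
    print(*demo()["findings"], sep="\n")
```

Against a live server, read the real file with open("/usr/local/samba/lib/smb.conf").read() and pass the members of groupname as home_users; run it after every edit to smb.conf or /etc/passwd, since a share that passes testparm can still fail at tree connect for exactly these reasons.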
Logging on from Win 98/95
• Possible problems
– Case sensitivity (unix names are case sensitive, Windows names are not)
– Name length
• Using SMB share-level security
– Unix still associates access with a user
– so Samba searches ALL users (groups etc.) to determine whether the password transmitted is the password of ANYONE with ownership of the share
– it is more complicated than this
– Try to use "user" security instead
Windows and passwords
Why is this complicated and how is it implemented?
Basic Problem
• Sending PLAIN-TEXT passwords across the net is a major issue.
• Less problematic in a LAN (where you are using Samba)
• Still a fundamental concern of administrators
• First review plain-text transmission
• Second examine encrypted transmission
• Third examine how to set it up in linux
Plain text (the slide's diagram: W98 client to linux samba server)
1. The W98 client sends the user name (thisuser) and the password (thispassw) in the clear.
2. The linux samba server encrypts (one-way hashes) the received password, giving e.g. 213jkj23423kj*&l3, and compares it with the stored entry for that user in /etc/passwd (or /etc/shadow): thisuser:213jkj23423kj*&l3:..
3. If they match, the server accepts the login.
NOTE: the W98 user must log on with the same user name (thisuser) as in unix
Avoiding plain-text transmission
• Much more complicated process to avoid plain text over the net.
• Important to remember - PASSWORD ENCRYPTION ALGORITHMS ARE NOT REVERSIBLE (you cannot turn the stored code back into the password), so the server cannot simply decrypt what it holds; instead both sides prove they hold the same stored value.
1. Server sends a random message to the client to encrypt
2. Client encrypts it using the locally stored encrypted password
3. Client sends the encrypted message
4. Server encrypts the same random message with its own copy of the encrypted password
5. If the two match, the client is authenticated
In the slide's diagram the Samba server holds the encrypted pw (e.g. rtrner$6&ddf) and sends the random message (1); the client, holding the same encrypted pw, encrypts it (2) and returns the encrypted message (3); the server encrypts too (4), compares (5) and answers OK (or not).
Good and Bad
• Good
– Never sends plain text across the net
– Hard to make use of the random text if it is picked up off the wire (not impossible); a captured response is no use once the server issues a new random message
• Bad
– must have encrypted passwords on both machines
– to spoof, you only need the encrypted password, not the original one!!! (the same reason /etc/shadow is protected while /etc/passwd is world-readable; today this is known as pass-the-hash)
– root must know either the actual password or the encrypted version, or have the user enter it in unix….
----> none easy
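Worked example (added here; not Samba's code) of the two logins described on the last few slides, side by side, with constructed accounts using the slides' thisuser/thispassw. Two stand-ins are used so that it runs anywhere: sha256(salt+password) plays the unix crypt() entry in /etc/shadow, and HMAC-SHA256 keyed with the stored Windows hash plays the "encryption" of the server's random message (the real clients of this era use DES keyed with the LanMan/NT hash instead). The shape of the exchange and both consequences are the same: a wrong password fails, a stolen stored hash succeeds, and a captured response cannot be replayed.

```python
"""Added example (not Samba's code): the two logins the slides describe, side
by side.  Stand-ins, chosen so the example runs anywhere: sha256(salt+password)
plays the unix crypt() entry in /etc/shadow, and HMAC-SHA256 keyed with the
stored Windows hash plays the encryption of the server's random message (the
real clients of this era use DES keyed with the LanMan/NT hash).  The shape of
the exchange and its consequences are the same."""
import hashlib
import hmac
import os


# --- plain text: the W98 client sends the password itself ------------------
def unix_entry(password, salt=b"Aa"):
    """What /etc/shadow holds: salt plus a one-way hash of salt+password."""
    return salt.hex() + "$" + hashlib.sha256(salt + password.encode()).hexdigest()


def plaintext_login(shadow, user, password):
    """Server side: hash what arrived (1), compare (2), accept or reject (3)."""
    entry = shadow.get(user)
    if entry is None:
        return False
    salt = bytes.fromhex(entry.split("$", 1)[0])
    return hmac.compare_digest(unix_entry(password, salt), entry)


# --- challenge/response: the password never crosses the wire ----------------
def windows_hash(password):
    """What the smbpasswd file holds for the user (stand-in for the NT hash)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def encrypt_challenge(stored_hash, challenge):
    """Steps 2 and 4: 'encrypt' the random message with the stored hash."""
    return hmac.new(stored_hash, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, smbpasswd):
        self.smbpasswd = smbpasswd      # user -> stored hash, as in smbpasswd
        self.pending = {}               # user -> random message sent to it

    def challenge(self, user):
        """Step 1: send a fresh random message."""
        self.pending[user] = os.urandom(8)
        return self.pending[user]

    def verify(self, user, response):
        """Steps 4 and 5: encrypt the same message ourselves and compare."""
        c = self.pending.pop(user, None)
        h = self.smbpasswd.get(user)
        if c is None or h is None:
            return False
        return hmac.compare_digest(encrypt_challenge(h, c), response)


def login(server, user, stored_hash):
    """The client's side: note it needs only the stored hash, not the password."""
    c = server.challenge(user)                                        # 1
    return server.verify(user, encrypt_challenge(stored_hash, c))     # 2, 3, then 4, 5


def demo():
    """Constructed accounts: thisuser / thispassw from the slides."""
    shadow = {"thisuser": unix_entry("thispassw")}
    smbpasswd = {"thisuser": windows_hash("thispassw")}
    srv = Server(smbpasswd)
    results = {
        "plain_ok": plaintext_login(shadow, "thisuser", "thispassw"),
        "plain_wrong": plaintext_login(shadow, "thisuser", "wrong"),
        "cr_ok": login(srv, "thisuser", windows_hash("thispassw")),
        "cr_wrong": login(srv, "thisuser", windows_hash("wrong")),
        # the 'Bad' bullet: whoever copies the smbpasswd file can log in
        "cr_hash_only": login(srv, "thisuser", smbpasswd["thisuser"]),
    }
    # the 'Good' bullet: a sniffed response is no use once the challenge changes
    old = encrypt_challenge(smbpasswd["thisuser"], srv.challenge("thisuser"))
    srv.verify("thisuser", old)          # the genuine session completes
    srv.challenge("thisuser")            # the next session gets a new message
    results["replay"] = srv.verify("thisuser", old)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13s} {v}")
```

The cr_hash_only result is the whole reason the smbpasswd file must be root-only, exactly like /etc/shadow: the stored value is a password equivalent, not a password check.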
How is it set up in linux?
• The encrypted passwords used are WINDOWS passwords, NOT unix!
• Two basic Windows styles
– Lan Manager (LanMan)
– NT
• Samba stores another password file with both encryptions
• Users may be in one file and not the other
• The unix program smbpasswd (also the file name) will populate the file, but the password must be entered.
Setting up the smbpasswd
• The smbpasswd program reads the username and userpass from the console, computes the LanMan encryption and the NT encryption, and writes both to the smbpasswd file, one line per user:
Username:LanManEncrypt:Ntencrypt:….
……...
• Console session:
>smbpasswd -a username
Enter password: userpass
Retype: userpass
>
Other considerations
• Entry in smb.conf (smb passwd file = /path/to/smbpasswd) indicates the smb password file's proper location
• Entry in smb.conf (encrypt passwords) set to yes
• Although not necessary, typically you want the users in the unix passwd to be entered in smbpasswd too, to allow for unix home directory access.
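Worked example (added here; not from the slides and not Samba's code) of what "smbpasswd -a username" computes for the NT style: the NT hash is MD4 of the password encoded as UTF-16LE, written out from RFC 1320 here because hashlib in current Python builds often has no md4. The LanMan encryption needs DES and is left out; the 32 X's used in its place are, as an assumption, the marker Samba writes when no LanMan hash is stored, and the flags and LCT fields at the end of the line are minimal illustrative values. Unlike smbpasswd, which prompts for the password, the function takes it as an argument so it can be tested.

```python
"""Added example: what 'smbpasswd -a username' stores for the NT style.
The NT hash is MD4 of the password encoded as UTF-16LE; MD4 is written out
here (RFC 1320) because hashlib often has no md4 any more.  The LanMan hash
needs DES and is left out: the 32 X's are the marker Samba uses for 'no
LanMan hash' (assumption), and the flags/LCT fields are minimal examples."""


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF


def md4(data):
    """RFC 1320 MD4 digest: bytes -> 16 bytes."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += ((len(data) * 8) & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "little")
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = [int.from_bytes(msg[off + 4 * i:off + 4 * i + 4], "little") for i in range(16)]
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                       # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            a = _rotl((a + G(b, c, d) + X[r2[i]] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3
            a = _rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return b"".join(v.to_bytes(4, "little") for v in (a, b, c, d))


def nt_hash(password):
    """The 'Ntencrypt' field: MD4 over UTF-16LE, as 32 upper-case hex digits."""
    return md4(password.encode("utf-16-le")).hex().upper()


NO_LM_HASH = "X" * 32          # assumption: Samba's 'no LanMan hash' marker


def smbpasswd_line(username, uid, password, lm_hash=NO_LM_HASH):
    """One line of the smbpasswd file: user:uid:LM:NT:flags:LCT:"""
    return f"{username}:{uid}:{lm_hash}:{nt_hash(password)}:[U          ]:LCT-00000000:"


if __name__ == "__main__":
    # smbpasswd -a prompts for the password instead of taking it as an argument
    print(smbpasswd_line("username", 1001, "userpass"))
```

Note there is no salt anywhere in nt_hash(): two users with the same password get the same Ntencrypt field, and the value is a password equivalent on the wire, which is why the file needs the same protection as /etc/shadow.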