Diffstat (limited to 'docs/htmldocs/using_samba/ch01.html')
-rw-r--r-- | docs/htmldocs/using_samba/ch01.html | 3193 |
1 files changed, 0 insertions, 3193 deletions
diff --git a/docs/htmldocs/using_samba/ch01.html b/docs/htmldocs/using_samba/ch01.html deleted file mode 100644 index 98a687f08e..0000000000 --- a/docs/htmldocs/using_samba/ch01.html +++ /dev/null 
@@ -1,3193 +0,0 @@ -<html> -<body bgcolor="#ffffff"> - -<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76" -hspace="10" align="left" /> - -<h1 class="head0">Chapter 1. Learning the Samba</h1> - - -<p><a name="INDEX-1"/>Samba -is an extremely useful networking tool for anyone who has both -Windows and Unix systems on his network. Running on a Unix system, it -allows Windows to share files and printers on the Unix host, and it -also allows Unix users to access resources shared by Windows systems.</p> - -<p>Although it might seem natural to use a Windows server to serve files -and printers to a network containing Windows clients, there are good -reasons for preferring a Samba server for this duty. Samba is -reliable software that runs on reliable Unix operating systems, -resulting in fewer problems and a low cost of maintenance. Samba also -offers better performance under heavy loads, outperforming Windows -2000 Server by a factor of 2 to 1 on identical PC hardware, according -to published third-party benchmarks. When common, inexpensive PC -hardware fails to meet the demands of a huge client load, the Samba -server can easily be moved to a proprietary "big -iron" Unix mainframe, which can outperform Windows -running on a PC many times. If all that weren't -enough, Samba has a very nice cost advantage: it's -free. Not only is the software itself freely available, but also no -client licenses are required, and it runs on high-quality, free -operating systems such as Linux and FreeBSD.</p> - -<p>After reading the previous paragraph, you might come to the -conclusion that Samba is commonly used by large organizations with -thousands of users on their networks—and you'd -be right! But Samba's user base includes -organizations all over the planet, of all types and sizes: from -international corporations, to medium and small businesses, to -individuals who run Samba on their Linux laptops. 
In the last case, a -tool such as VMware is used to run Windows on the same computer, with -Samba enabling the two operating systems to share files.</p> - -<p>The types of users vary even more—Samba is used by -corporations, banks and other financial institutions, government and -military organizations, schools, public libraries, art galleries, -families, and even authors! This book was developed on a Linux system -running VMware and Windows 2000, with Adobe FrameMaker running on -Windows and the document files served by Samba from the Linux -filesystem.</p> - -<p>Does all this whet your technological appetite? If so, we encourage -you to keep reading, learn about Samba, and follow our examples to -set up a Samba server of your own. In this and upcoming chapters, we -will tell you exactly how to get started.</p> - - - -<div class="sect1"><a name="samba2-CHP-1-SECT-1"/> - -<h2 class="head1">What Is Samba?</h2> - -<p><a name="INDEX-2"/>Samba -is a suite of Unix applications that speak the -<a name="INDEX-3"/><a name="INDEX-4"/>Server -Message Block (SMB) protocol. Microsoft Windows operating systems and -the OS/2 operating system use SMB to perform client-server networking -for file and printer sharing and associated operations. By supporting -this protocol, Samba enables computers running Unix to get in on the -action, communicating with the same networking protocol as Microsoft -Windows and appearing as another Windows system on the network from -the perspective of a Windows client. 
A <a name="INDEX-5"/>Samba -server offers the following services:</p> - -<ul><li> -<p>Share one or more directory trees</p> -</li><li> -<p>Share one or more Distributed filesystem (Dfs) trees</p> -</li><li> -<p>Share printers installed on the server among Windows clients on the -network</p> -</li><li> -<p>Assist clients with network browsing</p> -</li><li> -<p>Authenticate clients logging onto a Windows domain</p> -</li><li> -<p>Provide or assist with Windows Internet Name Service (WINS) -name-server resolution</p> -</li></ul> -<p>The Samba suite also includes client tools that allow users on a Unix -system to access folders and printers that Windows systems and Samba -servers offer on the network.</p> - -<p>Samba is the brainchild of Andrew <a name="INDEX-6"/>Tridgell, who currently heads the Samba -development team. Andrew started the project in 1991, while working -with a Digital Equipment Corporation (DEC) software suite called -Pathworks, created for connecting DEC VAX computers to computers made -by other companies. Without knowing the significance of what he was -doing, Andrew created a file-server program for an odd protocol that -was part of Pathworks. That protocol later turned out to be SMB. A -few years later, he expanded upon his custom-made SMB server and -began distributing it as a product on the Internet under the name -"SMB Server." 
However, Andrew -couldn't keep that name—it already belonged to -another company's product—so he tried the -following Unix renaming approach:</p> - -<blockquote><pre class="code">$ <tt class="userinput"><b>grep -i '^s.*m.*b' /usr/dict/words</b></tt></pre></blockquote> - -<p>And the response was:</p> - -<blockquote><pre class="code">salmonberry -samba -sawtimber -scramble</pre></blockquote> - -<p>Thus, the name "Samba" was born.</p> - -<p>Today, the Samba suite revolves around a pair of Unix daemons that -provide shared resources—called <em class="firstterm">shares -</em>or s<em class="firstterm">ervices</em>—to SMB clients -on the network. These are:</p> - -<dl> -<dt><b><a name="INDEX-7"/>smbd</b></dt> -<dd> -<p>A daemon that handles file and printer sharing and provides -authentication and authorization for SMB clients.</p> -</dd> - - - -<dt><b><a name="INDEX-8"/>nmbd</b></dt> -<dd> -<p>A daemon that supports NetBIOS Name Service and WINS, which is -Microsoft's implementation of a NetBIOS Name Server -(NBNS). It also assists with network browsing.</p> -</dd> - -</dl> - -<p>Samba is currently maintained and extended by a group of volunteers -under the active supervision of Andrew Tridgell. Like the Linux -operating system, Samba is distributed as open source software -(<a href="http://opensource.org">http://opensource.org</a>) by its -authors and is distributed under the GNU General Public License -(GPL). Since its inception, development of Samba has been sponsored -in part by the Australian National University, where Andrew Tridgell -earned his Ph.D. Since then, many other organizations have sponsored -Samba developers, including LinuxCare, VA Linux Systems, -Hewlett-Packard, and IBM. 
It is a true testament to Samba that both -commercial and noncommercial entities are prepared to spend money to -support an open source effort.</p> - -<p>Microsoft has also contributed by offering its definition of the SMB -protocol to the Internet Engineering Task Force (IETF) in 1996 as the -<a name="INDEX-9"/><a name="INDEX-10"/>Common -Internet File System (CIFS). Although we prefer to use the term -"SMB" in this book, you will also -often find the protocol being referred to as -"CIFS." This is especially true on -Microsoft's web site.</p> - - -</div> - - - -<div class="sect1"><a name="samba2-CHP-1-SECT-2"/> - -<h2 class="head1">What Can Samba Do for Me?</h2> - -<p><a name="INDEX-11"/>As explained earlier, Samba can help -Windows and Unix computers coexist in the same network. However, -there are some specific reasons why you might want to set up a Samba -server on your network:</p> - -<ul><li> -<p>You don't want to pay for—or -can't afford—a full-fledged Windows server, -yet you still need the functionality that one provides.</p> -</li><li> -<p>The Client Access Licenses (CALs) that Microsoft requires for each -Windows client to access a Windows server are unaffordable.</p> -</li><li> -<p>You want to provide a common area for data or user directories to -transition from a Windows server to a Unix one, or vice versa.</p> -</li><li> -<p>You want to share printers among Windows and Unix workstations.</p> -</li><li> -<p>You are supporting a group of computer users who have a mixture of -Windows and Unix computers.</p> -</li><li> -<p>You want to integrate Unix and Windows authentication, maintaining a -single database of user accounts that works with both systems.</p> -</li><li> -<p>You want to network Unix, Windows, Macintosh (OS X), and other -systems using a single protocol.</p> -</li></ul> -<p>Let's take a quick tour of -<a name="INDEX-12"/>Samba in action. 
Assume that we have -the following basic network configuration: a Samba-enabled Unix -system, to which we will assign the name <tt class="literal">toltec</tt>, -and a pair of Windows clients, to which we will assign the names -<tt class="literal">maya</tt> and <tt class="literal">aztec</tt>, all connected -via a local area network (LAN). Let's also assume -that <tt class="literal">toltec</tt> also has a local inkjet printer -connected to it, <tt class="literal">lp</tt>, and a disk share named -<tt class="literal">spirit</tt>—both of which it can offer to the -other two computers. A graphic of this network is shown in <a href="ch01.html#samba2-CHP-1-FIG-1">Figure 1-1</a>.</p> - -<div class="figure"><a name="samba2-CHP-1-FIG-1"/><img src="figs/sam2_0101.gif"/></div><h4 class="head4">Figure 1-1. A simple network set up with a Samba server</h4> - -<p>In this network, each computer listed shares the same -<em class="firstterm">workgroup</em>. A workgroup is a group name tag -that identifies an arbitrary collection of computers and their -resources on an SMB network. Several workgroups can be on the network -at any time, but for our basic network example, -we'll have only one: the METRAN workgroup.</p> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-2.1"/> - -<h3 class="head2">Sharing a Disk Service</h3> - -<p><a name="INDEX-13"/><a name="INDEX-14"/><a name="INDEX-15"/>If everything is properly -configured, we should be able to see the Samba server, -<tt class="literal">toltec</tt>, through the Network Neighborhood of the -<tt class="literal">maya</tt> Windows desktop. In fact, <a href="ch01.html#samba2-CHP-1-FIG-2">Figure 1-2</a> shows the Network Neighborhood of the -<tt class="literal">maya</tt> computer, including <tt class="literal">toltec</tt> -and each computer that resides in the METRAN workgroup. Note the -Entire Network icon at the top of the list. As we just mentioned, -more than one workgroup can be on an SMB network at any given time. 
-If a user clicks the Entire Network icon, she will see a list of all -the workgroups that currently exist on the network.</p> - -<div class="figure"><a name="samba2-CHP-1-FIG-2"/><img src="figs/sam2_0102.gif"/></div><h4 class="head4">Figure 1-2. The Network Neighborhood directory</h4> - -<p>We can take a closer look at the <tt class="literal">toltec</tt> server by -double-clicking its icon. This contacts <tt class="literal">toltec</tt> -itself and requests a list of its -<em class="firstterm">shares</em>—the file and printer -resources—that the computer provides. In this case, a printer -named <tt class="literal">lp</tt>, a home directory named -<tt class="literal">jay</tt>, and a disk share named -<tt class="literal">spirit</tt> are on the server, as shown in <a href="ch01.html#samba2-CHP-1-FIG-3">Figure 1-3</a>. Note that the Windows display shows hostnames -in mixed case (Toltec). Case is irrelevant in hostnames, so you might -see toltec, Toltec, and TOLTEC in various displays or command output, -but they all refer to a single system. Thanks to Samba, Windows 98 -sees the Unix server as a valid SMB server and can access the -<tt class="literal">spirit</tt> folder as if it were just another system -folder.</p> - -<div class="figure"><a name="samba2-CHP-1-FIG-3"/><img src="figs/sam2_0103.gif"/></div><h4 class="head4">Figure 1-3. Shares available on the Toltec server as viewed from maya</h4> - -<p>One popular Windows feature is the ability to map a drive letter -(such as E:, F:, or Z:) to a shared directory on the network using -the Map Network Drive option in Windows Explorer.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> -Once you do so, your applications can access the folder across the -network using the drive letter. You can store data on it, install and -run programs from it, and even password-protect it against unwanted -visitors. 
See <a href="ch01.html#samba2-CHP-1-FIG-4">Figure 1-4</a> for an example of mapping -a <a name="INDEX-16"/><a name="INDEX-17"/>drive letter to a network -directory.</p> - -<div class="figure"><a name="samba2-CHP-1-FIG-4"/><img src="figs/sam2_0104.gif"/></div><h4 class="head4">Figure 1-4. Mapping a network drive to a Windows drive letter</h4> - -<p>Take a look at the Path: entry in the dialog box of <a href="ch01.html#samba2-CHP-1-FIG-4">Figure 1-4</a>. An equivalent way to represent a directory on -a network computer is by using two backslashes, followed by the name -of the networked computer, another backslash, and the networked -directory of the computer, as shown here:</p> - -<blockquote><pre class="code">\\<em class="replaceable">network-computer</em>\<em class="replaceable">directory</em></pre></blockquote> - -<p>This is known as the <em class="firstterm"/><a name="INDEX-18"/>Universal -Naming Convention (UNC)</em> in the Windows world. For example, the dialog -box in <a href="ch01.html#samba2-CHP-1-FIG-4">Figure 1-4</a> represents the network directory -on the <tt class="literal">toltec</tt> server as:</p> - -<blockquote><pre class="code">\\toltec\spirit</pre></blockquote> - -<p>If this looks somewhat familiar to you, you're -probably thinking of <em class="firstterm">uniform resource -locators</em><a name="INDEX-19"/><a name="INDEX-20"/> (URLs), which are addresses that web -browsers such as Netscape Navigator and Internet Explorer use to -resolve systems across the Internet. Be sure not to confuse the two: -URLs such as <a href="http://www.oreilly.com">http://www.oreilly.com</a> use forward slashes -instead of backslashes, and they precede the initial slashes with the -data transfer protocol (i.e., ftp, http) and a colon (:). In reality, -URLs and UNCs are two completely separate things, although sometimes -you can specify an SMB share using a URL rather than a UNC. 
As a URL, -the <em class="filename">\\toltec\spirit</em> share would be specified as -<em class="filename">smb://toltec/spirit</em>.</p> - -<p>Once the network drive is set up, Windows and its programs behave as -if the networked directory were a local disk. If you have any -applications that support multiuser functionality on a network, you -can install those programs on the network drive.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> <a href="ch01.html#samba2-CHP-1-FIG-5">Figure 1-5</a> shows the -resulting network drive as it would appear with other storage devices -in the Windows 98 client. Note the pipeline attachment in the icon -for the J: drive; this indicates that it is a network drive rather -than a fixed drive.</p> - -<div class="figure"><a name="samba2-CHP-1-FIG-5"/><img src="figs/sam2_0105.gif"/></div><h4 class="head4">Figure 1-5. The Network directory mapped to the client drive letter J</h4> - -<p>My Network Places, found in Windows Me, 2000, and XP, works -differently from Network Neighborhood. It is necessary to click a few -more icons, but eventually we can get to the view of the -<tt class="literal">toltec</tt> server as shown in <a href="ch01.html#samba2-CHP-1-FIG-6">Figure 1-6</a>. This is from a Windows 2000 system. Setting -up the network drive using the Map Network Drive option in Windows -2000 works similarly to other Windows versions. <a name="INDEX-21"/><a name="INDEX-22"/><a name="INDEX-23"/></p> - -<div class="figure"><a name="samba2-CHP-1-FIG-6"/><img src="figs/sam2_0106.gif"/></div><h4 class="head4">Figure 1-6. Shares available on Toltec (viewed from dine)</h4> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-2.2"/> - -<h3 class="head2">Sharing a Printer</h3> - -<p><a name="INDEX-24"/><a name="INDEX-25"/><a name="INDEX-26"/>You probably noticed that the printer -<tt class="literal">lp</tt> appeared under the available shares for -<tt class="literal">toltec</tt> in <a href="ch01.html#samba2-CHP-1-FIG-3">Figure 1-3</a>. 
This -indicates that the Unix server has a printer that can be shared by -the various SMB clients in the workgroup. Data sent to the printer -from any of the clients will be spooled on the Unix server and -printed in the order in which it is received.</p> - -<p><a name="INDEX-27"/><a name="INDEX-28"/>Setting up a Samba-enabled -printer on the Windows side is even easier than setting up a disk -share. By double-clicking the printer and identifying the -manufacturer and model, you can install a driver for this printer on -the Windows client. Windows can then properly format any information -sent to the network printer and access it as if it were a local -printer. On Windows 98, double-clicking the Printers icon in the -Control Panel opens the Printers window shown in <a href="ch01.html#samba2-CHP-1-FIG-7">Figure 1-7</a>. Again, note the pipeline attachment below the -printer, which identifies it as being on a network.</p> - -<div class="figure"><a name="samba2-CHP-1-FIG-7"/><img src="figs/sam2_0107.gif"/></div><h4 class="head4">Figure 1-7. A network printer available on Toltec</h4> - - -<div class="sect3"><a name="samba2-CHP-1-SECT-2.2.1"/> - -<h3 class="head3">Seeing things from the Unix side</h3> - -<p><a name="INDEX-29"/><a name="INDEX-30"/>As mentioned earlier, Samba -appears in Unix as a set of daemon programs. You can view them with -the Unix <a name="INDEX-31"/><em class="emphasis">ps</em> command; you can -read any messages they generate through custom debug files or the -Unix <em class="emphasis">syslog</em> (depending on how Samba is set up); -and you can configure them from a single Samba configuration file: -<em class="emphasis">smb.conf</em>. In addition, if you want to get an idea of -what the daemons are doing, Samba has a program called -<em class="emphasis">smbstatus</em><a name="INDEX-32"/> that will lay it all on the line. 
Here -is how it works:</p> - -<blockquote><pre class="code"># <tt class="userinput"><b>smbstatus</b></tt> -Processing section "[homes]" -Processing section "[printers]" -Processing section "[spirit]" - -Samba version 2.2.6 -Service uid gid pid machine ------------------------------------------ -spirit jay jay 7735 maya (172.16.1.6) Sun Aug 12 12:17:14 2002 -spirit jay jay 7779 aztec (172.16.1.2) Sun Aug 12 12:49:11 2002 -jay jay jay 7735 maya (172.16.1.6) Sun Aug 12 12:56:19 2002 - -Locked files: -Pid DenyMode R/W Oplock Name --------------------------------------------------- -7735 DENY_WRITE RDONLY NONE /u/RegClean.exe Sun Aug 12 13:01:22 2002 - -Share mode memory usage (bytes): - 1048368(99%) free + 136(0%) used + 72(0%) overhead = 1048576(100%) total</pre></blockquote> - -<p>The Samba status from this output provides three sets of data, each -divided into separate sections. The first section tells which systems -have connected to the Samba server, identifying each client by its -machine name (<tt class="literal">maya</tt> and <tt class="literal">aztec</tt>) -and IP (Internet Protocol) address. The second section reports the -name and status of the files that are currently in use on a share on -the server, including the read/write status and any locks on the -files. Finally, Samba reports the amount of memory it has currently -allocated to the shares that it administers, including the amount -actively used by the shares plus additional overhead. 
(Note that this -is not the same as the total amount of memory that the -<em class="emphasis">smbd</em> or <em class="emphasis">nmbd</em> processes are -using.)</p> - -<p>Don't worry if you don't understand -these statistics; they will become easier to understand as you move -through the book.</p> - - -</div> - - -</div> - - -</div> - - - -<div class="sect1"><a name="samba2-CHP-1-SECT-3"/> - -<h2 class="head1">Getting Familiar with an SMB Network</h2> - -<p><a name="INDEX-33"/>Now that you have had a brief tour of -Samba, let's take some time to get familiar with -Samba's adopted environment: an SMB network. -Networking with SMB is significantly different from working with -common TCP/IP protocols such as FTP and Telnet because there are -several new concepts to learn and a lot of information to cover. -First, we will discuss the basic concepts behind an SMB network, -followed by some Microsoft implementations of it, and finally we will -show you where a Samba server can and cannot fit into the picture.</p> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-3.1"/> - -<h3 class="head2">Understanding NetBIOS</h3> - -<p>To begin, let's step back in time. In 1984, IBM -authored a simple application programming interface (API) for -networking its computers, called the <em class="firstterm">Network Basic -Input/Output System -</em>(<a name="INDEX-34"/>NetBIOS). -The NetBIOS API provided a rudimentary design for an application to -connect and share data with other computers.</p> - -<p>It's helpful to think of the NetBIOS API as -networking extensions to the standard BIOS API calls. The BIOS -contains low-level code for performing filesystem operations on the -local computer. NetBIOS originally had to exchange instructions with -computers across IBM PC or Token Ring networks. 
It therefore required -a low-level transport protocol to carry its requests from one -computer to the next.</p> - -<p>In late 1985, IBM released one such protocol, which it merged with -the NetBIOS API to become the <em class="firstterm">NetBIOS Extended User -Interface</em> (<em class="emphasis">NetBEUI</em> ). -<a name="INDEX-35"/>NetBEUI was -designed for small LANs, and it let each computer claim a name (up to -15 characters) that wasn't already in use on the -network. By a "small LAN," we mean -fewer than 255 nodes on the network—which was considered a -generous number in 1985!</p> - -<p>The NetBEUI protocol was very popular with networking applications, -including those running under Windows for Workgroups. Later, -implementations of NetBIOS over Novell's IPX -networking protocols also emerged, which competed with NetBEUI. -However, the networking protocols of choice for the burgeoning -Internet community were TCP/IP and UDP/IP, and implementing the -NetBIOS APIs over those protocols soon became a necessity.</p> - -<p>Recall that TCP/IP uses numbers to represent computer addresses -(192.168.220.100, for instance) while NetBIOS uses only names. This -was a major issue when trying to mesh the two protocols together. In -1987, the IETF published standardization documents, titled RFC 1001 -and 1002, that outlined how NetBIOS would work over a TCP/UDP -network. 
This set of documents still governs each implementation that -exists today, including those provided by Microsoft with its Windows -operating systems, as well as the Samba suite.</p> - -<p>Since then, the standard that this document governs has become known -as <em class="firstterm">NetBIOS over -TCP/IP</em><a name="INDEX-36"/><a name="INDEX-37"/><a name="INDEX-38"/>, or NBT for short.<a name="FNPTR-3"/><a href="#FOOTNOTE-3">[3]</a> </p> - -<p>The NBT standard (RFC 1001/1002) -currently outlines a trio of services on a network:</p> - -<ul><li> -<p>A name service</p> -</li><li> -<p>Two communication services:</p> -<ul><li> -<p>Datagrams</p> -</li> - -<li> -<p>Sessions</p> -</li></ul> -</li> -</ul> - -<p>The <a name="INDEX-39"/>name -service solves the name-to-address problem mentioned earlier; it -allows each computer to declare a specific name on the network that -can be translated to a machine-readable IP address, much like -today's Domain Name System (DNS) on the Internet. -The <a name="INDEX-40"/>datagram and <a name="INDEX-41"/>session services are both -secondary communication protocols used to transmit data back and -forth from NetBIOS computers across the network.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-3.2"/> - -<h3 class="head2">Getting a Name</h3> - -<p><a name="INDEX-42"/><a name="INDEX-43"/>In the NetBIOS world, when each -computer comes online, it wants to claim a name for itself; this is -called <em class="firstterm">name registration</em>. However, no two -computers in the same workgroup should be able to claim the same -name; this would cause endless confusion for any computer that wanted -to communicate with either of them. 
There are two different -approaches to ensuring that this doesn't happen:</p> - -<ul><li> -<p>Use an <em class="firstterm"/>NBNS</em> to keep track of which hosts have -registered a NetBIOS name.</p> -</li><li> -<p>Allow each computer on the network to defend its name in the event -that another computer attempts to use it.</p> -</li></ul> -<p><a href="ch01.html#samba2-CHP-1-FIG-8">Figure 1-8</a> illustrates a (failed) name -registration, with and without an NBNS.</p> - -<div class="figure"><a name="samba2-CHP-1-FIG-8"/><img src="figs/sam2_0108.gif"/></div><h4 class="head4">Figure 1-8. Broadcast versus NBNS name registration</h4> - -<p><a name="INDEX-44"/><a name="INDEX-45"/>As mentioned earlier, -there must be a way to resolve a NetBIOS name to a specific IP -address; this is known as <em class="firstterm">name resolution</em>. -There are two different approaches with NBT here as well:</p> - -<ul><li> -<p>Have each computer report back its IP address when it -"hears" a broadcast request for its -NetBIOS name.</p> -</li><li> -<p>Use an NBNS to help resolve NetBIOS names to IP addresses.</p> -</li></ul> -<p><a href="ch01.html#samba2-CHP-1-FIG-9">Figure 1-9</a> illustrates the two types of name -resolution.</p> - -<div class="figure"><a name="samba2-CHP-1-FIG-9"/><img src="figs/sam2_0109.gif"/></div><h4 class="head4">Figure 1-9. Broadcast versus NBNS name resolution</h4> - -<p>As you might expect, having an NBNS on your network can help out -tremendously. To see exactly why, let's look at the -broadcast method.</p> - -<p>Here, when a client computer boots, it will -<a name="INDEX-46"/>broadcast a -message declaring that it wishes to register a specified NetBIOS name -as its own. If nobody objects to the use of the name, it keeps the -name. On the other hand, if another computer on the local subnet is -currently using the requested name, it will send a message back to -the requesting client that the name is already taken. 
This is known -as <em class="firstterm">defending</em><a name="INDEX-47"/><a name="INDEX-48"/> the hostname. This type of system -comes in handy when one client has unexpectedly dropped off the -network—another can take its name unchallenged—but it -does incur an inordinate amount of traffic on the network for -something as simple as name registration.</p> - -<p>With an NBNS, the same thing occurs, except the communication is -confined to the requesting computer and the NBNS. No broadcasting -occurs when the computer wishes to register the name; the -registration message is simply sent directly from the client to the -NBNS, and the NBNS replies regardless of whether the name is already -taken. This is known as <em class="firstterm">point-to-point -communication</em><a name="INDEX-49"/>, and it is often beneficial on -networks with more than one subnet. This is because routers are -generally configured to block incoming packets that are broadcast to -all computers in the subnet.</p> - -<p>The same principles apply to name resolution. Without an NBNS, -NetBIOS name resolution would also be done with a broadcast -mechanism. All request packets would be sent to each computer in the -network, with the hope that one computer that might be affected will -respond directly back to the computer that asked. Using an NBNS and -point-to-point communication for this purpose is far less taxing on -the network than flooding the network with broadcasts for every -name-resolution request.</p> - -<p>It can be argued that broadcast packets do not cause significant -problems in modern, high-bandwidth networks of hosts with fast CPUs, -if only a small number of hosts are on the network, or the demand for -bandwidth is low. There are certainly cases where this is true; -however, our advice throughout this book is to avoid relying on -broadcasts as much as possible. 
This is a good rule to follow for -large, busy networks, and if you follow our advice when configuring a -small network, your network will be able to grow without encountering -problems later on that might be difficult to diagnose. <a name="INDEX-50"/><a name="INDEX-51"/></p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-3.3"/> - -<h3 class="head2">Node Types</h3> - -<p><a name="INDEX-52"/><a name="INDEX-53"/>How can you tell what strategy each -client on your network will use when performing name registration and -resolution? Each computer on an NBT network earns one of the -following designations, depending on how it handles name registration -and resolution: <a name="INDEX-54"/><a name="INDEX-55"/><a name="INDEX-56"/><a name="INDEX-57"/>b-node, p-node, m-node, and h-node. The -behaviors of each type of node are summarized in <a href="ch01.html#samba2-CHP-1-TABLE-1">Table 1-1</a>.</p> - -<a name="samba2-CHP-1-TABLE-1"/><h4 class="head4">Table 1-1. NetBIOS node types</h4><table border="1"> - - - -<tr> -<th> -<p>Role</p> -</th> -<th> -<p>Value</p> -</th> -</tr> - - -<tr> -<td> -<p>b-node</p> -</td> -<td> -<p>Uses broadcast registration and resolution only.</p> -</td> -</tr> -<tr> -<td> -<p>p-node</p> -</td> -<td> -<p>Uses point-to-point registration and resolution only.</p> -</td> -</tr> -<tr> -<td> -<p>m-node (mixed)</p> -</td> -<td> -<p>Uses broadcast for registration. If successful, it notifies the NBNS -of the result. Uses broadcast for resolution; uses the NBNS if -broadcast is unsuccessful.</p> -</td> -</tr> -<tr> -<td> -<p>h-node (hybrid)</p> -</td> -<td> -<p>Uses the NBNS for registration and resolution; uses broadcast if the -NBNS is unresponsive or inoperative.</p> -</td> -</tr> - -</table> - -<p>In the case of Windows clients, you will usually find them listed as -h-nodes or hybrid nodes. 
The first three node types appear in RFC -1001/1002, and h-nodes were invented later by Microsoft, as a more -fault-tolerant method.</p> - -<p>You can find the node type of a Windows 95/98/Me computer by running -the <em class="emphasis">winipcfg</em><a name="INDEX-58"/><a name="INDEX-59"/> command from the Start -→ Run dialog (or from an MS-DOS prompt) and clicking -the More Info>> button. On Windows NT/2000/XP, you can use the -<tt class="literal">ipconfig</tt><a name="INDEX-60"/><a name="INDEX-61"/><a name="INDEX-62"/><a name="INDEX-63"/> -<tt class="literal">/all</tt> command in a command-prompt window. In either -case, search for the line that says <tt class="literal">Node Type</tt>.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-3.4"/> - -<h3 class="head2">What's in a Name?</h3> - -<p>The names <a name="INDEX-64"/><a name="INDEX-65"/>NetBIOS uses are quite different -from the DNS hostnames you might be familiar with. First, NetBIOS -names exist in a flat namespace. In other words, there are no -hierarchical levels, such as in <tt class="literal">oreilly.com</tt> (two -levels) or <em class="emphasis">ftp</em><em class="emphasis">.samba.org</em> (three -levels). NetBIOS names consist of a single unique string such as -<tt class="literal">navaho</tt> or <tt class="literal">hopi</tt> within each -workgroup or domain. Second, NetBIOS names are allowed to be only 15 -characters and can consist only of standard alphanumeric characters -(a-z, A-Z, 0-9) and the following:</p> - -<blockquote><pre class="code">! @ # $ % ^ & ( ) - ' { } . ~</pre></blockquote> - -<p>Although you are allowed to use a <a name="INDEX-66"/><a name="INDEX-67"/><a name="INDEX-68"/>period (.) in a NetBIOS name, we recommend -against it because those names are not guaranteed to work in future -versions of NBT.</p> - -<p>It's not a coincidence that all valid DNS names are -also valid NetBIOS names. 
In fact, the unqualified DNS name for a -Samba server is often reused as its NetBIOS name. For example, if you -had a system with a hostname of <tt class="literal">mixtec.ora.com</tt> , -its NetBIOS name would likely be MIXTEC (followed by 9 spaces).</p> - - -<div class="sect3"><a name="samba2-CHP-1-SECT-3.4.1"/> - -<h3 class="head3">Resource names and types</h3> - -<p><a name="INDEX-69"/><a name="INDEX-70"/>With NetBIOS, a computer not -only advertises its presence, but also tells others what types of -services it offers. For example, <tt class="literal">mixtec</tt> can -indicate that it's not just a workstation, but that -it's also a file server and can receive Windows -Messenger messages. This is done by adding a 16th byte to the end of -the machine (resource) name, called the <em class="firstterm">resource -type</em>, and registering the name multiple times, once for -each service that it offers. See <a href="ch01.html#samba2-CHP-1-FIG-10">Figure 1-10</a>.</p> - -<div class="figure"><a name="samba2-CHP-1-FIG-10"/><img src="figs/sam2_0110.gif"/></div><h4 class="head4">Figure 1-10. The structure of NetBIOS names</h4> - -<p>The 1-byte resource type indicates a unique service that the named -computer provides. In this book, you will often see the resource type -shown in angled brackets (<>) after the NetBIOS name, such as:</p> - -<blockquote><pre class="code">MIXTEC<00></pre></blockquote> - -<p>You can see which names are registered for a particular NBT computer -using the Windows command-line -<em class="emphasis">nbtstat</em><a name="INDEX-71"/> utility. -Because these services are unique (i.e., there cannot be more than -one registered), you will see them listed as type UNIQUE in the -output. 
For example, the following partial output describes the -<tt class="literal">toltec</tt> server:</p> - -<blockquote><pre class="code">C:\><tt class="userinput"><b>nbtstat -a toltec</b></tt> - - NetBIOS Remote Machine Name Table - Name Type Status ---------------------------------------------- -TOLTEC <00> UNIQUE Registered -TOLTEC <03> UNIQUE Registered -TOLTEC <20> UNIQUE Registered -...</pre></blockquote> - -<p>This says the server has registered the NetBIOS name -<tt class="literal">toltec</tt> as a machine (computer) name, as a -recipient of messages from the Windows Messenger service, and as a -file server. Some possible attributes a name can have are listed in -<a href="ch01.html#samba2-CHP-1-TABLE-2">Table 1-2</a>.</p> - -<a name="samba2-CHP-1-TABLE-2"/><h4 class="head4">Table 1-2. NetBIOS unique resource types</h4><table border="1"> - - - -<tr> -<th> -<p>Named resource</p> -</th> -<th> -<p>Hexadecimal byte value</p> -</th> -</tr> - - -<tr> -<td> -<p>Standard Workstation Service</p> -</td> -<td> -<p>00</p> -</td> -</tr> -<tr> -<td> -<p>Messenger Service</p> -</td> -<td> -<p>03</p> -</td> -</tr> -<tr> -<td> -<p>RAS Server Service</p> -</td> -<td> -<p>06</p> -</td> -</tr> -<tr> -<td> -<p>Domain Master Browser Service (associated with primary domain controller)</p> -</td> -<td> -<p>1B</p> -</td> -</tr> -<tr> -<td> -<p>Master Browser name</p> -</td> -<td> -<p>1D</p> -</td> -</tr> -<tr> -<td> -<p>NetDDE Service</p> -</td> -<td> -<p>1F</p> -</td> -</tr> -<tr> -<td> -<p>Fileserver (including printer server)</p> -</td> -<td> -<p>20</p> -</td> -</tr> -<tr> -<td> -<p>RAS Client Service</p> -</td> -<td> -<p>21</p> -</td> -</tr> -<tr> -<td> -<p>Network Monitor Agent</p> -</td> -<td> -<p>BE</p> -</td> -</tr> -<tr> -<td> -<p>Network Monitor Utility</p> -</td> -<td> -<p>BF</p> -</td> -</tr> - -</table> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-1-SECT-3.4.2"/> - -<h3 class="head3">Group names and types</h3> - -<p>SMB also uses the concept of groups, with 
which computers can -register themselves. Earlier we mentioned that the computers in our -example belonged to a -<em class="firstterm">workgroup</em><a name="INDEX-73"/>, -which is a partition of computers on the same network. For example, a -business might very easily have an ACCOUNTING and a SALES workgroup, -each with different servers and printers. In the Windows world, a -workgroup and an -<a name="INDEX-74"/>SMB -group are the same thing.</p> - -<p>Continuing our -<em class="emphasis">nbtstat</em><a name="INDEX-75"/> example, -the <tt class="literal">toltec</tt> Samba server is also a member of the -METRAN workgroup (the GROUP attribute hex 00) and will participate in -elections for the browse master (GROUP attribute 1E). Here is the -remainder of the <em class="emphasis">nbtstat</em> output:</p> - -<blockquote><pre class="code"> NetBIOS Remote Machine Name Table - Name Type Status ---------------------------------------------- -METRAN <00> GROUP Registered -METRAN <1E> GROUP Registered -..__MSBROWSE__.<01> GROUP Registered</pre></blockquote> - -<p>The possible group attributes a computer can have are illustrated in -<a href="ch01.html#samba2-CHP-1-TABLE-3">Table 1-3</a>. More -<a name="INDEX-76"/><a name="INDEX-77"/>information -is available in <em class="emphasis">Windows NT in a Nutshell</em> by Eric -<a name="INDEX-78"/>Pearce, also -published by O'Reilly.</p> - -<a name="samba2-CHP-1-TABLE-3"/><h4 class="head4">Table 1-3. 
NetBIOS group resource types</h4><table border="1"> - - - -<tr> -<th> -<p>Named resource</p> -</th> -<th> -<p>Hexadecimal byte value</p> -</th> -</tr> - - -<tr> -<td> -<p>Standard Workstation group</p> -</td> -<td> -<p>00</p> -</td> -</tr> -<tr> -<td> -<p>Logon server</p> -</td> -<td> -<p>1C</p> -</td> -</tr> -<tr> -<td> -<p>Master Browser name</p> -</td> -<td> -<p>1D</p> -</td> -</tr> -<tr> -<td> -<p>Normal Group name (used in browser elections)</p> -</td> -<td> -<p>1E</p> -</td> -</tr> -<tr> -<td> -<p>Internet Group name (administrative)</p> -</td> -<td> -<p>20</p> -</td> -</tr> -<tr> -<td> -<p><tt class="literal"><01><02>_ _MSBROWSE_ _<02></tt></p> -</td> -<td> -<p>01</p> -</td> -</tr> - -</table> - -<p>The final entry, <tt class="literal">_ _ MSBROWSE _ _</tt> -<a name="INDEX-80"/>, is used to announce a group to other -master browsers. The nonprinting characters in the name show up as -dots in an <em class="emphasis">nbtstat</em> printout. -Don't worry if you don't understand -all of the resource or group types. Some of them you will not need -with Samba, and others you will pick up as you move through the rest -of the chapter. The important thing to remember here is the logistics -of the naming mechanism.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-1-SECT-3.4.3"/> - -<h3 class="head3">Scope ID</h3> - -<p>In the dark ages of SMB networking before NetBIOS groups were -introduced, you could use a very primitive method to isolate groups -of computers from the rest of the network. Each SMB packet contains a -field called the <em class="firstterm">scope -ID</em><a name="INDEX-81"/><a name="INDEX-82"/>, with the idea being that -systems on the network could be configured to accept only packets -with a scope ID matching that of their configuration. This feature -was hardly ever used and unfortunately lingers in modern -implementations. Some of the utilities included in the Samba -distribution allow the scope ID to be set. 
Setting the scope ID in a -network is likely to cause problems, and we are mentioning scope ID -only so that you will not be confused by it when you later encounter -it in various places.</p> - - -</div> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-3.5"/> - -<h3 class="head2">Datagrams and Sessions</h3> - -<p>At this point, let's digress to discuss the -responsibility of NBT: to provide connection services between two -NetBIOS computers. -<a name="INDEX-83"/>NBT -offers two services: the <em class="firstterm">session -service</em><a name="INDEX-84"/> and the -<em class="firstterm">datagram service</em><a name="INDEX-85"/>. -Understanding how these two services work is not essential to using -Samba, but it does give you an idea of how NBT works and how to -troubleshoot Samba when it doesn't work.</p> - -<p>The datagram service has no stable connection between computers. -Packets of data are simply sent or broadcast from one computer to -another, without regard to the order in which they arrive at the -destination, or even if they arrive at all. The use of datagrams -requires less processing overhead than sessions, although the -reliability of the connection can suffer. Datagrams, therefore, are -used for quickly sending nonvital blocks of data to one or more -computers. The datagram service communicates using the simple -primitives shown in <a href="ch01.html#samba2-CHP-1-TABLE-4">Table 1-4</a>.</p> - -<a name="samba2-CHP-1-TABLE-4"/><h4 class="head4">Table 1-4. 
Datagram primitives</h4><table border="1"> - - - -<tr> -<th> -<p>Primitive</p> -</th> -<th> -<p>Description</p> -</th> -</tr> - - -<tr> -<td> -<p>Send Datagram</p> -</td> -<td> -<p>Send datagram packet to computer or groups of computers.</p> -</td> -</tr> -<tr> -<td> -<p>Send Broadcast Datagram</p> -</td> -<td> -<p>Broadcast datagram to any computer waiting with a Receive Broadcast -datagram.</p> -</td> -</tr> -<tr> -<td> -<p>Receive Datagram</p> -</td> -<td> -<p>Receive a datagram from a computer.</p> -</td> -</tr> -<tr> -<td> -<p>Receive Broadcast Datagram</p> -</td> -<td> -<p>Wait for a Broadcast datagram.</p> -</td> -</tr> - -</table> - -<p>The session service is more complex. Sessions are a communication -method that, in theory, offers the ability to detect problematic or -inoperable connections between two NetBIOS applications. It helps to -think of an NBT session as being similar to a telephone call, an -analogy that obviously influenced the design of the CIFS standard.</p> - -<p>Once the connection is made, it remains open throughout the duration -of the conversation, each side knows who the caller and the called -computer are, and each can communicate with the simple primitives -shown in <a href="ch01.html#samba2-CHP-1-TABLE-5">Table 1-5</a>.</p> - -<a name="samba2-CHP-1-TABLE-5"/><h4 class="head4">Table 1-5. 
Session primitives</h4><table border="1"> - - - -<tr> -<th> -<p>Primitive</p> -</th> -<th> -<p>Description</p> -</th> -</tr> - - -<tr> -<td> -<p>Call</p> -</td> -<td> -<p>Initiate a session with a computer listening under a specified name.</p> -</td> -</tr> -<tr> -<td> -<p>Listen</p> -</td> -<td> -<p>Wait for a call from a known caller or any caller.</p> -</td> -</tr> -<tr> -<td> -<p>Hang-up</p> -</td> -<td> -<p>Exit a call.</p> -</td> -</tr> -<tr> -<td> -<p>Send</p> -</td> -<td> -<p>Send data to the other computer.</p> -</td> -</tr> -<tr> -<td> -<p>Receive</p> -</td> -<td> -<p>Receive data from the other computer.</p> -</td> -</tr> -<tr> -<td> -<p>Session Status</p> -</td> -<td> -<p>Get information on requested sessions.</p> -</td> -</tr> - -</table> - -<p>Sessions are the backbone of resource sharing on an NBT network. They -are typically used for establishing stable connections from client -computers to disk or printer shares on a server. The client -"calls" the server and starts -trading information such as which files it wishes to open, which data -it wishes to exchange, etc. These calls can last a long -time—hours, even days—and all of this occurs within the -context of a single connection. If there is an error, the session -software (TCP) will retransmit until the data is received properly, -unlike the "punt-and-pray" approach -of the datagram service (UDP).</p> - -<p>In truth, while sessions are supposed to handle problematic -communications, they sometimes don't. If the -connection is interrupted, session information that is open between -the two computers might become invalid. If that happens, the only way -to regain the session information is for the same two computers to -call each other again and start over.</p> - -<p>If you want more information on each service, we recommend you look -at RFC 1001. However, there are two important things to remember -here:</p> - -<ul><li> -<p><a name="INDEX-88"/>Sessions always -occur between two NetBIOS computers. 
If a session service is -interrupted, the client is supposed to store sufficient state -information for it to reestablish the connection. However, in -practice, this often does not happen.</p> -</li><li> -<p><a name="INDEX-89"/>Datagrams can -be broadcast to multiple computers, but they are unreliable. In other -words, there is no way for the source to know that the datagrams it -sent have indeed arrived at their destinations. <a name="INDEX-90"/></p> -</li></ul> - -</div> - - -</div> - - - -<div class="sect1"><a name="samba2-CHP-1-SECT-4"/> - -<h2 class="head1">An Introduction to the SMB Protocol</h2> - -<p><a name="INDEX-91"/>Now -we're going to cover some low-level technical -details and explore the elementals of the SMB protocol. You probably -don't need to know much about this to implement a -simple Samba network, and therefore you might want to skip or skim -over this section and go on to the next one -("Windows Workgroups and Domains") -on your first reading. However, assuming you are going to be -responsible for long-term maintenance of a Samba network, it will -help if you understand how it actually works. You will more easily be -able to diagnose and correct any odd problems that pop up.</p> - -<p>At a high level, the SMB protocol suite is relatively simple. It -includes commands for all the file and print operations that you -might perform on a local disk or printer, such as:</p> - -<ul><li> -<p>Opening and closing files</p> -</li><li> -<p>Creating and deleting files and directories</p> -</li><li> -<p>Reading and writing files</p> -</li><li> -<p>Searching for files</p> -</li><li> -<p>Queueing and dequeueing files in a print spool</p> -</li></ul> -<p>Each operation can be encoded into an SMB message and transmitted to -and from a server. 
The original name -"SMB" comes from the way in which -the commands are formatted: they are versions of the standard DOS -system-call data structures, or <em class="firstterm">Server Message -Blocks</em>, redesigned for transmitting to another computer -across a network.</p> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-4.1"/> - -<h3 class="head2">SMB Format</h3> - -<p>Richard <a name="INDEX-92"/>Sharpe of the Samba team defines SMB as -a <em class="firstterm">request-response</em> protocol.<a name="FNPTR-4"/><a href="#FOOTNOTE-4">[4]</a> In effect, -this means that a client sends an SMB request to a server and the -server sends an SMB response back to the client. In only one rare -circumstance does a server send a message that is not in response to -a client.</p> - -<p>An <a name="INDEX-94"/>SMB message is not as complex as you -might think. Let's take a closer look at the -internal structure of such a message. It can be broken down into two -parts: the <em class="firstterm">header</em>, which is a fixed size, and -the <em class="firstterm">command string</em>, whose size can vary -dramatically based on the contents of the message.</p> - - -<div class="sect3"><a name="samba2-CHP-1-SECT-4.1.1"/> - -<h3 class="head3">SMB header format</h3> - -<p><a href="ch01.html#samba2-CHP-1-TABLE-6">Table 1-6</a> shows the format of an -<a name="INDEX-95"/>SMB header. The COM field identifies -the command being performed. SMB commands are not required to use all -the fields in the SMB header. For example, when a client first -attempts to connect to a server, it does not yet have a tree -identifier (TID) value—one is assigned after it successfully -connects—so a null TID is placed in its header field. Other -fields can be padded with zeros when not used.</p> - -<p>The <a name="INDEX-96"/>SMB header fields are listed in <a href="ch01.html#samba2-CHP-1-TABLE-6">Table 1-6</a>.</p> - -<a name="samba2-CHP-1-TABLE-6"/><h4 class="head4">Table 1-6. 
SMB header fields</h4><table border="1"> - - - - -<tr> -<th> -<p>Field</p> -</th> -<th> -<p>Size (bytes)</p> -</th> -<th> -<p>Description</p> -</th> -</tr> - - -<tr> -<td> -<p><tt class="literal">0xFF 'SMB</tt>'</p> -</td> -<td> -<p><tt class="literal">1</tt></p> -</td> -<td> -<p>Protocol identifier</p> -</td> -</tr> -<tr> -<td> -<p><tt class="literal">COM</tt></p> -</td> -<td> -<p><tt class="literal">1</tt></p> -</td> -<td> -<p>Command code, from 0x00 to 0xFF</p> -</td> -</tr> -<tr> -<td> -<p><tt class="literal">RCLS</tt></p> -</td> -<td> -<p><tt class="literal">1</tt></p> -</td> -<td> -<p>Error class</p> -</td> -</tr> -<tr> -<td> -<p><tt class="literal">REH</tt></p> -</td> -<td> -<p><tt class="literal">1</tt></p> -</td> -<td> -<p>Reserved</p> -</td> -</tr> -<tr> -<td> -<p><tt class="literal">ERR</tt></p> -</td> -<td> -<p><tt class="literal">2</tt></p> -</td> -<td> -<p>Error code</p> -</td> -</tr> -<tr> -<td> -<p><tt class="literal">REB</tt></p> -</td> -<td> -<p><tt class="literal">1</tt></p> -</td> -<td> -<p>Reserved</p> -</td> -</tr> -<tr> -<td> -<p><tt class="literal">RES</tt></p> -</td> -<td> -<p><tt class="literal">14</tt></p> -</td> -<td> -<p>Reserved</p> -</td> -</tr> -<tr> -<td> -<p><tt class="literal">TID</tt></p> -</td> -<td> -<p><tt class="literal">2</tt></p> -</td> -<td> -<p>TID; a unique ID for a resource in use by the client</p> -</td> -</tr> -<tr> -<td> -<p><tt class="literal">PID</tt></p> -</td> -<td> -<p><tt class="literal">2</tt></p> -</td> -<td> -<p>Caller process ID</p> -</td> -</tr> -<tr> -<td> -<p><tt class="literal">UID</tt></p> -</td> -<td> -<p><tt class="literal">2</tt></p> -</td> -<td> -<p>User identifier</p> -</td> -</tr> -<tr> -<td> -<p><tt class="literal">MID</tt></p> -</td> -<td> -<p><tt class="literal">2</tt></p> -</td> -<td> -<p>Multiplex identifier; used to route requests inside a process</p> -</td> -</tr> - -</table> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-1-SECT-4.1.2"/> - -<h3 class="head3">SMB command 
format</h3> - -<p>Immediately after the header is a variable number of bytes that -constitute an <a name="INDEX-97"/>SMB command or reply. Each command, -such as Open File (COM field identifier: <tt class="literal">SMBopen</tt>) -or Get Print Queue (<tt class="literal">SMBsplretq</tt> ), has its own set -of parameters and data. Like the SMB header fields, not all of the -command fields need to be filled, depending on the specific command. -For example, the Get Server Attributes -(<tt class="literal">SMBdskattr</tt>) command sets the WCT and BCC fields -to zero. The fields of the command segment are shown in <a href="ch01.html#samba2-CHP-1-TABLE-7">Table 1-7</a>.</p> - -<a name="samba2-CHP-1-TABLE-7"/><h4 class="head4">Table 1-7. SMB command contents</h4><table border="1"> - - - - -<tr> -<th> -<p>Field</p> -</th> -<th> -<p>Size (bytes)</p> -</th> -<th> -<p>Description</p> -</th> -</tr> - - -<tr> -<td> -<p><tt class="literal">WCT</tt></p> -</td> -<td> -<p><tt class="literal">1</tt></p> -</td> -<td> -<p>Word count</p> -</td> -</tr> -<tr> -<td> -<p><tt class="literal">VWV</tt></p> -</td> -<td> -<p>Variable</p> -</td> -<td> -<p>Parameter words (size given by WCT)</p> -</td> -</tr> -<tr> -<td> -<p><tt class="literal">BCC</tt></p> -</td> -<td> -<p><tt class="literal">2</tt></p> -</td> -<td> -<p>Parameter byte count</p> -</td> -</tr> -<tr> -<td> -<p><tt class="literal">DATA</tt></p> -</td> -<td> -<p>Variable</p> -</td> -<td> -<p>Data (size given by BCC)</p> -</td> -</tr> - -</table> - -<p>Don't worry if you don't understand -each field; they are not necessary for using Samba at an -administrator level. However, they do come in handy when debugging -system messages. We will show you some of the more common SMB -messages that clients and servers send using a modified version of -<em class="filename">tcpdump</em> later in this section. 
(If you prefer an -<a name="INDEX-98"/><a name="INDEX-99"/>SMB sniffer with a graphical -interface, try Ethereal, which uses the GTK libraries; see -<a href="http://www.ethereal.com">http://www.ethereal.com</a> for more -information on this tool.)</p> - -<a name="samba2-CHP-1-NOTE-84"/><blockquote class="note"><h4 class="objtitle">TIP</h4> -<p>For more information on each command in the -<a name="INDEX-100"/>SMB protocol, see the -<em class="citetitle">CIFS Technical -Reference</em><a name="INDEX-101"/> at <a href="http://www.snia.org/tech_activities/CIFS">http://www.snia.org/tech_activities/CIFS</a>.</p> -</blockquote> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-1-SECT-4.1.3"/> - -<h3 class="head3">SMB variations</h3> - -<p>The SMB protocol has been extended with new commands several times -since its inception. Each new version is backward-compatible with the -previous versions, so it is possible for a LAN to have clients and -servers concurrently running different versions of the SMB protocol.</p> - -<p><a href="ch01.html#samba2-CHP-1-TABLE-8">Table 1-8</a> outlines the major versions of the -<a name="INDEX-102"/>SMB -protocol. Within each "dialect" of -SMB are many sub-versions that include commands supporting particular -releases of major operating systems. The ID string in column 2 is -used by clients and servers to determine in which level of the -protocol they will speak to each other.</p> - -<a name="samba2-CHP-1-TABLE-8"/><h4 class="head4">Table 1-8. 
SMB protocol dialects</h4><table border="1"> - - - - -<tr> -<th> -<p>Protocol name</p> -</th> -<th> -<p>ID string</p> -</th> -<th> -<p>Used by</p> -</th> -</tr> - - -<tr> -<td> -<p>Core</p> -</td> -<td> -<p><tt class="literal">PC NETWORK PROGRAM 1.0</tt></p> -</td> -<td> -</td> -</tr> -<tr> -<td> -<p><a name="INDEX-103"/>Core Plus</p> -</td> -<td> -<p><tt class="literal">MICROSOFT NETWORKS 1.03</tt></p> -</td> -<td> -</td> -</tr> -<tr> -<td> -<p><a name="INDEX-104"/>LAN Manager 1.0</p> -</td> -<td> -<p><tt class="literal">LANMAN1.0</tt></p> -</td> -<td> -</td> -</tr> -<tr> -<td> -<p>LAN Manager 2.0</p> -</td> -<td> -<p><tt class="literal">LM1.2X002</tt></p> -</td> -<td> -</td> -</tr> -<tr> -<td> -<p>LAN Manager 2.1</p> -</td> -<td> -<p><tt class="literal">LANMAN2.1</tt></p> -</td> -<td> -</td> -</tr> -<tr> -<td> -<p><a name="INDEX-105"/>NT LAN -Manager 1.0</p> -</td> -<td> -<p><tt class="literal">NT LM 0.12</tt></p> -</td> -<td> -<p>Windows NT 4.0</p> -</td> -</tr> -<tr> -<td> -<p><a name="INDEX-106"/>Samba's NT LM 0.12</p> -</td> -<td> -<p><tt class="literal">Samba</tt></p> -</td> -<td> -<p>Samba</p> -</td> -</tr> -<tr> -<td> -<p><a name="INDEX-107"/><a name="INDEX-108"/>Common -Internet File System</p> -</td> -<td> -<p><tt class="literal">CIFS 1.0</tt></p> -</td> -<td> -<p>Windows 2000/XP</p> -</td> -</tr> - -</table> - -<p>Samba implements the NT LM 0.12 specification for NT LAN Manager 1.0. -It is backward-compatible with all the other SMB variants. The CIFS -specification is, in reality, LAN Manager 0.12 with a few specific -additions.</p> - - -</div> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-4.2"/> - -<h3 class="head2">SMB Clients and Servers</h3> - -<p><a name="INDEX-109"/><a name="INDEX-110"/>As -mentioned earlier, SMB is a client/server protocol. In the purest -sense, this means that a client sends a request to a server, which -acts on the request and returns a reply. 
However, the client/server -roles can often be reversed, sometimes within the context of a single -SMB session. For example, consider the two Windows 95/98/Me computers -in <a href="ch01.html#samba2-CHP-1-FIG-11">Figure 1-11</a>. The computer named -<tt class="literal">maya</tt> shares a printer to the network, and the -computer named <tt class="literal">toltec</tt> shares a disk directory. -<tt class="literal">maya</tt> is in the client role when accessing -<tt class="literal">toltec</tt>'s network drive and in the -server role when printing a job for <tt class="literal">toltec</tt>.</p> - -<div class="figure"><a name="samba2-CHP-1-FIG-11"/><img src="figs/sam2_0111.gif"/></div><h4 class="head4">Figure 1-11. Two computers that both have resources to share</h4> - -<p>This brings out an important point in Samba terminology:</p> - -<ul><li> -<p>A <em class="firstterm">server</em> is a computer with a resource to -share.</p> -</li><li> -<p>A <em class="firstterm">client</em> is a computer that wishes to use that -resource.</p> -</li><li> -<p>A computer can be a client, a server, or both, or it can be neither -at any given time.</p> -</li></ul> -<p>Microsoft Windows products have both the SMB client and server built -into the operating system, and it is common to find Windows acting as -a server, client, both, or neither at any given time in a production -network. Although Samba has been developed primarily to function as a -server, there are also ways that it and associated software can act -as an SMB client. As with Windows, it is even possible to set up a -Unix system to act as an SMB client and not as a server. 
See <a href="ch05.html">Chapter 5</a> for more details on this topic.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-4.3"/> - -<h3 class="head2">A Simple SMB Connection</h3> - -<p><a name="INDEX-111"/>The client and server must complete -three steps to establish a connection to a resource:</p> - -<ol><li> -<p>Establish a NetBIOS session.</p> -</li><li> -<p>Negotiate the protocol variant.</p> -</li><li> -<p>Set session parameters, and make a tree connection to a resource.</p> -</li></ol> -<p>We will examine each step through the eyes of a useful tool that we -mentioned earlier: the modified -<em class="filename">tcpdump</em><a name="INDEX-112"/> that is -available from the Samba web site.</p> - -<a name="samba2-CHP-1-NOTE-85"/><blockquote class="note"><h4 class="objtitle">TIP</h4> -<p>You can download the tcpdump program at <a href="http://www.samba.org">http://www.samba.org</a> in the -<em class="filename">samba/ftp/tcpdump-smb</em> directory; the latest -version as of this writing is 3.4-10. Use this program as you would -use the standard <em class="filename">tcpdump</em> application, but add -the <tt class="literal">-s 1500</tt> switch to ensure that you get the -whole packet and not just the first few bytes.</p> -</blockquote> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-4.4"/> - -<h3 class="head2">Establishing a NetBIOS Session</h3> - -<p><a name="INDEX-113"/>When a user first makes a request -to access a network disk or send a print job to a remote printer, -NetBIOS takes care of making a connection at the session layer. The -result is a bidirectional channel between the client and server. The -client and server need only two messages to establish this -connection. 
This is shown in the following example session request -and response, as captured by <em class="filename">tcpdump</em> .</p> - -<p>First, the client sends a request to open a session, and -<em class="filename">tcpdump </em><a name="INDEX-114"/>reports:</p> - -<blockquote><pre class="code">>>> NBT Packet -NBT Session Request -Flags=0x81000044 -Destination=TOLTEC NameType=0x20 (Server) -Source=MAYA NameType=0x00 (Workstation)</pre></blockquote> - -<p>Then the server responds, granting a session to the client:</p> - -<blockquote><pre class="code">>>> NBT Packet -NBT Session Granted -Flags=0x82000000</pre></blockquote> - -<p>At this point, there is an open channel between the client and server.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-4.5"/> - -<h3 class="head2">Negotiating the Protocol Variant</h3> - -<p>Next, the client sends a message to the server to negotiate an -<a name="INDEX-115"/>SMB protocol. As mentioned -earlier, the client sets its <a name="INDEX-116"/>tree identifier (TID) field to -zero, because it does not yet know what TID to use. A <em class="emphasis">tree -identifier</em> is a number that represents a connection to a -share on a server.</p> - -<p>The command in the message is <tt class="literal">SMBnegprot</tt>, a -request to negotiate a protocol variant that will be used for the -entire session. 
Note that the client sends to the server a list of -all the variants that it can speak, not vice versa:</p> - -<blockquote><pre class="code">>>> NBT Packet -NBT Session Packet -Flags=0x0 -Length=154 - -SMB PACKET: SMBnegprot (REQUEST) -SMB Command = 0x72 -Error class = 0x0 -Error code = 0 -Flags1 = 0x0 -Flags2 = 0x0 -Tree ID = 0 -Proc ID = 5315 -UID = 0 -MID = 257 -Word Count = 0 -Dialect=PC NETWORK PROGRAM 1.0 -Dialect=MICROSOFT NETWORKS 3.0 -Dialect=DOS LM1.2X002 -Dialect=DOS LANMAN2.1 -Dialect=Windows for Workgroups 3.1a -Dialect=NT LM 0.12</pre></blockquote> - -<p>The server responds to the -<tt class="literal">SMBnegprot</tt><a name="INDEX-117"/> request with an index (with counting -starting at 0) into the list of variants that the client offered, or -with the value 0xFF if none of the protocol variants is acceptable:</p> - -<blockquote><pre class="code">>>> NBT Packet -NBT Session Packet -Flags=0x0 -Length=84 - -SMB PACKET: SMBnegprot (REPLY) -SMB Command = 0x72 -Error class = 0x0 -Error code = 0 -Flags1 = 0x80 -Flags2 = 0x1 -Tree ID = 0 -Proc ID = 5315 -UID = 0 -MID = 257 -Word Count = 17 -NT1 Protocol -DialectIndex=5 -[...]</pre></blockquote> - -<p>In this example, the server responds with the value 5, which -indicates that the <tt class="literal">NT</tt> <tt class="literal">LM</tt> -<tt class="literal">0.12</tt> dialect will be used for the remainder of the -session.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-4.6"/> - -<h3 class="head2">Set Session and Login Parameters</h3> - -<p><a name="INDEX-118"/><a name="INDEX-119"/>The next step is to transmit session and -login parameters for the session, which you do using the -<a name="INDEX-120"/><tt class="literal">SMBSesssetupX</tt> -command. 
The parameters include the following:</p> - -<ul><li> -<p>The account name and password (if there is one)</p> -</li><li> -<p>The workgroup name</p> -</li><li> -<p>The maximum size of data that can be transferred</p> -</li><li> -<p>The number of pending requests that can be in the queue at a time</p> -</li></ul> -<p>The resulting output from <em class="filename">tcpdump </em>is:</p> - -<blockquote><pre class="code">>>> NBT Packet -NBT Session Packet -Flags=0x0 -Length=150 - -SMB PACKET: SMBsesssetupX (REQUEST) -SMB Command = 0x73 -Error class = 0x0 -Error code = 0 -Flags1 = 0x10 -Flags2 = 0x0 -Tree ID = 0 -Proc ID = 5315 -UID = 1 -MID = 257 -Word Count = 13 -Com2=0x75 -Res1=0x0 -Off2=120 -MaxBuffer=2920 -MaxMpx=50 -VcNumber=0 -SessionKey=0x1380 -CaseInsensitivePasswordLength=24 -CaseSensitivePasswordLength=0 -Res=0x0 -Capabilities=0x1 -Pass1&Pass2&Account&Domain&OS&LanMan= - JAY METRAN Windows 4.0 Windows 4.0 - -SMB PACKET: SMBtconX (REQUEST) (CHAINED) -smbvwv[]= -Com2=0xFF -Off2=0 -Flags=0x2 -PassLen=1 -Passwd&Path&Device= -smb_bcc=23 -smb_buf[]=\\TOLTEC\SPIRIT</pre></blockquote> - -<p>In this example, the <tt class="literal">SMBsesssetupX</tt> Session Setup -command allows for an additional SMB command to be piggybacked onto -it (indicated by the letter X at the end of the command name). The -hexadecimal code of the second command is given in the -<tt class="literal">Com2</tt> field. In this case the command is -<tt class="literal">0x75</tt>, which is the <tt class="literal">SMBtconX</tt> -<tt class="literal">(</tt>Tree Connect and X) command. The -<tt class="literal">SMBtconX</tt><a name="INDEX-121"/> message looks for the name of the -resource in the <em class="emphasis">smb_buf</em> buffer. In this example, -<em class="emphasis">smb_buf</em> contains the string -<tt class="literal">\\TOLTEC\SPIRIT</tt>, which is the full pathname to a -shared directory on <tt class="literal">toltec</tt>. 
Using the -"and X" commands like this speeds -up each transaction because the server doesn't have -to wait on the client to make a second request.</p> - -<p>Note that the TID is still zero. Finally, the server returns a TID to -the client, indicating that the user has been authorized access and -that the resource is ready to be used:</p> - -<blockquote><pre class="code">>>> NBT Packet -NBT Session Packet -Flags=0x0 -Length=85 - -SMB PACKET: SMBsesssetupX (REPLY) -SMB Command = 0x73 -Error class = 0x0 -Error code = 0 -Flags1 = 0x80 -Flags2 = 0x1 -Tree ID = 1 -Proc ID = 5315 -UID = 100 -MID = 257 -Word Count = 3 -Com2=0x75 -Off2=68 -Action=0x1 -[000] Unix Samba 2.2.6 -[010] METRAN - -SMB PACKET: SMBtconX (REPLY) (CHAINED) -smbvwv[]= -Com2=0xFF -Off2=0 -smbbuf[]= -ServiceType=A:</pre></blockquote> - -<p>The <em class="emphasis">ServiceType</em> field is set to -"A" to indicate that this is a file -service. Available service types are:</p> - -<ul><li> -<p>"A" for a disk or file</p> -</li><li> -<p>"LPT1" for a spooled output</p> -</li><li> -<p>"COMM" for a direct-connect printer -or modem</p> -</li><li> -<p>"IPC" for a named pipe</p> -</li></ul> -<p>Now that a TID has been assigned, the client can use it as a handle -to perform any operation that it would use on a local disk drive. It -can open files, read and write to them, delete them, create new -files, search for filenames, and so on. <a name="INDEX-122"/></p> - - -</div> - - -</div> - - - -<div class="sect1"><a name="samba2-CHP-1-SECT-5"/> - -<h2 class="head1">Windows Workgroups and Domains</h2> - -<p>Up to now, we've covered basic SMB technology, which -is all you would need if you had nothing more advanced than MS-DOS -clients on your network. 
We do assume you want to support Windows -clients, especially the more recent versions, so next -we'll describe the enhancements Microsoft has added -to SMB networking—namely, Windows for Workgroups and Windows -domains.</p> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-5.1"/> - -<h3 class="head2">Windows Workgroups</h3> - -<p><a name="INDEX-123"/><a name="INDEX-124"/>Windows -Workgroups are very similar to the SMB groups already described. You -need to know just a few additional things.</p> - - -<div class="sect3"><a name="samba2-CHP-1-SECT-5.1.1"/> - -<h3 class="head3">Browsing</h3> - -<p><a name="INDEX-125"/>Browsing -is the process of finding the other computers and shared resources in -the Windows network. Note that there is no connection with a World -Wide Web browser, apart from the general idea of -"discovering what's -there." On the other hand, browsing the Windows -network is like the Web in that what's out there can -change without warning.</p> - -<p>Before browsing existed, users had to know the name of the computer -they wanted to connect to on the network and then manually enter a -UNC such as the following into an application or file manager to -access resources:</p> - -<blockquote><pre class="code">\\toltec\spirit\</pre></blockquote> - -<p>Browsing is much more convenient, making it possible to examine the -contents of a network by using the point-and-click GUI interface of -the Network Neighborhood (or My Network Places<a name="FNPTR-5"/><a href="#FOOTNOTE-5">[5]</a>) on a Windows client.</p> - -<p>You will encounter two types of browsing in an SMB network:</p> - -<ul><li> -<p><a name="INDEX-129"/>Browsing a list -of computers and shared resources</p> -</li><li> -<p><a name="INDEX-130"/>Browsing the shared resource -of a specific computer</p> -</li></ul> -<p>Let's look at the first one. 
On each LAN (or subnet) -with a Windows workgroup or domain, one computer has the -responsibility of maintaining a list of the computers that are -currently accessible through the network. This computer is called the -<em class="firstterm">local master -browser</em><a name="INDEX-131"/><a name="INDEX-132"/>, and the list that it maintains is -called the <em class="firstterm">browse -list</em><a name="INDEX-133"/>. Computers on a subnet use the browse -list to cut down on the amount of network traffic generated while -browsing. Instead of each computer dynamically polling to determine a -list of the currently available computers, the computer can simply -query the local master browser to obtain a complete, up-to-date list.</p> - -<p>To browse the resources on a computer, a user must connect to the -specific computer; this information cannot be obtained from the -browse list. Browsing the list of resources on a computer can be done -by double-clicking the computer's icon when it is -presented in the Network Neighborhood. As you saw at the opening of -the chapter, the computer will respond with a list of shared -resources that can be accessed after the user is successfully -authenticated.</p> - -<p>Each server on a Windows workgroup is required to announce its -presence to the local master browser after it has registered a -NetBIOS name, and (theoretically) announce that it is leaving the -workgroup when it is shut down. It is the local master -browser's responsibility to record what the servers -have announced.</p> -<a name="samba2-CHP-1-NOTE-86"/><blockquote class="note"><h4 class="objtitle">WARNING</h4> -<p>The Windows <a name="INDEX-134"/>Network Neighborhood can behave -oddly: until you select a particular computer to browse, the Network -Neighborhood window might contain data that is not up-to-date. That -means the Network Neighborhood window can be showing computers that -have crashed or can be missing computers that -haven't been noticed yet. 
Put succinctly, once -you've selected a server and connected to it, you -can be a lot more confident that the shares and printers really exist -on the network.</p> -</blockquote> - -<p>Unlike the roles you've seen earlier, almost any -Windows system (including Windows for Workgroups and Windows 95/98/Me -or NT/2000/XP) can act as a local master browser. The local master -browser can have one or more -<em class="firstterm"/><a name="INDEX-135"/><a name="INDEX-136"/>backup -browsers</em> on the local subnet -that will take over in the event that the local master browser fails -or becomes inaccessible. To ensure fluid operation, the local backup -browsers will frequently synchronize their browse list with the local -master browser.</p> - -<p>Here is how to calculate the minimum number of backup browsers that -will be allocated on a workgroup:</p> - -<ul><li> -<p>If up to 32 Windows NT/2000/XP workstations are on the network, or up -to 16 Windows 95/98/Me computers are on the network, the local master -browser allocates one backup browser in addition to the local master -browser.</p> -</li><li> -<p>If the number of Windows NT/2000/XP workstations falls between 33 and -64, or the number of Windows 95/98/Me workstations falls between 17 -and 32, the local master browser allocates two backup browsers.</p> -</li><li> -<p>For each group of 32 NT/2000/XP workstations or 16 Windows 95/98/Me -computers beyond this, the local master browser allocates another -backup browser.</p> -</li></ul> -<p>There is currently no upper limit on the number of backup browsers -that can be allocated by the local master browser.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-1-SECT-5.1.2"/> - -<h3 class="head3">Browsing elections</h3> - -<p><a name="INDEX-137"/>Browsing -is a critical aspect of any Windows workgroup. However, not -everything runs perfectly on any network. 
For example, -let's say that a computer running Windows on the -desk of a small company's CEO is the local master -browser—that is, until he switches it off while plugging in his -massage chair. At this point the Windows NT Workstation in the spare -parts department might agree to take over the job. However, that -computer is currently running a large, poorly written program that -has brought its processor to its knees. The moral: browsing has to be -very tolerant of servers coming and going. Because nearly every -Windows system can serve as a browser, there has to be a way of -deciding at any time who will take on the job. This decision-making -process is called an <em class="firstterm">election</em>.</p> - -<p>An election algorithm is built into nearly all Windows operating -systems such that they can each agree who is going to be a local -master browser and who will be local backup browsers. An election can -be forced at any time. For example, let's assume -that the CEO has finished his massage and reboots his server. As the -server comes online, it will announce its presence, and an election -will take place to see if the PC in the spare parts department should -still be the master browser.</p> - -<p>When an election is performed, each computer broadcasts information -about itself via datagrams. This information includes the following:</p> - -<ul><li> -<p>The version of the election protocol used</p> -</li><li> -<p>The operating system on the computer</p> -</li><li> -<p>The amount of time the client has been on the network</p> -</li><li> -<p>The hostname of the client</p> -</li></ul> -<p>These values determine which operating system has seniority and will -fulfill the role of the local master browser. (<a href="ch07.html">Chapter 7</a> describes the election process in more -detail.) The architecture developed to achieve this is not elegant -and has built-in security problems. 
While a browsing domain can be -integrated with domain security, the election algorithm does not take -into consideration which computers become browsers. Thus it is -possible for any computer running a browser service to register -itself as participating in the browsing election and (after winning) -being able to change the browse list. Nevertheless, browsing is a key -feature of Windows networking, and backward-compatibility -requirements will ensure that it is in use for years to come. -<a name="INDEX-138"/></p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-1-SECT-5.1.3"/> - -<h3 class="head3">Windows 95/98/Me authentication</h3> - -<p>Three types of passwords arise when -<a name="INDEX-139"/><a name="INDEX-140"/>Windows -95/98/Me is operating in a Windows workgroup:</p> - -<ul><li> -<p>A Windows password</p> -</li><li> -<p>A Windows Networking password</p> -</li><li> -<p>A password for each shared resource that has been assigned password -protection</p> -</li></ul> -<p>The Windows <a name="INDEX-141"/>password functions in a manner -that might be a source of confusion for Unix system administrators. -It is not there to prevent unauthorized users from using the -computer. (If you don't believe that, try clicking -the Cancel button on the password dialog box and see what happens!) -Instead, the Windows password is used to gain access to a file that -contains the Windows Networking and network resource passwords. There -is one such file per registered user of the system, and they can be -found in the <em class="filename">C:\Windows</em> directory with a name -composed of the user's account name, followed by a -<em class="filename">.pwl</em><a name="INDEX-142"/><a name="INDEX-143"/><a name="INDEX-144"/> extension. For example, if the -user's account name is -"sarah," the file will be -<em class="filename">C:\Windows\sarah.pwl</em>. 
This file is encrypted -using the Windows password as the encryption key.</p> - -<a name="samba2-CHP-1-NOTE-87"/><blockquote class="note"><h4 class="objtitle">TIP</h4> -<p>As a security measure, you might want to check for junk -<em class="filename">.pwl</em> files on Windows 95/98/Me clients, which -might have been created by mistakes users made while attempting to -log on. A <em class="filename">.pwl</em> file is easily cracked and can -contain valid passwords for Samba accounts and network shares.</p> -</blockquote> - -<p>The first time the network is accessed, Windows attempts to use the -Windows password as the Windows Networking password. If this is -successful, the user will not be prompted for two separate passwords, -and subsequent logins to the Windows system will automatically result -in logging on to the Windows network as well, making things much -simpler for the user.</p> - -<p>Shared network resources in the workgroup can also have passwords -assigned to them to limit their accessibility. The first time a user -attempts to access the resource, she is asked for its password, and a -checkbox in the password dialog box gives the user the option to add -the password to her password list. This is the default; if it is -accepted, Windows will store the password in the -user's <em class="filename">.pwl</em> file, and all -further authentication to the resource will be handled automatically -by Windows.</p> - -<p>Samba's approach to workgroup authentication is a -little different, which is a result of blending the Windows workgroup -model with that of the Unix host upon which Samba runs. This will be -discussed further in <a href="ch09.html">Chapter 9</a>. 
<a name="INDEX-145"/></p> - - -</div> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-5.2"/> - -<h3 class="head2">Windows NT Domains</h3> - -<p><a name="INDEX-146"/>The -peer-to-peer networking model of -<a name="INDEX-147"/>workgroups functions fairly well as long as -the number of computers on the network is small and there is a -close-knit community of users. However, in larger networks the -simplicity of workgroups becomes a limiting factor. Workgroups offer -only the most basic level of security, and because each resource can -have its own password, it is inconvenient (to say the least) for -users to remember the password for each resource in a large network. -Even if that were not a problem, many people find it frustrating to -have to interrupt their creative workflow to enter a shared password -into a dialog box every time another network resource is accessed.</p> - -<p>To support the needs of larger networks, such as those found in -departmental computing environments, Microsoft introduced domains -with Windows NT 3.51. A <em class="firstterm">Windows NT domain</em> is -essentially a workgroup of SMB computers that has one addition: a -server acting as a <em class="firstterm">domain -controller</em><a name="INDEX-148"/> (see <a href="ch01.html#samba2-CHP-1-FIG-12">Figure 1-12</a>).</p> - -<div class="figure"><a name="samba2-CHP-1-FIG-12"/><img src="figs/sam2_0112.gif"/></div><h4 class="head4">Figure 1-12. A simple Windows domain</h4> - - -<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.1"/> - -<h3 class="head3">Domain controllers</h3> - -<p>A domain controller in a Windows NT domain functions much like a -<a name="INDEX-149"/><a name="INDEX-150"/>Network -Information Service (NIS) server in a Unix network, maintaining a -domain-wide database of user and group information, as well as -performing related services. 
The responsibilities of a domain -controller are mainly centered around security, including -<em class="firstterm">authentication</em><a name="INDEX-151"/>, -the process of granting or denying a user access to the resources of -the domain. This is typically done through the use of a username and -password. The service that maintains the database on the domain -controllers is called the <a name="INDEX-152"/><a name="INDEX-153"/>Security Account Manager (SAM).</p> - -<p>The <a name="INDEX-154"/>Windows NT security model revolves -around <em class="firstterm">security -identifiers</em><a name="INDEX-155"/><a name="INDEX-156"/> (SIDs) and <em class="firstterm">access -control lists</em><a name="INDEX-157"/><a name="INDEX-158"/> -(ACLs). Security identifiers are used to represent objects in the -domain, which include (but are not limited to) users, groups, -computers, and processes. SIDs are commonly written in ASCII form as -hyphen-separated fields, like this:</p> - -<blockquote><pre class="code">S-1-5-21-1638239387-7675610646-9254035128-545</pre></blockquote> - -<p>The part of the SID starting with the -"S" and leading up to the rightmost -hyphen identifies a domain. The number after the rightmost hyphen is -called a <a name="INDEX-159"/>relative identifier (RID) and is a unique -number within the domain that identifies the user, group, computer, -or other object. The RID is the analog of a <a name="INDEX-160"/>user ID (UID) or -<a name="INDEX-161"/>group ID -(GID) on a Unix system or within an NIS domain.</p> - -<p>ACLs supply the same function as -"rwx" -<a name="INDEX-162"/><a name="INDEX-163"/><a name="INDEX-164"/><a name="INDEX-165"/><a name="INDEX-166"/>file permissions that are common in Unix -systems. However, ACLs are more versatile. Unix file permissions only -set permissions for the owner and group to which the file belongs, -and "other," meaning everyone else. 
-Windows NT/2000/XP ACLs allow permissions to be set individually for -any number of arbitrary users and/or groups. ACLs are made up of one -or more <em class="firstterm">access control -entries</em><a name="INDEX-167"/> (ACEs), each of which contains an SID -and the access rights associated with it.</p> - -<p>ACL support has been added as a standard feature for some Unix -variants and is available as an add-on for others. Samba supports -mappings between Windows and Unix ACLs, and this will be covered in -<a href="ch08.html">Chapter 8</a>.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.2"/> - -<h3 class="head3">Primary and backup domain controllers</h3> - -<p>You've already read about master and backup -browsers. Domain controllers are similar in that a domain has a -<em class="firstterm">primary domain -controller</em><a name="INDEX-168"/><a name="INDEX-169"/><a name="INDEX-170"/> (PDC) and can have -one or more <em class="firstterm">backup domain -controllers</em><a name="INDEX-171"/> (BDCs) as well. If the PDC fails or -becomes inaccessible, its duties are automatically taken over by one -of the BDCs. BDCs frequently synchronize their SAM data with the PDC -so if the need arises, any one of them can immediately begin -performing domain-controller services without impacting the clients. -However, note that BDCs have read-only copies of the SAM database; -they can update their data only by synchronizing with a PDC. A server -in a Windows domain can use the SAM of any PDC or BDC to authenticate -a user who attempts to access its resources and log on to the domain.</p> - -<p>All recent versions of Windows can log on to a domain as clients to -access the resources of the domain servers. 
The systems that are -considered members of the domain are a more exclusive class, composed -of the PDC and BDCs, as well as domain member servers, which are -systems that have joined a domain as members, and are known to the -domain controllers by having a computer account in the SAM database.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.3"/> - -<h3 class="head3">Authentication</h3> - -<p><a name="INDEX-172"/>When -a user logs on to a Windows domain by typing in a username and -password, a secure challenge and response protocol is invoked between -the client computer and a domain controller to verify that the -username and password are valid. Then the domain controller sends a -SID back to the client, which uses it to create a -<a name="INDEX-173"/>Security Access Token (SAT) that is valid -only for that system, to be used for further authentication. This -access token has information about the user coded into it, including -the username, the group, and the rights the user has within the -domain. At this point, the user is logged on to the domain.</p> - -<p>Subsequently, when the client attempts to access a shared resource -within the domain, the client system enters into a secure challenge -and response exchange with the server of the resource. The server -then enters into another secure challenge and response conversation -with a domain controller to check that the client is valid. (What -actually happens is that the server uses information it gets from the -client to pretend to be the client and authenticate itself with the -domain controller. If the domain controller validates the -credentials, it sends an SID back to the server, which uses the SID -to create its own SAT for the client to enable access to its local -resources on the client's behalf.) At this point, -the client is authenticated for resources on the server and is -allowed to access them. 
The server then uses the SID in the access -token to determine what permissions the client has to use and modify -the requested resource by comparing them to entries in the ACL of the -resource.</p> - -<p>Although this method of authentication might seem overly complicated, -it allows clients to authenticate without having plain-text passwords -travel through the network, and it is much more difficult to crack -than the relatively weak workgroup security we described earlier.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.4"/> - -<h3 class="head3">Name service with WINS and DNS</h3> - -<p>The <a name="INDEX-174"/><a name="INDEX-175"/>Windows -Internet Name Service (WINS) is Microsoft's -implementation of a NetBIOS name server (NBNS). As such, WINS -inherits much of NetBIOS's characteristics. First, -WINS is flat; you can have only simple machine names such as -<tt class="literal">inca</tt>, <tt class="literal">mixtec</tt>, or -<tt class="literal">navaho</tt>, and workgroups such as PERU, MEXICO, or -USA. In addition, WINS is dynamic: when a client first comes online, -it is required to report its hostname, its address, and its workgroup -to the local WINS server. This WINS server will retain the -information so long as the client periodically refreshes its WINS -registration, which indicates that it's still -connected to the network. Note that WINS servers are not workgroup- -or domain-specific; they can contain information for multiple domains -and/or workgroups, which might exist on more than one subnet.</p> - -<p>Multiple <a name="INDEX-176"/>WINS -servers can be set to synchronize with each other. This allows -entries for computers that come online and go offline in the network -to propagate from one WINS server to another. While in theory this -seems efficient, it can quickly become cumbersome if several WINS -servers are covering a network. 
Because WINS services can cross -multiple subnets (you'll either hardcode the address -of a WINS server in each of your clients or obtain it via DHCP), it -is often more efficient to have each Windows client, regardless of -the number of Windows domains, point themselves to the same WINS -server. That way, only one authoritative WINS server will have the -correct information, instead of several WINS servers continually -struggling to synchronize themselves with the most recent changes.</p> - -<p>The currently active WINS server is known as the <em class="firstterm">primary -WINS server</em><a name="INDEX-177"/><a name="INDEX-178"/>. You can also install a secondary WINS -server, which will take over if the primary WINS server fails or -becomes inaccessible. Both the primary and any other WINS servers -will synchronize their address databases on a periodic basis.</p> - -<p>In the Windows family of operating systems, only a server edition of -Windows NT/2000 can act as a WINS server. Samba 2.2 can function as a -primary WINS server, but cannot <a name="INDEX-179"/><a name="INDEX-180"/>synchronize -its database with other WINS servers. It therefore cannot act as a -secondary WINS server or as a primary WINS server for a Windows -secondary WINS server.</p> - -<p>WINS handles name service by default, although Microsoft added DNS -starting with Windows NT 4 Server. 
It is compatible with DNS that is -standard on virtually every Unix system, and a Unix server (such as -the Samba host) can also be used for DNS.</p> - - -</div> - - - -<div class="sect3"><a name="samba2-CHP-1-SECT-5.2.5"/> - -<h3 class="head3">Trust relationships</h3> - -<p>One additional aspect of Windows NT domains not yet supported in -Samba 2.2 is that it is possible to set up a <em class="emphasis">trust -relationship</em><a name="INDEX-181"/><a name="INDEX-182"/><a name="INDEX-183"/> between domains, allowing clients -within one domain to access the resources within another without the -user having to go through additional authentication. The protocol -that is followed is called <em class="emphasis">pass-through authentication</em>, -<a name="INDEX-184"/><a name="INDEX-185"/>in which the -user's credentials are passed from the client system -in the first domain to the server in the second domain, which -consults a domain controller in the first (trusted) domain to check -that the user is valid before granting access to the resource.</p> - -<p>Note that in many aspects, the behaviors of a Windows workgroup and a -Windows NT domain overlap. For example, the master and backup -browsers in a domain are always the PDC and BDC, respectively. -Let's update our Windows domain diagram to include -both a local master and local backup browser. The result is shown in -<a href="ch01.html#samba2-CHP-1-FIG-13">Figure 1-13</a>.</p> - -<div class="figure"><a name="samba2-CHP-1-FIG-13"/><a name="INDEX-186"/><img src="figs/sam2_0113.gif"/></div><h4 class="head4">Figure 1-13. 
A Windows domain with a local master and local backup browser</h4> - -<p>The similarity between workgroups and NT domains is not accidental -because the concept of Windows domains did not evolve until Windows -NT 3.5 was introduced, and Windows domains were forced to remain -backward-compatible with the workgroups present in Windows for -Workgroups.</p> - -<p>Samba can function as a primary domain controller for Windows -95/98/Me and Windows NT/2000/XP clients with the limitation that it -can act as a PDC only, and not as a BDC.</p> - -<p>Samba can also function as a <em class="firstterm">domain member -server</em><a name="INDEX-187"/><a name="INDEX-188"/>, meaning that it has a computer account -in the PDC's account database and is therefore -recognized as being part of the domain. A domain member server does -not authenticate users logging on to the domain, but still handles -security functions (such as file permissions) for domain users -accessing its resources.</p> - - -</div> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-5.3"/> - -<h3 class="head2">Active Directory Domains</h3> - -<p>Starting with Windows 2000, Microsoft has introduced -<a name="INDEX-189"/><a name="INDEX-190"/>Active -Directory, the next step beyond Windows NT domains. We -won't go into much detail concerning Active -Directory because it is a huge topic. <a name="INDEX-191"/>Samba 2.2 doesn't -support Active Directory at all, and support in Samba 3.0 is limited -to acting as a client. For now, be aware that with Active Directory, -the authentication model is centered around -<a name="INDEX-192"/>Lightweight Directory -Access Protocol (LDAP), and name service is provided by DNS instead -of WINS. 
Domains in Active Directory can be organized in a -hierarchical tree structure, in which each domain controller operates -as a peer, with no distinction between primary and backup controllers -as in Windows NT domains.</p> - -<p>Windows 2000/XP systems can be set up as simple workgroup or Windows -NT domain clients (which will function with Samba). The server -editions of Windows 2000 can be set up to run Active Directory and -support Windows NT domains for backward compatibility -(<em class="firstterm">mixed mode</em>). In this case, Samba 2.2 works -with Windows 2000 servers in the same way it works with Windows NT -4.0 servers. When set up to operate in <em class="firstterm">native mode, -</em><a name="INDEX-193"/>Windows 2000 servers support only -Active Directory. Even so, <a name="INDEX-194"/>Samba 2.2 can operate as a server -in a domain hosted by a native-mode Windows 2000 server, using the -<a name="INDEX-195"/>Windows 2000 server's -<em class="firstterm">PDC emulation mode</em>. However, it is not -possible for Samba 2.2 or 3.0 to operate as a domain controller in a -Windows 2000 Active Directory domain.</p> - -<p>If you want to know more about Active Directory, we encourage you to -obtain a copy of the O'Reilly book, -<em class="emphasis">Windows 2000 Active Directory</em>. <a name="INDEX-196"/></p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-5.4"/> - -<h3 class="head2">Can a Windows Workgroup Span Multiple Subnets?</h3> - -<p><a name="INDEX-197"/><a name="INDEX-198"/>Yes, but most people who have -done it have had their share of headaches. Spanning multiple subnets -was not part of the initial design of Windows NT 3.5 or Windows for -Workgroups. As a result, a Windows domain that spans two or more -subnets is, in reality, the -"gluing" together of two or more -workgroups that share an identical name. The good news is that you -can still use a PDC to control authentication across each subnet. 
The -bad news is that things are not as simple with browsing.</p> - -<p>As mentioned previously, each subnet must have its own local master -browser. When a Windows domain spans multiple subnets, a system -administrator will have to assign one of the computers as the -<em class="firstterm">domain master -browser</em><a name="INDEX-199"/><a name="INDEX-200"/>. The domain master browser will keep a -browse list for the entire Windows domain. This browse list is -created by periodically synchronizing the browse lists of each local -master browser with the browse list of the domain master browser. -After the synchronization, the local master browser and the domain -master browser should contain identical entries. See <a href="ch01.html#samba2-CHP-1-FIG-14">Figure 1-14</a> for an illustration.</p> - -<div class="figure"><a name="samba2-CHP-1-FIG-14"/><img src="figs/sam2_0114.gif"/></div><h4 class="head4">Figure 1-14. A workgroup that spans more than one subnet</h4> - -<p>Sound good? <a name="INDEX-201"/>Well, it's not quite -nirvana for the following reasons:</p> - -<ul><li> -<p>If it exists, a PDC always plays the role of the domain master -browser. By Microsoft design, the two always share the NetBIOS -resource type <tt class="literal"><1B></tt> and (unfortunately) -cannot be separated.</p> -</li><li> -<p>Windows 95/98/Me computers cannot become <em class="emphasis">or</em> -<em class="emphasis">even contact</em> a domain master browser. This means -that it is necessary to have at least one Windows NT/2000/XP system -(or Samba server) on each subnet of a multisubnet workgroup.</p> -</li></ul> -<p>Each subnet's local master browser continues to -maintain the browse list for its subnet, for which it becomes -authoritative. So if a computer wants to see a list of servers within -its own subnet, the local master browser of that subnet will be -queried. 
If a computer wants to see a list of servers outside the -subnet, it can still go only as far as the local master browser. This -works because at appointed intervals, the authoritative browse list -of a subnet's local master browser is synchronized -with the domain master browser, which is synchronized with the local -master browser of the other subnets in the domain. This is called -<em class="firstterm">browse list propagation</em>.</p> - -<p>Samba can act as a domain master browser in a Windows NT domain, or -it can act as a local master browser for a subnet, synchronizing its -browse list with the domain master browser.</p> - - -</div> - - -</div> - - - -<div class="sect1"><a name="samba2-CHP-1-SECT-6"/> - -<h2 class="head1">What's New in Samba 2.2?</h2> - -<p><a name="INDEX-202"/><a name="INDEX-203"/>In -Version 2.2, Samba has more advanced support for Windows networking, -including the ability to perform the more important tasks necessary -for acting in a Windows NT domain. In addition, Samba 2.2 has some -support for technologies that Microsoft introduced in Windows 2000, -although the Samba team has saved Active Directory support for -Version 3.0.</p> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-6.1"/> - -<h3 class="head2">PDC Support for Windows 2000/XP Clients</h3> - -<p>Samba previously could act as a PDC to authenticate Windows 95/98/Me -and Windows NT 4 systems. This functionality has been extended in -Release 2.2 to include Windows 2000 and Windows XP. Thus, it is -possible to have a Samba server supporting domain logons for a -network of Windows clients, including the most recent releases from -Microsoft. 
This can result in a very stable, high-performance, and -more secure network, and gives you the added benefit of not having to -purchase per-seat Windows CALs from Microsoft.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-6.2"/> - -<h3 class="head2">Microsoft Dfs Support</h3> - -<p><a name="INDEX-204"/>Microsoft Dfs allows shared resources that -are dispersed among a number of servers in the network to be gathered -together and appear to users as if they all exist in a single -directory tree on one server. This method of organization makes life -much simpler for users. Instead of having to browse around the -network on a treasure hunt to locate the resource they want to use, -they can go directly to the Dfs server and grab what they want. Samba -2.2 offers support for serving Dfs, so a Windows server is no longer -needed for this purpose.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-6.3"/> - -<h3 class="head2">Windows NT/2000/XP Printing Support</h3> - -<p>Windows NT/2000/XP has a different Remote Procedure Call (RPC)-based -printer interface than Windows 95/98/Me does. In Samba 2.2, the -Windows NT/2000/XP interface is supported. Along with this, the Samba -team has been adding support for automatically downloading the -printer driver from the Samba server while adding a new printer to a -Windows client.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-6.4"/> - -<h3 class="head2">ACLs</h3> - -<p>Samba now supports -<a name="INDEX-205"/>ACLs on its Unix host for Unix variants -that support them. The list includes Solaris 2.6, 7, and 8, Irix, -AIX, Linux (with either the ACL patch for the -<a name="INDEX-206"/>ext2/ext3 filesystem from <a href="http://acl.bestbits.at">http://acl.bestbits.at</a> or when using the -<a name="INDEX-207"/>XFS -filesystem), and FreeBSD (Version 5.0 and later). 
When using ACL -support, Samba translates between Unix ACLs and Windows NT/2000/XP -ACLs, making the Samba host look and act more like a Windows -NT/2000/XP server from the point of view of Windows clients.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-6.5"/> - -<h3 class="head2">Support for Windows Client Administration Tools</h3> - -<p>Windows comes with tools that can be used from a client to manage -shared resources remotely on a Windows server. Samba 2.2 allows these -tools to operate on shares on the Samba server as well.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-6.6"/> - -<h3 class="head2">Integration with Winbind</h3> - -<p><a name="INDEX-208"/>Winbind is a -facility that allows users whose account information is stored in a -Windows domain database to authenticate on a Unix system. The result -is a unified logon environment, in which a user account can be kept -on either the Unix system or a Windows NT/2000 domain controller. -This greatly facilitates account management because administrators no -longer need to keep the two systems synchronized, and it is possible -for users whose accounts are held in a Windows domain to authenticate -when accessing Samba shares.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-6.7"/> - -<h3 class="head2">Unix CIFS Extensions</h3> - -<p>The <a name="INDEX-209"/><a name="INDEX-210"/>Unix CIFS extensions were developed -at Hewlett-Packard and introduced in Samba 2.2.4. They allow Samba -servers to support Unix filesystem attributes, such as links and -permissions, when sharing files with other Unix systems. This allows -Samba to be used as an alternative to network file sharing (NFS) for -Unix-to-Unix file sharing. An advantage of using Samba is that it -authenticates individual users, whereas NFS authenticates only -clients (based on their IP addresses, which is a poor security -model). 
This gives Samba an edge in the area of security, along with -its much greater configurability. See <a href="ch05.html">Chapter 5</a> -for information on how to operate Unix systems as Samba clients.</p> - - -</div> - - -<div class="sect2"><a name="samba2-CHP-1-SECT-6.8"/> - -<h3 class="head2">And More...</h3> - -<p>As usual, the code has numerous improvements that do not show up at -the administrative level in an immediate or obvious way. Samba now -functions better on systems that employ <a name="INDEX-211"/>PAM -(Pluggable Authentication Modules), and there is new support for -profiling. Samba's support for oplocks has been -strengthened, offering better integration with NFS server-terminated -leases (currently on Irix and Linux only) and in the local filesystem -with SMB locks mapped to POSIX locks (which is dependent on each Unix -variant's implementation of POSIX locks). And of -course there have been the usual bug fixes.</p> - - -</div> - - -</div> - - - -<div class="sect1"><a name="samba2-CHP-1-SECT-7"/> - -<h2 class="head1">What's New in Samba 3.0?</h2> - -<p>The main distinguishing feature of <a name="INDEX-212"/><a name="INDEX-213"/>Samba 3.0 -is that it includes support for <a name="INDEX-214"/>Kerberos 5 authentication and -<a name="INDEX-215"/>LDAP, which are -required to act as clients in an Active Directory domain. Another -feature that appeared in Samba 3.0 is support for Unicode, which -greatly simplifies supporting international languages.</p> - -<p>In later Version 3 releases, the Samba team plans to develop support -for -<a name="INDEX-216"/>WINS -replication, allowing Samba to act as a secondary WINS server or as a -primary WINS server with Windows or Samba secondary WINS servers. 
-Also planned are support for acting as a Windows NT BDC and support -for Windows NT domain trust relationships.</p> - - -</div> - - - -<div class="sect1"><a name="samba2-CHP-1-SECT-8"/> - -<h2 class="head1">What Can Samba Do?</h2> - -<p>Now let's wrap up by showing where Samba can help -out and where it is limited. <a href="ch01.html#samba2-CHP-1-TABLE-9">Table 1-9</a> summarizes -which roles Samba can and cannot play in a Windows NT or Active -Directory domain or a Windows workgroup. Many of the Windows domain -protocols are proprietary and have not been documented by Microsoft -and therefore must be reverse-engineered by the Samba team before -Samba can support them. As of Version 3.0, Samba cannot act as a -backup in most roles and does not yet fully support Active Directory.</p> - -<a name="samba2-CHP-1-TABLE-9"/><h4 class="head4">Table 1-9. Samba roles (as of Version 3.0)</h4><table border="1"> - - - -<tr> -<th> -<p>Role</p> -</th> -<th> -<p>Can perform?</p> -</th> -</tr> - - -<tr> -<td> -<p><a name="INDEX-217"/>File server</p> -</td> -<td> -<p>Yes</p> -</td> -</tr> -<tr> -<td> -<p>Printer server</p> -</td> -<td> -<p>Yes</p> -</td> -</tr> -<tr> -<td> -<p>Microsoft Dfs server</p> -</td> -<td> -<p>Yes</p> -</td> -</tr> -<tr> -<td> -<p>Primary domain controller</p> -</td> -<td> -<p>Yes</p> -</td> -</tr> -<tr> -<td> -<p>Backup domain controller</p> -</td> -<td> -<p>No</p> -</td> -</tr> -<tr> -<td> -<p>Active Directory domain controller</p> -</td> -<td> -<p>No</p> -</td> -</tr> -<tr> -<td> -<p>Windows 95/98/Me authentication</p> -</td> -<td> -<p>Yes</p> -</td> -</tr> -<tr> -<td> -<p>Windows NT/2000/XP authentication</p> -</td> -<td> -<p>Yes</p> -</td> -</tr> -<tr> -<td> -<p>Local master browser</p> -</td> -<td> -<p>Yes</p> -</td> -</tr> -<tr> -<td> -<p>Local backup browser</p> -</td> -<td> -<p>Yes</p> -</td> -</tr> -<tr> -<td> -<p>Domain master browser</p> -</td> -<td> -<p>Yes</p> -</td> -</tr> -<tr> -<td> -<p>Primary WINS server</p> -</td> -<td> -<p>Yes</p> 
-</td> -</tr> -<tr> -<td> -<p>Secondary WINS server</p> -</td> -<td> -<p>No</p> -</td> -</tr> - -</table> - - -</div> - - - -<div class="sect1"><a name="samba2-CHP-1-SECT-9"/> - -<h2 class="head1">An Overview of the Samba Distribution</h2> - -<p><a name="INDEX-218"/>As mentioned earlier, Samba actually -contains several programs that serve different but related purposes. -These programs are documented more fully in <a href="appc.html">Appendix C</a>. For now, we will introduce each of them -briefly and describe how they work together.</p> - -<p>The majority of the programs that come with Samba center on its two -daemons. Let's take a refined look at the -responsibilities of each daemon:</p> - -<dl> -<dt><b><em class="emphasis">nmbd</em></b></dt> -<dd> -<p>The <em class="emphasis">nmbd</em><a name="INDEX-219"/> daemon is a simple name server that -supplies WINS functionality. This daemon listens for name-server -requests and provides the appropriate IP addresses when called upon. -It also provides browse lists for the Network Neighborhood and -participates in browsing elections.</p> -</dd> - - - -<dt><b><em class="emphasis">smbd</em></b></dt> -<dd> -<p>The <em class="emphasis">smbd</em><a name="INDEX-220"/> daemon manages the shared resources -between the Samba server and its clients. It provides file, print, -and browse services to <span class="acronym">SMB</span> clients across one or -more networks and handles all notifications between the Samba server -and the network clients. 
In addition, it is responsible for user -authentication, resource locking, and data sharing through the -<span class="acronym">SMB</span> protocol.</p> -</dd> - -</dl> - -<p>New with Version 2.2, there is an additional daemon:</p> - -<dl> -<dt><b><a name="INDEX-221"/><em class="emphasis">winbindd</em></b></dt> -<dd> -<p>This daemon is used along with the name service switch to get -information on users and groups from a Windows NT server and allows -Samba to authorize users through a Windows NT/2000 server.</p> -</dd> - -</dl> - -<p>The Samba distribution also comes with a small set of Unix -command-line tools:</p> - -<dl> -<dt><b><em class="emphasis">findsmb</em><a name="INDEX-222"/></b></dt> -<dd> -<p>A program that searches the local network for computers that respond -to SMB protocol and prints information on them.</p> -</dd> - - - -<dt><b><em class="emphasis">make_smbcodepage</em><a name="INDEX-223"/></b></dt> -<dd> -<p>A program used when working with Samba's -internationalization features for telling Samba how to convert -between upper- and lowercase in different character sets.</p> -</dd> - - - -<dt><b><em class="emphasis">make_unicodemap</em><a name="INDEX-224"/></b></dt> -<dd> -<p>Another internationalization program used with Samba for compiling -Unicode map files that Samba uses to translate DOS codepages or Unix -character sets into 16-bit unicode.</p> -</dd> - - - -<dt><b><a name="INDEX-225"/><em class="emphasis">net</em></b></dt> -<dd> -<p>A new program distributed with Samba 3.0 that can be used to perform -remote administration of servers.</p> -</dd> - - - -<dt><b><em class="emphasis">nmblookup</em><a name="INDEX-226"/></b></dt> -<dd> -<p>A program that provides NBT name lookups to find a -computer's IP address when given its machine name.</p> -</dd> - - - -<dt><b><a name="INDEX-227"/><em class="emphasis">pdbedit</em></b></dt> -<dd> -<p>A new program distributed with Samba 3.0 that is helpful for managing -user accounts held in SAM databases.</p> 
-</dd> - - - -<dt><b><em class="emphasis">rpcclient</em><a name="INDEX-228"/></b></dt> -<dd> -<p>A program that can be used to run MS-RPC functions on Windows clients.</p> -</dd> - - - -<dt><b><em class="emphasis">smbcacls</em><a name="INDEX-229"/></b></dt> -<dd> -<p>A program that is used to set or show ACLs on Windows NT filesystems.</p> -</dd> - - - -<dt><b><em class="emphasis">smbclient</em><a name="INDEX-230"/></b></dt> -<dd> -<p>An <em class="emphasis">ftp</em>-like Unix client that can be used to connect to -SMB shares and operate on them. The <em class="emphasis">smbclient</em> -command is discussed in detail in <a href="ch05.html">Chapter 5</a>.</p> -</dd> - - - -<dt><b><em class="emphasis">smbcontrol</em><a name="INDEX-231"/></b></dt> -<dd> -<p>A simple administrative utility that sends messages to <em class="emphasis">nmbd</em> -or <em class="emphasis">smbd</em>.</p> -</dd> - - - -<dt><b><a name="INDEX-232"/><em class="emphasis">smbgroupedit</em></b></dt> -<dd> -<p>A command that can be used to define mappings between Windows NT -groups and Unix groups. It is new in Samba 3.0.</p> -</dd> - - - -<dt><b><em class="emphasis">smbmnt</em><a name="INDEX-233"/></b></dt> -<dd> -<p>A helper utility used along with <em class="emphasis">smbmount.</em></p> -</dd> - - - -<dt><b><em class="emphasis">smbmount</em><a name="INDEX-234"/></b></dt> -<dd> -<p>A program that mounts an smbfs filesystem, allowing remote SMB shares -to be mounted in the filesystem of the Samba host.</p> -</dd> - - - -<dt><b><em class="emphasis">smbpasswd</em><a name="INDEX-235"/></b></dt> -<dd> -<p>A program that allows an administrator to change the passwords used -by Samba.</p> -</dd> - - - -<dt><b><em class="emphasis">smbsh</em><a name="INDEX-236"/></b></dt> -<dd> -<p>A tool that functions like a command shell to allow access to a -remote SMB filesystem and allow Unix utilities to operate on it. 
This -command is covered in <a href="ch05.html">Chapter 5</a>.</p> -</dd> - - - -<dt><b><em class="emphasis">smbspool</em><a name="INDEX-237"/></b></dt> -<dd> -<p>A print-spooling program used to send files to remote printers that -are shared on the SMB network.</p> -</dd> - - - -<dt><b><em class="emphasis">smbstatus</em><a name="INDEX-238"/></b></dt> -<dd> -<p>A program that reports the current network connections to the shares -on a Samba server.</p> -</dd> - - - -<dt><b><em class="emphasis">smbtar</em><a name="INDEX-239"/></b></dt> -<dd> -<p>A program similar to the Unix <em class="filename">tar</em> command, for -backing up data in SMB shares.</p> -</dd> - - - -<dt><b><em class="emphasis">smbumount</em><a name="INDEX-240"/></b></dt> -<dd> -<p>A program that works along with <em class="emphasis">smbmount</em> to unmount -smbfs filesystems.</p> -</dd> - - - -<dt><b><em class="emphasis">testparm</em><a name="INDEX-241"/></b></dt> -<dd> -<p>A simple program for checking the Samba configuration file.</p> -</dd> - - - -<dt><b><em class="emphasis">testprns</em><a name="INDEX-242"/></b></dt> -<dd> -<p>A program that tests whether printers on the Samba host are -recognized by the <em class="filename">smbd</em> daemon.</p> -</dd> - - - -<dt><b><em class="emphasis">wbinfo</em><a name="INDEX-243"/></b></dt> -<dd> -<p>A utility used to query the <em class="filename">winbindd -</em><a name="INDEX-244"/>daemon.</p> -</dd> - -</dl> - -<p>Each major release of Samba goes through an exposure test before -it's announced. In addition, it is quickly updated -afterward if problems or unwanted side effects are found. 
The latest -stable distribution as of this writing is Samba 2.2.6, and this book -focuses mainly on the functionality supported in Samba 2.2.6, as -opposed to older versions of Samba.</p> - - -</div> - - - -<div class="sect1"><a name="samba2-CHP-1-SECT-10"/> - -<h2 class="head1">How Can I Get Samba?</h2> - -<p><a name="INDEX-245"/><a name="INDEX-246"/>Source -and binary distributions of Samba are available from mirror sites -across the Internet. The primary web site for Samba is located at -<a href="http://www.samba.org/">http://www.samba.org/</a>. From there, you -can select a mirror site that is geographically near you.</p> - -<p>Most Linux and many Unix vendors provide binary packages. These can -be more convenient to install and maintain than the Samba -team's source or binary packages, due to the -vendor's efforts to supply a package that matches -its specific products. <a name="INDEX-247"/></p> - - -</div> - -<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> You -can also right-click the shared resource in the Network Neighborhood -and then select the Map Network Drive menu item.</p> <a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> Be -warned that many end-user license agreements forbid installing a -program on a network so that multiple clients can access it. 
Check -the legal agreements that accompany the product to be absolutely -sure.</p> <a name="FOOTNOTE-3"/> <p><a href="#FNPTR-3">[3]</a> You -might also see the abbreviation NetBT, which is common in Microsoft -literature.</p> <a name="FOOTNOTE-4"/> -<p><a href="#FNPTR-4">[4]</a> See -<a href="http://www.samba.org/cifs/docs/what-is-smb.html">http://www.samba.org/cifs/docs/what-is-smb.html</a> -for Richard's excellent summary of -<a name="INDEX-93"/>SMB.</p> <a name="FOOTNOTE-5"/> <p><a href="#FNPTR-5">[5]</a> This -was originally called <a name="INDEX-126"/><a name="INDEX-127"/><a name="INDEX-128"/>Network Neighborhood in Windows 95/98/NT, -but Microsoft has changed the name to My Network Places in the more -recent Windows Me/2000/XP. We will continue to call it Network -Neighborhood, and if you're using a new version of -Windows, be aware that My Network Places can act a little differently -in some ways.</p> </blockquote> - - -<hr/><h4 class="head4"><a href="toc.html">TOC</a></h4> -</body></html> |
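Review bot: the deleted page is the target of cross-references from the rest of the generated book, so the other pages need to be removed or updated in the same commit. The file itself links to toc.html, ch05.html and appc.html, and defines anchors such as `samba2-CHP-1-SECT-6` through `samba2-CHP-1-SECT-10`, `samba2-CHP-1-TABLE-9`, the `FOOTNOTE-1` to `FOOTNOTE-5` footnote targets and the `INDEX-*` entries, all of which an index page or table of contents would normally point back into; since the diffstat shown is limited to this one file, please confirm that toc.html and any index page under docs/htmldocs/using_samba/ are dropped or edited alongside it so the generated docs do not ship dangling links. The commit message should also state why the chapter is being removed (for instance that the text describes Samba 2.2.6 and the planned 3.0 feature set and is out of date, or that the book is being relocated), because a 3193-line deletion of documentation with no stated reason is hard to audit later.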