Windows Networking (A Brief History)
Microsoft LAN networking started with DOS LAN Manager (LANMAN), originally 3COM LAN Manager. It provided the ability to “share” printers and hard drives from a standalone PC over the network. The “share” names were of the format \\servername\sharename. LAN Manager drivers were installed as extensions of the BIOS over the network, hence the term NETBIOS. Because Local Area Networks were in their infancy, Microsoft created its own Ethernet frame type for NETBIOS, called the NETBIOS Extended User Interface – NETBEUI, or sometimes the NetBIOS Frame type (NBF) – a non-routable LAN protocol that relied on network broadcasts to make server names known.
NETBIOS interfaced with Windows as a DOS add-on and was integrated into Windows version - Windows for Workgroups (WFW) 3.11, a server flavor of the ubiquitous Windows 3.1 workstation. Password, and later user ID and password security for network shares were added later. The server and associated user workstations were called a Workgroup and shared a common WorkGroup name. Windows 95 and 98 also included this type of security where user ID and Passwords were stored in separate .pwl files.
In the server follow-on to WFW 3.11 - Windows NT 3.1, this security was moved from separate user ID files to an integrated database called the Security Account Management (SAM) database, part of the Windows Registry. This security was called NT LAN Manager or NTLM. Microsoft later extended this security from a standalone server workgroup to a group of servers called a Domain. The servers containing the shared SAM database were called Domain Controllers. The two types of Domain Controllers are the Primary (PDC), with a Read/Write copy of the SAM, and the Backup (BDC), with a Read-Only copy of the SAM. The domain construct remained through Windows NT 4.0.
TCP/IP protocol stacks were third-party add-ons to DOS and Windows, but were later integrated into WFW 3.11, Windows 95, and Windows NT 4 Server and Workstation, with NETBIOS running over IP using TCP/UDP ports 135, 137 and 139. Because TCP/IP is a routable network protocol, a system was needed to make server names known among multiple networks: the Windows Internet Naming Service – WINS – which was integrated into DNS.
Windows 2000 introduced an additional layer on top of the NETBIOS / Domain construct called Active Directory. Active Directory is an LDAP-compliant network directory structure that uses Dynamic DNS for name resolution instead of NETBIOS broadcasts or WINS integrated with DNS. Domains are grouped under Active Directory “trees” within AD “forests”. Though Domain Controllers exist under AD, they all contain R/W copies of their Domain information and synchronize among themselves. Security no longer relies on NTLM, but instead uses a certificate based security called Kerberos. Active Directory supports NETBIOS Domains and Workgroups in a backward-compatible “mixed” mode, which is the default. Legacy NETBIOS support goes away when the AD tree is converted to “native” mode.
LDAP is a directory interface protocol derived from the old (and obsolete) CCITT X.400 and X.500 E-Mail interface standards. LDAP uses a naming structure of the form: CN=Donna_James,OU=Sales,DC=MYCOMPANY,DC=COM. CN means Common Name, OU means Organizational Unit, DC means Domain Component. LDAP names map to DNS names of the form ; in AD terms this is the user Donna_James (Common Name) in the NETBIOS domain Sales (Organizational Unit) with the tree name mycompany.com (Domain Component). The Common Name (CN) is usually used to represent the NETBIOS name of a user, server or workstation in a “mixed” mode AD tree.
TCP/IP became the default protocol for Windows 2000, with Active Directory using TCP/UDP ports 445, LDAP using port 389 and Kerberos on port 88. Native Windows file and print sharing over IP without NETBIOS is referred to as SMB (Server Message Block – the native server language) over IP or as the Common Internet File Service or CIFS; both use port 445. Because TCP/IP is now native for support of AD under Windows, Windows machines that use DHCP but cannot find a DHCP server will automatically assign themselves IP addresses in the 169.254.0.0 range for Automatically Provided Internet Protocol Addressing (APIPA).
SAMBA
Samba is a suite of utilities that allows a Linux system to participate in a Windows network to share resources such as files or printers as a Windows server or client.
RPM packages are:
samba
samba-common
samba-client
samba-swat
You can install Samba with “rpm -i *samba*” or “yum install samba*”.
This document describes how you can make your Linux box into a Windows Primary Domain Controller (PDC) or a server for a Windows Workgroup. By default, Samba mimics a Windows PDC in almost every way needed for simple file sharing. Linux functionality doesn't disappear when you do this. Samba Domains and Linux share the same usernames so you can log into the Samba based Windows domain using your Linux password and immediately gain access to files in your Linux user's home directory. For added security you can make your Samba and Linux passwords different.
Samba Linux servers that act as part of another Domain are usually set up as file servers only and defer to other Domain Controllers for security. This is especially true of Active Directory networks, where Samba support of AD activities is limited.
Either configuration will allow everyone at home to have:
· their own logins on all the home Windows boxes while having their files on the Linux box appear to be located on a new Windows drive
· shared access to printers on the Linux box
· shared files accessible only to members of their Linux user group.
What's the difference between a PDC and Windows Workgroup member? A detailed description is beyond the scope of this chapter, but this simple explanation should be enough:
· A PDC stores the login information in a central database on its hard drive. This allows each user to have a universal username and password when logging in from all PCs on the network.
· In a Windows Workgroup, each PC stores the usernames and passwords locally so that they are unique for each PC.
When it starts up, and with every client request, the Samba daemon reads the configuration file /etc/samba/smb.conf to determine its various modes of operation. You can create your own smb.conf using a text editor or the Web-based SWAT utility which is easier. Keep in mind, however, that if you create /etc/samba/smb.conf with a text editor then subsequently use SWAT to edit the file, you will lose all the comments you inserted with the text editor. I'll explain how to use both SWAT and a text editor to configure Samba later in this chapter.
You can configure Samba to start at boot time using the chkconfig command: chkconfig smb on
You can start/stop/restart Samba after boot time using the smb initialization script as below:
service smb start
service smb stop
service smb restart
You can check samba status with the commands: smbstatus and nmbstatus
The Samba Configuration File
The /etc/samba/smb.conf file is the main configuration file you'll need to edit. It is split into five major sections:
File Format - /etc/samba/smb.conf
Section / Description
[global] / General Samba configuration parameters
[printers] / Used for configuring printers
[homes] / Defines treatment of user logins
[netlogon] / A share for storing logon scripts. (Not created by default.)
[profile] / A share for storing domain logon information such as "favorites" and desktop icons. (Not created by default.)
You can edit this file by hand, or more simply through Samba's SWAT web interface.
Samba Web Administration Tool (SWAT)
SWAT, Samba's web-based configuration tool, enables you to configure your smb.conf file without needing to remember all the formatting. Each SWAT screen is actually a form that covers a separate section of the smb.conf file, into which you fill in the desired parameters. For ease of use, each parameter box has its own online help. SWAT edits the smb.conf file but also strips out any comments you may have manually entered into it.
Samba SWAT Main Menu
Basic SWAT Setup
The enabling and disabling, starting and stopping of SWAT is controlled by xinetd. Here is a sample:
service swat
{
port = 901
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/sbin/swat
log_on_failure += USERID
disable = no
only_from = localhost
}
To activate SWAT use: chkconfig swat on
You can make SWAT accessible from other servers by adding IP address entries to the only_from parameter of the SWAT configuration file.
only_from = localhost 192.168.1.3
If localhost is IP address 192.168.1.100, point your browser to http://192.168.1.100:901/.
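As an added example (not part of the original document or of Samba's own tooling), a small Python parser for an xinetd stanza of the shape shown above that reports which sources may reach SWAT beyond localhost; since the stanza runs SWAT as root and it is reached over plain http on port 901, every address added to only_from can administer the server. The stanza below is constructed after the page's sample.

```python
import re
# Constructed xinetd stanza in the shape of the page's sample (not taken from a live host).
SWAT_STANZA = """\
service swat
{
    port           = 901
    socket_type    = stream
    protocol       = tcp
    wait           = no
    user           = root
    server         = /usr/sbin/swat
    log_on_failure += USERID
    disable        = no
    only_from      = localhost
}
"""

def parse_xinetd_service(text):
    """Parse one 'service NAME { ... }' stanza into (name, {attr: [values]}); '=' replaces, '+=' appends."""
    name, attrs, inside = None, {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment in xinetd files
        if not line:
            continue
        if line.startswith("service "):
            name = line.split(None, 1)[1].strip()
        elif line == "{":
            inside = True
        elif line == "}":
            inside = False
        elif inside:
            m = re.match(r"^(\w+)\s*(\+=|=)\s*(.*)$", line)
            if not m:
                raise ValueError(f"unparsable xinetd line: {raw!r}")
            key, op, values = m.group(1), m.group(2), m.group(3).split()
            if op == "=":
                attrs[key] = values
            else:
                attrs.setdefault(key, []).extend(values)
    return name, attrs

def swat_exposure(attrs, trusted=("localhost", "127.0.0.1")):
    """List the sources allowed to reach SWAT beyond the trusted set; '<any>' when only_from is absent."""
    if attrs.get("disable", ["no"])[0].lower() == "yes":
        return []                                 # service is off, nothing exposed
    allowed = attrs.get("only_from")
    if not allowed:
        return ["<any>"]                          # xinetd allows every source without only_from
    return [host for host in allowed if host not in trusted]
```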
SAMBA Starter Configuration
This section illustrates how to configure a Samba server to be the PDC for a small network using SWAT. You'll need to edit the various sections of the smb.conf file.
The [Global] Section
The [global] section governs the general Samba settings. This table explains the parameters you need to set in order to create a PDC.
smb.conf Minimum Settings, "Global" Section
Parameter / Value / Description
domain logons / Yes / Tells Samba to become the PDC
preferred master / Yes / Makes the PDC act as the central store for the names of all windows clients, servers and printers on the network. Very helpful when you need to "browse" your local network for resources. Also known as a local master browser.
domain master / Yes / Tells Samba to become the master browser across multiple networks all over the domain. The local master browsers register themselves with the domain master to learn about resources on other networks.
os level / 65 / Sets the priority the Samba server should use when negotiating to become the PDC with other Windows servers. A value of 65 will usually make the Samba server win.
wins support / Yes / Allows the Samba server to provide name services for the network. In other words keeps track of the IP addresses of all the domain's servers and clients.
time server / Yes / Lets the samba server provide time updates for the domain's clients.
workgroup / "homenet" / The name of the Windows domain we'll create. The name you select is your choice. I've decided to use "homenet".
security / user / Make domain logins query the Samba password database located on the samba server itself.
Here's how to set the values using SWAT.
· Log into SWAT and click on the [global] section.
· Click the Advanced button to see all the options.
· Make your changes and click on the Commit Changes button when finished.
· Your smb.conf file should resemble the example below when you're finished. You can view the contents of the configuration file by logging in to the Samba server at a command prompt and using cat /etc/samba/smb.conf to verify your changes as you make them.
[global]
workgroup = HOMENET
time server = Yes
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
Note: security = user and WINS support = yes are default settings for Samba and they may not show up in your smb.conf file, even though you may see them in SWAT.
The SWAT utility has a Wizard button that can be used to configure your server as a PDC quickly. However the defaults may not be to your liking, for example, the default domain is MYGROUP and some of the [global] parameters mentioned previously will be set to auto.
The [homes] Section
Part of the process of adding a user to a Samba domain requires you to create a Linux user on the Samba PDC itself. When you log into the Samba PDC, you'll see a new drive, usually named Z:, added to your PC. This is actually a virtual drive that maps to the corresponding Linux users' login directories on the Linux PDC.
Samba considers all directories to be shares that can be configured with varying degrees of security. The [homes] section governs how Samba handles default login directories.
This table explains the minimum settings you need to create a functional [Homes] section.
smb.conf Minimum Settings, "Home" Section
Parameter / Value / Description
browseable / No / Doesn't allow others to browse the contents of the directory
read only / No / Allows the samba user to also write to their Samba Linux directory
create mask / 0664 / Makes new files created by the user have "644" permissions. You want to change this to "0600" so that only the login user has access to files.
directory mask / 0775 / Makes new sub-directories created by the user have "775" permissions. You want to change this to "0700" so that only the login user has access to directories.
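As an added example (not part of the original document or of Samba itself), a Python checker that parses an smb.conf of this shape and reports [global] values that differ from the PDC settings in the "Global" table, together with [homes] masks looser than the 0600/0700 recommended in the "Home" table. The sample configuration is constructed; the defaults for security and wins support follow the note in the [global] section.

```python
# Constructed sample smb.conf in the shape of the page's PDC example; [homes] masks still loose.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = HOMENET
    time server = Yes
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
[homes]
    browseable = No
    read only = No
    create mask = 0664
    directory mask = 0775
"""
DEFAULTS = {"global": {"security": "user", "wins support": "yes"}}  # Samba defaults per the page

def parse_smb_conf(text):
    """Parse smb.conf into {section: {parameter: value}}: keys lower-cased,
    '#' and ';' lines are comments, and a later assignment wins, as in Samba."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def effective(conf, section, key):
    """Value from the file, else Samba's default; boolean spellings normalised to yes/no."""
    value = conf.get(section, {}).get(key, DEFAULTS.get(section, {}).get(key, "")).lower()
    return {"true": "yes", "1": "yes", "false": "no", "0": "no"}.get(value, value)

def audit_pdc(conf):
    """Findings: [global] PDC settings off the table's values, [homes] masks open to group/others."""
    findings = []
    for key, want in (("domain logons", "yes"), ("preferred master", "yes"),
                      ("domain master", "yes"), ("os level", "65"), ("wins support", "yes"),
                      ("time server", "yes"), ("security", "user")):
        if effective(conf, "global", key) != want:
            findings.append(f"[global] {key} should be {want}")
    for key, tight in (("create mask", 0o600), ("directory mask", 0o700)):
        mask = conf.get("homes", {}).get(key)
        # Any bit outside the owner's rwx lets group or others reach files in the home share.
        if mask is None or int(mask, 8) & ~0o700:
            findings.append(f"[homes] {key} should be {tight:04o}")
    return findings
```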
Here's how to set the values using SWAT:
· Click on the SWAT shares button to proceed to where shared directories are configured.
· Click the Advanced button to see all the options.