source: branches/samba-3.3.x/docs-xml/Samba3-ByExample/SBE-Appendix2.xml

Last change on this file was 217, checked in by Herwig Bauernfeind, 16 years ago

Import Samba 3.3 branch at 3.3.0 level docs-xml (psmedley's port)
File size: 49.9 KB
RevLine 
[217]1<?xml version="1.0" encoding="iso-8859-1"?>
2<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3<chapter id="primer">
4 <title>Networking Primer</title>
5
6 <para>
7 You are about to use the equivalent of a microscope to look at the information
8 that runs through the veins of a Windows network. We do more to observe the information than
9 to interrogate it. When you are done with this primer, you should have a good understanding
10 of the types of information that flow over the network. Do not worry, this is not
11 a biology lesson. We won't lose you in unnecessary detail. Think to yourself, <quote>This
12 is easy,</quote> then tackle each exercise without fear.
13 </para>
14
15 <para>
16 Samba can be configured with a minimum of complexity. Simplicity should be mastered
17 before you get too deeply into complexities. Let's get moving: we have work to do.
18 </para>
19
20<sect1>
21 <title>Requirements and Notes</title>
22 <para>
23 Successful completion of this primer requires two Microsoft Windows 9x/Me Workstations
24 as well as two Microsoft Windows XP Professional Workstations, each equipped with an Ethernet
25 card connected using a hub. Also required is one additional server (either Windows
26 NT4 Server, Windows 2000 Server, or a Samba-3 on UNIX/Linux server) running a network
27 sniffer and analysis application (Wireshark is a good choice). All work should be undertaken
28 on a quiet network where there is no other traffic. It is best to use a dedicated hub
29 with only the machines under test connected at the time of the exercises.
30 </para>
31
32 <para><indexterm>
33 <primary>Wireshark</primary>
34 </indexterm>
35 Wireshark (formerly Ethereal) has become the network protocol analyzer of choice for many network administrators.
36 You may find more information regarding this tool from the
37 <ulink url="http://www.wireshark.org">Wireshark</ulink> Web site. Wireshark installation
38 files for Windows may be obtained from the Wireshark Web site. Wireshark is provided with
39 SUSE and Red Hat Linux distributions, as well as with many other Linux distributions. It may
40 not be installed on your system by default. If it is not installed, you may also need
41 to install the <command>libpcap</command> software before you can install or use Wireshark.
42 Please refer to the instructions for your operating system or to the Wireshark Web site
43 for information regarding the installation and operation of Wireshark.
44 </para>
45
46 <para>
47 To obtain <command>Wireshark</command> for your system, please visit the Wireshark
48 <ulink url="http://www.wireshark.org/download.html">download site</ulink>.
49 </para>
50
51 <note><para>
52 The successful completion of this chapter requires that you capture network traffic
53 using <command>Wireshark</command>. It is recommended that you use a hub, not an
54 Ethernet switch. It is necessary for the device used to act as a repeater, not as a
55 filter. Ethernet switches may filter out traffic that is not directed at the machine
56 that is used to monitor traffic; this would not allow you to complete the projects.
57 </para></note>
58
59 <para>
60 <indexterm><primary>network</primary><secondary>captures</secondary></indexterm>
61 Do not worry too much if you do not have access to all this equipment; network captures
62 from the exercises are provided on the enclosed CD-ROM. This makes it possible to dive directly
63 into the analytical part of the exercises if you so desire.
64 </para>
65
66 <para><indexterm>
67 <primary>network</primary>
68 <secondary>sniffer</secondary>
69 </indexterm><indexterm>
70 <primary>protocol analysis</primary>
71 </indexterm>
72 Please do not be alarmed at the use of a high-powered analysis tool (Wireshark) in this
73 primer. We expose you only to a minimum of detail necessary to complete
74 the exercises. If you choose to use any other network sniffer and protocol
75 analysis tool, be advised that it may not allow you to examine the contents of
76 recently added security protocols used by Windows 200x/XP.
77 </para>
78
79 <para>
80 You could just skim through the exercises and try to absorb the key points made.
81 The exercises provide all the information necessary to convince the die-hard network
82 engineer. You possibly do not require so much convincing and may just want to move on,
83 in which case you should at least read <link linkend="chap01conc"/>.
84 </para>
85
86 <para>
87 <link linkend="chap01qa"/> also provides useful information
88 that may help you to avoid significantly time-consuming networking problems.
89 </para>
90</sect1>
91
92<sect1>
93 <title>Introduction</title>
94
95 <para>
96 The purpose of this chapter is to create familiarity with key aspects of Microsoft Windows
97 network computing. If you want a solid technical grounding, do not gloss over these exercises.
98 The points covered are recurrent issues on the Samba mailing lists.
99 </para>
100
101 <para><indexterm>
102 <primary>network</primary>
103 <secondary>broadcast</secondary>
104 </indexterm>
105 You can see from these exercises that Windows networking involves quite a lot of network
106 broadcast traffic. You can look into the contents of some packets, but only to see
107 some particular information that the Windows client sends to a server in the course of
108 establishing a network connection.
109 </para>
110
111 <para>
112 To many people, browsing is everything that happens when one uses Microsoft Internet Explorer.
113 It is only when you start looking at network traffic and noting the protocols
114 and types of information that are used that you can begin to appreciate the complexities of
115 Windows networking and, more importantly, what needs to be configured so that it can work.
116 Detailed information regarding browsing is provided in the recommended
117 preparatory reading.
118 </para>
119
120 <para>
121 Recommended preparatory reading: <emphasis>The Official Samba-3 HOWTO and Reference Guide, Second
122 Edition</emphasis> (TOSHARG2) Chapter 9, <quote>Network Browsing,</quote> and Chapter 3,
123 <quote>Server Types and Security Modes.</quote>
124 </para>
125
126 <sect2>
127 <title>Assignment Tasks</title>
128
129 <para><indexterm>
130 <primary>browsing</primary>
131 </indexterm>
132 You are about to witness how Microsoft Windows computer networking functions. The
133 exercises step through identification of how a client machine establishes a
134 connection to a remote Windows server. You observe how Windows machines find
135 each other (i.e., how browsing works) and how the two key types of user identification
136 (share mode security and user mode security) are affected.
137 </para>
138
139 <para><indexterm>
140 <primary>network</primary>
141 <secondary>analyzer</secondary>
142 </indexterm>
143 The networking protocols used by MS Windows networking when working with Samba
144 use TCP/IP as the transport protocol. The protocols that are specific to Windows
145 networking are encapsulated in TCP/IP. The network analyzer we use (Wireshark)
146 is able to show you the contents of the TCP/IP packets (or messages).
147 </para>
148
149 <procedure id="chap01tasks">
150 <title>Diagnostic Tasks</title>
151
152 <step><para><indexterm>
153 <primary>network</primary>
154 <secondary>trace</secondary>
155 </indexterm><indexterm>
156 <primary>host announcement</primary>
157 </indexterm><indexterm>
158 <primary>name resolution</primary>
159 </indexterm>
160 Examine network traces to witness SMB broadcasts, host announcements,
161 and name resolution processes.
162 </para></step>
163
164 <step><para>
165 Examine network traces to witness how share mode security functions.
166 </para></step>
167
168 <step><para>
169 Examine network traces to witness the use of user mode security.
170 </para></step>
171
172 <step><para>
173 Review traces of network logons for a Windows 9x/Me client as well as
174 a domain logon for a Windows XP Professional client.
175 </para></step>
176 </procedure>
177
178 </sect2>
179</sect1>
180
181<sect1>
182 <title>Exercises</title>
183
184 <para>
185 <indexterm><primary>wireshark</primary></indexterm>
186 You are embarking on a course of discovery. The first part of the exercise requires
187 two MS Windows 9x/Me systems. We called one machine <constant>WINEPRESSME</constant> and the
188 other <constant>MILGATE98</constant>. Each needs an IP address; we used <literal>10.1.1.10</literal>
189 and <literal>10.1.1.11</literal>. The test machines need to be networked via a <emphasis>hub</emphasis>. A UNIX/Linux
190 machine is required to run <command>Wireshark</command> to enable the network activity to be captured.
191 It is important that the machine from which network activity is captured must not interfere with
192 the operation of the Windows workstations. It is helpful for this machine to be passive (does not
193 send broadcast information) to the network.
194 </para>
195
196 <para>
197 For these exercises, our test environment consisted of a SUSE 9.2 Professional Linux Workstation running
198 VMWare 4.5. The following VMWare images were prepared:
199 </para>
200
201 <itemizedlist>
202 <listitem><para>Windows 98 &smbmdash; name: MILGATE98</para></listitem>
203 <listitem><para>Windows Me &smbmdash; name: WINEPRESSME</para></listitem>
204 <listitem><para>Windows XP Professional &smbmdash; name: LightrayXP</para></listitem>
205 <listitem><para>Samba-3.0.20 running on a SUSE Enterprise Linux 9</para></listitem>
206 </itemizedlist>
207
208 <para>
209 Choose a workgroup name (MIDEARTH) for each exercise.
210 </para>
211
212 <para>
213 <indexterm><primary>ethereal</primary></indexterm>
214 The network captures provided on the CD-ROM included with this book were captured using <constant>Ethereal</constant>
215 version <literal>0.10.6</literal>. A later version suffices without problems (i.e. you should be using Wireshark), but an earlier version may not
216 expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all
217 packets has also been included. This makes it possible for you to do all the studying you like without the need to
218 perform the time-consuming equipment configuration and test work. This is a good time to point out that the value
219 that can be derived from this book really does warrant your taking sufficient time to practice each exercise with
220 care and attention to detail.
221 </para>
222
223 <sect2>
224 <title>Single-Machine Broadcast Activity</title>
225
226 <para>
227 In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes.
228 </para>
229
230 <procedure>
231 <title>Monitoring Windows 9x Steps</title>
232
233 <step><para>
234 Start the machine from which network activity will be monitored (using <command>Wireshark</command>).
235 Launch <command>Wireshark</command>, click
236 <menuchoice>
237 <guimenu>Capture</guimenu>
238 <guimenuitem>Start</guimenuitem>
239 </menuchoice>.
240 </para>
241
242 <para>
243 Click the following:
244 <orderedlist>
245 <listitem><para>Update list of packets in real time</para></listitem>
246 <listitem><para>Automatic scrolling in live capture</para></listitem>
247 <listitem><para>Enable MAC name resolution</para></listitem>
248 <listitem><para>Enable network name resolution</para></listitem>
249 <listitem><para>Enable transport name resolution</para></listitem>
250 </orderedlist>
251 Click <guibutton>OK</guibutton>.
252 </para></step>
253
254 <step><para>
255 Start the Windows 9x/Me machine to be monitored. Let it run for a full 30 minutes. While monitoring,
256 do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
257 </para></step>
258
259 <step><para>
260 At the conclusion of 30 minutes, stop the capture. Save the capture to a file so you can go back to it later.
261 Leave this machine running in preparation for the task in <link linkend="secondmachine"/>.
262 </para></step>
263
264 <step><para>
265 Analyze the capture. Identify each discrete message type that was captured. Note what transport protocol
266 was used. Identify the timing between messages of identical types.
267 </para></step>
268
269 </procedure>
270
271 <sect3>
272 <title>Findings</title>
273
274 <para>
275 The summary of the first 10 minutes of the packet capture should look like <link linkend="pktcap01"/>.
276 A screenshot of a later stage of the same capture is shown in <link linkend="pktcap02"/>.
277 </para>
278
279 <figure id="pktcap01">
280 <title>Windows Me &smbmdash; Broadcasts &smbmdash; The First 10 Minutes</title>
281 <imagefile scale="40">WINREPRESSME-Capture</imagefile>
282 </figure>
283
284 <figure id="pktcap02">
285 <title>Windows Me &smbmdash; Later Broadcast Sample</title>
286 <imagefile scale="42">WINREPRESSME-Capture2</imagefile>
287 </figure>
288
289 <para><indexterm>
290 <primary>Local Master Browser</primary>
291 <see>LMB</see>
292 </indexterm><indexterm>
293 <primary>LMB</primary>
294 </indexterm>
295 Broadcast messages observed are shown in <link linkend="capsstats01"/>.
296 Actual observations vary a little, but not by much.
297 Early in the startup process, the Windows Me machine broadcasts its name for two reasons:
298 first to ensure that its name would not result in a name clash, and second to establish its
299 presence with the Local Master Browser (LMB).
300 </para>
301
302 <table id="capsstats01">
303 <title>Windows Me &smbmdash; Startup Broadcast Capture Statistics</title>
304 <tgroup cols="4">
305 <colspec align="left" colwidth="3*"/>
306 <colspec align="center"/>
307 <colspec align="center"/>
308 <colspec align="left" colwidth="3*"/>
309 <thead>
310 <row>
311 <entry>Message</entry>
312 <entry>Type</entry>
313 <entry>Num</entry>
314 <entry>Notes</entry>
315 </row>
316 </thead>
317 <tbody>
318 <row>
319 <entry>WINEPRESSME&lt;00&gt;</entry>
320 <entry>Reg</entry>
321 <entry>8</entry>
322 <entry>4 lots of 2, 0.6 sec apart</entry>
323 </row>
324 <row>
325 <entry>WINEPRESSME&lt;03&gt;</entry>
326 <entry>Reg</entry>
327 <entry>8</entry>
328 <entry>4 lots of 2, 0.6 sec apart</entry>
329 </row>
330 <row>
331 <entry>WINEPRESSME&lt;20&gt;</entry>
332 <entry>Reg</entry>
333 <entry>8</entry>
334 <entry>4 lots of 2, 0.75 sec apart</entry>
335 </row>
336 <row>
337 <entry>MIDEARTH&lt;00&gt;</entry>
338 <entry>Reg</entry>
339 <entry>8</entry>
340 <entry>4 lots of 2, 0.75 sec apart</entry>
341 </row>
342 <row>
343 <entry>MIDEARTH&lt;1d&gt;</entry>
344 <entry>Reg</entry>
345 <entry>8</entry>
346 <entry>4 lots of 2, 0.75 sec apart</entry>
347 </row>
348 <row>
349 <entry>MIDEARTH&lt;1e&gt;</entry>
350 <entry>Reg</entry>
351 <entry>8</entry>
352 <entry>4 lots of 2, 0.75 sec apart</entry>
353 </row>
354 <row>
355 <entry>MIDEARTH&lt;1b&gt;</entry>
356 <entry>Qry</entry>
357 <entry>84</entry>
358 <entry>300 sec apart at stable operation</entry>
359 </row>
360 <row>
361 <entry>__MSBROWSE__</entry>
362 <entry>Reg</entry>
363 <entry>8</entry>
364 <entry>Registered after winning election to Browse Master</entry>
365 </row>
366 <row>
367 <entry>JHT&lt;03&gt;</entry>
368 <entry>Reg</entry>
369 <entry>8</entry>
370 <entry>4 x 2. This is the name of the user that logged onto Windows</entry>
371 </row>
372 <row>
373 <entry>Host Announcement WINEPRESSME</entry>
374 <entry>Ann</entry>
375 <entry>2</entry>
376 <entry>Observed at 10 sec</entry>
377 </row>
378 <row>
379 <entry>Domain/Workgroup Announcement MIDEARTH</entry>
380 <entry>Ann</entry>
381 <entry>18</entry>
382 <entry>300 sec apart at stable operation</entry>
383 </row>
384 <row>
385 <entry>Local Master Announcement WINEPRESSME</entry>
386 <entry>Ann</entry>
387 <entry>18</entry>
388 <entry>300 sec apart at stable operation</entry>
389 </row>
390 <row>
391 <entry>Get Backup List Request</entry>
392 <entry>Qry</entry>
393 <entry>12</entry>
394 <entry>6 x 2 early in startup, 0.5 sec apart</entry>
395 </row>
396 <row>
397 <entry>Browser Election Request</entry>
398 <entry>Ann</entry>
399 <entry>10</entry>
400 <entry>5 x 2 early in startup</entry>
401 </row>
402 <row>
403 <entry>Request Announcement WINEPRESSME</entry>
404 <entry>Ann</entry>
405 <entry>4</entry>
406 <entry>Early in startup</entry>
407 </row>
408 </tbody>
409 </tgroup>
410 </table>
411
412 <para><indexterm>
413 <primary>election</primary>
414 </indexterm><indexterm>
415 <primary>browse master</primary>
416 </indexterm>
417 From the packet trace, it should be noted that no messages were propagated over TCP/IP;
418 all messages employed UDP/IP. When steady-state operation has been achieved, there is a cycle
419 of various announcements, re-election of a browse master, and name queries. These create
420 the symphony of announcements by which network browsing is made possible.
421 </para>
422
423 <para><indexterm>
424 <primary>CIFS</primary>
425 </indexterm>
426 For detailed information regarding the precise behavior of the CIFS/SMB protocols,
427 refer to the book <quote>Implementing CIFS: The Common Internet File System,</quote>
428 by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X).
429 </para>
430
431 </sect3>
432
433 </sect2>
434
435 <sect2 id="secondmachine">
436 <title>Second Machine Startup Broadcast Interaction</title>
437
438 <para>
439 At this time, the machine you used to capture the single-system startup trace should still be running.
440 The objective of this task is to identify the interaction of two machines in respect to broadcast activity.
441 </para>
442
443 <procedure>
444 <title>Monitoring of Second Machine Activity</title>
445
446 <step><para>
447 On the machine from which network activity will be monitored (using <command>Wireshark</command>),
448 launch <command>Wireshark</command> and click
449 <menuchoice>
450 <guimenu>Capture</guimenu>
451 <guimenuitem>Start</guimenuitem>
452 </menuchoice>.
453 </para>
454
455 <para>
456 Click:
457 <orderedlist>
458 <listitem><para>Update list of packets in real time</para></listitem>
459 <listitem><para>Automatic scrolling in live capture</para></listitem>
460 <listitem><para>Enable MAC name resolution</para></listitem>
461 <listitem><para>Enable network name resolution</para></listitem>
462 <listitem><para>Enable transport name resolution</para></listitem>
463 </orderedlist>
464 Click <guibutton>OK</guibutton>.
465 </para></step>
466
467 <step><para>
468 Start the second Windows 9x/Me machine. Let it run for 15 to 20 minutes. While monitoring, do not press
469 any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
470 </para></step>
471
472 <step><para>
473 At the conclusion of the capture time, stop the capture. Be sure to save the captured data so you
474 can examine the network data capture again at a later date should that be necessary.
475 </para></step>
476
477 <step><para>
478 Analyze the capture trace, taking note of the transport protocols used, the types of messages observed,
479 and what interaction took place between the two machines. Leave both machines running for the next task.
480 </para></step>
481 </procedure>
482
483 <sect3>
484 <title>Findings</title>
485
486 <para>
487 <link linkend="capsstats02"/> summarizes capture statistics observed. As in the previous case,
488 all announcements used UDP/IP broadcasts. Also, as was observed with the last example, the second
489 Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash
490 (i.e., the name is already registered by another machine) on the network segment. Those wishing
491 to explore the inner details of the precise mechanism of how this functions should refer to
492 <quote>Implementing CIFS: The Common Internet File System.</quote>
493 </para>
494
495 <table id="capsstats02">
496 <title>Second Machine (Windows 98) &smbmdash; Capture Statistics</title>
497 <tgroup cols="4">
498 <colspec align="left" colwidth="3*"/>
499 <colspec align="center"/>
500 <colspec align="center"/>
501 <colspec align="left" colwidth="3*"/>
502 <thead>
503 <row>
504 <entry>Message</entry>
505 <entry>Type</entry>
506 <entry>Num</entry>
507 <entry>Notes</entry>
508 </row>
509 </thead>
510 <tbody>
511 <row>
512 <entry>MILGATE98&lt;00&gt;</entry>
513 <entry>Reg</entry>
514 <entry>8</entry>
515 <entry>4 lots of 2, 0.6 sec apart</entry>
516 </row>
517 <row>
518 <entry>MILGATE98&lt;03&gt;</entry>
519 <entry>Reg</entry>
520 <entry>8</entry>
521 <entry>4 lots of 2, 0.6 sec apart</entry>
522 </row>
523 <row>
524 <entry>MILGATE98&lt;20&gt;</entry>
525 <entry>Reg</entry>
526 <entry>8</entry>
527 <entry>4 lots of 2, 0.75 sec apart</entry>
528 </row>
529 <row>
530 <entry>MIDEARTH&lt;00&gt;</entry>
531 <entry>Reg</entry>
532 <entry>8</entry>
533 <entry>4 lots of 2, 0.75 sec apart</entry>
534 </row>
535 <row>
536 <entry>MIDEARTH&lt;1d&gt;</entry>
537 <entry>Reg</entry>
538 <entry>8</entry>
539 <entry>4 lots of 2, 0.75 sec apart</entry>
540 </row>
541 <row>
542 <entry>MIDEARTH&lt;1e&gt;</entry>
543 <entry>Reg</entry>
544 <entry>8</entry>
545 <entry>4 lots of 2, 0.75 sec apart</entry>
546 </row>
547 <row>
548 <entry>MIDEARTH&lt;1b&gt;</entry>
549 <entry>Qry</entry>
550 <entry>18</entry>
551 <entry>900 sec apart at stable operation</entry>
552 </row>
553 <row>
554 <entry>JHT&lt;03&gt;</entry>
555 <entry>Reg</entry>
556 <entry>2</entry>
557 <entry>This is the name of the user that logged onto Windows</entry>
558 </row>
559 <row>
560 <entry>Host Announcement MILGATE98</entry>
561 <entry>Ann</entry>
562 <entry>14</entry>
563 <entry>Every 120 sec</entry>
564 </row>
565 <row>
566 <entry>Domain/Workgroup Announcement MIDEARTH</entry>
567 <entry>Ann</entry>
568 <entry>6</entry>
569 <entry>900 sec apart at stable operation</entry>
570 </row>
571 <row>
572 <entry>Local Master Announcement WINEPRESSME</entry>
573 <entry>Ann</entry>
574 <entry>6</entry>
575 <entry>Insufficient detail to determine frequency</entry>
576 </row>
577 </tbody>
578 </tgroup>
579 </table>
580
581 <para>
582 <indexterm><primary>host announcement</primary></indexterm>
583 <indexterm><primary>Local Master Announcement</primary></indexterm>
584 <indexterm><primary>Workgroup Announcement</primary></indexterm>
585 Observation of the contents of Host Announcements, Domain/Workgroup Announcements,
586 and Local Master Announcements is instructive. These messages convey a significant
587 level of detail regarding the nature of each machine that is on the network. An example
588 dissection of a Host Announcement is given in <link linkend="hostannounce"/>.
589 </para>
590
591
592 <figure id="hostannounce">
593 <title>Typical Windows 9x/Me Host Announcement</title>
594 <imagefile scale="41">HostAnnouncment</imagefile>
595 </figure>
596 </sect3>
597
598 </sect2>
599
600 <sect2>
601 <title>Simple Windows Client Connection Characteristics</title>
602
603 <para>
604 The purpose of this exercise is to discover how Microsoft Windows clients create (establish)
605 connections with remote servers. The methodology involves analysis of a key aspect of how
606 Windows clients access remote servers: the session setup protocol.
607 </para>
608
609 <procedure>
610 <title>Client Connection Exploration Steps</title>
611
612 <step><para>
613 Configure a Windows 9x/Me machine (MILGATE98) with a share called <constant>Stuff</constant>.
614 Create a <parameter>Full Access</parameter> control password on this share.
615 </para></step>
616
617 <step><para>
618 Configure another Windows 9x/Me machine (WINEPRESSME) as a client. Make sure that it exports
619 no shared resources.
620 </para></step>
621
622 <step><para>
623 Start both Windows 9x/Me machines and allow them to stabilize for 10 minutes. Log on to both
624 machines using a user name (JHT) of your choice. Wait approximately 2 minutes before proceeding.
625 </para></step>
626
627 <step><para>
628 Start Wireshark (or the network sniffer of your choice).
629 </para></step>
630
631 <step><para>
632 From the WINEPRESSME machine, right-click <guimenu>Network Neighborhood</guimenu>, select
633 <guimenuitem>Explore</guimenuitem>, select
634 <menuchoice>
635 <guimenuitem>My Network Places</guimenuitem>
636 <guimenuitem>Entire Network</guimenuitem>
637 <guimenuitem>MIDEARTH</guimenuitem>
638 <guimenuitem>MILGATE98</guimenuitem>
639 <guimenuitem>Stuff</guimenuitem>
640 </menuchoice>.
641 Enter the password you set for the <constant>Full Control</constant> mode for the
642 <constant>Stuff</constant> share.
643 </para></step>
644
645 <step><para>
646 When the share called <constant>Stuff</constant> is being displayed, stop the capture.
647 Save the captured data in case it is needed for later analysis.
648 </para></step>
649
650 <step><para>
651 <indexterm><primary>session setup</primary></indexterm>
652 From the top of the packets captured, scan down to locate the first packet that has
653 interpreted as <constant>Session Setup AndX, User: anonymous; Tree Connect AndX,
654 Path: \\MILGATE98\IPC$</constant>.
655 </para></step>
656
657 <step><para><indexterm>
658 <primary>Session Setup</primary>
659 </indexterm><indexterm>
660 <primary>Tree Connect</primary>
661 </indexterm>
662 In the dissection (analysis) panel, expand the <constant>SMB, Session Setup AndX Request,
663 and Tree Connect AndX Request</constant>. Examine both operations. Identify the name of
664 the user Account and what password was used. The Account name should be empty.
665 This is a <constant>NULL</constant> session setup packet.
666 </para></step>
667
668 <step><para>
669 Return to the packet capture sequence. There will be a number of packets that have been
670 decoded of the type <constant>Session Setup AndX</constant>. Locate the last such packet
671 that was targeted at the <constant>\\MILGATE98\IPC$</constant> service.
672 </para></step>
673
674 <step><para>
675 <indexterm><primary>password length</primary></indexterm>
676 <indexterm><primary>User Mode</primary></indexterm>
677 Dissect this packet as per the previous one. This packet should have a password length
678 of 24 (characters) and should have a password field, the contents of which is a
679 long hexadecimal number. Observe the name in the Account field. This is a User Mode
680 session setup packet.
681 </para></step>
682 </procedure>
683
684 <sect3>
685 <title>Findings and Comments</title>
686
687 <para>
688 <indexterm><primary>IPC$</primary></indexterm>
689 The <constant>IPC$</constant> share serves a vital purpose<footnote><para>TOSHARG2, Sect 4.5.1</para></footnote>
690 in SMB/CIFS-based networking. A Windows client connects to this resource to obtain the list of
691 resources that are available on the server. The server responds with the shares and print queues that
692 are available. In most but not all cases, the connection is made with a <constant>NULL</constant>
693 username and a <constant>NULL</constant> password.
694 </para>
695
696 <para>
697 <indexterm><primary>account credentials</primary></indexterm>
698 The two packets examined are material evidence of how Windows clients may
699 interoperate with Samba. Samba requires every connection setup to be authenticated using
700 valid UNIX account credentials (UID/GID). This means that even a <constant>NULL</constant>
701 session setup can be established only by automatically mapping it to a valid UNIX
702 account.
703 </para>
704
705 <para>
706 <indexterm><primary>NULL session</primary></indexterm><indexterm>
707 <primary>guest account</primary>
708 </indexterm>
709 <indexterm><primary>nobody</primary></indexterm>
710 Samba has a special name for the <constant>NULL</constant>, or empty, user account:
711 it calls it the <smbconfoption name="guest account"/>. The
712 default value of this parameter is <constant>nobody</constant>; however, this can be
713 changed to map the function of the guest account to any other UNIX identity. Some
714 UNIX administrators prefer to map this account to the system default anonymous
715 FTP account. A sample NULL Session Setup AndX packet dissection is shown in
716 <link linkend="nullconnect"/>.
717 </para>
718
719 <figure id="nullconnect">
720 <title>Typical Windows 9x/Me NULL SessionSetUp AndX Request</title>
721
722 <imagefile scale="41">NullConnect</imagefile>
723 </figure>
724
725 <para>
726 <indexterm><primary>nobody</primary></indexterm>
727 <indexterm><primary>/etc/passwd</primary></indexterm>
728 <indexterm><primary>guest account</primary></indexterm>
729 When a UNIX/Linux system does not have a <constant>nobody</constant> user account
730 (<filename>/etc/passwd</filename>), the operation of the <constant>NULL</constant>
731 account cannot validate and thus connections that utilize the guest account
732 fail. This breaks all ability to browse the Samba server and is a common
733 problem reported on the Samba mailing list. A sample User Mode session setup AndX
734 is shown in <link linkend="userconnect"/>.
735 </para>
736
737 <figure id="userconnect">
738 <title>Typical Windows 9x/Me User SessionSetUp AndX Request</title>
739 <imagefile scale="41">UserConnect</imagefile>
740 </figure>
741
742 <para>
743 <indexterm><primary>encrypted</primary></indexterm>
744 The User Mode connection packet contains the account name and the domain name.
745 The password is provided in Microsoft encrypted form, and its length is shown
746 as 24 characters. This is the length of Microsoft encrypted passwords.
747 </para>
748
749 </sect3>
750
751 </sect2>
752
753 <sect2>
754 <title>Windows 200x/XP Client Interaction with Samba-3</title>
755
756 <para>
757 By now you may be asking, <quote>Why did you choose to work with Windows 9x/Me?</quote>
758 </para>
759
760 <para>
761 First, we want to demonstrate the simple case. This book is not intended to be a detailed treatise
762 on the Windows networking protocols, but rather to provide prescriptive guidance for deployment of Samba.
763 Second, by starting out with the simple protocol, it can be demonstrated that the more complex case mostly
764 follows the same principles.
765 </para>
766
767 <para>
768 The following exercise demonstrates the case that even MS Windows XP Professional with up-to-date service
769 updates also uses the <constant>NULL</constant> account, as well as user accounts. Simply follow the procedure
770 to complete this exercise.
771 </para>
772
773 <para>
774 To complete this exercise, you need a Windows XP Professional client that has been configured as
775 a domain member of either a Samba-controlled domain or a Windows NT4 or 200x Active Directory domain.
776 Here we do not provide details for how to configure this, as full coverage is provided earlier in this book.
777 </para>
778
779 <procedure>
780 <title>Steps to Explore Windows XP Pro Connection Set-up</title>
781
782 <step><para>
783 Start your domain controller. Also, start the Wireshark monitoring machine, launch Wireshark,
784 and then wait for the next step to complete.
785 </para></step>
786
787 <step><para>
788 Start the Windows XP Client and wait 5 minutes before proceeding.
789 </para></step>
790
791 <step><para>
792 On the machine from which network activity will be monitored (using <command>Wireshark</command>),
793 launch <command>Wireshark</command> and click
794 <menuchoice>
795 <guimenu>Capture</guimenu>
796 <guimenuitem>Start</guimenuitem>
797 </menuchoice>.
798 </para>
799
800 <para>
801 Click:
802 <orderedlist>
803 <listitem><para>Update list of packets in real time</para></listitem>
804 <listitem><para>Automatic scrolling in live capture</para></listitem>
805 <listitem><para>Enable MAC name resolution</para></listitem>
806 <listitem><para>Enable network name resolution</para></listitem>
807 <listitem><para>Enable transport name resolution</para></listitem>
808 </orderedlist>
809 Click <guibutton>OK</guibutton>.
810 </para></step>
811
812 <step><para>
813 On the Windows XP Professional client, press <guimenu>Ctrl-Alt-Delete</guimenu> to bring
814 up the domain logon screen. Log in using valid credentials for a domain user account.
815 </para></step>
816
817 <step><para>
818 Now proceed to connect to the domain controller as follows:
819 <menuchoice>
820 <guimenu>Start</guimenu>
821 <guimenuitem>(right-click) My Network Places</guimenuitem>
822 <guimenuitem>Explore</guimenuitem>
823 <guimenuitem>{Left Panel} [+] Entire Network</guimenuitem>
824 <guimenuitem>{Left Panel} [+] Microsoft Windows Network</guimenuitem>
825 <guimenuitem>{Left Panel} [+] Midearth</guimenuitem>
826 <guimenuitem>{Left Panel} [+] Frodo</guimenuitem>
827 <guimenuitem>{Left Panel} [+] data</guimenuitem>
828 </menuchoice>. Close the explorer window.
829 </para>
830
831 <para>
832 In this step, our domain name is <constant>Midearth</constant>, the domain controller is called
833 <constant>Frodo</constant>, and we have connected to a share called <constant>data</constant>.
834 </para></step>
835
836 <step><para>
837 Stop the capture on the <command>Wireshark</command> monitoring machine. Be sure to save the captured data
838 to a file so that you can refer to it again later.
839 </para></step>
840
841 <step><para>
842 If desired, the Windows XP Professional client and the domain controller are no longer needed for exercises
843 in this chapter.
844 </para></step>
845
846 <step><para>
847 <indexterm><primary>NTLMSSP_AUTH</primary></indexterm>
848 <indexterm><primary>session setup</primary></indexterm>
849 From the top of the packets captured, scan down to locate the first packet that has
850 interpreted as <constant>Session Setup AndX Request, NTLMSSP_AUTH</constant>.
851 </para></step>
852
853 <step><para>
854 <indexterm><primary>GSS-API</primary></indexterm>
855 <indexterm><primary>SPNEGO</primary></indexterm>
856 <indexterm><primary>NTLMSSP</primary></indexterm>
857 In the dissection (analysis) panel, expand the <constant>SMB, Session Setup AndX Request</constant>.
858 Expand the packet decode information, beginning at the <constant>Security Blob:</constant>
859 entry. Expand the <constant>GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</constant>
860 keys. This should reveal that this is a <constant>NULL</constant> session setup packet.
861 The <constant>User name: NULL</constant> so indicates. An example decode is shown in
862 <link linkend="XPCap01"/>.
863 </para></step>
864
865 <step><para>
866 Return to the packet capture sequence. There will be a number of packets that have been
867 decoded of the type <constant>Session Setup AndX Request</constant>. Click the last such packet that
868 has been decoded as <constant>Session Setup AndX Request, NTLMSSP_AUTH</constant>.
869 </para></step>
870
871 <step><para>
872 <indexterm><primary>encrypted password</primary></indexterm>
873 In the dissection (analysis) panel, expand the <constant>SMB, Session Setup AndX Request</constant>.
874 Expand the packet decode information, beginning at the <constant>Security Blob:</constant>
875 entry. Expand the <constant>GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</constant>
876 keys. This should reveal that this is a <constant>User Mode</constant> session setup packet.
877 The <constant>User name: jht</constant> so indicates. An example decode is shown in
878 <link linkend="XPCap02"/>. In this case the user name was <constant>jht</constant>. This packet
879 decode includes the <constant>Lan Manager Response:</constant> and the <constant>NTLM Response:</constant>.
880 The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan
881 password and then the NT (case-preserving) password hash.
882 </para></step>
883
884 <step><para>
885 <indexterm><primary>password length</primary></indexterm>
886 <indexterm><primary>User Mode</primary></indexterm>
887 The passwords are 24-character hexadecimal numbers. This packet confirms that this is a User Mode
888 session setup packet.
889 </para></step>
890
891 </procedure>
892
893 <figure id="XPCap01">
894 <title>Typical Windows XP NULL Session Setup AndX Request</title>
895 <imagefile scale="50">WindowsXP-NullConnection</imagefile>
896 </figure>
897
898 <figure id="XPCap02">
899 <title>Typical Windows XP User Session Setup AndX Request</title>
900 <imagefile scale="50">WindowsXP-UserConnection</imagefile>
901 </figure>
902
903 <sect3>
904 <title>Discussion</title>
905
906 <para><indexterm>
907 <primary>NULL-Session</primary>
908 </indexterm>
909 This exercise demonstrates that, while the specific protocol for the Session Setup AndX is handled
910 in a more sophisticated manner by recent MS Windows clients, the underlying rules or principles
911 remain the same. Thus it is demonstrated that MS Windows XP Professional clients still use a
912 <constant>NULL-Session</constant> connection to query and locate resources on an advanced network
913 technology server (one using Windows NT4/200x or Samba). It also demonstrates that an authenticated
914 connection must be made before resources can be used.
915 </para>
916
917 </sect3>
918
919 </sect2>
920
921 <sect2>
922 <title>Conclusions to Exercises</title>
923
924 <para>
925 In summary, the following points have been established in this chapter:
926 </para>
927
928 <itemizedlist>
929 <listitem><para>
930 When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast-oriented messaging protocols to provide knowledge of network services.
931 </para></listitem>
932
933 <listitem><para>
934 Network browsing protocols query information stored on browse masters that manage
935 information provided by NetBIOS Name Registrations and by way of ongoing host
936 announcements and workgroup announcements.
937 </para></listitem>
938
939 <listitem><para>
940 All Samba servers must be configured with a mechanism for mapping the <constant>NULL-Session</constant>
941 to a valid but nonprivileged UNIX system account.
942 </para></listitem>
943
944 <listitem><para>
945 The use of Microsoft encrypted passwords is built right into the fabric of Windows
946 networking operations. Such passwords cannot be provided from the UNIX <filename>/etc/passwd</filename>
947 database and thus must be stored elsewhere on the UNIX system in a manner that Samba can
948 use. Samba-2.x permitted such encrypted passwords to be stored in the <constant>smbpasswd</constant>
949 file or in an LDAP database. Samba-3 permits use of multiple <parameter>passdb backend</parameter>
950 databases in concurrent deployment. Refer to <emphasis>TOSHARG2</emphasis>, Chapter 10, <quote>Account Information Databases.</quote>
951 </para></listitem>
952 </itemizedlist>
953
954 </sect2>
955
956</sect1>
957
958<sect1 id="chap01conc">
959 <title>Dissection and Discussion</title>
960
961 <para>
962 <indexterm><primary>guest account</primary></indexterm>
963 The exercises demonstrate the use of the <constant>guest</constant> account, the way that
964 MS Windows clients and servers resolve computer names to a TCP/IP address, and how connections
965 between a client and a server are established.
966 </para>
967
968 <para>
969 Those wishing background information regarding NetBIOS name types should refer to
970 the Microsoft knowledgebase article
971 <ulink url="http://support.microsoft.com/support/kb/articles/Q102/78/8.asp">Q102878.</ulink>
972 </para>
973
974 <sect2>
975 <title>Technical Issues</title>
976
977 <para>
978 <indexterm><primary>guest account</primary></indexterm>
979 Network browsing involves SMB broadcast announcements, SMB enumeration requests,
980 connections to the <constant>IPC$</constant> share, share enumerations, and SMB connection
981 setup processes. The use of anonymous connections to a Samba server involve the use of
982 the <parameter>guest account</parameter> that must map to a valid UNIX UID.
983 </para>
984
985 </sect2>
986
987</sect1>
988
989<sect1 id="chap01qa">
990 <title>Questions and Answers</title>
991
992 <para>
993 The questions and answers given in this section are designed to highlight important aspects of Microsoft
994 Windows networking.
995 </para>
996
997 <qandaset defaultlabel="chap01qa" type="number">
998 <qandaentry>
999 <question>
1000
1001 <para>
1002 What is the significance of the MIDEARTH&lt;1b&gt; type query?
1003 </para>
1004
1005 </question>
1006 <answer>
1007
1008 <para>
1009 <indexterm><primary>Domain Master Browser</primary><see>DMB</see></indexterm>
1010 <indexterm><primary>DMB</primary></indexterm>
1011 This is a broadcast announcement by which the Windows machine is attempting to
1012 locate a Domain Master Browser (DMB) in the event that it might exist on the network.
1013 Refer to <emphasis>TOSHARG2,</emphasis> Chapter 9, Section 9.7, <quote>Technical Overview of Browsing,</quote>
1014 for details regarding the function of the DMB and its role in network browsing.
1015 </para>
1016
1017 </answer>
1018 </qandaentry>
1019
1020 <qandaentry>
1021 <question>
1022
1023 <para>
1024 What is the significance of the MIDEARTH&lt;1d&gt; type name registration?
1025 </para>
1026
1027 </question>
1028 <answer>
1029
1030 <para>
1031 <indexterm><primary>Local Master Browser</primary><see>LMB</see></indexterm>
1032 <indexterm><primary>LMB</primary></indexterm>
1033 This name registration records the machine IP addresses of the LMBs.
1034 Network clients can query this name type to obtain a list of browser servers from the
1035 master browser.
1036 </para>
1037
1038 <para>
1039 The LMB is responsible for monitoring all host announcements on the local network and for
1040 collating the information contained within them. Using this information, it can provide answers to other Windows
1041 network clients that request information such as:
1042 </para>
1043
1044 <itemizedlist>
1045 <listitem><para>
1046 The list of machines known to the LMB (i.e., the browse list)
1047 </para></listitem>
1048
1049 <listitem><para>
1050 The IP addresses of all domain controllers known for the domain
1051 </para></listitem>
1052
1053 <listitem><para>
1054 The IP addresses of LMBs
1055 </para></listitem>
1056
1057 <listitem><para>
1058 The IP address of the DMB (if one exists)
1059 </para></listitem>
1060
1061 <listitem><para>
1062 The IP address of the LMB on the local segment
1063 </para></listitem>
1064 </itemizedlist>
1065
1066 </answer>
1067 </qandaentry>
1068
1069 <qandaentry>
1070 <question>
1071
1072 <para>
1073 What is the role and significance of the &lt;01&gt;&lt;02&gt;__MSBROWSE__&lt;02&gt;&lt;01&gt;
1074 name registration?
1075 </para>
1076
1077 </question>
1078 <answer>
1079
1080 <para>
1081 <indexterm><primary>Browse Master</primary></indexterm>
1082 This name is registered by the browse master to broadcast and receive domain announcements.
1083 Its scope is limited to the local network segment, or subnet. By querying this name type,
1084 master browsers on networks that have multiple domains can find the names of master browsers
1085 for each domain.
1086 </para>
1087
1088 </answer>
1089 </qandaentry>
1090
1091 <qandaentry>
1092 <question>
1093
1094 <para>
1095 What is the significance of the MIDEARTH&lt;1e&gt; type name registration?
1096 </para>
1097
1098 </question>
1099 <answer>
1100
1101 <para>
1102 <indexterm><primary>Browser Election Service</primary></indexterm>
1103 This name is registered by all browse masters in a domain or workgroup. The registration
1104 name type is known as the Browser Election Service. Master browsers register themselves
1105 with this name type so that DMBs can locate them to perform cross-subnet
1106 browse list updates. This name type is also used to initiate elections for Master Browsers.
1107 </para>
1108
1109 </answer>
1110 </qandaentry>
1111
1112 <qandaentry>
1113 <question>
1114
1115 <para>
1116 <indexterm><primary>guest account</primary></indexterm>
1117 What is the significance of the <parameter>guest account</parameter> in smb.conf?
1118 </para>
1119
1120 </question>
1121 <answer>
1122
1123 <para>
1124 This parameter specifies the default UNIX account to which MS Windows networking
1125 NULL session connections are mapped. The default name for the UNIX account used for
1126 this mapping is called <constant>nobody</constant>. If the UNIX/Linux system that
1127 is hosting Samba does not have a <constant>nobody</constant> account and an alternate
1128 mapping has not been specified, network browsing will not work at all.
1129 </para>
1130
1131 <para>
1132 It should be noted that the <parameter>guest account</parameter> is essential to
1133 Samba operation. Either the operating system must have an account called <constant>nobody</constant>
1134 or there must be an entry in the &smb.conf; file with a valid UNIX account, such as
1135 <smbconfoption name="guest account">ftp</smbconfoption>.
1136 </para>
1137
1138 </answer>
1139 </qandaentry>
1140
1141 <qandaentry>
1142 <question>
1143
1144 <para>
1145 Is it possible to reduce network broadcast activity with Samba-3?
1146 </para>
1147
1148 </question>
1149 <answer>
1150
1151 <para>
1152 <indexterm><primary>WINS</primary></indexterm>
1153 <indexterm><primary>NetBIOS</primary></indexterm>
1154 Yes, there are two ways to do this. The first involves use of WINS (See <emphasis>TOSHARG2</emphasis>, Chapter 9,
1155 Section 9.5, <quote>WINS &smbmdash; The Windows Inter-networking Name Server</quote>); the
1156 alternate method involves disabling the use of NetBIOS over TCP/IP. This second method requires
1157 a correctly configured DNS server (see <emphasis>TOSHARG2</emphasis>, Chapter 9, Section 9.3, <quote>Discussion</quote>).
1158 </para>
1159
1160 <para>
1161 <indexterm><primary>broadcast</primary></indexterm>
1162 <indexterm><primary>NetBIOS</primary><secondary>Node Type</secondary></indexterm>
1163 <indexterm><primary>Hybrid</primary></indexterm>
1164 The use of WINS reduces network broadcast traffic. The reduction is greatest when all network
1165 clients are configured to operate in <parameter>Hybrid Mode</parameter>. This can be effected through
1166 use of DHCP to set the NetBIOS node type to type 8 for all network clients. Additionally, it is
1167 beneficial to configure Samba to use <smbconfoption name="name resolve order">wins host cast</smbconfoption>.
1168 </para>
1169
1170 <note><para>
1171 Use of SMB without NetBIOS is possible only on Windows 200x/XP Professional clients and servers, as
1172 well as with Samba-3.
1173 </para></note>
1174
1175 </answer>
1176 </qandaentry>
1177
1178 <qandaentry>
1179 <question>
1180
1181 <para>
1182 Can I just use plain-text passwords with Samba?
1183 </para>
1184
1185 </question>
1186 <answer>
1187
1188 <para>
1189 Yes, you can configure Samba to use plain-text passwords, though this does create a few problems.
1190 </para>
1191
1192 <para>
1193 First, the use of <filename>/etc/passwd</filename>-based plain-text passwords requires that registry
1194 modifications be made on all MS Windows client machines to enable plain-text passwords support. This
1195 significantly diminishes the security of MS Windows client operation. Many network administrators
1196 are bitterly opposed to doing this.
1197 </para>
1198
1199 <para>
1200 Second, Microsoft has not maintained plain-text password support since the default setting was made
1201 disabling this. When network connections are dropped by the client, it is not possible to re-establish
1202 the connection automatically. Users need to log off and then log on again. Plain-text password support
1203 may interfere with recent enhancements that are part of the Microsoft move toward a more secure computing
1204 environment.
1205 </para>
1206
1207 <para>
1208 Samba-3 supports Microsoft encrypted passwords. Be advised not to reintroduce plain-text password handling.
1209 Just create user accounts by running <command>smbpasswd -a 'username'</command>
1210 </para>
1211
1212 <para>
1213 It is not possible to add a user to the <parameter>passdb backend</parameter> database unless there is
1214 a UNIX system account for that user. On systems that run <command>winbindd</command> to access the Samba
1215 PDC/BDC to provide Windows user and group accounts, the <parameter>idmap uid, idmap gid</parameter> ranges
1216 set in the &smb.conf; file provide the local UID/GIDs needed for local identity management purposes.
1217 </para>
1218
1219 </answer>
1220 </qandaentry>
1221
1222 <qandaentry>
1223 <question>
1224
1225 <para>
1226 What parameter in the &smb.conf; file is used to enable the use of encrypted passwords?
1227 </para>
1228
1229 </question>
1230 <answer>
1231
1232 <para>
1233 The parameter in the &smb.conf; file that controls this behavior is known as <parameter>encrypt
1234 passwords</parameter>. The default setting for this in Samba-3 is <constant>Yes (Enabled)</constant>.
1235 </para>
1236
1237 </answer>
1238 </qandaentry>
1239
1240 <qandaentry>
1241 <question>
1242
1243 <para>
1244 Is it necessary to specify <smbconfoption name="encrypt passwords">Yes</smbconfoption>
1245 when Samba-3 is configured as a domain member?
1246 </para>
1247
1248 </question>
1249 <answer>
1250
1251 <para>
1252 No. This is the default behavior.
1253 </para>
1254
1255 </answer>
1256 </qandaentry>
1257
1258 <qandaentry>
1259 <question>
1260
1261 <para>
1262 Is it necessary to specify a <parameter>guest account</parameter> when Samba-3 is configured
1263 as a domain member server?
1264 </para>
1265
1266 </question>
1267 <answer>
1268
1269 <para>
1270 Yes. This is a local function on the server. The default setting is to use the UNIX account
1271 <constant>nobody</constant>. If this account does not exist on the UNIX server, then it is
1272 necessary to provide a <smbconfoption name="guest account">an_account</smbconfoption>,
1273 where <constant>an_account</constant> is a valid local UNIX user account.
1274 </para>
1275
1276 </answer>
1277 </qandaentry>
1278 </qandaset>
1279
1280</sect1>
1281
1282</chapter>
1283
Note: See TracBrowser for help on using the repository browser.