Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: vendor/3.5.0/docs/htmldocs/Samba3-ByExample/primer.html

Visit:

Last change on this file was 414, checked in by Herwig Bauernfeind, 15 years ago
Samba 3.5.0: Initial import
File size: 56.1 KB

Line
1	<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. Networking Primer</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits"><link rel="next" href="apa.html" title="Appendix A. GNU General Public License version 3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. Networking Primer</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="appendix.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="apa.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="primer"></a>Chapter 16. Networking Primer</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="primer.html#id2625280">Requirements and Notes</a></span></dt><dt><span class="sect1"><a href="primer.html#id2625441">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id2625502">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#id2625618">Exercises</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id2625744">Single-Machine Broadcast Activity</a></span></dt><dt><span class="sect2"><a href="primer.html#secondmachine">Second Machine Startup Broadcast Interaction</a></span></dt><dt><span class="sect2"><a href="primer.html#id2626892">Simple Windows Client Connection Characteristics</a></span></dt><dt><span class="sect2"><a href="primer.html#id2627394">Windows 200x/XP Client Interaction with Samba-3</a></span></dt><dt><span class="sect2"><a href="primer.html#id2627962">Conclusions to Exercises</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01conc">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id2628077">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01qa">Questions and Answers</a></span></dt></dl></div><p>
2	You are about to use the equivalent of a microscope to look at the information
3	that runs through the veins of a Windows network. We do more to observe the information than
4	to interrogate it. When you are done with this primer, you should have a good understanding
5	of the types of information that flow over the network. Do not worry, this is not
6	a biology lesson. We won't lose you in unnecessary detail. Think to yourself, “<span class="quote">This
7	is easy,</span>” then tackle each exercise without fear.
8	</p><p>
9	Samba can be configured with a minimum of complexity. Simplicity should be mastered
10	before you get too deeply into complexities. Let's get moving: we have work to do.
11	</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2625280"></a>Requirements and Notes</h2></div></div></div><p>
12	Successful completion of this primer requires two Microsoft Windows 9x/Me Workstations
13	as well as two Microsoft Windows XP Professional Workstations, each equipped with an Ethernet
14	card connected using a hub. Also required is one additional server (either Windows
15	NT4 Server, Windows 2000 Server, or a Samba-3 on UNIX/Linux server) running a network
16	sniffer and analysis application (Wireshark is a good choice). All work should be undertaken
17	on a quiet network where there is no other traffic. It is best to use a dedicated hub
18	with only the machines under test connected at the time of the exercises.
19	</p><p><a class="indexterm" name="id2625300"></a>
20	Wireshark (formerly Ethereal) has become the network protocol analyzer of choice for many network administrators.
21	You may find more information regarding this tool from the
22	<a class="ulink" href="http://www.wireshark.org" target="_top">Wireshark</a> Web site. Wireshark installation
23	files for Windows may be obtained from the Wireshark Web site. Wireshark is provided with
24	SUSE and Red Hat Linux distributions, as well as with many other Linux distributions. It may
25	not be installed on your system by default. If it is not installed, you may also need
26	to install the <code class="literal">libpcap</code> software before you can install or use Wireshark.
27	Please refer to the instructions for your operating system or to the Wireshark Web site
28	for information regarding the installation and operation of Wireshark.
29	</p><p>
30	To obtain <code class="literal">Wireshark</code> for your system, please visit the Wireshark
31	<a class="ulink" href="http://www.wireshark.org/download.html" target="_top">download site</a>.
32	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
33	The successful completion of this chapter requires that you capture network traffic
34	using <code class="literal">Wireshark</code>. It is recommended that you use a hub, not an
35	Ethernet switch. It is necessary for the device used to act as a repeater, not as a
36	filter. Ethernet switches may filter out traffic that is not directed at the machine
37	that is used to monitor traffic; this would not allow you to complete the projects.
38	</p></div><p>
39	<a class="indexterm" name="id2625370"></a>
40	Do not worry too much if you do not have access to all this equipment; network captures
41	from the exercises are provided on the enclosed CD-ROM. This makes it possible to dive directly
42	into the analytical part of the exercises if you so desire.
43	</p><p><a class="indexterm" name="id2625386"></a><a class="indexterm" name="id2625397"></a>
44	Please do not be alarmed at the use of a high-powered analysis tool (Wireshark) in this
45	primer. We expose you only to a minimum of detail necessary to complete
46	the exercises. If you choose to use any other network sniffer and protocol
47	analysis tool, be advised that it may not allow you to examine the contents of
48	recently added security protocols used by Windows 200x/XP.
49	</p><p>
50	You could just skim through the exercises and try to absorb the key points made.
51	The exercises provide all the information necessary to convince the die-hard network
52	engineer. You possibly do not require so much convincing and may just want to move on,
53	in which case you should at least read <a class="link" href="primer.html#chap01conc" title="Dissection and Discussion">“Dissection and Discussion”</a>.
54	</p><p>
55	<a class="link" href="primer.html#chap01qa" title="Questions and Answers">“Questions and Answers”</a> also provides useful information
56	that may help you to avoid significantly time-consuming networking problems.
57	</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2625441"></a>Introduction</h2></div></div></div><p>
58	The purpose of this chapter is to create familiarity with key aspects of Microsoft Windows
59	network computing. If you want a solid technical grounding, do not gloss over these exercises.
60	The points covered are recurrent issues on the Samba mailing lists.
61	</p><p><a class="indexterm" name="id2625456"></a>
62	You can see from these exercises that Windows networking involves quite a lot of network
63	broadcast traffic. You can look into the contents of some packets, but only to see
64	some particular information that the Windows client sends to a server in the course of
65	establishing a network connection.
66	</p><p>
67	To many people, browsing is everything that happens when one uses Microsoft Internet Explorer.
68	It is only when you start looking at network traffic and noting the protocols
69	and types of information that are used that you can begin to appreciate the complexities of
70	Windows networking and, more importantly, what needs to be configured so that it can work.
71	Detailed information regarding browsing is provided in the recommended
72	preparatory reading.
73	</p><p>
74	Recommended preparatory reading: <span class="emphasis"><em>The Official Samba-3 HOWTO and Reference Guide, Second
75	Edition</em></span> (TOSHARG2) Chapter 9, “<span class="quote">Network Browsing,</span>” and Chapter 3,
76	“<span class="quote">Server Types and Security Modes.</span>”
77	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2625502"></a>Assignment Tasks</h3></div></div></div><p><a class="indexterm" name="id2625508"></a>
78	You are about to witness how Microsoft Windows computer networking functions. The
79	exercises step through identification of how a client machine establishes a
80	connection to a remote Windows server. You observe how Windows machines find
81	each other (i.e., how browsing works) and how the two key types of user identification
82	(share mode security and user mode security) are affected.
83	</p><p><a class="indexterm" name="id2625526"></a>
84	The networking protocols used by MS Windows networking when working with Samba
85	use TCP/IP as the transport protocol. The protocols that are specific to Windows
86	networking are encapsulated in TCP/IP. The network analyzer we use (Wireshark)
87	is able to show you the contents of the TCP/IP packets (or messages).
88	</p><div class="procedure"><a name="chap01tasks"></a><p class="title"><b>Procedure 16.1. Diagnostic Tasks</b></p><ol type="1"><li><p><a class="indexterm" name="id2625559"></a><a class="indexterm" name="id2625570"></a><a class="indexterm" name="id2625578"></a>
89	Examine network traces to witness SMB broadcasts, host announcements,
90	and name resolution processes.
91	</p></li><li><p>
92	Examine network traces to witness how share mode security functions.
93	</p></li><li><p>
94	Examine network traces to witness the use of user mode security.
95	</p></li><li><p>
96	Review traces of network logons for a Windows 9x/Me client as well as
97	a domain logon for a Windows XP Professional client.
98	</p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2625618"></a>Exercises</h2></div></div></div><p>
99	<a class="indexterm" name="id2625626"></a>
100	You are embarking on a course of discovery. The first part of the exercise requires
101	two MS Windows 9x/Me systems. We called one machine <code class="constant">WINEPRESSME</code> and the
102	other <code class="constant">MILGATE98</code>. Each needs an IP address; we used <code class="literal">10.1.1.10</code>
103	and <code class="literal">10.1.1.11</code>. The test machines need to be networked via a <span class="emphasis"><em>hub</em></span>. A UNIX/Linux
104	machine is required to run <code class="literal">Wireshark</code> to enable the network activity to be captured.
105	It is important that the machine from which network activity is captured must not interfere with
106	the operation of the Windows workstations. It is helpful for this machine to be passive (does not
107	send broadcast information) to the network.
108	</p><p>
109	For these exercises, our test environment consisted of a SUSE 9.2 Professional Linux Workstation running
110	VMWare 4.5. The following VMWare images were prepared:
111	</p><div class="itemizedlist"><ul type="disc"><li><p>Windows 98 name: MILGATE98</p></li><li><p>Windows Me name: WINEPRESSME</p></li><li><p>Windows XP Professional name: LightrayXP</p></li><li><p>Samba-3.0.20 running on a SUSE Enterprise Linux 9</p></li></ul></div><p>
112	Choose a workgroup name (MIDEARTH) for each exercise.
113	</p><p>
114	<a class="indexterm" name="id2625715"></a>
115	The network captures provided on the CD-ROM included with this book were captured using <code class="constant">Ethereal</code>
116	version <code class="literal">0.10.6</code>. A later version suffices without problems (i.e. you should be using Wireshark), but an earlier version may not
117	expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all
118	packets has also been included. This makes it possible for you to do all the studying you like without the need to
119	perform the time-consuming equipment configuration and test work. This is a good time to point out that the value
120	that can be derived from this book really does warrant your taking sufficient time to practice each exercise with
121	care and attention to detail.
122	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2625744"></a>Single-Machine Broadcast Activity</h3></div></div></div><p>
123	In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes.
124	</p><div class="procedure"><a name="id2625755"></a><p class="title"><b>Procedure 16.2. Monitoring Windows 9x Steps</b></p><ol type="1"><li><p>
125	Start the machine from which network activity will be monitored (using <code class="literal">Wireshark</code>).
126	Launch <code class="literal">Wireshark</code>, click
127	<span class="guimenu">Capture</span> → <span class="guimenuitem">Start</span>.
128	</p><p>
129	Click the following:
130	</p><div class="orderedlist"><ol type="1"><li><p>Update list of packets in real time</p></li><li><p>Automatic scrolling in live capture</p></li><li><p>Enable MAC name resolution</p></li><li><p>Enable network name resolution</p></li><li><p>Enable transport name resolution</p></li></ol></div><p>
131	Click <span class="guibutton">OK</span>.
132	</p></li><li><p>
133	Start the Windows 9x/Me machine to be monitored. Let it run for a full 30 minutes. While monitoring,
134	do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
135	</p></li><li><p>
136	At the conclusion of 30 minutes, stop the capture. Save the capture to a file so you can go back to it later.
137	Leave this machine running in preparation for the task in <a class="link" href="primer.html#secondmachine" title="Second Machine Startup Broadcast Interaction">“Second Machine Startup Broadcast Interaction”</a>.
138	</p></li><li><p>
139	Analyze the capture. Identify each discrete message type that was captured. Note what transport protocol
140	was used. Identify the timing between messages of identical types.
141	</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2625878"></a>Findings</h4></div></div></div><p>
142	The summary of the first 10 minutes of the packet capture should look like <a class="link" href="primer.html#pktcap01" title="Figure 16.1. Windows Me Broadcasts The First 10 Minutes">“Windows Me Broadcasts The First 10 Minutes”</a>.
143	A screenshot of a later stage of the same capture is shown in <a class="link" href="primer.html#pktcap02" title="Figure 16.2. Windows Me Later Broadcast Sample">“Windows Me Later Broadcast Sample”</a>.
144	</p><div class="figure"><a name="pktcap01"></a><p class="title"><b>Figure 16.1. Windows Me Broadcasts The First 10 Minutes</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WINREPRESSME-Capture.png" width="216" alt="Windows Me Broadcasts The First 10 Minutes"></div></div></div><br class="figure-break"><div class="figure"><a name="pktcap02"></a><p class="title"><b>Figure 16.2. Windows Me Later Broadcast Sample</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WINREPRESSME-Capture2.png" width="226.8" alt="Windows Me Later Broadcast Sample"></div></div></div><br class="figure-break"><p><a class="indexterm" name="id2625995"></a><a class="indexterm" name="id2626006"></a>
145	Broadcast messages observed are shown in <a class="link" href="primer.html#capsstats01" title="Table 16.1. Windows Me Startup Broadcast Capture Statistics">“Windows Me Startup Broadcast Capture Statistics”</a>.
146	Actual observations vary a little, but not by much.
147	Early in the startup process, the Windows Me machine broadcasts its name for two reasons:
148	first to ensure that its name would not result in a name clash, and second to establish its
149	presence with the Local Master Browser (LMB).
150	</p><div class="table"><a name="capsstats01"></a><p class="title"><b>Table 16.1. Windows Me Startup Broadcast Capture Statistics</b></p><div class="table-contents"><table summary="Windows Me Startup Broadcast Capture Statistics" border="1"><colgroup><col align="left"><col align="center"><col align="center"><col align="left"></colgroup><thead><tr><th align="left">Message</th><th align="center">Type</th><th align="center">Num</th><th align="left">Notes</th></tr></thead><tbody><tr><td align="left">WINEPRESSME<00></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">WINEPRESSME<03></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">WINEPRESSME<20></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<00></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1d></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1e></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1b></td><td align="center">Qry</td><td align="center">84</td><td align="left">300 sec apart at stable operation</td></tr><tr><td align="left">__MSBROWSE__</td><td align="center">Reg</td><td align="center">8</td><td align="left">Registered after winning election to Browse Master</td></tr><tr><td align="left">JHT<03></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 x 2. This is the name of the user that logged onto Windows</td></tr><tr><td align="left">Host Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">2</td><td align="left">Observed at 10 sec</td></tr><tr><td align="left">Domain/Workgroup Announcement MIDEARTH</td><td align="center">Ann</td><td align="center">18</td><td align="left">300 sec apart at stable operation</td></tr><tr><td align="left">Local Master Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">18</td><td align="left">300 sec apart at stable operation</td></tr><tr><td align="left">Get Backup List Request</td><td align="center">Qry</td><td align="center">12</td><td align="left">6 x 2 early in startup, 0.5 sec apart</td></tr><tr><td align="left">Browser Election Request</td><td align="center">Ann</td><td align="center">10</td><td align="left">5 x 2 early in startup</td></tr><tr><td align="left">Request Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">4</td><td align="left">Early in startup</td></tr></tbody></table></div></div><br class="table-break"><p><a class="indexterm" name="id2626353"></a><a class="indexterm" name="id2626361"></a>
151	From the packet trace, it should be noted that no messages were propagated over TCP/IP;
152	all messages employed UDP/IP. When steady-state operation has been achieved, there is a cycle
153	of various announcements, re-election of a browse master, and name queries. These create
154	the symphony of announcements by which network browsing is made possible.
155	</p><p><a class="indexterm" name="id2626379"></a>
156	For detailed information regarding the precise behavior of the CIFS/SMB protocols,
157	refer to the book “<span class="quote">Implementing CIFS: The Common Internet File System,</span>”
158	by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X).
159	</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="secondmachine"></a>Second Machine Startup Broadcast Interaction</h3></div></div></div><p>
160	At this time, the machine you used to capture the single-system startup trace should still be running.
161	The objective of this task is to identify the interaction of two machines in respect to broadcast activity.
162	</p><div class="procedure"><a name="id2626415"></a><p class="title"><b>Procedure 16.3. Monitoring of Second Machine Activity</b></p><ol type="1"><li><p>
163	On the machine from which network activity will be monitored (using <code class="literal">Wireshark</code>),
164	launch <code class="literal">Wireshark</code> and click
165	<span class="guimenu">Capture</span> → <span class="guimenuitem">Start</span>.
166	</p><p>
167	Click:
168	</p><div class="orderedlist"><ol type="1"><li><p>Update list of packets in real time</p></li><li><p>Automatic scrolling in live capture</p></li><li><p>Enable MAC name resolution</p></li><li><p>Enable network name resolution</p></li><li><p>Enable transport name resolution</p></li></ol></div><p>
169	Click <span class="guibutton">OK</span>.
170	</p></li><li><p>
171	Start the second Windows 9x/Me machine. Let it run for 15 to 20 minutes. While monitoring, do not press
172	any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
173	</p></li><li><p>
174	At the conclusion of the capture time, stop the capture. Be sure to save the captured data so you
175	can examine the network data capture again at a later date should that be necessary.
176	</p></li><li><p>
177	Analyze the capture trace, taking note of the transport protocols used, the types of messages observed,
178	and what interaction took place between the two machines. Leave both machines running for the next task.
179	</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2626531"></a>Findings</h4></div></div></div><p>
180	<a class="link" href="primer.html#capsstats02" title="Table 16.2. Second Machine (Windows 98) Capture Statistics">“Second Machine (Windows 98) Capture Statistics”</a> summarizes capture statistics observed. As in the previous case,
181	all announcements used UDP/IP broadcasts. Also, as was observed with the last example, the second
182	Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash
183	(i.e., the name is already registered by another machine) on the network segment. Those wishing
184	to explore the inner details of the precise mechanism of how this functions should refer to
185	“<span class="quote">Implementing CIFS: The Common Internet File System.</span>”
186	</p><div class="table"><a name="capsstats02"></a><p class="title"><b>Table 16.2. Second Machine (Windows 98) Capture Statistics</b></p><div class="table-contents"><table summary="Second Machine (Windows 98) Capture Statistics" border="1"><colgroup><col align="left"><col align="center"><col align="center"><col align="left"></colgroup><thead><tr><th align="left">Message</th><th align="center">Type</th><th align="center">Num</th><th align="left">Notes</th></tr></thead><tbody><tr><td align="left">MILGATE98<00></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">MILGATE98<03></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">MILGATE98<20></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<00></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1d></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1e></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1b></td><td align="center">Qry</td><td align="center">18</td><td align="left">900 sec apart at stable operation</td></tr><tr><td align="left">JHT<03></td><td align="center">Reg</td><td align="center">2</td><td align="left">This is the name of the user that logged onto Windows</td></tr><tr><td align="left">Host Announcement MILGATE98</td><td align="center">Ann</td><td align="center">14</td><td align="left">Every 120 sec</td></tr><tr><td align="left">Domain/Workgroup Announcement MIDEARTH</td><td align="center">Ann</td><td align="center">6</td><td align="left">900 sec apart at stable operation</td></tr><tr><td align="left">Local Master Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">6</td><td align="left">Insufficient detail to determine frequency</td></tr></tbody></table></div></div><br class="table-break"><p>
187	<a class="indexterm" name="id2626813"></a>
188	<a class="indexterm" name="id2626820"></a>
189	<a class="indexterm" name="id2626827"></a>
190	Observation of the contents of Host Announcements, Domain/Workgroup Announcements,
191	and Local Master Announcements is instructive. These messages convey a significant
192	level of detail regarding the nature of each machine that is on the network. An example
193	dissection of a Host Announcement is given in <a class="link" href="primer.html#hostannounce" title="Figure 16.3. Typical Windows 9x/Me Host Announcement">“Typical Windows 9x/Me Host Announcement”</a>.
194	</p><div class="figure"><a name="hostannounce"></a><p class="title"><b>Figure 16.3. Typical Windows 9x/Me Host Announcement</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/HostAnnouncment.png" width="221.4" alt="Typical Windows 9x/Me Host Announcement"></div></div></div><br class="figure-break"></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2626892"></a>Simple Windows Client Connection Characteristics</h3></div></div></div><p>
195	The purpose of this exercise is to discover how Microsoft Windows clients create (establish)
196	connections with remote servers. The methodology involves analysis of a key aspect of how
197	Windows clients access remote servers: the session setup protocol.
198	</p><div class="procedure"><a name="id2626906"></a><p class="title"><b>Procedure 16.4. Client Connection Exploration Steps</b></p><ol type="1"><li><p>
199	Configure a Windows 9x/Me machine (MILGATE98) with a share called <code class="constant">Stuff</code>.
200	Create a <em class="parameter"><code>Full Access</code></em> control password on this share.
201	</p></li><li><p>
202	Configure another Windows 9x/Me machine (WINEPRESSME) as a client. Make sure that it exports
203	no shared resources.
204	</p></li><li><p>
205	Start both Windows 9x/Me machines and allow them to stabilize for 10 minutes. Log on to both
206	machines using a user name (JHT) of your choice. Wait approximately 2 minutes before proceeding.
207	</p></li><li><p>
208	Start Wireshark (or the network sniffer of your choice).
209	</p></li><li><p>
210	From the WINEPRESSME machine, right-click <span class="guimenu">Network Neighborhood</span>, select
211	<span class="guimenuitem">Explore</span>, select
212	<span class="guimenuitem">My Network Places</span> → <span class="guimenuitem">Entire Network</span> → <span class="guimenuitem">MIDEARTH</span> → <span class="guimenuitem">MILGATE98</span> → <span class="guimenuitem">Stuff</span>.
213	Enter the password you set for the <code class="constant">Full Control</code> mode for the
214	<code class="constant">Stuff</code> share.
215	</p></li><li><p>
216	When the share called <code class="constant">Stuff</code> is being displayed, stop the capture.
217	Save the captured data in case it is needed for later analysis.
218	</p></li><li><p>
219	<a class="indexterm" name="id2627037"></a>
220	From the top of the packets captured, scan down to locate the first packet that has
221	interpreted as <code class="constant">Session Setup AndX, User: anonymous; Tree Connect AndX,
222	Path: \\MILGATE98\IPC$</code>.
223	</p></li><li><p><a class="indexterm" name="id2627056"></a><a class="indexterm" name="id2627064"></a>
224	In the dissection (analysis) panel, expand the <code class="constant">SMB, Session Setup AndX Request,
225	and Tree Connect AndX Request</code>. Examine both operations. Identify the name of
226	the user Account and what password was used. The Account name should be empty.
227	This is a <code class="constant">NULL</code> session setup packet.
228	</p></li><li><p>
229	Return to the packet capture sequence. There will be a number of packets that have been
230	decoded of the type <code class="constant">Session Setup AndX</code>. Locate the last such packet
231	that was targeted at the <code class="constant">\\MILGATE98\IPC$</code> service.
232	</p></li><li><p>
233	<a class="indexterm" name="id2627108"></a>
234	<a class="indexterm" name="id2627115"></a>
235	Dissect this packet as per the previous one. This packet should have a password length
236	of 24 (characters) and should have a password field, the contents of which is a
237	long hexadecimal number. Observe the name in the Account field. This is a User Mode
238	session setup packet.
239	</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2627129"></a>Findings and Comments</h4></div></div></div><p>
240	<a class="indexterm" name="id2627138"></a>
241	The <code class="constant">IPC$</code> share serves a vital purpose<sup>[<a name="id2627149" href="#ftn.id2627149" class="footnote">15</a>]</sup>
242	in SMB/CIFS-based networking. A Windows client connects to this resource to obtain the list of
243	resources that are available on the server. The server responds with the shares and print queues that
244	are available. In most but not all cases, the connection is made with a <code class="constant">NULL</code>
245	username and a <code class="constant">NULL</code> password.
246	</p><p>
247	<a class="indexterm" name="id2627169"></a>
248	The two packets examined are material evidence of how Windows clients may
249	interoperate with Samba. Samba requires every connection setup to be authenticated using
250	valid UNIX account credentials (UID/GID). This means that even a <code class="constant">NULL</code>
251	session setup can be established only by automatically mapping it to a valid UNIX
252	account.
253	</p><p>
254	<a class="indexterm" name="id2627189"></a><a class="indexterm" name="id2627195"></a>
255	<a class="indexterm" name="id2627204"></a>
256	Samba has a special name for the <code class="constant">NULL</code>, or empty, user account:
257	it calls it the <a class="link" href="smb.conf.5.html#GUESTACCOUNT" target="_top">guest account</a>. The
258	default value of this parameter is <code class="constant">nobody</code>; however, this can be
259	changed to map the function of the guest account to any other UNIX identity. Some
260	UNIX administrators prefer to map this account to the system default anonymous
261	FTP account. A sample NULL Session Setup AndX packet dissection is shown in
262	<a class="link" href="primer.html#nullconnect" title="Figure 16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request">“Typical Windows 9x/Me NULL SessionSetUp AndX Request”</a>.
263	</p><div class="figure"><a name="nullconnect"></a><p class="title"><b>Figure 16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/NullConnect.png" width="221.4" alt="Typical Windows 9x/Me NULL SessionSetUp AndX Request"></div></div></div><br class="figure-break"><p>
264	<a class="indexterm" name="id2627289"></a>
265	<a class="indexterm" name="id2627296"></a>
266	<a class="indexterm" name="id2627303"></a>
267	When a UNIX/Linux system does not have a <code class="constant">nobody</code> user account
268	(<code class="filename">/etc/passwd</code>), the operation of the <code class="constant">NULL</code>
269	account cannot validate and thus connections that utilize the guest account
270	fail. This breaks all ability to browse the Samba server and is a common
271	problem reported on the Samba mailing list. A sample User Mode session setup AndX
272	is shown in <a class="link" href="primer.html#userconnect" title="Figure 16.5. Typical Windows 9x/Me User SessionSetUp AndX Request">“Typical Windows 9x/Me User SessionSetUp AndX Request”</a>.
273	</p><div class="figure"><a name="userconnect"></a><p class="title"><b>Figure 16.5. Typical Windows 9x/Me User SessionSetUp AndX Request</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UserConnect.png" width="221.4" alt="Typical Windows 9x/Me User SessionSetUp AndX Request"></div></div></div><br class="figure-break"><p>
274	<a class="indexterm" name="id2627380"></a>
275	The User Mode connection packet contains the account name and the domain name.
276	The password is provided in Microsoft encrypted form, and its length is shown
277	as 24 characters. This is the length of Microsoft encrypted passwords.
278	</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2627394"></a>Windows 200x/XP Client Interaction with Samba-3</h3></div></div></div><p>
279	By now you may be asking, “<span class="quote">Why did you choose to work with Windows 9x/Me?</span>”
280	</p><p>
281	First, we want to demonstrate the simple case. This book is not intended to be a detailed treatise
282	on the Windows networking protocols, but rather to provide prescriptive guidance for deployment of Samba.
283	Second, by starting out with the simple protocol, it can be demonstrated that the more complex case mostly
284	follows the same principles.
285	</p><p>
286	The following exercise demonstrates the case that even MS Windows XP Professional with up-to-date service
287	updates also uses the <code class="constant">NULL</code> account, as well as user accounts. Simply follow the procedure
288	to complete this exercise.
289	</p><p>
290	To complete this exercise, you need a Windows XP Professional client that has been configured as
291	a domain member of either a Samba-controlled domain or a Windows NT4 or 200x Active Directory domain.
292	Here we do not provide details for how to configure this, as full coverage is provided earlier in this book.
293	</p><div class="procedure"><a name="id2627437"></a><p class="title"><b>Procedure 16.5. Steps to Explore Windows XP Pro Connection Set-up</b></p><ol type="1"><li><p>
294	Start your domain controller. Also, start the Wireshark monitoring machine, launch Wireshark,
295	and then wait for the next step to complete.
296	</p></li><li><p>
297	Start the Windows XP Client and wait 5 minutes before proceeding.
298	</p></li><li><p>
299	On the machine from which network activity will be monitored (using <code class="literal">Wireshark</code>),
300	launch <code class="literal">Wireshark</code> and click
301	<span class="guimenu">Capture</span> → <span class="guimenuitem">Start</span>.
302	</p><p>
303	Click:
304	</p><div class="orderedlist"><ol type="1"><li><p>Update list of packets in real time</p></li><li><p>Automatic scrolling in live capture</p></li><li><p>Enable MAC name resolution</p></li><li><p>Enable network name resolution</p></li><li><p>Enable transport name resolution</p></li></ol></div><p>
305	Click <span class="guibutton">OK</span>.
306	</p></li><li><p>
307	On the Windows XP Professional client, press <span class="guimenu">Ctrl-Alt-Delete</span> to bring
308	up the domain logon screen. Log in using valid credentials for a domain user account.
309	</p></li><li><p>
310	Now proceed to connect to the domain controller as follows:
311	<span class="guimenu">Start</span> → <span class="guimenuitem">(right-click) My Network Places</span> → <span class="guimenuitem">Explore</span> → <span class="guimenuitem">{Left Panel} [+] Entire Network</span> → <span class="guimenuitem">{Left Panel} [+] Microsoft Windows Network</span> → <span class="guimenuitem">{Left Panel} [+] Midearth</span> → <span class="guimenuitem">{Left Panel} [+] Frodo</span> → <span class="guimenuitem">{Left Panel} [+] data</span>. Close the explorer window.
312	</p><p>
313	In this step, our domain name is <code class="constant">Midearth</code>, the domain controller is called
314	<code class="constant">Frodo</code>, and we have connected to a share called <code class="constant">data</code>.
315	</p></li><li><p>
316	Stop the capture on the <code class="literal">Wireshark</code> monitoring machine. Be sure to save the captured data
317	to a file so that you can refer to it again later.
318	</p></li><li><p>
319	If desired, the Windows XP Professional client and the domain controller are no longer needed for exercises
320	in this chapter.
321	</p></li><li><p>
322	<a class="indexterm" name="id2627663"></a>
323	<a class="indexterm" name="id2627670"></a>
324	From the top of the packets captured, scan down to locate the first packet that has
325	interpreted as <code class="constant">Session Setup AndX Request, NTLMSSP_AUTH</code>.
326	</p></li><li><p>
327	<a class="indexterm" name="id2627690"></a>
328	<a class="indexterm" name="id2627697"></a>
329	<a class="indexterm" name="id2627704"></a>
330	In the dissection (analysis) panel, expand the <code class="constant">SMB, Session Setup AndX Request</code>.
331	Expand the packet decode information, beginning at the <code class="constant">Security Blob:</code>
332	entry. Expand the <code class="constant">GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</code>
333	keys. This should reveal that this is a <code class="constant">NULL</code> session setup packet.
334	The <code class="constant">User name: NULL</code> so indicates. An example decode is shown in
335	<a class="link" href="primer.html#XPCap01" title="Figure 16.6. Typical Windows XP NULL Session Setup AndX Request">“Typical Windows XP NULL Session Setup AndX Request”</a>.
336	</p></li><li><p>
337	Return to the packet capture sequence. There will be a number of packets that have been
338	decoded of the type <code class="constant">Session Setup AndX Request</code>. Click the last such packet that
339	has been decoded as <code class="constant">Session Setup AndX Request, NTLMSSP_AUTH</code>.
340	</p></li><li><p>
341	<a class="indexterm" name="id2627766"></a>
342	In the dissection (analysis) panel, expand the <code class="constant">SMB, Session Setup AndX Request</code>.
343	Expand the packet decode information, beginning at the <code class="constant">Security Blob:</code>
344	entry. Expand the <code class="constant">GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</code>
345	keys. This should reveal that this is a <code class="constant">User Mode</code> session setup packet.
346	The <code class="constant">User name: jht</code> so indicates. An example decode is shown in
347	<a class="link" href="primer.html#XPCap02" title="Figure 16.7. Typical Windows XP User Session Setup AndX Request">“Typical Windows XP User Session Setup AndX Request”</a>. In this case the user name was <code class="constant">jht</code>. This packet
348	decode includes the <code class="constant">Lan Manager Response:</code> and the <code class="constant">NTLM Response:</code>.
349	The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan
350	password and then the NT (case-preserving) password hash.
351	</p></li><li><p>
352	<a class="indexterm" name="id2627828"></a>
353	<a class="indexterm" name="id2627835"></a>
354	The passwords are 24-character hexadecimal numbers. This packet confirms that this is a User Mode
355	session setup packet.
356	</p></li></ol></div><div class="figure"><a name="XPCap01"></a><p class="title"><b>Figure 16.6. Typical Windows XP NULL Session Setup AndX Request</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WindowsXP-NullConnection.png" width="270" alt="Typical Windows XP NULL Session Setup AndX Request"></div></div></div><br class="figure-break"><div class="figure"><a name="XPCap02"></a><p class="title"><b>Figure 16.7. Typical Windows XP User Session Setup AndX Request</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/WindowsXP-UserConnection.png" width="270" alt="Typical Windows XP User Session Setup AndX Request"></div></div></div><br class="figure-break"><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2627931"></a>Discussion</h4></div></div></div><p><a class="indexterm" name="id2627938"></a>
357	This exercise demonstrates that, while the specific protocol for the Session Setup AndX is handled
358	in a more sophisticated manner by recent MS Windows clients, the underlying rules or principles
359	remain the same. Thus it is demonstrated that MS Windows XP Professional clients still use a
360	<code class="constant">NULL-Session</code> connection to query and locate resources on an advanced network
361	technology server (one using Windows NT4/200x or Samba). It also demonstrates that an authenticated
362	connection must be made before resources can be used.
363	</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2627962"></a>Conclusions to Exercises</h3></div></div></div><p>
364	In summary, the following points have been established in this chapter:
365	</p><div class="itemizedlist"><ul type="disc"><li><p>
366	When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast-oriented messaging protocols to provide knowledge of network services.
367	</p></li><li><p>
368	Network browsing protocols query information stored on browse masters that manage
369	information provided by NetBIOS Name Registrations and by way of ongoing host
370	announcements and workgroup announcements.
371	</p></li><li><p>
372	All Samba servers must be configured with a mechanism for mapping the <code class="constant">NULL-Session</code>
373	to a valid but nonprivileged UNIX system account.
374	</p></li><li><p>
375	The use of Microsoft encrypted passwords is built right into the fabric of Windows
376	networking operations. Such passwords cannot be provided from the UNIX <code class="filename">/etc/passwd</code>
377	database and thus must be stored elsewhere on the UNIX system in a manner that Samba can
378	use. Samba-2.x permitted such encrypted passwords to be stored in the <code class="constant">smbpasswd</code>
379	file or in an LDAP database. Samba-3 permits use of multiple <em class="parameter"><code>passdb backend</code></em>
380	databases in concurrent deployment. Refer to <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 10, “<span class="quote">Account Information Databases.</span>”
381	</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="chap01conc"></a>Dissection and Discussion</h2></div></div></div><p>
382	<a class="indexterm" name="id2628050"></a>
383	The exercises demonstrate the use of the <code class="constant">guest</code> account, the way that
384	MS Windows clients and servers resolve computer names to a TCP/IP address, and how connections
385	between a client and a server are established.
386	</p><p>
387	Those wishing background information regarding NetBIOS name types should refer to
388	the Microsoft knowledgebase article
389	<a class="ulink" href="http://support.microsoft.com/support/kb/articles/Q102/78/8.asp" target="_top">Q102878.</a>
390	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2628077"></a>Technical Issues</h3></div></div></div><p>
391	<a class="indexterm" name="id2628085"></a>
392	Network browsing involves SMB broadcast announcements, SMB enumeration requests,
393	connections to the <code class="constant">IPC$</code> share, share enumerations, and SMB connection
394	setup processes. The use of anonymous connections to a Samba server involve the use of
395	the <em class="parameter"><code>guest account</code></em> that must map to a valid UNIX UID.
396	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="chap01qa"></a>Questions and Answers</h2></div></div></div><p>
397	The questions and answers given in this section are designed to highlight important aspects of Microsoft
398	Windows networking.
399	</p><div class="qandaset"><dl><dt> <a href="primer.html#id2628131">
400	What is the significance of the MIDEARTH<1b> type query?
401	</a></dt><dt> <a href="primer.html#id2628177">
402	What is the significance of the MIDEARTH<1d> type name registration?
403	</a></dt><dt> <a href="primer.html#id2628251">
404	What is the role and significance of the <01><02>__MSBROWSE__<02><01>
405	name registration?
406	</a></dt><dt> <a href="primer.html#id2628284">
407	What is the significance of the MIDEARTH<1e> type name registration?
408	</a></dt><dt> <a href="primer.html#id2628315">
409
410	What is the significance of the guest account in smb.conf?
411	</a></dt><dt> <a href="primer.html#id2628393">
412	Is it possible to reduce network broadcast activity with Samba-3?
413	</a></dt><dt> <a href="primer.html#id2628502">
414	Can I just use plain-text passwords with Samba?
415	</a></dt><dt> <a href="primer.html#id2628589">
416	What parameter in the smb.conf file is used to enable the use of encrypted passwords?
417	</a></dt><dt> <a href="primer.html#id2628630">
418	Is it necessary to specify encrypt passwords = Yes
419	when Samba-3 is configured as a domain member?
420	</a></dt><dt> <a href="primer.html#id2628662">
421	Is it necessary to specify a guest account when Samba-3 is configured
422	as a domain member server?
423	</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2628131"></a><a name="id2628133"></a></td><td align="left" valign="top"><p>
424	What is the significance of the MIDEARTH<1b> type query?
425	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
426	<a class="indexterm" name="id2628145"></a>
427	<a class="indexterm" name="id2628155"></a>
428	This is a broadcast announcement by which the Windows machine is attempting to
429	locate a Domain Master Browser (DMB) in the event that it might exist on the network.
430	Refer to <span class="emphasis"><em>TOSHARG2,</em></span> Chapter 9, Section 9.7, “<span class="quote">Technical Overview of Browsing,</span>”
431	for details regarding the function of the DMB and its role in network browsing.
432	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2628177"></a><a name="id2628179"></a></td><td align="left" valign="top"><p>
433	What is the significance of the MIDEARTH<1d> type name registration?
434	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
435	<a class="indexterm" name="id2628192"></a>
436	<a class="indexterm" name="id2628201"></a>
437	This name registration records the machine IP addresses of the LMBs.
438	Network clients can query this name type to obtain a list of browser servers from the
439	master browser.
440	</p><p>
441	The LMB is responsible for monitoring all host announcements on the local network and for
442	collating the information contained within them. Using this information, it can provide answers to other Windows
443	network clients that request information such as:
444	</p><div class="itemizedlist"><ul type="disc"><li><p>
445	The list of machines known to the LMB (i.e., the browse list)
446	</p></li><li><p>
447	The IP addresses of all domain controllers known for the domain
448	</p></li><li><p>
449	The IP addresses of LMBs
450	</p></li><li><p>
451	The IP address of the DMB (if one exists)
452	</p></li><li><p>
453	The IP address of the LMB on the local segment
454	</p></li></ul></div></td></tr><tr class="question"><td align="left" valign="top"><a name="id2628251"></a><a name="id2628254"></a></td><td align="left" valign="top"><p>
455	What is the role and significance of the <01><02>__MSBROWSE__<02><01>
456	name registration?
457	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
458	<a class="indexterm" name="id2628269"></a>
459	This name is registered by the browse master to broadcast and receive domain announcements.
460	Its scope is limited to the local network segment, or subnet. By querying this name type,
461	master browsers on networks that have multiple domains can find the names of master browsers
462	for each domain.
463	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2628284"></a><a name="id2628286"></a></td><td align="left" valign="top"><p>
464	What is the significance of the MIDEARTH<1e> type name registration?
465	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
466	<a class="indexterm" name="id2628298"></a>
467	This name is registered by all browse masters in a domain or workgroup. The registration
468	name type is known as the Browser Election Service. Master browsers register themselves
469	with this name type so that DMBs can locate them to perform cross-subnet
470	browse list updates. This name type is also used to initiate elections for Master Browsers.
471	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2628315"></a><a name="id2628317"></a></td><td align="left" valign="top"><p>
472	<a class="indexterm" name="id2628321"></a>
473	What is the significance of the <em class="parameter"><code>guest account</code></em> in smb.conf?
474	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
475	This parameter specifies the default UNIX account to which MS Windows networking
476	NULL session connections are mapped. The default name for the UNIX account used for
477	this mapping is called <code class="constant">nobody</code>. If the UNIX/Linux system that
478	is hosting Samba does not have a <code class="constant">nobody</code> account and an alternate
479	mapping has not been specified, network browsing will not work at all.
480	</p><p>
481	It should be noted that the <em class="parameter"><code>guest account</code></em> is essential to
482	Samba operation. Either the operating system must have an account called <code class="constant">nobody</code>
483	or there must be an entry in the <code class="filename">smb.conf</code> file with a valid UNIX account, such as
484	<a class="link" href="smb.conf.5.html#GUESTACCOUNT" target="_top">guest account = ftp</a>.
485	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2628393"></a><a name="id2628395"></a></td><td align="left" valign="top"><p>
486	Is it possible to reduce network broadcast activity with Samba-3?
487	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
488	<a class="indexterm" name="id2628407"></a>
489	<a class="indexterm" name="id2628413"></a>
490	Yes, there are two ways to do this. The first involves use of WINS (See <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 9,
491	Section 9.5, “<span class="quote">WINS The Windows Inter-networking Name Server</span>”); the
492	alternate method involves disabling the use of NetBIOS over TCP/IP. This second method requires
493	a correctly configured DNS server (see <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 9, Section 9.3, “<span class="quote">Discussion</span>”).
494	</p><p>
495	<a class="indexterm" name="id2628445"></a>
496	<a class="indexterm" name="id2628452"></a>
497	<a class="indexterm" name="id2628461"></a>
498	The use of WINS reduces network broadcast traffic. The reduction is greatest when all network
499	clients are configured to operate in <em class="parameter"><code>Hybrid Mode</code></em>. This can be effected through
500	use of DHCP to set the NetBIOS node type to type 8 for all network clients. Additionally, it is
501	beneficial to configure Samba to use <a class="link" href="smb.conf.5.html#NAMERESOLVEORDER" target="_top">name resolve order = wins host cast</a>.
502	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
503	Use of SMB without NetBIOS is possible only on Windows 200x/XP Professional clients and servers, as
504	well as with Samba-3.
505	</p></div></td></tr><tr class="question"><td align="left" valign="top"><a name="id2628502"></a><a name="id2628504"></a></td><td align="left" valign="top"><p>
506	Can I just use plain-text passwords with Samba?
507	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
508	Yes, you can configure Samba to use plain-text passwords, though this does create a few problems.
509	</p><p>
510	First, the use of <code class="filename">/etc/passwd</code>-based plain-text passwords requires that registry
511	modifications be made on all MS Windows client machines to enable plain-text passwords support. This
512	significantly diminishes the security of MS Windows client operation. Many network administrators
513	are bitterly opposed to doing this.
514	</p><p>
515	Second, Microsoft has not maintained plain-text password support since the default setting was made
516	disabling this. When network connections are dropped by the client, it is not possible to re-establish
517	the connection automatically. Users need to log off and then log on again. Plain-text password support
518	may interfere with recent enhancements that are part of the Microsoft move toward a more secure computing
519	environment.
520	</p><p>
521	Samba-3 supports Microsoft encrypted passwords. Be advised not to reintroduce plain-text password handling.
522	Just create user accounts by running <code class="literal">smbpasswd -a 'username'</code>
523	</p><p>
524	It is not possible to add a user to the <em class="parameter"><code>passdb backend</code></em> database unless there is
525	a UNIX system account for that user. On systems that run <code class="literal">winbindd</code> to access the Samba
526	PDC/BDC to provide Windows user and group accounts, the <em class="parameter"><code>idmap uid, idmap gid</code></em> ranges
527	set in the <code class="filename">smb.conf</code> file provide the local UID/GIDs needed for local identity management purposes.
528	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2628589"></a><a name="id2628591"></a></td><td align="left" valign="top"><p>
529	What parameter in the <code class="filename">smb.conf</code> file is used to enable the use of encrypted passwords?
530	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
531	The parameter in the <code class="filename">smb.conf</code> file that controls this behavior is known as <em class="parameter"><code>encrypt
532	passwords</code></em>. The default setting for this in Samba-3 is <code class="constant">Yes (Enabled)</code>.
533	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2628630"></a><a name="id2628632"></a></td><td align="left" valign="top"><p>
534	Is it necessary to specify <a class="link" href="smb.conf.5.html#ENCRYPTPASSWORDS" target="_top">encrypt passwords = Yes</a>
535	when Samba-3 is configured as a domain member?
536	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
537	No. This is the default behavior.
538	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2628662"></a><a name="id2628664"></a></td><td align="left" valign="top"><p>
539	Is it necessary to specify a <em class="parameter"><code>guest account</code></em> when Samba-3 is configured
540	as a domain member server?
541	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
542	Yes. This is a local function on the server. The default setting is to use the UNIX account
543	<code class="constant">nobody</code>. If this account does not exist on the UNIX server, then it is
544	necessary to provide a <a class="link" href="smb.conf.5.html#GUESTACCOUNT" target="_top">guest account = an_account</a>,
545	where <code class="constant">an_account</code> is a valid local UNIX user account.
546	</p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2627149" href="#id2627149" class="para">15</a>] </sup>TOSHARG2, Sect 4.5.1</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="appendix.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="apa.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 15. A Collection of Useful Tidbits </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Appendix A.
547	GNU General Public License version 3
548	</td></tr></table></div></body></html>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: