From 06aa63b6f19131071800985746b445dee42d91eb Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 10 Jun 2005 20:29:09 +0000 Subject: Large number of small fixes to the layout and the build system. (This used to be commit 73fac0653c774a8ed8654b064fd63d4e486f6b0f) --- docs/Samba3-ByExample/SBE-Appendix2.xml | 1283 +++++++++++++++++++++++++++++++ 1 file changed, 1283 insertions(+) create mode 100644 docs/Samba3-ByExample/SBE-Appendix2.xml (limited to 'docs/Samba3-ByExample/SBE-Appendix2.xml') diff --git a/docs/Samba3-ByExample/SBE-Appendix2.xml b/docs/Samba3-ByExample/SBE-Appendix2.xml new file mode 100644 index 0000000000..c2e8f29de0 --- /dev/null +++ b/docs/Samba3-ByExample/SBE-Appendix2.xml 
@@ -0,0 +1,1283 @@ + + + + Networking Primer + + + You are about to use the equivalent of a microscope to look at the information + that runs through the veins of a Windows network. We do more to observe the information than + to interrogate it. When you are done with this primer, you should have a good understanding + of the types of information that flow over the network. Do not worry, this is not + a biology lesson. We won't lose you in unnecessary detail. Think to yourself, This + is easy, then tackle each exercise without fear. + + + + Samba can be configured with a minimum of complexity. Simplicity should be mastered + before you get too deeply into complexities. Let's get moving: we have work to do. + + + + Requirements and Notes + + Successful completion of this primer requires two Microsoft Windows 9x/Me Workstations + as well as two Microsoft Windows XP Professional Workstations, each equipped with an Ethernet + card connected using a hub. Also required is one additional server (either Windows + NT4 Server, Windows 2000 Server, or a Samba-3 on UNIX/Linux server) running a network + sniffer and analysis application (ethereal is a good choice). All work should be undertaken + on a quiet network where there is no other traffic. It is best to use a dedicated hub + with only the machines under test connected at the time of the exercises. + + + + Ethereal + + Ethereal has become the network protocol analyzer of choice for many network administrators. + You may find more information regarding this tool from the + Ethereal Web site. Ethereal installation + files for Windows may be obtained from the Ethereal Web site. Ethereal is provided with + SUSE and Red Hat Linux distributions, as well as with many other Linux distributions. It may + not be installed on your system by default. If it is not installed, you may also need + to install the libpcap software before you can install or use Ethereal. 
+ Please refer to the instructions for your operating system or to the Ethereal Web site + for information regarding the installation and operation of Ethereal. + + + + To obtain ethereal for your system, please visit the Ethereal + download site. + + + + The successful completion of this appendix requires that you capture network traffic + using Ethereal. It is recommended that you use a hub, not an + Ethernet switch. It is necessary for the device used to act as a repeater, not as a + filter. Ethernet switches may filter out traffic that is not directed at the machine + that is used to monitor traffic; this would not allow you to complete the projects. + + + + networkcaptures + Do not worry too much if you do not have access to all this equipment; network captures + from the exercises are provided on the enclosed CD-ROM. This makes it possible to dive directly + into the analytical part of the exercises if you so desire. + + + + network + sniffer + + protocol analysis + + Please do not be alarmed at the use of a high-powered analysis tool (Ethereal) in this + primer. We expose you only to a minimum of detail necessary to complete + the exercises. If you choose to use any other network sniffer and protocol + analysis tool, be advised that it may not allow you to examine the contents of + recently added security protocols used by Windows 200x/XP. + + + + You could just skim through the exercises and try to absorb the key points made. + The exercises provide all the information necessary to convince the die-hard network + engineer. You possibly do not require so much convincing and may just want to move on, + in which case you should at least read . + + + + also provides useful information + that may help you to avoid significantly time-consuming networking problems. + + + + + Introduction + + + The purpose of this appendix is to create familiarity with key aspects of Microsoft Windows + network computing. 
If you want a solid technical grounding, do not gloss over these exercises. + The points covered are recurrent issues on the Samba mailing lists. + + + + network + broadcast + + You can see from these exercises that Windows networking involves quite a lot of network + broadcast traffic. You can look into the contents of some packets, but only to see + some particular information that the Windows client sends to a server in the course of + establishing a network connection. + + + + To many people, browsing is everything that happens when one uses Microsoft Internet Explorer. + It is only when you start looking at network traffic and noting the protocols + and types of information that are used that you can begin to appreciate the complexities of + Windows networking and, more importantly, what needs to be configured so that it can work. + Detailed information regarding browsing is provided in the recommended + preparatory reading. + + + + Recommended preparatory reading: The Official Samba-3 HOWTO and Reference Guide (TOSHARG) + Chapter 9, Network Browsing, and Chapter 3, Server Types and + Security Modes. + + + + Assignment Tasks + + + browsing + + You are about to witness how Microsoft Windows computer networking functions. The + exercises step through identification of how a client machine establishes a + connection to a remote Windows server. You observe how Windows machines find + each other (i.e., how browsing works) and how the two key types of user identification + (share mode security and user mode security) are affected. + + + + network + analyzer + + The networking protocols used by MS Windows networking when working with Samba + use TCP/IP as the transport protocol. The protocols that are specific to Windows + networking are encapsulated in TCP/IP. The network analyzer we use (Ethereal) + is able to show you the contents of the TCP/IP packets (or messages). 
+ + + + Diagnostic Tasks + + + network + trace + + host announcement + + name resolution + + Examine network traces to witness SMB broadcasts, host announcements, + and name resolution processes. + + + + Examine network traces to witness how share mode security functions. + + + + Examine network traces to witness the use of user mode security. + + + + Review traces of network logons for a Windows 9x/Me client as well as + a domain logon for a Windows XP Professional client. + + + + + + + + Exercises + + + ethereal + You are embarking on a course of discovery. The first part of the exercise requires + two MS Windows 9x/Me systems. We called one machine WINEPRESSME and the + other MILGATE98. Each needs an IP address; we used 10.1.1.10 + and 10.1.1.11. The test machines need to be networked via a hub. A UNIX/Linux + machine is required to run Ethereal to enable the network activity to be captured. + It is important that the machine from which network activity is captured must not interfere with + the operation of the Windows workstations. It is helpful for this machine to be passive (does not + send broadcast information) to the network. + + + + For these exercises, our test environment consisted of a SUSE 9.2 Professional Linux Workstation running + VMWare 4.5. The following VMWare images were prepared: + + + + Windows 98 &smbmdash; name: MILGATE98 + Windows Me &smbmdash; name: WINEPRESSME + Windows XP Professional &smbmdash; name: LightrayXP + Samba-3.0.20 running on a SUSE Enterprise Linux 9 + + + + Choose a workgroup name (MIDEARTH) for each exercise. + + + + ethereal + The network captures provided on the CD-ROM included with this book were captured using Ethereal + version 0.10.6. A later version suffices without problems, but an earlier version may not + expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all + packets has also been included. 
This makes it possible for you to do all the studying you like without the need to + perform the time-consuming equipment configuration and test work. This is a good time to point out that the value + that can be derived from this book really does warrant your taking sufficient time to practice each exercise with + care and attention to detail. + + + + Single-Machine Broadcast Activity + + + In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes. + + + + Monitoring Windows 9x Steps + + + Start the machine from which network activity will be monitored (using ethereal). + Launch ethereal, click + + Capture + Start + . + + + + Click the following: + + Update list of packets in real time + Automatic scrolling in live capture + Enable MAC name resolution + Enable network name resolution + Enable transport name resolution + + Click OK. + + + + Start the Windows 9x/Me machine to be monitored. Let it run for a full 30 minutes. While monitoring, + do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes. + + + + At the conclusion of 30 minutes, stop the capture. Save the capture to a file so you can go back to it later. + Leave this machine running in preparation for the task in . + + + + Analyze the capture. Identify each discrete message type that was captured. Note what transport protocol + was used. Identify the timing between messages of identical types. + + + + + + Findings + + + The summary of the first 10 minutes of the packet capture should look like . + A screenshot of a later stage of the same capture is shown in . + + + + Windows Me &smbmdash; Broadcasts &smbmdash; The First 10 Minutes + WINREPRESSME-Capture + + + + Windows Me &smbmdash; Later Broadcast Sample + WINREPRESSME-Capture2 + + + + Local Master Browser + LMB + + LMB + + Broadcast messages observed are shown in . + Actual observations vary a little, but not by much. 
+ Early in the startup process, the Windows Me machine broadcasts its name for two reasons: + first to ensure that its name would not result in a name clash, and second to establish its + presence with the Local Master Browser (LMB). + + + + Windows Me &smbmdash; Startup Broadcast Capture Statistics + + + + + + + + Message + Type + Num + Notes + + + + + WINEPRESSME<00> + Reg + 8 + 4 lots of 2, 0.6 sec apart + + + WINEPRESSME<03> + Reg + 8 + 4 lots of 2, 0.6 sec apart + + + WINEPRESSME<20> + Reg + 8 + 4 lots of 2, 0.75 sec apart + + + MIDEARTH<00> + Reg + 8 + 4 lots of 2, 0.75 sec apart + + + MIDEARTH<1d> + Reg + 8 + 4 lots of 2, 0.75 sec apart + + + MIDEARTH<1e> + Reg + 8 + 4 lots of 2, 0.75 sec apart + + + MIDEARTH<1b> + Qry + 84 + 300 sec apart at stable operation + + + __MSBROWSE__ + Reg + 8 + Registered after winning election to Browse Master + + + JHT<03> + Reg + 8 + 4 x 2. This is the name of the user that logged onto Windows + + + Host Announcement WINEPRESSME + Ann + 2 + Observed at 10 sec + + + Domain/Workgroup Announcement MIDEARTH + Ann + 18 + 300 sec apart at stable operation + + + Local Master Announcement WINEPRESSME + Ann + 18 + 300 sec apart at stable operation + + + Get Backup List Request + Qry + 12 + 6 x 2 early in startup, 0.5 sec apart + + + Browser Election Request + Ann + 10 + 5 x 2 early in startup + + + Request Announcement WINEPRESSME + Ann + 4 + Early in startup + + + +
+ + + election + + browse master + + From the packet trace, it should be noted that no messages were propagated over TCP/IP; + all messages employed UDP/IP. When steady-state operation has been achieved, there is a cycle + of various announcements, re-election of a browse master, and name queries. These create + the symphony of announcements by which network browsing is made possible. + + + + CIFS + + For detailed information regarding the precise behavior of the CIFS/SMB protocols, + refer to the book Implementing CIFS: The Common Internet File System, + by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X). + + +
+ +
+ + + Second Machine Startup Broadcast Interaction + + + At this time, the machine you used to capture the single-system startup trace should still be running. + The objective of this task is to identify the interaction of two machines in respect to broadcast activity. + + + + Monitoring of Second Machine Activity + + + On the machine from which network activity will be monitored (using ethereal), + launch ethereal and click + + Capture + Start + . + + + + Click: + + Update list of packets in real time + Automatic scrolling in live capture + Enable MAC name resolution + Enable network name resolution + Enable transport name resolution + + Click OK. + + + + Start the second Windows 9x/Me machine. Let it run for 15 to 20 minutes. While monitoring, do not press + any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes. + + + + At the conclusion of the capture time, stop the capture. Be sure to save the captured data so you + can examine the network data capture again at a later date should that be necessary. + + + + Analyze the capture trace, taking note of the transport protocols used, the types of messages observed, + and what interaction took place between the two machines. Leave both machines running for the next task. + + + + + Findings + + + summarizes capture statistics observed. As in the previous case, + all announcements used UDP/IP broadcasts. Also, as was observed with the last example, the second + Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash + (i.e., the name is already registered by another machine) on the network segment. Those wishing + to explore the inner details of the precise mechanism of how this functions should refer to + Implementing CIFS: The Common Internet File System. 
+ + + + Second Machine (Windows 98) &smbmdash; Capture Statistics + + + + + + + + Message + Type + Num + Notes + + + + + MILGATE98<00> + Reg + 8 + 4 lots of 2, 0.6 sec apart + + + MILGATE98<03> + Reg + 8 + 4 lots of 2, 0.6 sec apart + + + MILGATE98<20> + Reg + 8 + 4 lots of 2, 0.75 sec apart + + + MIDEARTH<00> + Reg + 8 + 4 lots of 2, 0.75 sec apart + + + MIDEARTH<1d> + Reg + 8 + 4 lots of 2, 0.75 sec apart + + + MIDEARTH<1e> + Reg + 8 + 4 lots of 2, 0.75 sec apart + + + MIDEARTH<1b> + Qry + 18 + 900 sec apart at stable operation + + + JHT<03> + Reg + 2 + This is the name of the user that logged onto Windows + + + Host Announcement MILGATE98 + Ann + 14 + Every 120 sec + + + Domain/Workgroup Announcement MIDEARTH + Ann + 6 + 900 sec apart at stable operation + + + Local Master Announcement WINEPRESSME + Ann + 6 + Insufficient detail to determine frequency + + + +
+ + + host announcement + Local Master Announcement + Workgroup Announcement + Observation of the contents of Host Announcements, Domain/Workgroup Announcements, + and Local Master Announcements is instructive. These messages convey a significant + level of detail regarding the nature of each machine that is on the network. An example + dissection of a Host Announcement is given in . + + + + + Typical Windows 9x/Me Host Announcement + HostAnnouncment + +
+ +
+ + + Simple Windows Client Connection Characteristics + + + The purpose of this exercise is to discover how Microsoft Windows clients create (establish) + connections with remote servers. The methodology involves analysis of a key aspect of how + Windows clients access remote servers: the session setup protocol. + + + + Client Connection Exploration Steps + + + Configure a Windows 9x/Me machine (MILGATE98) with a share called Stuff. + Create a Full Access control password on this share. + + + + Configure another Windows 9x/Me machine (WINEPRESSME) as a client. Make sure that it exports + no shared resources. + + + + Start both Windows 9x/Me machines and allow them to stabilize for 10 minutes. Log on to both + machines using a user name (JHT) of your choice. Wait approximately 2 minutes before proceeding. + + + + Start ethereal (or the network sniffer of your choice). + + + + From the WINEPRESSME machine, right-click Network Neighborhood, select + Explore, select + + My Network Places + Entire Network + MIDEARTH + MILGATE98 + Stuff + . + Enter the password you set for the Full Control mode for the + Stuff share. + + + + When the share called Stuff is being displayed, stop the capture. + Save the captured data in case it is needed for later analysis. + + + + session setup + From the top of the packets captured, scan down to locate the first packet that has + interpreted as Session Setup AndX, User: anonymous; Tree Connect AndX, + Path: \\MILGATE98\IPC$. + + + + Session Setup + + Tree Connect + + In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request, + and Tree Connect AndX Request. Examine both operations. Identify the name of + the user Account and what password was used. The Account name should be empty. + This is a NULL session setup packet. + + + + Return to the packet capture sequence. There will be a number of packets that have been + decoded of the type Session Setup AndX. 
Locate the last such packet + that was targeted at the \\MILGATE98\IPC$ service. + + + + password length + User Mode + Dissect this packet as per the previous one. This packet should have a password length + of 24 (characters) and should have a password field, the contents of which is a + long hexadecimal number. Observe the name in the Account field. This is a User Mode + session setup packet. + + + + + Findings and Comments + + + IPC$ + The IPC$ share serves a vital purposeTOSHARG, Sect 4.5.1 + in SMB/CIFS-based networking. A Windows client connects to this resource to obtain the list of + resources that are available on the server. The server responds with the shares and print queues that + are available. In most but not all cases, the connection is made with a NULL + username and a NULL password. + + + + account credentials + The two packets examined are material evidence of how Windows clients may + interoperate with Samba. Samba requires every connection setup to be authenticated using + valid UNIX account credentials (UID/GID). This means that even a NULL + session setup can be established only by automatically mapping it to a valid UNIX + account. + + + + NULL session + guest account + + nobody + Samba has a special name for the NULL, or empty, user account: + it calls it the . The + default value of this parameter is nobody; however, this can be + changed to map the function of the guest account to any other UNIX identity. Some + UNIX administrators prefer to map this account to the system default anonymous + FTP account. A sample NULL Session Setup AndX packet dissection is shown in + . + + + + Typical Windows 9x/Me NULL SessionSetUp AndX Request + + NullConnect + + + + nobody + /etc/passwd + guest account + When a UNIX/Linux system does not have a nobody user account + (/etc/passwd), the operation of the NULL + account cannot validate and thus connections that utilize the guest account + fail. 
This breaks all ability to browse the Samba server and is a common + problem reported on the Samba mailing list. A sample User Mode session setup AndX + is shown in . + + + + Typical Windows 9x/Me User SessionSetUp AndX Request + UserConnect + + + + encrypted + The User Mode connection packet contains the account name and the domain name. + The password is provided in Microsoft encrypted form, and its length is shown + as 24 characters. This is the length of Microsoft encrypted passwords. + + + + + + + + Windows 200x/XP Client Interaction with Samba-3 + + + By now you may be asking, Why did you choose to work with Windows 9x/Me? + + + + First, we want to demonstrate the simple case. This book is not intended to be a detailed treatise + on the Windows networking protocols, but rather to provide prescriptive guidance for deployment of Samba. + Second, by starting out with the simple protocol, it can be demonstrated that the more complex case mostly + follows the same principles. + + + + The following exercise demonstrates the case that even MS Windows XP Professional with up-to-date service + updates also uses the NULL account, as well as user accounts. Simply follow the procedure + to complete this exercise. + + + + To complete this exercise, you need a Windows XP Professional client that has been configured as + a domain member of either a Samba-controlled domain or a Windows NT4 or 200x Active Directory domain. + Here we do not provide details for how to configure this, as full coverage is provided earlier in this book. + + + + Steps to Explore Windows XP Pro Connection Set-up + + + Start your domain controller. Also, start the ethereal monitoring machine, launch ethereal, + and then wait for the next step to complete. + + + + Start the Windows XP Client and wait 5 minutes before proceeding. + + + + On the machine from which network activity will be monitored (using ethereal), + launch ethereal and click + + Capture + Start + . 
+ + + + Click: + + Update list of packets in real time + Automatic scrolling in live capture + Enable MAC name resolution + Enable network name resolution + Enable transport name resolution + + Click OK. + + + + On the Windows XP Professional client, press Ctrl-Alt-Delete to bring + up the domain logon screen. Log in using valid credentials for a domain user account. + + + + Now proceed to connect to the domain controller as follows: + + Start + (right-click) My Network Places + Explore + {Left Panel} [+] Entire Network + {Left Panel} [+] Microsoft Windows Network + {Left Panel} [+] Midearth + {Left Panel} [+] Frodo + {Left Panel} [+] data + . Close the explorer window. + + + + In this step, our domain name is Midearth, the domain controller is called + Frodo, and we have connected to a share called data. + + + + Stop the capture on the ethereal monitoring machine. Be sure to save the captured data + to a file so that you can refer to it again later. + + + + If desired, the Windows XP Professional client and the domain controller are no longer needed for exercises + in this appendix. + + + + NTLMSSP_AUTH + session setup + From the top of the packets captured, scan down to locate the first packet that has + interpreted as Session Setup AndX Request, NTLMSSP_AUTH. + + + + GSS-API + SPNEGO + NTLMSSP + In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request. + Expand the packet decode information, beginning at the Security Blob: + entry. Expand the GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP + keys. This should reveal that this is a NULL session setup packet. + The User name: NULL so indicates. An example decode is shown in + . + + + + Return to the packet capture sequence. There will be a number of packets that have been + decoded of the type Session Setup AndX Request. Click the last such packet that + has been decoded as Session Setup AndX Request, NTLMSSP_AUTH. 
+ + + + encrypted password + In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request. + Expand the packet decode information, beginning at the Security Blob: + entry. Expand the GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP + keys. This should reveal that this is a User Mode session setup packet. + The User name: jht so indicates. An example decode is shown in + . In this case the user name was jht. This packet + decode includes the Lan Manager Response: and the NTLM Response:. + The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan + password and then the NT (case-preserving) password hash. + + + + password length + User Mode + The passwords are 24-character hexadecimal numbers. This packet confirms that this is a User Mode + session setup packet. + + + + + + Typical Windows XP NULL Session Setup AndX Request + WindowsXP-NullConnection + + + + Typical Windows XP User Session Setup AndX Request + WindowsXP-UserConnection + + + + Discussion + + + NULL-Session + + This exercise demonstrates that, while the specific protocol for the Session Setup AndX is handled + in a more sophisticated manner by recent MS Windows clients, the underlying rules or principles + remain the same. Thus it is demonstrated that MS Windows XP Professional clients still use a + NULL-Session connection to query and locate resources on an advanced network + technology server (one using Windows NT4/200x or Samba). It also demonstrates that an authenticated + connection must be made before resources can be used. + + + + + + + + Conclusions to Exercises + + + In summary, the following points have been established in this appendix: + + + + + When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast-oriented messaging protocols to provide knowledge of network services. 
+ + + + Network browsing protocols query information stored on browse masters that manage + information provided by NetBIOS Name Registrations and by way of ongoing host + announcements and workgroup announcements. + + + + All Samba servers must be configured with a mechanism for mapping the NULL-Session + to a valid but nonprivileged UNIX system account. + + + + The use of Microsoft encrypted passwords is built right into the fabric of Windows + networking operations. Such passwords cannot be provided from the UNIX /etc/passwd + database and thus must be stored elsewhere on the UNIX system in a manner that Samba can + use. Samba-2.x permitted such encrypted passwords to be stored in the smbpasswd + file or in an LDAP database. Samba-3 permits use of multiple passdb backend + databases in concurrent deployment. Refer to TOSHARG, Chapter 10, Account Information Databases. + + + + + +
+ + + Dissection and Discussion + + + guest account + The exercises demonstrate the use of the guest account, the way that + MS Windows clients and servers resolve computer names to a TCP/IP address, and how connections + between a client and a server are established. + + + + Those wishing background information regarding NetBIOS name types should refer to + the Microsoft knowledgebase article + Q102878. + + + + Technical Issues + + + guest account + Network browsing involves SMB broadcast announcements, SMB enumeration requests, + connections to the IPC$ share, share enumerations, and SMB connection + setup processes. The use of anonymous connections to a Samba server involve the use of + the guest account that must map to a valid UNIX UID. + + + + + + + + Questions and Answers + + + The questions and answers given in this section are designed to highlight important aspects of Microsoft + Windows networking. + + + + + + + + What is the significance of the MIDEARTH<1b> type query? + + + + + + + Domain Master BrowserDMB + DMB + This is a broadcast announcement by which the Windows machine is attempting to + locate a Domain Master Browser (DMB) in the event that it might exist on the network. + Refer to TOSHARG, Chapter 9, Section 9.7, Technical Overview of Browsing, + for details regarding the function of the DMB and its role in network browsing. + + + + + + + + + + What is the significance of the MIDEARTH<1d> type name registration? + + + + + + + Local Master BrowserLMB + LMB + This name registration records the machine IP addresses of the LMBs. + Network clients can query this name type to obtain a list of browser servers from the + master browser. + + + + The LMB is responsible for monitoring all host announcements on the local network and for + collating the information contained within them. 
Using this information, it can provide answers to other Windows + network clients that request information such as: + + + + + The list of machines known to the LMB (i.e., the browse list) + + + + The IP addresses of all domain controllers known for the domain + + + + The IP addresses of LMBs + + + + The IP address of the DMB (if one exists) + + + + The IP address of the LMB on the local segment + + + + + + + + + + + What is the role and significance of the <01><02>__MSBROWSE__<02><01> + name registration? + + + + + + + Browse Master + This name is registered by the browse master to broadcast and receive domain announcements. + Its scope is limited to the local network segment, or subnet. By querying this name type, + master browsers on networks that have multiple domains can find the names of master browsers + for each domain. + + + + + + + + + + What is the significance of the MIDEARTH<1e> type name registration? + + + + + + + Browser Election Service + This name is registered by all browse masters in a domain or workgroup. The registration + name type is known as the Browser Election Service. Master browsers register themselves + with this name type so that DMBs can locate them to perform cross-subnet + browse list updates. This name type is also used to initiate elections for Master Browsers. + + + + + + + + + + guest account + What is the significance of the guest account in smb.conf? + + + + + + + This parameter specifies the default UNIX account to which MS Windows networking + NULL session connections are mapped. The default name for the UNIX account used for + this mapping is called nobody. If the UNIX/Linux system that + is hosting Samba does not have a nobody account and an alternate + mapping has not been specified, network browsing will not work at all. + + + + It should be noted that the guest account is essential to + Samba operation. 
Either the operating system must have an account called nobody + or there must be an entry in the &smb.conf; file with a valid UNIX account, such as + ftp. + + + + + + + + + + Is it possible to reduce network broadcast activity with Samba-3? + + + + + + + WINS + NetBIOS + Yes, there are two ways to do this. The first involves use of WINS (See TOSHARG, Chapter 9, + Section 9.5, WINS &smbmdash; The Windows Inter-networking Name Server); the + alternate method involves disabling the use of NetBIOS over TCP/IP. This second method requires + a correctly configured DNS server (see TOSHARG, Chapter 9, Section 9.3, Discussion). + + + + broadcast + NetBIOSNode Type + Hybrid + The use of WINS reduces network broadcast traffic. The reduction is greatest when all network + clients are configured to operate in Hybrid Mode. This can be effected through + use of DHCP to set the NetBIOS node type to type 8 for all network clients. Additionally, it is + beneficial to configure Samba to use wins host cast. + + + + Use of SMB without NetBIOS is possible only on Windows 200x/XP Professional clients and servers, as + well as with Samba-3. + + + + + + + + + + Can I just use plain-text passwords with Samba? + + + + + + + Yes, you can configure Samba to use plain-text passwords, though this does create a few problems. + + + + First, the use of /etc/passwd-based plain-text passwords requires that registry + modifications be made on all MS Windows client machines to enable plain-text passwords support. This + significantly diminishes the security of MS Windows client operation. Many network administrators + are bitterly opposed to doing this. + + + + Second, Microsoft has not maintained plain-text password support since the default setting was made + disabling this. When network connections are dropped by the client, it is not possible to re-establish + the connection automatically. Users need to log off and then log on again. 
Plain-text password support + may interfere with recent enhancements that are part of the Microsoft move toward a more secure computing + environment. + + + + Samba-3 supports Microsoft encrypted passwords. Be advised not to reintroduce plain-text password handling. + Just create user accounts by running smbpasswd -a 'username' + + + + It is not possible to add a user to the passdb backend database unless there is + a UNIX system account for that user. On systems that run winbindd to access the Samba + PDC/BDC to provide Windows user and group accounts, the idmap uid, idmap gid ranges + set in the &smb.conf; file provide the local UID/GIDs needed for local identity management purposes. + + + + + + + + + + What parameter in the &smb.conf; file is used to enable the use of encrypted passwords? + + + + + + + The parameter in the &smb.conf; file that controls this behavior is known as encrypt + passwords. The default setting for this in Samba-3 is Yes (Enabled). + + + + + + + + + + Is it necessary to specify Yes + when Samba-3 is configured as a domain member? + + + + + + + No. This is the default behavior. + + + + + + + + + + Is it necessary to specify a guest account when Samba-3 is configured + as a domain member server? + + + + + + + Yes. This is a local function on the server. The default setting is to use the UNIX account + nobody. If this account does not exist on the UNIX server, then it is + necessary to provide a an_account, + where an_account is a valid local UNIX user account. + + + + + + + + +
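Review bot: In the Windows XP user-mode dissection step (the paragraph describing the `Lan Manager Response:` and `NTLM Response:` fields) the hunk calls those two 24-byte values "the Microsoft encrypted password hashes"; what the capture actually shows is the LanMan and NTLM challenge response (the stored hash applied to the server's challenge), not the hash itself, so that sentence and the earlier remark "This is the length of Microsoft encrypted passwords" should say "challenge response" to avoid teaching readers that the password hash travels on the wire. Smaller consistency points in the same hunk: the figure references `WINREPRESSME-Capture` and `WINREPRESSME-Capture2` do not match the machine name `WINEPRESSME` used everywhere else, `HostAnnouncment` looks like a misspelled image reference (verify it matches the real file name), and the final Q&A answer ends with "provide a an_account", which reads as if an element is missing and is worth checking in the rendered output. Finally, the commit message says "Large number of small fixes to the layout and the build system", but this hunk adds an entire new 1283-line appendix; the message should mention that.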