Date: Wed, 2 Apr 2003 18:07:52 +0000 Subject: Regenerate docs (This used to be commit 20ee66b661e295cc9fb66f00b16de3b382a7e723) --- docs/htmldocs/integrate-ms-networks.html | 602 +++++-------------------------- 1 file changed, 100 insertions(+), 502 deletions(-) (limited to 'docs/htmldocs/integrate-ms-networks.html') diff --git a/docs/htmldocs/integrate-ms-networks.html b/docs/htmldocs/integrate-ms-networks.html index 984f849f71..433fb5b50d 100644 --- a/docs/htmldocs/integrate-ms-networks.html +++ b/docs/htmldocs/integrate-ms-networks.html @@ -10,14 +10,14 @@ REL="HOME" TITLE="SAMBA Project Documentation" HREF="samba-howto-collection.html">Prev Next Chapter 10. Integrating MS Windows networks with Samba

10.1. Agenda

Chapter 17. Integrating MS Windows networks with Samba

To identify the key functional mechanisms of MS Windows networking -to enable the deployment of Samba as a means of extending and/or -replacing MS Windows NT/2000 technology.

We will examine:

This section deals with NetBIOS over TCP/IP name to IP address resolution. If you +your MS Windows clients are NOT configured to use NetBIOS over TCP/IP then this +section does not apply to your installation. If your installation involves use of +NetBIOS over TCP/IP then this section may help you to resolve networking problems.

Name resolution in a pure Unix/Linux TCP/IP - environment -
Name resolution as used within MS Windows - networking -
How browsing functions and how to deploy stable - and dependable browsing using Samba -

MS Windows security options and how to - configure Samba for seemless integration -

NetBIOS over TCP/IP has nothing to do with NetBEUI. NetBEUI is NetBIOS + over Logical Link Control (LLC). On modern networks it is highly advised + to NOT run NetBEUI at all. Note also that there is NO such thing as + NetBEUI over TCP/IP - the existence of such a protocol is a complete + and utter mis-apprehension.

Configuration of Samba as:

Since the introduction of MS Windows 2000 it is possible to run MS Windows networking +without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for NetBIOS +name resolution and uses TCP port 139 for NetBIOS session services. When NetBIOS over +TCP/IP is disabled on MS Windows 2000 and later clients then only TCP port 445 will be +used and UDP port 137 and TCP port 139 will not.

A stand-alone server
An MS Windows NT 3.x/4.0 security domain member -

An alternative to an MS Windows NT 3.x/4.0 Domain Controller -

When using Windows 2000 or later clients, if NetBIOS over TCP/IP is NOT disabled, then +the client will use UDP port 137 (NetBIOS Name Service, also known as the Windows Internet +Name Service or WINS), TCP port 139 AND TCP port 445 (for actual file and print traffic).

When NetBIOS over TCP/IP is disabled the use of DNS is essential. Most installations that +disable NetBIOS over TCP/IP today use MS Active Directory Service (ADS). ADS requires +Dynamic DNS with Service Resource Records (SRV RR) and with Incremental Zone Transfers (IXFR). +Use of DHCP with ADS is recommended as a further means of maintaining central control +over client workstation network configuration.

10.2. Name Resolution in a pure Unix/Linux world17.1. Name Resolution in a pure Unix/Linux world

The key configuration files covered in this section are:

10.2.1. `17.1.1. /etc/hosts`

10.2.2. 17.1.2. /etc/resolv.conf10.2.3. 17.1.3. /etc/host.conf10.2.4. 17.1.4. /etc/nsswitch.conf10.3. Name resolution as used within MS Windows networking17.2. Name resolution as used within MS Windows networking MS Windows networking is predicated about the name each machine @@ -491,8 +499,8 @@ CLASS="SECT2" > 10.3.1. The NetBIOS Name Cache17.2.1. The NetBIOS Name Cache All MS Windows machines employ an in memory buffer in which is @@ -518,8 +526,8 @@ CLASS="SECT2" > 10.3.2. The LMHOSTS file17.2.2. The LMHOSTS file This file is usually located in MS Windows NT 4.0 or @@ -621,8 +629,8 @@ CLASS="SECT2" > 10.3.3. HOSTS file17.2.3. HOSTS file This file is usually located in MS Windows NT 4.0 or 2000 in @@ -643,8 +651,8 @@ CLASS="SECT2" > 10.3.4. DNS Lookup17.2.4. DNS Lookup This capability is configured in the TCP/IP setup area in the network @@ -663,8 +671,8 @@ CLASS="SECT2" > 10.3.5. WINS Lookup17.2.5. WINS Lookup A WINS (Windows Internet Name Server) service is the equivaent of the @@ -699,416 +707,6 @@ CLASS="REPLACEABLE" of the WINS server.

`10.4. How browsing functions and how to deploy stable and -dependable browsing using Samba`

As stated above, MS Windows machines register their NetBIOS names -(i.e.: the machine name for each service type in operation) on start -up. Also, as stated above, the exact method by which this name registration -takes place is determined by whether or not the MS Windows client/server -has been given a WINS server address, whether or not LMHOSTS lookup -is enabled, or if DNS for NetBIOS name resolution is enabled, etc.

In the case where there is no WINS server all name registrations as -well as name lookups are done by UDP broadcast. This isolates name -resolution to the local subnet, unless LMHOSTS is used to list all -names and IP addresses. In such situations Samba provides a means by -which the samba server name may be forcibly injected into the browse -list of a remote MS Windows network (using the "remote announce" parameter).

Where a WINS server is used, the MS Windows client will use UDP -unicast to register with the WINS server. Such packets can be routed -and thus WINS allows name resolution to function across routed networks.

During the startup process an election will take place to create a -local master browser if one does not already exist. On each NetBIOS network -one machine will be elected to function as the domain master browser. This -domain browsing has nothing to do with MS security domain control. -Instead, the domain master browser serves the role of contacting each local -master browser (found by asking WINS or from LMHOSTS) and exchanging browse -list contents. This way every master browser will eventually obtain a complete -list of all machines that are on the network. Every 11-15 minutes an election -is held to determine which machine will be the master browser. By the nature of -the election criteria used, the machine with the highest uptime, or the -most senior protocol version, or other criteria, will win the election -as domain master browser.

Clients wishing to browse the network make use of this list, but also depend -on the availability of correct name resolution to the respective IP -address/addresses.

Any configuration that breaks name resolution and/or browsing intrinsics -will annoy users because they will have to put up with protracted -inability to use the network services.

Samba supports a feature that allows forced synchonisation -of browse lists across routed networks using the "remote -browse sync" parameter in the smb.conf file. This causes Samba -to contact the local master browser on a remote network and -to request browse list synchronisation. This effectively bridges -two networks that are separated by routers. The two remote -networks may use either broadcast based name resolution or WINS -based name resolution, but it should be noted that the "remote -browse sync" parameter provides browse list synchronisation - and -that is distinct from name to address resolution, in other -words, for cross subnet browsing to function correctly it is -essential that a name to address resolution mechanism be provided. -This mechanism could be via DNS, /etc/hosts, -and so on.

`10.5. MS Windows security options and how to configure -Samba for seemless integration`

MS Windows clients may use encrypted passwords as part of a -challenege/response authentication model (a.k.a. NTLMv1) or -alone, or clear text strings for simple password based -authentication. It should be realized that with the SMB -protocol the password is passed over the network either -in plain text or encrypted, but not both in the same -authentication requets.

When encrypted passwords are used a password that has been -entered by the user is encrypted in two ways:

An MD4 hash of the UNICODE of the password - string. This is known as the NT hash. -
The password is converted to upper case, - and then padded or trucated to 14 bytes. This string is - then appended with 5 bytes of NULL characters and split to - form two 56 bit DES keys to encrypt a "magic" 8 byte value. - The resulting 16 bytes for the LanMan hash. -

You should refer to the Password Encryption chapter in this HOWTO collection -for more details on the inner workings

MS Windows 95 pre-service pack 1, MS Windows NT versions 3.x -and version 4.0 pre-service pack 3 will use either mode of -password authentication. All versions of MS Windows that follow -these versions no longer support plain text passwords by default.

MS Windows clients have a habit of dropping network mappings that -have been idle for 10 minutes or longer. When the user attempts to -use the mapped drive connection that has been dropped, the client -re-establishes the connection using -a cached copy of the password.

When Microsoft changed the default password mode, they dropped support for -caching of the plain text password. This means that when the registry -parameter is changed to re-enable use of plain text passwords it appears to -work, but when a dropped mapping attempts to revalidate it will fail if -the remote authentication server does not support encrypted passwords. -This means that it is definitely not a good idea to re-enable plain text -password support in such clients.

The following parameters can be used to work around the -issue of Windows 9x client upper casing usernames and -password before transmitting them to the SMB server -when using clear text authentication.

	passsword level = integer
-	username level = integer

By default Samba will lower case the username before attempting -to lookup the user in the database of local system accounts. -Because UNIX usernames conventionally only contain lower case -character, the username level parameter -is rarely even needed.

However, password on UNIX systems often make use of mixed case -characters. This means that in order for a user on a Windows 9x -client to connect to a Samba server using clear text authentication, -the password level must be set to the maximum -number of upper case letter which could appear -is a password. Note that is the server OS uses the traditional -DES version of crypt(), then a password level -of 8 will result in case insensitive passwords as seen from Windows -users. This will also result in longer login times as Samba -hash to compute the permutations of the password string and -try them one by one until a match is located (or all combinations fail).

The best option to adopt is to enable support for encrypted passwords -where ever Samba is used. There are three configuration possibilities -for support of encrypted passwords:

`10.5.1. Use MS Windows NT as an authentication server`

This method involves the additions of the following parameters -in the smb.conf file:

	encrypt passwords = Yes
-	security = server
-	password server = "NetBIOS_name_of_PDC"

There are two ways of identifying whether or not a username and -password pair was valid or not. One uses the reply information provided -as part of the authentication messaging process, the other uses -just and error code.

The down-side of this mode of configuration is the fact that -for security reasons Samba will send the password server a bogus -username and a bogus password and if the remote server fails to -reject the username and password pair then an alternative mode -of identification of validation is used. Where a site uses password -lock out after a certain number of failed authentication attempts -this will result in user lockouts.

Use of this mode of authentication does require there to be -a standard Unix account for the user, this account can be blocked -to prevent logons by other than MS Windows clients.

`10.5.2. Make Samba a member of an MS Windows NT security domain`

This method involves additon of the following paramters in the smb.conf file:

	encrypt passwords = Yes
-	security = domain
-	workgroup = "name of NT domain"
-	password server = *

The use of the "*" argument to "password server" will cause samba -to locate the domain controller in a way analogous to the way -this is done within MS Windows NT.

In order for this method to work the Samba server needs to join the -MS Windows NT security domain. This is done as follows:

On the MS Windows NT domain controller using - the Server Manager add a machine account for the Samba server. -
Next, on the Linux system execute: - smbpasswd -r PDC_NAME -j DOMAIN_NAME -

Use of this mode of authentication does require there to be -a standard Unix account for the user in order to assign -a uid once the account has been authenticated by the remote -Windows DC. This account can be blocked to prevent logons by -other than MS Windows clients by things such as setting an invalid -shell in the /etc/passwd entry.

An alternative to assigning UIDs to Windows users on a -Samba member server is presented in the Winbind Overview chapter in -this HOWTO collection.

`10.5.3. Configure Samba as an authentication server`

This mode of authentication demands that there be on the -Unix/Linux system both a Unix style account as well as an -smbpasswd entry for the user. The Unix system account can be -locked if required as only the encrypted password will be -used for SMB client authentication.

This method involves addition of the following parameters to -the smb.conf file:

## please refer to the Samba PDC HOWTO chapter later in 
-## this collection for more details
-[global]
-	encrypt passwords = Yes
-	security = user
-	domain logons = Yes
-	; an OS level of 33 or more is recommended
-	os level = 33
-
-[NETLOGON]
-	path = /somewhare/in/file/system
-	read only = yes

in order for this method to work a Unix system account needs -to be created for each user, as well as for each MS Windows NT/2000 -machine. The following structure is required.

`10.5.3.1. Users`

A user account that may provide a home directory should be -created. The following Linux system commands are typical of -the procedure for creating an account.

	# useradd -s /bin/bash -d /home/"userid" -m "userid"
-	# passwd "userid"
-	  Enter Password: <pw>
-	  
-	# smbpasswd -a "userid"
-	  Enter Password: <pw>

`10.5.3.2. MS Windows NT Machine Accounts`

These are required only when Samba is used as a domain -controller. Refer to the Samba-PDC-HOWTO for more details.

	# useradd -s /bin/false -d /dev/null "machine_name"\$
-	# passwd -l "machine_name"\$
-	# smbpasswd -a -m "machine_name"

`10.6. Conclusions`

Samba provides a flexible means to operate as...

A Stand-alone server - No special action is needed - other than to create user accounts. Stand-alone servers do NOT - provide network logon services, meaning that machines that use this - server do NOT perform a domain logon but instead make use only of - the MS Windows logon which is local to the MS Windows - workstation/server. -
An MS Windows NT 3.x/4.0 security domain member. -
An alternative to an MS Windows NT 3.x/4.0 - Domain Controller. -

PrevNextOptional configurationUnified Logons between Windows NT and UNIX using WinbindUNIX Permission Bits and Windows NT Access Control ListsImproved browsing in samba

10.1. Agenda

10.2. Name Resolution in a pure Unix/Linux world17.1. Name Resolution in a pure Unix/Linux world

10.2.1. `17.1.1. /etc/hosts`

`10.3. Name resolution as used within MS Windows networking17.2. Name resolution as used within MS Windows networking`

`10.3.1. The NetBIOS Name Cache17.2.1. The NetBIOS Name Cache`

`10.3.2. The LMHOSTS file17.2.2. The LMHOSTS file`

`10.3.3. HOSTS file17.2.3. HOSTS file`

`10.3.4. DNS Lookup17.2.4. DNS Lookup`

`10.3.5. WINS Lookup17.2.5. WINS Lookup`