Networking Primer You are about to use the equivalent of a microscope to look at the information that runs through the veins of a Windows network. We do more to observe the information than to interrogate it. When you are done with this primer, you should have a good understanding of the types of information that flow over the network. Do not worry, this is not a biology lesson. We won't lose you in unnecessary detail. Think to yourself, This is easy, then tackle each exercise without fear. Samba can be configured with a minimum of complexity. Simplicity should be mastered before you get too deeply into complexities. Let's get moving: we have work to do. Requirements and Notes Successful completion of this primer requires two Microsoft Windows 9x/Me Workstations as well as two Microsoft Windows XP Professional Workstations, each equipped with an Ethernet card connected using a hub. Also required is one additional server (either Windows NT4 Server, Windows 2000 Server, or a Samba-3 on UNIX/Linux server) running a network sniffer and analysis application (Wireshark is a good choice). All work should be undertaken on a quiet network where there is no other traffic. It is best to use a dedicated hub with only the machines under test connected at the time of the exercises. Wireshark Wireshark (formerly Ethereal) has become the network protocol analyzer of choice for many network administrators. You may find more information regarding this tool from the Wireshark Web site. Wireshark installation files for Windows may be obtained from the Wireshark Web site. Wireshark is provided with SUSE and Red Hat Linux distributions, as well as with many other Linux distributions. It may not be installed on your system by default. If it is not installed, you may also need to install the libpcap software before you can install or use Wireshark. Please refer to the instructions for your operating system or to the Wireshark Web site for information regarding the installation and operation of Wireshark. To obtain Wireshark for your system, please visit the Wireshark download site. The successful completion of this chapter requires that you capture network traffic using Wireshark. It is recommended that you use a hub, not an Ethernet switch. It is necessary for the device used to act as a repeater, not as a filter. Ethernet switches may filter out traffic that is not directed at the machine that is used to monitor traffic; this would not allow you to complete the projects. networkcaptures Do not worry too much if you do not have access to all this equipment; network captures from the exercises are provided on the enclosed CD-ROM. This makes it possible to dive directly into the analytical part of the exercises if you so desire. network sniffer protocol analysis Please do not be alarmed at the use of a high-powered analysis tool (Wireshark) in this primer. We expose you only to a minimum of detail necessary to complete the exercises. If you choose to use any other network sniffer and protocol analysis tool, be advised that it may not allow you to examine the contents of recently added security protocols used by Windows 200x/XP. You could just skim through the exercises and try to absorb the key points made. The exercises provide all the information necessary to convince the die-hard network engineer. You possibly do not require so much convincing and may just want to move on, in which case you should at least read . also provides useful information that may help you to avoid significantly time-consuming networking problems. Introduction The purpose of this chapter is to create familiarity with key aspects of Microsoft Windows network computing. If you want a solid technical grounding, do not gloss over these exercises. The points covered are recurrent issues on the Samba mailing lists. network broadcast You can see from these exercises that Windows networking involves quite a lot of network broadcast traffic. You can look into the contents of some packets, but only to see some particular information that the Windows client sends to a server in the course of establishing a network connection. To many people, browsing is everything that happens when one uses Microsoft Internet Explorer. It is only when you start looking at network traffic and noting the protocols and types of information that are used that you can begin to appreciate the complexities of Windows networking and, more importantly, what needs to be configured so that it can work. Detailed information regarding browsing is provided in the recommended preparatory reading. Recommended preparatory reading: The Official Samba-3 HOWTO and Reference Guide, Second Edition (TOSHARG2) Chapter 9, Network Browsing, and Chapter 3, Server Types and Security Modes. Assignment Tasks browsing You are about to witness how Microsoft Windows computer networking functions. The exercises step through identification of how a client machine establishes a connection to a remote Windows server. You observe how Windows machines find each other (i.e., how browsing works) and how the two key types of user identification (share mode security and user mode security) are affected. network analyzer The networking protocols used by MS Windows networking when working with Samba use TCP/IP as the transport protocol. The protocols that are specific to Windows networking are encapsulated in TCP/IP. The network analyzer we use (Wireshark) is able to show you the contents of the TCP/IP packets (or messages). Diagnostic Tasks network trace host announcement name resolution Examine network traces to witness SMB broadcasts, host announcements, and name resolution processes. Examine network traces to witness how share mode security functions. Examine network traces to witness the use of user mode security. Review traces of network logons for a Windows 9x/Me client as well as a domain logon for a Windows XP Professional client. Exercises wireshark You are embarking on a course of discovery. The first part of the exercise requires two MS Windows 9x/Me systems. We called one machine WINEPRESSME and the other MILGATE98. Each needs an IP address; we used 10.1.1.10 and 10.1.1.11. The test machines need to be networked via a hub. A UNIX/Linux machine is required to run Wireshark to enable the network activity to be captured. It is important that the machine from which network activity is captured must not interfere with the operation of the Windows workstations. It is helpful for this machine to be passive (does not send broadcast information) to the network. For these exercises, our test environment consisted of a SUSE 9.2 Professional Linux Workstation running VMWare 4.5. The following VMWare images were prepared: Windows 98 &smbmdash; name: MILGATE98 Windows Me &smbmdash; name: WINEPRESSME Windows XP Professional &smbmdash; name: LightrayXP Samba-3.0.20 running on a SUSE Enterprise Linux 9 Choose a workgroup name (MIDEARTH) for each exercise. ethereal The network captures provided on the CD-ROM included with this book were captured using Ethereal version 0.10.6. A later version suffices without problems (i.e. you should be using Wireshark), but an earlier version may not expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all packets has also been included. This makes it possible for you to do all the studying you like without the need to perform the time-consuming equipment configuration and test work. This is a good time to point out that the value that can be derived from this book really does warrant your taking sufficient time to practice each exercise with care and attention to detail. Single-Machine Broadcast Activity In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes. Monitoring Windows 9x Steps Start the machine from which network activity will be monitored (using Wireshark). Launch Wireshark, click Capture Start . Click the following: Update list of packets in real time Automatic scrolling in live capture Enable MAC name resolution Enable network name resolution Enable transport name resolution Click OK. Start the Windows 9x/Me machine to be monitored. Let it run for a full 30 minutes. While monitoring, do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes. At the conclusion of 30 minutes, stop the capture. Save the capture to a file so you can go back to it later. Leave this machine running in preparation for the task in . Analyze the capture. Identify each discrete message type that was captured. Note what transport protocol was used. Identify the timing between messages of identical types. Findings The summary of the first 10 minutes of the packet capture should look like . A screenshot of a later stage of the same capture is shown in .
Windows Me &smbmdash; Broadcasts &smbmdash; The First 10 Minutes WINREPRESSME-Capture
Windows Me &smbmdash; Later Broadcast Sample WINREPRESSME-Capture2
Local Master Browser LMB LMB Broadcast messages observed are shown in . Actual observations vary a little, but not by much. Early in the startup process, the Windows Me machine broadcasts its name for two reasons: first to ensure that its name would not result in a name clash, and second to establish its presence with the Local Master Browser (LMB). Windows Me &smbmdash; Startup Broadcast Capture Statistics Message Type Num Notes WINEPRESSME<00> Reg 8 4 lots of 2, 0.6 sec apart WINEPRESSME<03> Reg 8 4 lots of 2, 0.6 sec apart WINEPRESSME<20> Reg 8 4 lots of 2, 0.75 sec apart MIDEARTH<00> Reg 8 4 lots of 2, 0.75 sec apart MIDEARTH<1d> Reg 8 4 lots of 2, 0.75 sec apart MIDEARTH<1e> Reg 8 4 lots of 2, 0.75 sec apart MIDEARTH<1b> Qry 84 300 sec apart at stable operation __MSBROWSE__ Reg 8 Registered after winning election to Browse Master JHT<03> Reg 8 4 x 2. This is the name of the user that logged onto Windows Host Announcement WINEPRESSME Ann 2 Observed at 10 sec Domain/Workgroup Announcement MIDEARTH Ann 18 300 sec apart at stable operation Local Master Announcement WINEPRESSME Ann 18 300 sec apart at stable operation Get Backup List Request Qry 12 6 x 2 early in startup, 0.5 sec apart Browser Election Request Ann 10 5 x 2 early in startup Request Announcement WINEPRESSME Ann 4 Early in startup
election browse master From the packet trace, it should be noted that no messages were propagated over TCP/IP; all messages employed UDP/IP. When steady-state operation has been achieved, there is a cycle of various announcements, re-election of a browse master, and name queries. These create the symphony of announcements by which network browsing is made possible. CIFS For detailed information regarding the precise behavior of the CIFS/SMB protocols, refer to the book Implementing CIFS: The Common Internet File System, by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X).
Second Machine Startup Broadcast Interaction At this time, the machine you used to capture the single-system startup trace should still be running. The objective of this task is to identify the interaction of two machines in respect to broadcast activity. Monitoring of Second Machine Activity On the machine from which network activity will be monitored (using Wireshark), launch Wireshark and click Capture Start . Click: Update list of packets in real time Automatic scrolling in live capture Enable MAC name resolution Enable network name resolution Enable transport name resolution Click OK. Start the second Windows 9x/Me machine. Let it run for 15 to 20 minutes. While monitoring, do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes. At the conclusion of the capture time, stop the capture. Be sure to save the captured data so you can examine the network data capture again at a later date should that be necessary. Analyze the capture trace, taking note of the transport protocols used, the types of messages observed, and what interaction took place between the two machines. Leave both machines running for the next task. Findings summarizes capture statistics observed. As in the previous case, all announcements used UDP/IP broadcasts. Also, as was observed with the last example, the second Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash (i.e., the name is already registered by another machine) on the network segment. Those wishing to explore the inner details of the precise mechanism of how this functions should refer to Implementing CIFS: The Common Internet File System. Second Machine (Windows 98) &smbmdash; Capture Statistics Message Type Num Notes MILGATE98<00> Reg 8 4 lots of 2, 0.6 sec apart MILGATE98<03> Reg 8 4 lots of 2, 0.6 sec apart MILGATE98<20> Reg 8 4 lots of 2, 0.75 sec apart MIDEARTH<00> Reg 8 4 lots of 2, 0.75 sec apart MIDEARTH<1d> Reg 8 4 lots of 2, 0.75 sec apart MIDEARTH<1e> Reg 8 4 lots of 2, 0.75 sec apart MIDEARTH<1b> Qry 18 900 sec apart at stable operation JHT<03> Reg 2 This is the name of the user that logged onto Windows Host Announcement MILGATE98 Ann 14 Every 120 sec Domain/Workgroup Announcement MIDEARTH Ann 6 900 sec apart at stable operation Local Master Announcement WINEPRESSME Ann 6 Insufficient detail to determine frequency
host announcement Local Master Announcement Workgroup Announcement Observation of the contents of Host Announcements, Domain/Workgroup Announcements, and Local Master Announcements is instructive. These messages convey a significant level of detail regarding the nature of each machine that is on the network. An example dissection of a Host Announcement is given in .
Typical Windows 9x/Me Host Announcement HostAnnouncment
Simple Windows Client Connection Characteristics The purpose of this exercise is to discover how Microsoft Windows clients create (establish) connections with remote servers. The methodology involves analysis of a key aspect of how Windows clients access remote servers: the session setup protocol. Client Connection Exploration Steps Configure a Windows 9x/Me machine (MILGATE98) with a share called Stuff. Create a Full Access control password on this share. Configure another Windows 9x/Me machine (WINEPRESSME) as a client. Make sure that it exports no shared resources. Start both Windows 9x/Me machines and allow them to stabilize for 10 minutes. Log on to both machines using a user name (JHT) of your choice. Wait approximately 2 minutes before proceeding. Start Wireshark (or the network sniffer of your choice). From the WINEPRESSME machine, right-click Network Neighborhood, select Explore, select My Network Places Entire Network MIDEARTH MILGATE98 Stuff . Enter the password you set for the Full Control mode for the Stuff share. When the share called Stuff is being displayed, stop the capture. Save the captured data in case it is needed for later analysis. session setup From the top of the packets captured, scan down to locate the first packet that has interpreted as Session Setup AndX, User: anonymous; Tree Connect AndX, Path: \\MILGATE98\IPC$. Session Setup Tree Connect In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request, and Tree Connect AndX Request. Examine both operations. Identify the name of the user Account and what password was used. The Account name should be empty. This is a NULL session setup packet. Return to the packet capture sequence. There will be a number of packets that have been decoded of the type Session Setup AndX. Locate the last such packet that was targeted at the \\MILGATE98\IPC$ service. password length User Mode Dissect this packet as per the previous one. This packet should have a password length of 24 (characters) and should have a password field, the contents of which is a long hexadecimal number. Observe the name in the Account field. This is a User Mode session setup packet. Findings and Comments IPC$ The IPC$ share serves a vital purposeTOSHARG2, Sect 4.5.1 in SMB/CIFS-based networking. A Windows client connects to this resource to obtain the list of resources that are available on the server. The server responds with the shares and print queues that are available. In most but not all cases, the connection is made with a NULL username and a NULL password. account credentials The two packets examined are material evidence of how Windows clients may interoperate with Samba. Samba requires every connection setup to be authenticated using valid UNIX account credentials (UID/GID). This means that even a NULL session setup can be established only by automatically mapping it to a valid UNIX account. NULL session guest account nobody Samba has a special name for the NULL, or empty, user account: it calls it the . The default value of this parameter is nobody; however, this can be changed to map the function of the guest account to any other UNIX identity. Some UNIX administrators prefer to map this account to the system default anonymous FTP account. A sample NULL Session Setup AndX packet dissection is shown in .
Typical Windows 9x/Me NULL SessionSetUp AndX Request NullConnect
nobody /etc/passwd guest account When a UNIX/Linux system does not have a nobody user account (/etc/passwd), the operation of the NULL account cannot validate and thus connections that utilize the guest account fail. This breaks all ability to browse the Samba server and is a common problem reported on the Samba mailing list. A sample User Mode session setup AndX is shown in .
Typical Windows 9x/Me User SessionSetUp AndX Request UserConnect
encrypted The User Mode connection packet contains the account name and the domain name. The password is provided in Microsoft encrypted form, and its length is shown as 24 characters. This is the length of Microsoft encrypted passwords.
Windows 200x/XP Client Interaction with Samba-3 By now you may be asking, Why did you choose to work with Windows 9x/Me? First, we want to demonstrate the simple case. This book is not intended to be a detailed treatise on the Windows networking protocols, but rather to provide prescriptive guidance for deployment of Samba. Second, by starting out with the simple protocol, it can be demonstrated that the more complex case mostly follows the same principles. The following exercise demonstrates the case that even MS Windows XP Professional with up-to-date service updates also uses the NULL account, as well as user accounts. Simply follow the procedure to complete this exercise. To complete this exercise, you need a Windows XP Professional client that has been configured as a domain member of either a Samba-controlled domain or a Windows NT4 or 200x Active Directory domain. Here we do not provide details for how to configure this, as full coverage is provided earlier in this book. Steps to Explore Windows XP Pro Connection Set-up Start your domain controller. Also, start the Wireshark monitoring machine, launch Wireshark, and then wait for the next step to complete. Start the Windows XP Client and wait 5 minutes before proceeding. On the machine from which network activity will be monitored (using Wireshark), launch Wireshark and click Capture Start . Click: Update list of packets in real time Automatic scrolling in live capture Enable MAC name resolution Enable network name resolution Enable transport name resolution Click OK. On the Windows XP Professional client, press Ctrl-Alt-Delete to bring up the domain logon screen. Log in using valid credentials for a domain user account. Now proceed to connect to the domain controller as follows: Start (right-click) My Network Places Explore {Left Panel} [+] Entire Network {Left Panel} [+] Microsoft Windows Network {Left Panel} [+] Midearth {Left Panel} [+] Frodo {Left Panel} [+] data . Close the explorer window. In this step, our domain name is Midearth, the domain controller is called Frodo, and we have connected to a share called data. Stop the capture on the Wireshark monitoring machine. Be sure to save the captured data to a file so that you can refer to it again later. If desired, the Windows XP Professional client and the domain controller are no longer needed for exercises in this chapter. NTLMSSP_AUTH session setup From the top of the packets captured, scan down to locate the first packet that has interpreted as Session Setup AndX Request, NTLMSSP_AUTH. GSS-API SPNEGO NTLMSSP In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request. Expand the packet decode information, beginning at the Security Blob: entry. Expand the GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP keys. This should reveal that this is a NULL session setup packet. The User name: NULL so indicates. An example decode is shown in . Return to the packet capture sequence. There will be a number of packets that have been decoded of the type Session Setup AndX Request. Click the last such packet that has been decoded as Session Setup AndX Request, NTLMSSP_AUTH. encrypted password In the dissection (analysis) panel, expand the SMB, Session Setup AndX Request. Expand the packet decode information, beginning at the Security Blob: entry. Expand the GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP keys. This should reveal that this is a User Mode session setup packet. The User name: jht so indicates. An example decode is shown in . In this case the user name was jht. This packet decode includes the Lan Manager Response: and the NTLM Response:. The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan password and then the NT (case-preserving) password hash. password length User Mode The passwords are 24-character hexadecimal numbers. This packet confirms that this is a User Mode session setup packet.
Typical Windows XP NULL Session Setup AndX Request WindowsXP-NullConnection
Typical Windows XP User Session Setup AndX Request WindowsXP-UserConnection
Discussion NULL-Session This exercise demonstrates that, while the specific protocol for the Session Setup AndX is handled in a more sophisticated manner by recent MS Windows clients, the underlying rules or principles remain the same. Thus it is demonstrated that MS Windows XP Professional clients still use a NULL-Session connection to query and locate resources on an advanced network technology server (one using Windows NT4/200x or Samba). It also demonstrates that an authenticated connection must be made before resources can be used.
Conclusions to Exercises In summary, the following points have been established in this chapter: When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast-oriented messaging protocols to provide knowledge of network services. Network browsing protocols query information stored on browse masters that manage information provided by NetBIOS Name Registrations and by way of ongoing host announcements and workgroup announcements. All Samba servers must be configured with a mechanism for mapping the NULL-Session to a valid but nonprivileged UNIX system account. The use of Microsoft encrypted passwords is built right into the fabric of Windows networking operations. Such passwords cannot be provided from the UNIX /etc/passwd database and thus must be stored elsewhere on the UNIX system in a manner that Samba can use. Samba-2.x permitted such encrypted passwords to be stored in the smbpasswd file or in an LDAP database. Samba-3 permits use of multiple passdb backend databases in concurrent deployment. Refer to TOSHARG2, Chapter 10, Account Information Databases.
Dissection and Discussion guest account The exercises demonstrate the use of the guest account, the way that MS Windows clients and servers resolve computer names to a TCP/IP address, and how connections between a client and a server are established. Those wishing background information regarding NetBIOS name types should refer to the Microsoft knowledgebase article Q102878. Technical Issues guest account Network browsing involves SMB broadcast announcements, SMB enumeration requests, connections to the IPC$ share, share enumerations, and SMB connection setup processes. The use of anonymous connections to a Samba server involve the use of the guest account that must map to a valid UNIX UID. Questions and Answers The questions and answers given in this section are designed to highlight important aspects of Microsoft Windows networking. What is the significance of the MIDEARTH<1b> type query? Domain Master BrowserDMB DMB This is a broadcast announcement by which the Windows machine is attempting to locate a Domain Master Browser (DMB) in the event that it might exist on the network. Refer to TOSHARG2, Chapter 9, Section 9.7, Technical Overview of Browsing, for details regarding the function of the DMB and its role in network browsing. What is the significance of the MIDEARTH<1d> type name registration? Local Master BrowserLMB LMB This name registration records the machine IP addresses of the LMBs. Network clients can query this name type to obtain a list of browser servers from the master browser. The LMB is responsible for monitoring all host announcements on the local network and for collating the information contained within them. Using this information, it can provide answers to other Windows network clients that request information such as: The list of machines known to the LMB (i.e., the browse list) The IP addresses of all domain controllers known for the domain The IP addresses of LMBs The IP address of the DMB (if one exists) The IP address of the LMB on the local segment What is the role and significance of the <01><02>__MSBROWSE__<02><01> name registration? Browse Master This name is registered by the browse master to broadcast and receive domain announcements. Its scope is limited to the local network segment, or subnet. By querying this name type, master browsers on networks that have multiple domains can find the names of master browsers for each domain. What is the significance of the MIDEARTH<1e> type name registration? Browser Election Service This name is registered by all browse masters in a domain or workgroup. The registration name type is known as the Browser Election Service. Master browsers register themselves with this name type so that DMBs can locate them to perform cross-subnet browse list updates. This name type is also used to initiate elections for Master Browsers. guest account What is the significance of the guest account in smb.conf? This parameter specifies the default UNIX account to which MS Windows networking NULL session connections are mapped. The default name for the UNIX account used for this mapping is called nobody. If the UNIX/Linux system that is hosting Samba does not have a nobody account and an alternate mapping has not been specified, network browsing will not work at all. It should be noted that the guest account is essential to Samba operation. Either the operating system must have an account called nobody or there must be an entry in the &smb.conf; file with a valid UNIX account, such as ftp. Is it possible to reduce network broadcast activity with Samba-3? WINS NetBIOS Yes, there are two ways to do this. The first involves use of WINS (See TOSHARG2, Chapter 9, Section 9.5, WINS &smbmdash; The Windows Inter-networking Name Server); the alternate method involves disabling the use of NetBIOS over TCP/IP. This second method requires a correctly configured DNS server (see TOSHARG2, Chapter 9, Section 9.3, Discussion). broadcast NetBIOSNode Type Hybrid The use of WINS reduces network broadcast traffic. The reduction is greatest when all network clients are configured to operate in Hybrid Mode. This can be effected through use of DHCP to set the NetBIOS node type to type 8 for all network clients. Additionally, it is beneficial to configure Samba to use wins host cast. Use of SMB without NetBIOS is possible only on Windows 200x/XP Professional clients and servers, as well as with Samba-3. Can I just use plain-text passwords with Samba? Yes, you can configure Samba to use plain-text passwords, though this does create a few problems. First, the use of /etc/passwd-based plain-text passwords requires that registry modifications be made on all MS Windows client machines to enable plain-text passwords support. This significantly diminishes the security of MS Windows client operation. Many network administrators are bitterly opposed to doing this. Second, Microsoft has not maintained plain-text password support since the default setting was made disabling this. When network connections are dropped by the client, it is not possible to re-establish the connection automatically. Users need to log off and then log on again. Plain-text password support may interfere with recent enhancements that are part of the Microsoft move toward a more secure computing environment. Samba-3 supports Microsoft encrypted passwords. Be advised not to reintroduce plain-text password handling. Just create user accounts by running smbpasswd -a 'username' It is not possible to add a user to the passdb backend database unless there is a UNIX system account for that user. On systems that run winbindd to access the Samba PDC/BDC to provide Windows user and group accounts, the idmap uid, idmap gid ranges set in the &smb.conf; file provide the local UID/GIDs needed for local identity management purposes. What parameter in the &smb.conf; file is used to enable the use of encrypted passwords? The parameter in the &smb.conf; file that controls this behavior is known as encrypt passwords. The default setting for this in Samba-3 is Yes (Enabled). Is it necessary to specify Yes when Samba-3 is configured as a domain member? No. This is the default behavior. Is it necessary to specify a guest account when Samba-3 is configured as a domain member server? Yes. This is a local function on the server. The default setting is to use the UNIX account nobody. If this account does not exist on the UNIX server, then it is necessary to provide a an_account, where an_account is a valid local UNIX user account.