There are many technologies that enable sharing.
The choice depends on the situation, policies and politics,
security, and convenience required.
The different scenarios are (“AS” = Autonomous System):
File Sharing Scenario                                   | Technology Choices
User A to share with self:                              |
  On same host                                          | —
  Different hosts, same type, on same AS                | sFTP, scp, NFS, Samba
  Different hosts, different types, on same AS          | sFTP, scp, SMBfs, Samba
  Different hosts, same type, on different ASes         | sFTP, scp, NFS, Samba
  Different hosts, different types, on different ASes   | sFTP, scp, SMBfs, Samba
User A to share with User B:                            |
  On same host                                          | cp, NFS (insecure), Samba
  Different hosts, same type, on same AS                | sFTP, scp, NFS, Samba
  Different hosts, different types, on same AS          | sFTP, scp, SMBfs, Samba
  Different hosts, same type, on different ASes         | sFTP, scp, NFS, Samba
  Different hosts, different types, on different ASes   | sFTP, scp, SMBfs
Besides the technologies shown above, “push” technologies
can sometimes be used as well, including email and rdist.
-
Sharing printer resources with Windows clients can't be done with CUPS;
however, it can be done with LPRng (Windows supports the LPD protocol).
Even email can be used to allow remote access to printers.
-
Two choices stand out for ease of administration and security:
sFTP and scp
-
For ease of use, two choices stand out: NFS and SMBfs.
-
Samba addresses many of the problems with NFS and SMBfs.
Samba provides a complete SMB server that clients can use
to access files and printers, browse available resources,
and also provides authentication and authorization services.
However, Samba opens other security holes and is more complex
to use than NFS or SMBfs.
NFS
-
NFS was never designed for security.
NFS restricts access to shares based on IP address.
It then trusts the UID in the access request from that IP address.
So anyone with root access (or a Knoppix CD) can “su” to any
user ID and then access any files!
-
NFS has had three versions so far, 2, 3, and 4.
It is important that the client and server are using
the same version.
-
NFS is designed to be a stateless system.
When a remote mount request is served, a token called
a cookie is returned (and saved on disk).
File access requests from that IP that contain the cookie
are approved.
This scheme means that even if the NFS server crashes,
when it comes back on-line the clients won't notice any problems.
However statelessness means that file-locking is a
difficult problem, and a file can be modified by two
clients at once, thus corrupting the file.
-
To mount an NFS share from a client, you merely issue
a mount command.
Such mounts can be placed in the fstab file
or handled by an automounter.
-
A sample fstab entry:
remote:/foo /share/foo nfs rw,bg,intr,hard 0 0
-
To specify version 3, add the option nfsvers=3.
To specify version 4, replace the filesystem type “nfs” with “nfs4”.
-
Other client-side tasks include configuring identd and TCP Wrappers,
and enabling UDP and TCP ports through your firewall(s):
port 111 (portmap, for RPC services), port 2049 (NFS),
plus other ports for the various RPC services.
You may wish to configure the automounter as well.
-
On the server NFS is implemented by a number of services
that run as daemons: rpc.lockd and rpc.statd for locking,
rpc.rquotad for quota enforcement,
rpc.mountd to handle mount and umount requests,
and rpc.nfsd to handle the actual file service.
All RPC (remote procedure call) services depend on another RPC daemon, portmap.
(On Unix systems the daemons omit the "rpc." prefix.)
-
To indicate some directory and all its contents can be
remotely accessed, you must use the exportfs command.
You use this same command to stop sharing.
-
An fstab-like file called exports (or dfs/dfstab on Solaris)
can be used to make exporting shares easy.
NFS will usually export all shares defined in this file at boot time.
-
The syntax of the exports file varies between Unix and Linux.
For Linux the format of /etc/exports is:
directory-to-share client(option,option,...) ...
with no space between the client name (or IP address) and
the open parenthesis of the options.
Here's an example entry:
/usr/share/man *.wpollock.com(ro)
-
On Unix the format of the exports file /etc/exports is:
directory-to-share -option,option,...
An example is:
/usr/share/man -ro=*.wpollock.com
And on some versions of Solaris, a different file
and format are used.
The file /etc/dfs/dfstab lists the exportfs
commands.
This same example on Solaris is:
share -F nfs -o ro=*.wpollock.com /usr/share/man
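As an added example (not part of these notes), a small Python checker that parses Linux-style /etc/exports entries and flags the settings a reviewer would question: exports to every host, the exports(5) options no_root_squash (remote root keeps UID 0, which is the trust problem described above) and insecure, and the space-before-parenthesis mistake the notes warn about, which silently exports to everyone. The sample exports file is constructed.

```python
import re

# Constructed sample in the Linux /etc/exports syntax shown above (not a real config).
SAMPLE_EXPORTS = """\
# man pages, read-only, for one domain only
/usr/share/man *.wpollock.com(ro)
/home 192.168.1.0/24(rw,sync,root_squash)
/srv/scratch *(rw,no_root_squash,insecure)
/srv/pub (ro)
"""

def parse_exports(text):
    """Return (directory, client, [options]) for every client of every entry.
    A bare option list "(ro)" with no client name means 'every host', which is
    exactly what a stray space before the parenthesis produces."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        directory, *clients = line.split()
        for spec in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"            # empty client name == everyone
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((directory, client, opts))
    return entries

def audit_exports(text):
    """Return (directory, client, reason) findings for risky exports(5) settings."""
    findings = []
    for directory, client, opts in parse_exports(text):
        world = client in ("*", "0.0.0.0/0")
        if world:
            findings.append((directory, client, "exported to every host"))
        if "no_root_squash" in opts:      # remote uid 0 is not mapped to nobody
            findings.append((directory, client, "remote root keeps uid 0 (no_root_squash)"))
        if "insecure" in opts:            # requests from ports >= 1024 are accepted
            findings.append((directory, client, "unprivileged source ports allowed (insecure)"))
        if world and "rw" in opts:
            findings.append((directory, client, "world-writable export"))
    return findings

if __name__ == "__main__":
    for d, c, why in audit_exports(SAMPLE_EXPORTS):
        print(f"{d} {c}: {why}")
```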
NetBIOS
-
NetBIOS started life as an IBM BIOS replacement that sent requests
across a network rather than to a local disk.
NetBIOS is more of an API than a protocol.
Somehow NetBIOS packets must be transported across a network.
NetBIOS itself doesn't address this at all.
-
Microsoft then updated NetBIOS to allow file sharing across a single LAN
by using a second protocol, SMB (Server Message Block),
that runs on top of NetBIOS.
Later print sharing was added as well.
-
The UNC (Universal Naming Convention) name was used to access a share:
\\server\share
Today forward slashes can be used.
NetBIOS names must be unique on the network and are up to 15 characters long.
When a NetBIOS computer advertises its presence (via a broadcast)
it also tells others what types of services it offers.
This is done by adding a 16th byte to the end of the server name
called the resource type, and registering the name multiple times
(once for each service that the server offers).
-
A list of types is:
Type                                                                        | Hex 16th byte value
Standard Workstation Service                                                | 00
Messenger Service                                                           | 03
RAS Server Service                                                          | 06
Domain Master Browser Service (associated with the primary domain controller) | 1B
Logon server                                                                | 1C
Master Browser name                                                         | 1D
Normal Group name (used in browser elections)                               | 1E
NetDDE Service                                                              | 1F
Fileserver (including printer server)                                       | 20
RAS Client Service                                                          | 21
Network Monitor Agent                                                       | BE
Network Monitor Utility                                                     | BF
<01><02>__MSBROWSE__<02>                                                    | 01
-
NetBEUI (NetBIOS Enhanced User Interface) was developed
by IBM, and later enhanced by Microsoft, for LAN Manager.
It allows NetBIOS over a LAN (it is not routable and can't be
used across an internet).
The NetBEUI protocol was very popular with networking applications,
including those running under Windows for Workgroups.
Implementations of NetBIOS over Novell's IPX networking protocols also emerged
for those with Netware LAN servers.
-
Today's networks generally use Ethernet and TCP/IP.
TCP/IP uses numbers to represent computer addresses,
while NetBIOS uses only 15-character names.
In 1987 the IETF published standardization documents, RFC 1001 and RFC 1002,
that outlined how NetBIOS would work over a TCP/UDP network.
This set of documents still governs each implementation that exists today,
including those provided by Microsoft with its Windows operating systems
as well as the Samba suite.
This has become known as NetBIOS over TCP/IP, or NBT.
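As an added example (not from these notes or RFC 1001), the first-level name encoding that NBT uses on the wire: the name is space-padded to 15 bytes, the 16th byte is the resource type from the table above, and each nibble becomes a letter 'A'..'P', so a name such as the notes' later "wpserver" appears in packets as a 32-letter string. Decoding these strings is what you need when reading NBT traffic in a capture; the WPSERVER and __MSBROWSE__ inputs are taken from this page.

```python
# First-level encoding of a NetBIOS name (RFC 1001 section 14.1): the name is
# space-padded to 15 bytes, the 16th byte is the resource type from the table
# above, and every byte is written as two letters 'A'..'P' (one per nibble).
MSBROWSE = b"\x01\x02__MSBROWSE__\x02"       # the special browser group name, type 0x01

def netbios_encode(name, suffix):
    """Return the 32-letter encoding of NAME (str or bytes) with type byte SUFFIX."""
    raw = name if isinstance(name, bytes) else name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 bytes")
    raw = raw.ljust(15, b" ") + bytes([suffix])
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0x0F)) for b in raw)

def netbios_decode(encoded):
    """Inverse of netbios_encode: return (name_bytes, suffix) with padding removed."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" "), raw[15]

# Subset of the resource-type table above, for labelling decoded names.
SUFFIX_NAMES = {0x00: "Workstation", 0x03: "Messenger", 0x1B: "Domain Master Browser",
                0x1C: "Logon server", 0x1D: "Master Browser", 0x1E: "Browser election group",
                0x20: "File server", 0x01: "__MSBROWSE__ group"}

def describe(encoded):
    """Render an encoded name as NAME<type> label, e.g. 'WPSERVER<20> File server'."""
    name, suffix = netbios_decode(encoded)
    if all(32 <= b < 127 for b in name):
        shown = name.decode("ascii")
    else:
        shown = name.hex()                       # control bytes, e.g. the __MSBROWSE__ name
    return f"{shown}<{suffix:02X}> {SUFFIX_NAMES.get(suffix, 'unknown type')}"

if __name__ == "__main__":
    enc = netbios_encode("wpserver", 0x20)       # the test server name used later in these notes
    print(enc, "->", describe(enc))
    print(netbios_encode(MSBROWSE, 0x01), "->", describe(netbios_encode(MSBROWSE, 0x01)))
```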
-
NBT offers two services: the session service and the datagram service.
-
Somehow the server name (NetBIOS name) has to be translated
into a network address.
How this is done depends on what transport service is used (e.g.,
NetBEUI, IPX, or TCP/IP).
The different schemes include a database file called lmhosts
(for LAN Manager hosts) that lists names and addresses;
periodic broadcasts, with caching of the addresses learned;
a special name server called WINS (the technical name
is NetBIOS name server, or NBNS); and even DNS, among others.
-
NetBIOS hosts can be grouped. Originally the group name
was known as the workgroup (in Windows for Workgroups)
but today it is more commonly referred to as a Windows domain.
Samba and SMB
-
Samba is an SMB (Server Message Block) server for Unix/Linux platforms,
enabling Unix/Linux hosts to share files and printers with Windows
(or other Unix/Linux) clients.
The Samba client tools allow a Unix/Linux platform
to browse and access SMB shares (both file and printer shares).
Samba can also operate as a Windows primary domain controller
and/or a WINS server.
-
SMB is very complex (due to backward compatibility and other issues)
and provides hundreds of service calls; no system (not even MS servers!)
fully implements them all.
-
Initially there was no way to browse the network to see what
servers and shares existed.
Microsoft later added browsing.
-
On each LAN with at least one Windows workgroup or domain on it,
one computer has the responsibility of maintaining a list of
the computers that are currently accessible through the network.
This computer is called the local master browser.
The list that it maintains is called the browse list.
SMB clients can see what's available by examining this list, rather
than using broadcast requests and announcements each time.
-
The various hosts capable of running the master browser participate in
browser elections, whenever such a host comes on-line.
One is selected as the master browser for that group (domain), and others
are elected as backup browsers.
The elections use broadcasts and thus wouldn't normally work across
network boundaries.
Thus a master browser is elected per network (a.k.a. subnet or LAN).
-
Windows 95/98/Me authentication
Three types of passwords arise when Windows 95/98/Me is operating in a
Windows workgroup: A Windows password, a Windows Networking password,
and a password for each shared resource that has been assigned password
protection.
The Windows password is not there to prevent unauthorized users from using
the computer.
Instead the Windows password is used to gain access to a file that
contains the Windows Networking and network resource passwords.
There is one such file per registered user of the system,
and they can be found in the C:\Windows directory with a name composed
of the user's account name, followed by a .pwl extension.
-
The first time the network is accessed Windows attempts to use the Windows
password as the Windows Networking password.
If this fails the user will be prompted for the network password.
(This password is used to enable access to some server.)
-
Shared network resources in the workgroup can also have passwords
assigned to them to limit their accessibility.
This is known as share level security.
Such passwords can be stored in the user's password list file, to
make future use automatic.
-
Windows NT introduced domain controllers.
These provide user-level security by providing authentication
and authorization services for all users and hosts within
a single domain.
Samba can provide this service itself, or can be configured with the IP address
of a domain controller that provides it.
-
Domain controllers may have trust relationships.
This means that if UserA is authenticated by the Domain1 controller and
attempts to access resources controlled by the Domain2 controller,
and the Domain2 controller trusts the Domain1 controller, then
UserA is considered authenticated.
Of course UserA's access rights to Domain2 resources are
still controlled by the Domain2 controller.
-
For this scheme to work it is important that the names of
all users in an AS be consistent across all domains.
It also implies that a domain is only as secure as the least
secure domain controller it trusts.
(Similar trust occurs in Unix/Linux with rhosts and hosts.equiv.)
-
Windows NT domains are not a good solution (for the same reason that
rhosts use is discouraged), and current Windows servers
use a single database for authentication and authorization
known as an Active Directory domain.
Active Directory uses a single central LDAP database for user
authentication and authorization data. Additionally, the
new scheme uses DNS to resolve host names.
-
Another new feature is DFS.
Microsoft Dfs allows shared resources that are dispersed among
a number of servers in the network to be gathered together and
appear to users as if they all exist in a single directory tree
on one server.
The idea is to group all printers together regardless of which
domain/server they reside on.
-
Samba's services are provided by two daemons, nmbd and smbd.
The first handles all NetBIOS naming and browsing work;
the second handles all other tasks (authentication, authorization,
and serving shares).
-
Modern Samba includes a GUI configuration interface, called SWAT, that works
through your web browser (although other tools such as
webmin can be used).
SWAT is started via xinetd
(the firewall won't need any adjustment if the connection
is allowed from localhost:901 only).
Samba Configuration
Both Samba daemons use the same configuration file, smb.conf.
This "INI" like file contains comments, blank lines, and
various sections.
Aside from a few special sections there is one section per
share.
After editing smb.conf you should run "testparm" to verify
the syntax of this file.
Samba/SMB uses the following port numbers.
You must open these in your firewall or Samba can't
work!
Samba Port Numbers
UDP/137 | Used for NetBIOS network browsing
UDP/138 | Used for NetBIOS name service
TCP/139 | Used for file and printer sharing and other operations
TCP/445 | Used by Windows 2000/XP when NetBIOS over TCP/IP is disabled
TCP/901 | Used by SWAT
Samba can be configured to start on demand (by configuring
xinetd) or at boot time (by enabling the smb (sometimes samba) service).
Sharing files
You can create your test share with:
mkdir -p -m 1777 /tmp/wpshare
echo 'it works' > /tmp/wpshare/afile.txt
chmod 444 /tmp/wpshare/afile.txt
You can test your server with:
smbclient -L wpserver -U%
Your smb.conf file should look similar to this one:
[global]
netbios name = wpserver
workgroup = CTS2322
wins support = yes
; *** OR, instead of "wins support", use the following:
; wins server = IP Address of WINS server

[wpshare]
comment = For testing only!
path = /tmp/wpshare
read only = no
browseable = yes
guest ok = yes
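Beyond testparm's syntax check, it is worth reviewing what a share actually grants. As an added example (not part of these notes or of Samba), this Python snippet reads an smb.conf and reports two things the notes touch on: the mutually exclusive "wins support" / "wins server" pair, and shares where "guest ok" (or its synonym "public") is combined with write access ("read only = no" or "writable = yes"), as in the test share above. The sample smb.conf is constructed.

```python
import configparser
# Constructed smb.conf modelled on the test share above (not the notes' own file).
SAMPLE_SMB_CONF = """\
[global]
netbios name = wpserver
workgroup = CTS2322
wins support = yes
wins server = 192.0.2.10

[wpshare]
comment = For testing only!
path = /tmp/wpshare
read only = no
browseable = yes
guest ok = yes

[docs]
path = /srv/docs
public = yes
writable = no
"""

def smb_bool(value, default):
    """Parse a Samba yes/no value; a missing or unrecognised value gives DEFAULT."""
    v = (value or "").strip().lower()
    if v in ("yes", "true", "1"):
        return True
    return False if v in ("no", "false", "0") else default

def audit_smb_conf(text):
    """Return (section, problem) findings: WINS misconfiguration and guest-writable shares."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)  # keep %U etc. literal
    cp.read_string(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if smb_bool(g.get("wins support"), False) and g.get("wins server"):
        findings.append(("global", "wins support = yes and wins server are both set"))
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        guest = smb_bool(s.get("guest ok", s.get("public")), False)  # 'public' is a synonym
        if "read only" in s:                                          # default: read only = yes
            writable = not smb_bool(s.get("read only"), True)
        else:                                                         # 'writable' inverts it
            writable = smb_bool(s.get("writable", s.get("writeable")), False)
        if guest and writable:
            findings.append((share, "guest users can write to this share"))
    return findings
```

Run it with `for sec, why in audit_smb_conf(open("/etc/samba/smb.conf").read()): print(sec, why)` against a real file; an empty result means neither problem was found.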
Sharing printers
First define a printer (and enable CUPS if needed).
Then modify your smb.conf file by adding:
[global]
load printers = yes
printing = cups
printcap name = cups
auto services = list of printers
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
use client driver = Yes
public = yes
guest ok = yes
writable = no
printable = yes
printer admin = root
The "auto services" line lists the printers that you want browseable;
other printers are available but not visible in the browse list.
If you wish to allow Windows clients to point and click through
the Add-A-Printer dialog, you must provide the Windows
print drivers for your printers.
This is done by changing the "use client driver" value to "no"
and adding the following section:
[print$]
comment = Printer Drivers
path = /etc/samba/drivers
browseable = yes
guest ok = no
read only = yes
write list = root
You also need to actually download and install the printer drivers!
You get them from: ftp://ftp2.easysw.com/pub/cups/windows/.
These drivers work on NT, 2000, and XP.
You need drivers from Adobe for Win95, 98, and ME; this is not discussed here.
Then do the following to install them:
# mkdir /tmp/cups-samba; cd /tmp/cups-samba
# mv ~/cups-samba-version.tar.gz .
# tar xvzf cups-samba-version.tar.gz
# ./cups-samba.install
# cupsaddsmb -v -H localhost -U root -a
Sharing home directories
Add the following to share all users' home directories, except
those of the users listed:
[global]
invalid users = root bin daemon adm sync shutdown \
halt mail news uucp operator ...
[homes]
browsable = no
writable = yes
Because the [homes] share is not browseable, users will need to know their
username in order to connect to it.