File (and printer) sharing

There are many technologies that enable sharing. The choice depends on the situation, policies and politics, security, and convenience required. The different scenarios are (“AS” = Autonomous System):


File Sharing Scenario	Technology Choices
User A to share with self	On Same host	—
	Different hosts, same type, on same AS	sFTP, scp, NFS, Samba
	Different hosts, different types, on same AS	sFTP, scp, SMBfs, Samba
	Different hosts, same type, on different ASes	sFTP, scp, NFS, Samba
	Different hosts, different types, on different ASes	sFTP, scp, SMBfs, Samba
User A to share with User B
	On same host	cp, NFS (insecure), Samba
	Different hosts, same type, on same AS	sFTP, scp, NFS, Samba
	Different hosts, different types, on same AS	sFTP, scp, SMBfs, Samba
	Different hosts, same type, on different ASes	sFTP, scp, NFS, Samba
Different hosts, different types, on different ASes	sFTP, scp, SMBfs

In addition to the technologies shown above additional “push” technologies can sometimes be used, including email and rdist.

Sharing printer resources with Windows clients can't be done with CUPS, however it can be done with LPRng (Windows supports LPD protocol). Even email can be used to allow remote access to printers.
Two choices stand out for ease of administration and security: sFTP and scp
For ease of use two choices stand out, NFS and SMBfs
Samba addresses many of the problems with NFS and SMBfs. Samba provides a complete SMB server that clients can use to access files and printers, browse available resources, and also provides authentication and authorization services. However Samba opens other security holes and is more complex to use than NFS or SMBfs.

NFS

NFS was never designed for security. NFS restricts access to shares based on IP address. It then trusts the UID in the access request from that IP address. So anyone with root access (or a Knoppix CD) can “su” to any user ID and then access any files!
NFS has had three versions so far, 2, 3, and 4. It is important that the client and server are using the same version.
NFS is designed to be a stateless system. When a remote mount request is served, a token called a cookie is returned (and saved on disk). File access requests from that IP that contain the cookie are approved. This scheme means that even if the NFS server crashes, when it comes back on-line the clients won't notice any problems. However statelessness means that file-locking is a difficult problem, and a file can be modified by two clients at once, thus corrupting the file.
To mount some NFS share from a client, you merely issue a mount command. These can be placed in the fstab file or monitored with some automounter.

A sample fstab entry:

remote:/foo  /share/foo nfs  rw,bg,intr,hard 0 0

To specify version 3 add the option nfsvers=3. To specify version 4, replace “nfs” with “nsf4”.
Other client-side tasks include configuring identd, TCPWrappers, and enabling UDP and TCP ports through your firewall(s): port 111 (for portmap RPC services), 2049 (NFS ports), plus other ports for various RPC services. You may wish to configure the automounter as well.
On the server NFS is implemented by a number of services that run as daemons: rpc.lockd and rpc.statd for locking, rpc.rquotad for quota enforcement, rpc.mountd to handle mount and umount requests, and rpc.nfsd to handle the actual file service. All RPC (remote procedure call) services depend on another RPC daemon, portmap. (On Unix systems the daemons omit the "rpc." prefix.)
To indicate some directory and all its contents can be remotely accessed, you must use the exportfs command. You use this same command to stop sharing.
An fstab-like file called exports (or dfs/dfstab on Solaris) can be used to make exporting shares easy. NFS will usually export all shares defined in this file at boot time.
The syntax of the exports file varies between Unix and Linux. For Linux the format of /etc/exports is:
```
directory-to-share    client(option, option, ...) ...
```
with no space between the client name (or IP address) and the open parenthesis of the options. Here's an example entry:
```
/usr/share/man    *.wpollock.com(ro)
```
On Unix the format of exports file /etc/exports is:
```
directory-to-share -option,option,...
```
An example is:
```
/usr/share/man -ro=*.wpollock.com
```
And on some versions of Solaris, a different file and format are used. The file /etc/dfs/dfstab lists the exportfs commands. This same example on Solaris is:
```
share -F nfs -o ro=*.wpollock.com /usr/share/man
```

NetBIOS

NetBIOS started life as an IBM BIOS replacement that sent requests across a network rather than to a local disk. NetBIOS is more of an API than a protocol. Somehow NetBIOS packets must be transported across a network. NetBIOS itself doesn't address this at all.
Microsoft then updated NetBIOS to allow file sharing across a single LAN by using a second protocol SMB (service message blocks) that runs on top of NetBIOS. Later print sharing was added as well.
The UNC (Universial Naming Convention) name was used to access a share: \\server\share Today forward slashes can be used. The NetBIOS names must be unique on the network and are upto 15 characters long. When a NetBIOS computer advertises its presence (via a broadcast) it also tells others what types of services it offers. This is done by adding a 16th byte to the end of the server name called the resource type, and registering the name multiple times (once for each service that the server offers).

A list of types is:


Type	Hex 16th byte value
Standard Workstation Service	00
Messenger Service	03
RAS Server Service	06
Domain Master Browser Service (associated with primary domain controller)	1B
Logon server	1C
Master Browser name	1D
Normal Group name (used in browser elections)	1E
NetDDE Service	1F
Fileserver (including printer server)	20
RAS Client Service	21
Network Monitor Agent	BE
Network Monitor Utility	BF
<01><02>_ _MSBROWSE_ _<02>	01

NetBEUI (NetBIOS Enhanced User Interface) was developed by IBM, and later enhanced by Microsoft, for Lan Manager. It allows NetBIOS over a LAN (it is not routable and can't be used across an internet). The NetBEUI protocol was very popular with networking applications, including those running under Windows for Workgroups. Implementations of NetBIOS over Novell's IPX networking protocols also emerged for those with Netware LAN servers.
Todays networks generally use Ethernet TCP/IP. TCP/IP uses numbers to represent computer addresses while NetBIOS uses only 15 character names. In 1987 the IETF published standardization documents, titled RFC 1001 and 1002 that outlined how NetBIOS would work over a TCP/UDP network. This set of documents still governs each implementation that exists today, including those provided by Microsoft with its Windows operating systems as well as the Samba suite. This has become known as NetBIOS over TCP/IP, or NBT.
NBT offers two services: the session service and the datagram service.
Somehow the server name (NetBIOS name) has to be translated into a network address. How this is done depends on what transport service is used (e.g., NetBEUI, IPX, or TCP/IP). Different schemes include a special file to be used as a database called lmhosts (For Lan Manager Hosts) with lists names and addresses, periodic broadcasts and caching of addresses, a special server for addresses called WINS (the technical name is NetBIOS name server, or NBNS), and even DNS and others.
NetBIOS hosts can be grouped. Originally the group name was known as the workgroup (in Windows for Workgroups) but today it is more commonly referred to as a Windows domain.

Samba and SMB

Samba is a SMB (Server Message Block) Unix/Linux platforms, enabling Unix/Linux hosts to share files and printers with Windows (or other Unix/Linux) clients. The Samba client tools allow a Unix/Linux platform to browse and access SMB shares (both file and printer shares). Samba can also operate as a Windows primary domain controller and/or a WINS server.
SMB is very complex (due to backward compatibility and other issues) and provides hundreds of service calls, no system (not even MS servers!) fully implement them all.
Initially there way no way to browse the network to see what servers and shares existed. Microsoft added browsing.
On each LAN with at least one Windows workgroup or domain on it, one computer has the responsibility of maintaining a list of the computers that are currently accessible through the network. This computer is called the local master browser. The list that it maintains is called the browse list. SMB clients can see what's available by examining this list, rather than using broadcast requests and announcments each time.
The various hosts capable of running the master browser participate in browser elections, whenever such a host comes on-line. One is selected as the master browser for that group (domain), and others are elected as backup browsers. The elections use broadcasts and thus wouldn't normally work across network boundries. Thus a master browser is elected per network. (a.k.a. subnet or LAN).
Windows 95/98/Me authentication Three types of passwords arise when Windows 95/98/Me is operating in a Windows workgroup: A Windows password, a Windows Networking password, and a password for each shared resource that has been assigned password protection. The Windows password is not there to prevent unauthorized users from using the computer. Instead the Windows password is used to gain access to a file that contains the Windows Networking and network resource passwords. There is one such file per registered user of the system, and they can be found in the C:\Windows directory with a name composed of the user's account name, followed by a .pwl extension.
The first time the network is accessed Windows attempts to use the Windows password as the Windows Networking password. If this fails the user will be prompted for the network password. (This password is used to enable access to some server.)
Shared network resources in the workgroup can also have passwords assigned to them to limit their accessibility. This is known as share level security. Such passwords can be stored in the user's password list file, to make future use automatic.
WindowsNT introduced domain controllers. These provide user-level security by providing authentication and authorization services for all users and hosts within a single domain. Samba can provide this service, or can contain the IP address of some domain controller to provide the service.
Domain controllers may have trust relationships. This means if userA is authenticated by Domain1 controller and attempts to access resources controlled by Domain2 controller, and Domain2 controller trusts the Domain1 controller, than UserA is considered authenticated. Of course UserA's access rights to Domain2 resources are still controlled by Domain2 controller.
For this scheme to work it is important that the names of all users in an AS be consistant across all domains. It also implies that a domain is only as secure at the lest secure domain controller it trusts. (Similar trust occurs in Unix/Linux with rhosts and hosts.equiv.)
WindowsNT Domains are not a good solution (the same reason why rhosts use is discouraged) and current Windows servers use a single database for authentication and authorization known as an active directory domain. Active directory uses a single central LDAP databse for user authentication and authorization data. Additionally the new scheme uses DNS to resolve host names.
Another new feature is DFS. Microsoft Dfs allows shared resources that are dispersed among a number of servers in the network to be gathered together and appear to users as if they all exist in a single directory tree on one server. The idea is to group all printers together regardless of which domain/server they reside on.
These services are provided by two daemons, nmbd and smbd. The first handles all NetBIOS naming and browsing work, the second handles all other tasks (authentication, authorization, and serving shares).
Modern Samba uses a GUI configuration interface that works through your web browser called swat (although other tools such as webmin can be used). Swat is started via xinetd (the firewall won't need any adjustment to allow the connection from localhost:901 only).

Samba Configuration

Both Samba daemons use the same configuration file, smb.conf. This "INI" like file contains comments, blank lines, and various sections. Aside from a few special sections there is one section per share.

After editing smb.conf you should run "testparm" to verify the syntax of this file.

Samba/SMB use the following port numbers. You must make some holes in your firewall or Samba can't work!

Samba Port Numbers
UDP/137	Used for NetBIOS network browsing
UDP/138	Used for NetBIOS name service
TCP/139	Used for file and printer sharing and other operations
TCP/445	Used by Windows 2000/XP when NetBIOS over TCP/IP is disabled
TCP/901	Used by SWAT

Samba can be configured to start on demand (by configuring xinetd) or at boot time (by enabling the smb (sometimes samba) service).

Sharing files

You can create your test share with:

mkdir -p -m 1777 /tmp/wpshare
echo 'it works' > /tmp/wpshare/afile.txt
chmod 444 /tmp/wpshare/afile.txt

You can test your server with:

	smbclient -L wpserver -U%

Your smb.conf file should look similar to this one:

[global]
    netbios name = wpserver
    workgroup = CTS2322
    wins support = yes       ***OR the following instead:
    wins server = IP Address of WINS server

[wpshare]
    comment = For testing only!
    path = /tmp/wpshare
    read only = no
    browseable = yes
    guest ok = yes

Sharing printers

First define a printer (and enable CUPS if needed). Then modify your smb.conf file by adding:

[global]
   load printers = yes
   printing = cups
   printcap name = cups
   auto services = list of printers

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   use client driver = Yes
   public = yes
   guest ok = yes
   writable = no
   printable = yes
   printer admin = root

The "auto services" lists the printers that you want browseable; other printers are available but not visible in the borwse list.

If you wish to allow Windows clients to point and click through the Add-A-Printer dialog you must provide the Windows print drivers for your printers. This is done by changes the "use client driver" value to "no", and adding the following section:

[print$]
   comment = Printer Drivers
   path = /etc/samba/drivers
   browseable = yes
   guest ok = no
   read only = yes
   write list = root

You also need to actually download and install the printer drivers! You get them from: ftp://ftp2.easysw.com/pub/cups/windows/. These drivers work on NT, 2000, and XP. You need drivers from Adobe for Win95, 98, and ME; this is not discussed here. Then do the following to install them:

# mkdir /tmp/cups-samba; cd /tmp/cups-samba
# mv ~/ cups-samba-version.tar.gz .
# tar xvzf cups-samba-version.tar.gz
# ./cups-samba.install
# cupsaddsmb -v -H localhost -U root -a

Sharing home directories

Add the following to share all user's home directories, except the ones listed:

[global]
    invalid users = root bin daemon adm sync shutdown \
                    halt mail news uucp operator ...

[homes]
    browsable = no
    writable = yes

The non-browser feature means that users will need to know their username.