--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 16. Networking Primer</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="appendix.html" title="Chapter 15. A Collection of Useful Tidbits"><link rel="next" href="gpl.html" title="Appendix A. GNU General Public License"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 16. Networking Primer</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="appendix.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="gpl.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="primer"></a>Chapter 16. Networking Primer</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="primer.html#id2593882">Requirements and Notes</a></span></dt><dt><span class="sect1"><a href="primer.html#id2594044">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id2594105">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#id2594222">Exercises</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id2594347">Single-Machine Broadcast Activity</a></span></dt><dt><span class="sect2"><a href="primer.html#secondmachine">Second Machine Startup Broadcast Interaction</a></span></dt><dt><span class="sect2"><a href="primer.html#id2595493">Simple Windows Client Connection Characteristics</a></span></dt><dt><span class="sect2"><a href="primer.html#id2595990">Windows 200x/XP Client Interaction with Samba-3</a></span></dt><dt><span class="sect2"><a href="primer.html#id2596558">Conclusions to Exercises</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01conc">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="primer.html#id2596672">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="primer.html#chap01qa">Questions and Answers</a></span></dt></dl></div><p>
+ You are about to use the equivalent of a microscope to look at the information
+ that runs through the veins of a Windows network. We do more to observe the information than
+ to interrogate it. When you are done with this primer, you should have a good understanding
+ of the types of information that flow over the network. Do not worry, this is not
+ a biology lesson. We won't lose you in unnecessary detail. Think to yourself, “<span class="quote">This
+ is easy,</span>” then tackle each exercise without fear.
+ </p><p>
+ Samba can be configured with a minimum of complexity. Simplicity should be mastered
+ before you get too deeply into complexities. Let's get moving: we have work to do.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2593882"></a>Requirements and Notes</h2></div></div></div><p>
+ Successful completion of this primer requires two Microsoft Windows 9x/Me Workstations
+ as well as two Microsoft Windows XP Professional Workstations, each equipped with an Ethernet
+ card connected using a hub. Also required is one additional server (either Windows
+ NT4 Server, Windows 2000 Server, or a Samba-3 on UNIX/Linux server) running a network
+ sniffer and analysis application (ethereal is a good choice). All work should be undertaken
+ on a quiet network where there is no other traffic. It is best to use a dedicated hub
+ with only the machines under test connected at the time of the exercises.
+ </p><p><a class="indexterm" name="id2593903"></a>
+ Ethereal has become the network protocol analyzer of choice for many network administrators.
+ You may find more information regarding this tool from the
+ <a href="http://www.ethereal.com" target="_top">Ethereal</a> Web site. Ethereal installation
+ files for Windows may be obtained from the Ethereal Web site. Ethereal is provided with
+ SUSE and Red Hat Linux distributions, as well as with many other Linux distributions. It may
+ not be installed on your system by default. If it is not installed, you may also need
+ to install the <span><strong class="command">libpcap </strong></span> software before you can install or use Ethereal.
+ Please refer to the instructions for your operating system or to the Ethereal Web site
+ for information regarding the installation and operation of Ethereal.
+ </p><p>
+ To obtain <span><strong class="command">ethereal</strong></span> for your system, please visit the Ethereal
+ <a href="http://www.ethereal.com/download.html#binaries" target="_top">download site</a>.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ The successful completion of this chapter requires that you capture network traffic
+ using <span><strong class="command">Ethereal</strong></span>. It is recommended that you use a hub, not an
+ Ethernet switch. It is necessary for the device used to act as a repeater, not as a
+ filter. Ethernet switches may filter out traffic that is not directed at the machine
+ that is used to monitor traffic; this would not allow you to complete the projects.
+ </p></div><p>
+ <a class="indexterm" name="id2593972"></a>
+ Do not worry too much if you do not have access to all this equipment; network captures
+ from the exercises are provided on the enclosed CD-ROM. This makes it possible to dive directly
+ into the analytical part of the exercises if you so desire.
+ </p><p><a class="indexterm" name="id2593988"></a><a class="indexterm" name="id2593999"></a>
+ Please do not be alarmed at the use of a high-powered analysis tool (Ethereal) in this
+ primer. We expose you only to a minimum of detail necessary to complete
+ the exercises. If you choose to use any other network sniffer and protocol
+ analysis tool, be advised that it may not allow you to examine the contents of
+ recently added security protocols used by Windows 200x/XP.
+ </p><p>
+ You could just skim through the exercises and try to absorb the key points made.
+ The exercises provide all the information necessary to convince the die-hard network
+ engineer. You possibly do not require so much convincing and may just want to move on,
+ in which case you should at least read <a href="primer.html#chap01conc" title="Dissection and Discussion">???</a>.
+ </p><p>
+ <a href="primer.html#chap01qa" title="Questions and Answers">???</a> also provides useful information
+ that may help you to avoid significantly time-consuming networking problems.
+ </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2594044"></a>Introduction</h2></div></div></div><p>
+ The purpose of this chapter is to create familiarity with key aspects of Microsoft Windows
+ network computing. If you want a solid technical grounding, do not gloss over these exercises.
+ The points covered are recurrent issues on the Samba mailing lists.
+ </p><p><a class="indexterm" name="id2594059"></a>
+ You can see from these exercises that Windows networking involves quite a lot of network
+ broadcast traffic. You can look into the contents of some packets, but only to see
+ some particular information that the Windows client sends to a server in the course of
+ establishing a network connection.
+ </p><p>
+ To many people, browsing is everything that happens when one uses Microsoft Internet Explorer.
+ It is only when you start looking at network traffic and noting the protocols
+ and types of information that are used that you can begin to appreciate the complexities of
+ Windows networking and, more importantly, what needs to be configured so that it can work.
+ Detailed information regarding browsing is provided in the recommended
+ preparatory reading.
+ </p><p>
+ Recommended preparatory reading: <span class="emphasis"><em>The Official Samba-3 HOWTO and Reference Guide, Second
+ Edition</em></span> (TOSHARG2) Chapter 9, “<span class="quote">Network Browsing,</span>” and Chapter 3,
+ “<span class="quote">Server Types and Security Modes.</span>”
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2594105"></a>Assignment Tasks</h3></div></div></div><p><a class="indexterm" name="id2594111"></a>
+ You are about to witness how Microsoft Windows computer networking functions. The
+ exercises step through identification of how a client machine establishes a
+ connection to a remote Windows server. You observe how Windows machines find
+ each other (i.e., how browsing works) and how the two key types of user identification
+ (share mode security and user mode security) are affected.
+ </p><p><a class="indexterm" name="id2594129"></a>
+ The networking protocols used by MS Windows networking when working with Samba
+ use TCP/IP as the transport protocol. The protocols that are specific to Windows
+ networking are encapsulated in TCP/IP. The network analyzer we use (Ethereal)
+ is able to show you the contents of the TCP/IP packets (or messages).
+ </p><div class="procedure"><a name="chap01tasks"></a><p class="title"><b>Procedure 16.1. Diagnostic Tasks</b></p><ol type="1"><li><p><a class="indexterm" name="id2594162"></a><a class="indexterm" name="id2594174"></a><a class="indexterm" name="id2594182"></a>
+ Examine network traces to witness SMB broadcasts, host announcements,
+ and name resolution processes.
+ </p></li><li><p>
+ Examine network traces to witness how share mode security functions.
+ </p></li><li><p>
+ Examine network traces to witness the use of user mode security.
+ </p></li><li><p>
+ Review traces of network logons for a Windows 9x/Me client as well as
+ a domain logon for a Windows XP Professional client.
+ </p></li></ol></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2594222"></a>Exercises</h2></div></div></div><p>
+ <a class="indexterm" name="id2594229"></a>
+ You are embarking on a course of discovery. The first part of the exercise requires
+ two MS Windows 9x/Me systems. We called one machine <code class="constant">WINEPRESSME</code> and the
+ other <code class="constant">MILGATE98</code>. Each needs an IP address; we used <code class="literal">10.1.1.10</code>
+ and <code class="literal">10.1.1.11</code>. The test machines need to be networked via a <span class="emphasis"><em>hub</em></span>. A UNIX/Linux
+ machine is required to run <span><strong class="command">Ethereal</strong></span> to enable the network activity to be captured.
+ It is important that the machine from which network activity is captured must not interfere with
+ the operation of the Windows workstations. It is helpful for this machine to be passive (does not
+ send broadcast information) to the network.
+ </p><p>
+ For these exercises, our test environment consisted of a SUSE 9.2 Professional Linux Workstation running
+ VMWare 4.5. The following VMWare images were prepared:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Windows 98 name: MILGATE98</p></li><li><p>Windows Me name: WINEPRESSME</p></li><li><p>Windows XP Professional name: LightrayXP</p></li><li><p>Samba-3.0.20 running on a SUSE Enterprise Linux 9</p></li></ul></div><p>
+ Choose a workgroup name (MIDEARTH) for each exercise.
+ </p><p>
+ <a class="indexterm" name="id2594319"></a>
+ The network captures provided on the CD-ROM included with this book were captured using <code class="constant">Ethereal</code>
+ version <code class="literal">0.10.6</code>. A later version suffices without problems, but an earlier version may not
+ expose all the information needed. Each capture file has been decoded and listed as a trace file. A summary of all
+ packets has also been included. This makes it possible for you to do all the studying you like without the need to
+ perform the time-consuming equipment configuration and test work. This is a good time to point out that the value
+ that can be derived from this book really does warrant your taking sufficient time to practice each exercise with
+ care and attention to detail.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2594347"></a>Single-Machine Broadcast Activity</h3></div></div></div><p>
+ In this section, we start a single Windows 9x/Me machine, then monitor network activity for 30 minutes.
+ </p><div class="procedure"><a name="id2594358"></a><p class="title"><b>Procedure 16.2. Monitoring Windows 9x Steps</b></p><ol type="1"><li><p>
+ Start the machine from which network activity will be monitored (using <span><strong class="command">ethereal</strong></span>).
+ Launch <span><strong class="command">ethereal</strong></span>, click
+ <span class="guimenu">Capture</span>-><span class="guimenuitem">Start</span>.
+ </p><p>
+ Click the following:
+ </p><div class="orderedlist"><ol type="1"><li><p>Update list of packets in real time</p></li><li><p>Automatic scrolling in live capture</p></li><li><p>Enable MAC name resolution</p></li><li><p>Enable network name resolution</p></li><li><p>Enable transport name resolution</p></li></ol></div><p>
+ Click <span class="guibutton">OK</span>.
+ </p></li><li><p>
+ Start the Windows 9x/Me machine to be monitored. Let it run for a full 30 minutes. While monitoring,
+ do not press any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
+ </p></li><li><p>
+ At the conclusion of 30 minutes, stop the capture. Save the capture to a file so you can go back to it later.
+ Leave this machine running in preparation for the task in <a href="primer.html#secondmachine" title="Second Machine Startup Broadcast Interaction">???</a>.
+ </p></li><li><p>
+ Analyze the capture. Identify each discrete message type that was captured. Note what transport protocol
+ was used. Identify the timing between messages of identical types.
+ </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2594481"></a>Findings</h4></div></div></div><p>
+ The summary of the first 10 minutes of the packet capture should look like <a href="primer.html#pktcap01" title="Figure 16.1. Windows Me Broadcasts The First 10 Minutes">???</a>.
+ A screenshot of a later stage of the same capture is shown in <a href="primer.html#pktcap02" title="Figure 16.2. Windows Me Later Broadcast Sample">???</a>.
+ </p><div class="figure"><a name="pktcap01"></a><p class="title"><b>Figure 16.1. Windows Me Broadcasts The First 10 Minutes</b></p><div class="mediaobject"><img src="images/WINREPRESSME-Capture.png" width="216" alt="Windows Me Broadcasts The First 10 Minutes"></div></div><div class="figure"><a name="pktcap02"></a><p class="title"><b>Figure 16.2. Windows Me Later Broadcast Sample</b></p><div class="mediaobject"><img src="images/WINREPRESSME-Capture2.png" width="226.8" alt="Windows Me Later Broadcast Sample"></div></div><p><a class="indexterm" name="id2594598"></a><a class="indexterm" name="id2594610"></a>
+ Broadcast messages observed are shown in <a href="primer.html#capsstats01" title="Table 16.1. Windows Me Startup Broadcast Capture Statistics">???</a>.
+ Actual observations vary a little, but not by much.
+ Early in the startup process, the Windows Me machine broadcasts its name for two reasons:
+ first to ensure that its name would not result in a name clash, and second to establish its
+ presence with the Local Master Browser (LMB).
+ </p><div class="table"><a name="capsstats01"></a><p class="title"><b>Table 16.1. Windows Me Startup Broadcast Capture Statistics</b></p><table summary="Windows Me Startup Broadcast Capture Statistics" border="1"><colgroup><col align="left"><col align="center"><col align="center"><col align="left"></colgroup><thead><tr><th align="left">Message</th><th align="center">Type</th><th align="center">Num</th><th align="left">Notes</th></tr></thead><tbody><tr><td align="left">WINEPRESSME<00></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">WINEPRESSME<03></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">WINEPRESSME<20></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<00></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1d></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1e></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1b></td><td align="center">Qry</td><td align="center">84</td><td align="left">300 sec apart at stable operation</td></tr><tr><td align="left">__MSBROWSE__</td><td align="center">Reg</td><td align="center">8</td><td align="left">Registered after winning election to Browse Master</td></tr><tr><td align="left">JHT<03></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 x 2. This is the name of the user that logged onto Windows</td></tr><tr><td align="left">Host Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">2</td><td align="left">Observed at 10 sec</td></tr><tr><td align="left">Domain/Workgroup Announcement MIDEARTH</td><td align="center">Ann</td><td align="center">18</td><td align="left">300 sec apart at stable operation</td></tr><tr><td align="left">Local Master Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">18</td><td align="left">300 sec apart at stable operation</td></tr><tr><td align="left">Get Backup List Request</td><td align="center">Qry</td><td align="center">12</td><td align="left">6 x 2 early in startup, 0.5 sec apart</td></tr><tr><td align="left">Browser Election Request</td><td align="center">Ann</td><td align="center">10</td><td align="left">5 x 2 early in startup</td></tr><tr><td align="left">Request Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">4</td><td align="left">Early in startup</td></tr></tbody></table></div><p><a class="indexterm" name="id2594955"></a><a class="indexterm" name="id2594963"></a>
+ From the packet trace, it should be noted that no messages were propagated over TCP/IP;
+ all messages employed UDP/IP. When steady-state operation has been achieved, there is a cycle
+ of various announcements, re-election of a browse master, and name queries. These create
+ the symphony of announcements by which network browsing is made possible.
+ </p><p><a class="indexterm" name="id2594980"></a>
+ For detailed information regarding the precise behavior of the CIFS/SMB protocols,
+ refer to the book “<span class="quote">Implementing CIFS: The Common Internet File System,</span>”
+ by Christopher Hertel, (Prentice Hall PTR, ISBN: 013047116X).
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="secondmachine"></a>Second Machine Startup Broadcast Interaction</h3></div></div></div><p>
+ At this time, the machine you used to capture the single-system startup trace should still be running.
+ The objective of this task is to identify the interaction of two machines in respect to broadcast activity.
+ </p><div class="procedure"><a name="id2595016"></a><p class="title"><b>Procedure 16.3. Monitoring of Second Machine Activity</b></p><ol type="1"><li><p>
+ On the machine from which network activity will be monitored (using <span><strong class="command">ethereal</strong></span>),
+ launch <span><strong class="command">ethereal</strong></span> and click
+ <span class="guimenu">Capture</span>-><span class="guimenuitem">Start</span>.
+ </p><p>
+ Click:
+ </p><div class="orderedlist"><ol type="1"><li><p>Update list of packets in real time</p></li><li><p>Automatic scrolling in live capture</p></li><li><p>Enable MAC name resolution</p></li><li><p>Enable network name resolution</p></li><li><p>Enable transport name resolution</p></li></ol></div><p>
+ Click <span class="guibutton">OK</span>.
+ </p></li><li><p>
+ Start the second Windows 9x/Me machine. Let it run for 15 to 20 minutes. While monitoring, do not press
+ any keyboard keys, do not click any on-screen icons or menus, and do not answer any dialog boxes.
+ </p></li><li><p>
+ At the conclusion of the capture time, stop the capture. Be sure to save the captured data so you
+ can examine the network data capture again at a later date should that be necessary.
+ </p></li><li><p>
+ Analyze the capture trace, taking note of the transport protocols used, the types of messages observed,
+ and what interaction took place between the two machines. Leave both machines running for the next task.
+ </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2595133"></a>Findings</h4></div></div></div><p>
+ <a href="primer.html#capsstats02" title="Table 16.2. Second Machine (Windows 98) Capture Statistics">???</a> summarizes capture statistics observed. As in the previous case,
+ all announcements used UDP/IP broadcasts. Also, as was observed with the last example, the second
+ Windows 9x/Me machine broadcasts its name on startup to ensure that there exists no name clash
+ (i.e., the name is already registered by another machine) on the network segment. Those wishing
+ to explore the inner details of the precise mechanism of how this functions should refer to
+ “<span class="quote">Implementing CIFS: The Common Internet File System.</span>”
+ </p><div class="table"><a name="capsstats02"></a><p class="title"><b>Table 16.2. Second Machine (Windows 98) Capture Statistics</b></p><table summary="Second Machine (Windows 98) Capture Statistics" border="1"><colgroup><col align="left"><col align="center"><col align="center"><col align="left"></colgroup><thead><tr><th align="left">Message</th><th align="center">Type</th><th align="center">Num</th><th align="left">Notes</th></tr></thead><tbody><tr><td align="left">MILGATE98<00></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">MILGATE98<03></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.6 sec apart</td></tr><tr><td align="left">MILGATE98<20></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<00></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1d></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1e></td><td align="center">Reg</td><td align="center">8</td><td align="left">4 lots of 2, 0.75 sec apart</td></tr><tr><td align="left">MIDEARTH<1b></td><td align="center">Qry</td><td align="center">18</td><td align="left">900 sec apart at stable operation</td></tr><tr><td align="left">JHT<03></td><td align="center">Reg</td><td align="center">2</td><td align="left">This is the name of the user that logged onto Windows</td></tr><tr><td align="left">Host Announcement MILGATE98</td><td align="center">Ann</td><td align="center">14</td><td align="left">Every 120 sec</td></tr><tr><td align="left">Domain/Workgroup Announcement MIDEARTH</td><td align="center">Ann</td><td align="center">6</td><td align="left">900 sec apart at stable operation</td></tr><tr><td align="left">Local Master Announcement WINEPRESSME</td><td align="center">Ann</td><td align="center">6</td><td align="left">Insufficient detail to determine frequency</td></tr></tbody></table></div><p>
+ <a class="indexterm" name="id2595415"></a>
+ <a class="indexterm" name="id2595422"></a>
+ <a class="indexterm" name="id2595429"></a>
+ Observation of the contents of Host Announcements, Domain/Workgroup Announcements,
+ and Local Master Announcements is instructive. These messages convey a significant
+ level of detail regarding the nature of each machine that is on the network. An example
+ dissection of a Host Announcement is given in <a href="primer.html#hostannounce" title="Figure 16.3. Typical Windows 9x/Me Host Announcement">???</a>.
+ </p><div class="figure"><a name="hostannounce"></a><p class="title"><b>Figure 16.3. Typical Windows 9x/Me Host Announcement</b></p><div class="mediaobject"><img src="images/HostAnnouncment.png" width="221.4" alt="Typical Windows 9x/Me Host Announcement"></div></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2595493"></a>Simple Windows Client Connection Characteristics</h3></div></div></div><p>
+ The purpose of this exercise is to discover how Microsoft Windows clients create (establish)
+ connections with remote servers. The methodology involves analysis of a key aspect of how
+ Windows clients access remote servers: the session setup protocol.
+ </p><div class="procedure"><a name="id2595507"></a><p class="title"><b>Procedure 16.4. Client Connection Exploration Steps</b></p><ol type="1"><li><p>
+ Configure a Windows 9x/Me machine (MILGATE98) with a share called <code class="constant">Stuff</code>.
+ Create a <em class="parameter"><code>Full Access</code></em> control password on this share.
+ </p></li><li><p>
+ Configure another Windows 9x/Me machine (WINEPRESSME) as a client. Make sure that it exports
+ no shared resources.
+ </p></li><li><p>
+ Start both Windows 9x/Me machines and allow them to stabilize for 10 minutes. Log on to both
+ machines using a user name (JHT) of your choice. Wait approximately 2 minutes before proceeding.
+ </p></li><li><p>
+ Start ethereal (or the network sniffer of your choice).
+ </p></li><li><p>
+ From the WINEPRESSME machine, right-click <span class="guimenu">Network Neighborhood</span>, select
+ <span class="guimenuitem">Explore</span>, select
+ <span class="guimenuitem">My Network Places</span>-><span class="guimenuitem">Entire Network</span>-><span class="guimenuitem">MIDEARTH</span>-><span class="guimenuitem">MILGATE98</span>-><span class="guimenuitem">Stuff</span>.
+ Enter the password you set for the <code class="constant">Full Control</code> mode for the
+ <code class="constant">Stuff</code> share.
+ </p></li><li><p>
+ When the share called <code class="constant">Stuff</code> is being displayed, stop the capture.
+ Save the captured data in case it is needed for later analysis.
+ </p></li><li><p>
+ <a class="indexterm" name="id2595638"></a>
+ From the top of the packets captured, scan down to locate the first packet that has
+ interpreted as <code class="constant">Session Setup AndX, User: anonymous; Tree Connect AndX,
+ Path: \\MILGATE98\IPC$</code>.
+ </p></li><li><p><a class="indexterm" name="id2595657"></a><a class="indexterm" name="id2595665"></a>
+ In the dissection (analysis) panel, expand the <code class="constant">SMB, Session Setup AndX Request,
+ and Tree Connect AndX Request</code>. Examine both operations. Identify the name of
+ the user Account and what password was used. The Account name should be empty.
+ This is a <code class="constant">NULL</code> session setup packet.
+ </p></li><li><p>
+ Return to the packet capture sequence. There will be a number of packets that have been
+ decoded of the type <code class="constant">Session Setup AndX</code>. Locate the last such packet
+ that was targeted at the <code class="constant">\\MILGATE98\IPC$</code> service.
+ </p></li><li><p>
+ <a class="indexterm" name="id2595709"></a>
+ <a class="indexterm" name="id2595716"></a>
+ Dissect this packet as per the previous one. This packet should have a password length
+ of 24 (characters) and should have a password field, the contents of which is a
+ long hexadecimal number. Observe the name in the Account field. This is a User Mode
+ session setup packet.
+ </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2595730"></a>Findings and Comments</h4></div></div></div><p>
+ <a class="indexterm" name="id2595739"></a>
+ The <code class="constant">IPC$</code> share serves a vital purpose<sup>[<a name="id2595750" href="#ftn.id2595750">15</a>]</sup>
+ in SMB/CIFS-based networking. A Windows client connects to this resource to obtain the list of
+ resources that are available on the server. The server responds with the shares and print queues that
+ are available. In most but not all cases, the connection is made with a <code class="constant">NULL</code>
+ username and a <code class="constant">NULL</code> password.
+ </p><p>
+ <a class="indexterm" name="id2595770"></a>
+ The two packets examined are material evidence of how Windows clients may
+ interoperate with Samba. Samba requires every connection setup to be authenticated using
+ valid UNIX account credentials (UID/GID). This means that even a <code class="constant">NULL</code>
+ session setup can be established only by automatically mapping it to a valid UNIX
+ account.
+ </p><p>
+ <a class="indexterm" name="id2595790"></a><a class="indexterm" name="id2595796"></a>
+ <a class="indexterm" name="id2595805"></a>
+ Samba has a special name for the <code class="constant">NULL</code>, or empty, user account:
+ it calls it the <a class="indexterm" name="id2595817"></a>guest account. The
+ default value of this parameter is <code class="constant">nobody</code>; however, this can be
+ changed to map the function of the guest account to any other UNIX identity. Some
+ UNIX administrators prefer to map this account to the system default anonymous
+ FTP account. A sample NULL Session Setup AndX packet dissection is shown in
+ <a href="primer.html#nullconnect" title="Figure 16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request">???</a>.
+ </p><div class="figure"><a name="nullconnect"></a><p class="title"><b>Figure 16.4. Typical Windows 9x/Me NULL SessionSetUp AndX Request</b></p><div class="mediaobject"><img src="images/NullConnect.png" width="221.4" alt="Typical Windows 9x/Me NULL SessionSetUp AndX Request"></div></div><p>
+ <a class="indexterm" name="id2595885"></a>
+ <a class="indexterm" name="id2595892"></a>
+ <a class="indexterm" name="id2595898"></a>
+ When a UNIX/Linux system does not have a <code class="constant">nobody</code> user account
+ (<code class="filename">/etc/passwd</code>), the operation of the <code class="constant">NULL</code>
+ account cannot validate and thus connections that utilize the guest account
+ fail. This breaks all ability to browse the Samba server and is a common
+ problem reported on the Samba mailing list. A sample User Mode session setup AndX
+ is shown in <a href="primer.html#userconnect" title="Figure 16.5. Typical Windows 9x/Me User SessionSetUp AndX Request">???</a>.
+ </p><div class="figure"><a name="userconnect"></a><p class="title"><b>Figure 16.5. Typical Windows 9x/Me User SessionSetUp AndX Request</b></p><div class="mediaobject"><img src="images/UserConnect.png" width="221.4" alt="Typical Windows 9x/Me User SessionSetUp AndX Request"></div></div><p>
+ <a class="indexterm" name="id2595976"></a>
+ The User Mode connection packet contains the account name and the domain name.
+ The password is provided in Microsoft encrypted form, and its length is shown
+ as 24 characters. This is the length of Microsoft encrypted passwords.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2595990"></a>Windows 200x/XP Client Interaction with Samba-3</h3></div></div></div><p>
+ By now you may be asking, “<span class="quote">Why did you choose to work with Windows 9x/Me?</span>”
+ </p><p>
+ First, we want to demonstrate the simple case. This book is not intended to be a detailed treatise
+ on the Windows networking protocols, but rather to provide prescriptive guidance for deployment of Samba.
+ Second, by starting out with the simple protocol, it can be demonstrated that the more complex case mostly
+ follows the same principles.
+ </p><p>
+ The following exercise demonstrates the case that even MS Windows XP Professional with up-to-date service
+ updates also uses the <code class="constant">NULL</code> account, as well as user accounts. Simply follow the procedure
+ to complete this exercise.
+ </p><p>
+ To complete this exercise, you need a Windows XP Professional client that has been configured as
+ a domain member of either a Samba-controlled domain or a Windows NT4 or 200x Active Directory domain.
+ Here we do not provide details for how to configure this, as full coverage is provided earlier in this book.
+ </p><div class="procedure"><a name="id2596032"></a><p class="title"><b>Procedure 16.5. Steps to Explore Windows XP Pro Connection Set-up</b></p><ol type="1"><li><p>
+ Start your domain controller. Also, start the ethereal monitoring machine, launch ethereal,
+ and then wait for the next step to complete.
+ </p></li><li><p>
+ Start the Windows XP Client and wait 5 minutes before proceeding.
+ </p></li><li><p>
+ On the machine from which network activity will be monitored (using <span><strong class="command">ethereal</strong></span>),
+ launch <span><strong class="command">ethereal</strong></span> and click
+ <span class="guimenu">Capture</span>-><span class="guimenuitem">Start</span>.
+ </p><p>
+ Click:
+ </p><div class="orderedlist"><ol type="1"><li><p>Update list of packets in real time</p></li><li><p>Automatic scrolling in live capture</p></li><li><p>Enable MAC name resolution</p></li><li><p>Enable network name resolution</p></li><li><p>Enable transport name resolution</p></li></ol></div><p>
+ Click <span class="guibutton">OK</span>.
+ </p></li><li><p>
+ On the Windows XP Professional client, press <span class="guimenu">Ctrl-Alt-Delete</span> to bring
+ up the domain logon screen. Log in using valid credentials for a domain user account.
+ </p></li><li><p>
+ Now proceed to connect to the domain controller as follows:
+ <span class="guimenu">Start</span>-><span class="guimenuitem">(right-click) My Network Places</span>-><span class="guimenuitem">Explore</span>-><span class="guimenuitem">{Left Panel} [+] Entire Network</span>-><span class="guimenuitem">{Left Panel} [+] Microsoft Windows Network</span>-><span class="guimenuitem">{Left Panel} [+] Midearth</span>-><span class="guimenuitem">{Left Panel} [+] Frodo</span>-><span class="guimenuitem">{Left Panel} [+] data</span>. Close the explorer window.
+ </p><p>
+ In this step, our domain name is <code class="constant">Midearth</code>, the domain controller is called
+ <code class="constant">Frodo</code>, and we have connected to a share called <code class="constant">data</code>.
+ </p></li><li><p>
+ Stop the capture on the <span><strong class="command">ethereal</strong></span> monitoring machine. Be sure to save the captured data
+ to a file so that you can refer to it again later.
+ </p></li><li><p>
+ If desired, the Windows XP Professional client and the domain controller are no longer needed for exercises
+ in this chapter.
+ </p></li><li><p>
+ <a class="indexterm" name="id2596259"></a>
+ <a class="indexterm" name="id2596266"></a>
+ From the top of the packets captured, scan down to locate the first packet that has
+ interpreted as <code class="constant">Session Setup AndX Request, NTLMSSP_AUTH</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id2596286"></a>
+ <a class="indexterm" name="id2596293"></a>
+ <a class="indexterm" name="id2596299"></a>
+ In the dissection (analysis) panel, expand the <code class="constant">SMB, Session Setup AndX Request</code>.
+ Expand the packet decode information, beginning at the <code class="constant">Security Blob:</code>
+ entry. Expand the <code class="constant">GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</code>
+ keys. This should reveal that this is a <code class="constant">NULL</code> session setup packet.
+ The <code class="constant">User name: NULL</code> so indicates. An example decode is shown in
+ <a href="primer.html#XPCap01" title="Figure 16.6. Typical Windows XP NULL Session Setup AndX Request">???</a>.
+ </p></li><li><p>
+ Return to the packet capture sequence. There will be a number of packets that have been
+ decoded of the type <code class="constant">Session Setup AndX Request</code>. Click the last such packet that
+ has been decoded as <code class="constant">Session Setup AndX Request, NTLMSSP_AUTH</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id2596362"></a>
+ In the dissection (analysis) panel, expand the <code class="constant">SMB, Session Setup AndX Request</code>.
+ Expand the packet decode information, beginning at the <code class="constant">Security Blob:</code>
+ entry. Expand the <code class="constant">GSS-API -> SPNEGO -> netTokenTarg -> responseToken -> NTLMSSP</code>
+ keys. This should reveal that this is a <code class="constant">User Mode</code> session setup packet.
+ The <code class="constant">User name: jht</code> so indicates. An example decode is shown in
+ <a href="primer.html#XPCap02" title="Figure 16.7. Typical Windows XP User Session Setup AndX Request">???</a>. In this case the user name was <code class="constant">jht</code>. This packet
+ decode includes the <code class="constant">Lan Manager Response:</code> and the <code class="constant">NTLM Response:</code>.
+ The values of these two parameters are the Microsoft encrypted password hashes: respectively, the LanMan
+ password and then the NT (case-preserving) password hash.
+ </p></li><li><p>
+ <a class="indexterm" name="id2596423"></a>
+ <a class="indexterm" name="id2596430"></a>
+ The passwords are 24-character hexadecimal numbers. This packet confirms that this is a User Mode
+ session setup packet.
+ </p></li></ol></div><div class="figure"><a name="XPCap01"></a><p class="title"><b>Figure 16.6. Typical Windows XP NULL Session Setup AndX Request</b></p><div class="mediaobject"><img src="images/WindowsXP-NullConnection.png" width="270" alt="Typical Windows XP NULL Session Setup AndX Request"></div></div><div class="figure"><a name="XPCap02"></a><p class="title"><b>Figure 16.7. Typical Windows XP User Session Setup AndX Request</b></p><div class="mediaobject"><img src="images/WindowsXP-UserConnection.png" width="270" alt="Typical Windows XP User Session Setup AndX Request"></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2596526"></a>Discussion</h4></div></div></div><p><a class="indexterm" name="id2596533"></a>
+ This exercise demonstrates that, while the specific protocol for the Session Setup AndX is handled
+ in a more sophisticated manner by recent MS Windows clients, the underlying rules or principles
+ remain the same. Thus it is demonstrated that MS Windows XP Professional clients still use a
+ <code class="constant">NULL-Session</code> connection to query and locate resources on an advanced network
+ technology server (one using Windows NT4/200x or Samba). It also demonstrates that an authenticated
+ connection must be made before resources can be used.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596558"></a>Conclusions to Exercises</h3></div></div></div><p>
+ In summary, the following points have been established in this chapter:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ When NetBIOS over TCP/IP protocols are enabled, MS Windows networking employs broadcast-oriented messaging protocols to provide knowledge of network services.
+ </p></li><li><p>
+ Network browsing protocols query information stored on browse masters that manage
+ information provided by NetBIOS Name Registrations and by way of ongoing host
+ announcements and workgroup announcements.
+ </p></li><li><p>
+ All Samba servers must be configured with a mechanism for mapping the <code class="constant">NULL-Session</code>
+ to a valid but nonprivileged UNIX system account.
+ </p></li><li><p>
+ The use of Microsoft encrypted passwords is built right into the fabric of Windows
+ networking operations. Such passwords cannot be provided from the UNIX <code class="filename">/etc/passwd</code>
+ database and thus must be stored elsewhere on the UNIX system in a manner that Samba can
+ use. Samba-2.x permitted such encrypted passwords to be stored in the <code class="constant">smbpasswd</code>
+ file or in an LDAP database. Samba-3 permits use of multiple <em class="parameter"><code>passdb backend</code></em>
+ databases in concurrent deployment. Refer to <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 10, “<span class="quote">Account Information Databases.</span>”
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="chap01conc"></a>Dissection and Discussion</h2></div></div></div><p>
+ <a class="indexterm" name="id2596645"></a>
+ The exercises demonstrate the use of the <code class="constant">guest</code> account, the way that
+ MS Windows clients and servers resolve computer names to a TCP/IP address, and how connections
+ between a client and a server are established.
+ </p><p>
+ Those wishing background information regarding NetBIOS name types should refer to
+ the Microsoft knowledgebase article
+ <a href="http://support.microsoft.com/support/kb/articles/Q102/78/8.asp" target="_top">Q102878.</a>
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2596672"></a>Technical Issues</h3></div></div></div><p>
+ <a class="indexterm" name="id2596680"></a>
+ Network browsing involves SMB broadcast announcements, SMB enumeration requests,
+ connections to the <code class="constant">IPC$</code> share, share enumerations, and SMB connection
+ setup processes. The use of anonymous connections to a Samba server involve the use of
+ the <em class="parameter"><code>guest account</code></em> that must map to a valid UNIX UID.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="chap01qa"></a>Questions and Answers</h2></div></div></div><p>
+ The questions and answers given in this section are designed to highlight important aspects of Microsoft
+ Windows networking.
+ </p><div class="qandaset"><dl><dt> <a href="primer.html#id2596724">
+ What is the significance of the MIDEARTH<1b> type query?
+ </a></dt><dt> <a href="primer.html#id2596770">
+ What is the significance of the MIDEARTH<1d> type name registration?
+ </a></dt><dt> <a href="primer.html#id2596844">
+ What is the role and significance of the <01><02>__MSBROWSE__<02><01>
+ name registration?
+ </a></dt><dt> <a href="primer.html#id2596877">
+ What is the significance of the MIDEARTH<1e> type name registration?
+ </a></dt><dt> <a href="primer.html#id2596913">
+ guest account
+ What is the significance of the guest account in smb.conf?
+ </a></dt><dt> <a href="primer.html#id2596986">
+ Is it possible to reduce network broadcast activity with Samba-3?
+ </a></dt><dt> <a href="primer.html#id2597091">
+ Can I just use plain-text passwords with Samba?
+ </a></dt><dt> <a href="primer.html#id2597179">
+ What parameter in the smb.conf file is used to enable the use of encrypted passwords?
+ </a></dt><dt> <a href="primer.html#id2597221">
+ Is it necessary to specify encrypt passwordsencrypt passwords = Yes
+ when Samba-3 is configured as a domain member?
+ </a></dt><dt> <a href="primer.html#id2597246">
+ Is it necessary to specify a guest account when Samba-3 is configured
+ as a domain member server?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2596724"></a><a name="id2596726"></a><b></b></td><td align="left" valign="top"><p>
+ What is the significance of the MIDEARTH<1b> type query?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2596738"></a>
+ <a class="indexterm" name="id2596748"></a>
+ This is a broadcast announcement by which the Windows machine is attempting to
+ locate a Domain Master Browser (DMB) in the event that it might exist on the network.
+ Refer to <span class="emphasis"><em>TOSHARG2,</em></span> Chapter 9, Section 9.7, “<span class="quote">Technical Overview of Browsing,</span>”
+ for details regarding the function of the DMB and its role in network browsing.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2596770"></a><a name="id2596772"></a><b></b></td><td align="left" valign="top"><p>
+ What is the significance of the MIDEARTH<1d> type name registration?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2596784"></a>
+ <a class="indexterm" name="id2596794"></a>
+ This name registration records the machine IP addresses of the LMBs.
+ Network clients can query this name type to obtain a list of browser servers from the
+ master browser.
+ </p><p>
+ The LMB is responsible for monitoring all host announcements on the local network and for
+ collating the information contained within them. Using this information, it can provide answers to other Windows
+ network clients that request information such as:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ The list of machines known to the LMB (i.e., the browse list)
+ </p></li><li><p>
+ The IP addresses of all domain controllers known for the domain
+ </p></li><li><p>
+ The IP addresses of LMBs
+ </p></li><li><p>
+ The IP address of the DMB (if one exists)
+ </p></li><li><p>
+ The IP address of the LMB on the local segment
+ </p></li></ul></div></td></tr><tr class="question"><td align="left" valign="top"><a name="id2596844"></a><a name="id2596846"></a><b></b></td><td align="left" valign="top"><p>
+ What is the role and significance of the <01><02>__MSBROWSE__<02><01>
+ name registration?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2596861"></a>
+ This name is registered by the browse master to broadcast and receive domain announcements.
+ Its scope is limited to the local network segment, or subnet. By querying this name type,
+ master browsers on networks that have multiple domains can find the names of master browsers
+ for each domain.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2596877"></a><a name="id2596879"></a><b></b></td><td align="left" valign="top"><p>
+ What is the significance of the MIDEARTH<1e> type name registration?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2596891"></a>
+ This name is registered by all browse masters in a domain or workgroup. The registration
+ name type is known as the Browser Election Service. Master browsers register themselves
+ with this name type so that DMBs can locate them to perform cross-subnet
+ browse list updates. This name type is also used to initiate elections for Master Browsers.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2596913"></a><a name="id2596915"></a><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2596920"></a>
+ What is the significance of the <em class="parameter"><code>guest account</code></em> in smb.conf?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ This parameter specifies the default UNIX account to which MS Windows networking
+ NULL session connections are mapped. The default name for the UNIX account used for
+ this mapping is called <code class="constant">nobody</code>. If the UNIX/Linux system that
+ is hosting Samba does not have a <code class="constant">nobody</code> account and an alternate
+ mapping has not been specified, network browsing will not work at all.
+ </p><p>
+ It should be noted that the <em class="parameter"><code>guest account</code></em> is essential to
+ Samba operation. Either the operating system must have an account called <code class="constant">nobody</code>
+ or there must be an entry in the <code class="filename">smb.conf</code> file with a valid UNIX account, such as
+ <a class="indexterm" name="id2596976"></a>guest account = ftp.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2596986"></a><a name="id2596988"></a><b></b></td><td align="left" valign="top"><p>
+ Is it possible to reduce network broadcast activity with Samba-3?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2597000"></a>
+ <a class="indexterm" name="id2597007"></a>
+ Yes, there are two ways to do this. The first involves use of WINS (See <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 9,
+ Section 9.5, “<span class="quote">WINS The Windows Inter-networking Name Server</span>”); the
+ alternate method involves disabling the use of NetBIOS over TCP/IP. This second method requires
+ a correctly configured DNS server (see <span class="emphasis"><em>TOSHARG2</em></span>, Chapter 9, Section 9.3, “<span class="quote">Discussion</span>”).
+ </p><p>
+ <a class="indexterm" name="id2597040"></a>
+ <a class="indexterm" name="id2597046"></a>
+ <a class="indexterm" name="id2597056"></a>
+ The use of WINS reduces network broadcast traffic. The reduction is greatest when all network
+ clients are configured to operate in <em class="parameter"><code>Hybrid Mode</code></em>. This can be effected through
+ use of DHCP to set the NetBIOS node type to type 8 for all network clients. Additionally, it is
+ beneficial to configure Samba to use <a class="indexterm" name="id2597074"></a>name resolve order = wins host cast.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ Use of SMB without NetBIOS is possible only on Windows 200x/XP Professional clients and servers, as
+ well as with Samba-3.
+ </p></div></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597091"></a><a name="id2597093"></a><b></b></td><td align="left" valign="top"><p>
+ Can I just use plain-text passwords with Samba?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ Yes, you can configure Samba to use plain-text passwords, though this does create a few problems.
+ </p><p>
+ First, the use of <code class="filename">/etc/passwd</code>-based plain-text passwords requires that registry
+ modifications be made on all MS Windows client machines to enable plain-text passwords support. This
+ significantly diminishes the security of MS Windows client operation. Many network administrators
+ are bitterly opposed to doing this.
+ </p><p>
+ Second, Microsoft has not maintained plain-text password support since the default setting was made
+ disabling this. When network connections are dropped by the client, it is not possible to re-establish
+ the connection automatically. Users need to log off and then log on again. Plain-text password support
+ may interfere with recent enhancements that are part of the Microsoft move toward a more secure computing
+ environment.
+ </p><p>
+ Samba-3 supports Microsoft encrypted passwords. Be advised not to reintroduce plain-text password handling.
+ Just create user accounts by running <span><strong class="command">smbpasswd -a 'username'</strong></span>
+ </p><p>
+ It is not possible to add a user to the <em class="parameter"><code>passdb backend</code></em> database unless there is
+ a UNIX system account for that user. On systems that run <span><strong class="command">winbindd</strong></span> to access the Samba
+ PDC/BDC to provide Windows user and group accounts, the <em class="parameter"><code>idmap uid, idmap gid</code></em> ranges
+ set in the <code class="filename">smb.conf</code> file provide the local UID/GIDs needed for local identity management purposes.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597179"></a><a name="id2597182"></a><b></b></td><td align="left" valign="top"><p>
+ What parameter in the <code class="filename">smb.conf</code> file is used to enable the use of encrypted passwords?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ The parameter in the <code class="filename">smb.conf</code> file that controls this behavior is known as <em class="parameter"><code>encrypt
+ passwords</code></em>. The default setting for this in Samba-3 is <code class="constant">Yes (Enabled)</code>.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597221"></a><a name="id2597223"></a><b></b></td><td align="left" valign="top"><p>
+ Is it necessary to specify <a class="indexterm" name="id2597228"></a>encrypt passwords = Yes
+ when Samba-3 is configured as a domain member?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ No. This is the default behavior.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2597246"></a><a name="id2597248"></a><b></b></td><td align="left" valign="top"><p>
+ Is it necessary to specify a <em class="parameter"><code>guest account</code></em> when Samba-3 is configured
+ as a domain member server?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ Yes. This is a local function on the server. The default setting is to use the UNIX account
+ <code class="constant">nobody</code>. If this account does not exist on the UNIX server, then it is
+ necessary to provide a <a class="indexterm" name="id2597274"></a>guest account = an_account,
+ where <code class="constant">an_account</code> is a valid local UNIX user account.
+ </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"><p><sup>[<a name="ftn.id2595750" href="#id2595750">15</a>] </sup>TOSHARG2, Sect 4.5.1</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="appendix.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="gpl.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 15. A Collection of Useful Tidbits </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Appendix A. GNU General Public License</td></tr></table></div></body></html>
projects / samba / blobdiff