Softpanorama

May the source be with you, but remember the KISS principle ;-)
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

Samba


SMB was Microsoft's weapon against Novell. The technical specification of SMB/CIFS is available from Microsoft (Common Internet File System (CIFS) File Access Protocol).

Samba is a Unix-based re-implementation of the SMB protocol. At a high level, the SMB protocol suite is relatively simple. It includes typical commands for file and print operations such as opening and closing a file, creating and deleting files and directories, reading and writing a file, etc. Each of these operations can be encoded into an SMB message and transmitted to and from a server. The original name SMB comes from their data format: these are versions of the standard DOS system-call data structures, or Server Message Blocks, redesigned for transmitting to another machine across a network.

Samba is a Linux reimplementation of the SMB protocol in which file and print sharing are implemented by smbd, one of the Samba daemons.

Here is a relevant quote from Sean A. Walberg's tutorial published at IBM developerWorks (Configure Samba, Apr 27, 2011):

Microsoft file sharing used network basic input/output system (NetBIOS) over TCP when it first moved into the IP world. This method encapsulated NetBIOS content inside a TCP session using TCP port 139.  The NetBIOS protocol encompasses several features. TCP port 139 is used only for the session services, which are file transfer and message passing. The name lookup services are not handled on this port.

NetBIOS over TCP works, but there is overlap between the session and reliability features provided by NetBIOS and those provided by TCP. With some subtle changes, it became possible to run SMB/CIFS right on top of TCP. This method is known as direct hosting and is used to simplify the protocol. Direct hosting occurs on TCP port 445.  When NetBIOS was eliminated from the protocol suite, Microsoft needed another way to handle name lookups. Domain Name System (DNS) was a natural choice, which is why DNS forms the basis of AD DS.

By default, Samba listens on ports 139 and 445. You can change this behavior with the smb ports global parameter. For example, smb ports = 445 tells Samba to listen only on port 445. You can have Samba listen on any port you want, although any client wanting to connect would have to be told to use the nonstandard port.

If you are unsure which ports Samba is listening on, you can use the netstat command to find out.

Here are key facts from Samba An Introduction

Samba consists of two key programs, plus a bunch of other stuff that we'll get to later. The two key programs are smbd  and nmbd. Their job is to implement the four basic modern-day CIFS services, which are:

File and print services are, of course, the cornerstone of the CIFS suite. These are provided by smbd, the SMB Daemon. Smbd  also handles "share mode" and "user mode" authentication and authorization. That is, you can protect shared file and print services by requiring passwords. In share mode, the simplest and least recommended scheme, a password can be assigned to a shared directory or printer (simply called a "share"). This single password is then given to everyone who is allowed to use the share. With user mode authentication, each user has their own username and password and the System Administrator can grant or deny access on an individual basis.

The Windows NT Domain system provides a further level of authentication refinement for CIFS. The basic idea is that a user should only have to log in once to have access to all of the authorized services on the network. The NT Domain system handles this with an authentication server, called a Domain Controller. An NT Domain (which should not be confused with a Domain Name System (DNS) Domain) is basically a group of machines which share the same Domain Controller.

The NT Domain system deserves special mention because, until the release of Samba version 2, only Microsoft owned code to implement the NT Domain authentication protocols. With version 2, Samba introduced the first non-Microsoft-derived NT Domain authentication code. The eventual goal, of course, is to completely mimic a Windows NT Domain Controller.

The other two CIFS pieces, name resolution and browsing, are handled by nmbd. These two services basically involve the management and distribution of lists of NetBIOS names.

Name resolution takes two forms: broadcast and point-to-point. A machine may use either or both of these methods, depending upon its configuration. Broadcast resolution is the closest to the original NetBIOS mechanism. Basically, a client looking for a service named Trillian  will call out "Yo! Trillian! Where are you?", and wait for the machine with that name to answer with an IP address. This can generate a bit of broadcast traffic (a lot of shouting in the streets), but it is restricted to the local LAN so it doesn't cause too much trouble.

The other type of name resolution involves the use of an NBNS (NetBIOS Name Service) server. (Microsoft called their NBNS implementation WINS, for Windows Internet Name Service, and that acronym is more commonly used today.) The NBNS works something like the wall of an old fashioned telephone booth. (Remember those?) Machines can leave their name and number (IP address) for others to see.

	Hi, I'm node Voomba.  Call me for a good time!  192.168.100.101

It works like this: The clients send their NetBIOS names & IP addresses to the NBNS server, which keeps the information in a simple database. When a client wants to talk to another client, it sends the other client's name to the NBNS server. If the name is on the list, the NBNS hands back an IP address. You've got the name, look up the number.

Clients on different subnets can all share the same NBNS server so, unlike broadcast, the point-to-point mechanism is not limited to the local LAN. In many ways the NBNS is similar to the DNS, but the NBNS name list is almost completely dynamic and there are few controls to ensure that only authorized clients can register names. Conflicts can, and do, occur fairly easily.

Finally, there's browsing. This is a whole 'nother kettle of worms, but Samba's nmbd  handles it anyway. This is not the web browsing we know and love, but a browsable list of services (file and print shares) offered by the computers on a network.

On a LAN, the participating computers hold an election to decide which of them will become the Local Master Browser (LMB). The "winner" then identifies itself by claiming a special NetBIOS name (in addition to any other names it may have). The LMB's job is to keep a list of available services, and it is this list that appears when you click on the Windows "Network Neighborhood" icon.

In addition to LMBs, there are Domain Master Browsers (DMBs). DMBs coordinate browse lists across NT Domains, even on routed networks. Using the NBNS, an LMB will locate its DMB to exchange and combine browse lists. Thus, the browse list is propagated to all hosts in the NT Domain. Unfortunately, the synchronization times are spread apart a bit. It can take more than an hour for a change on a remote subnet to appear in the Network Neighborhood.

Other Stuff

Samba comes with a variety of utilities. The most commonly used are:

smbclient
A simple SMB client, with an interface similar to that of the FTP utility. It can be used from a Unix system to connect to a remote SMB share, transfer files, and send files to remote print shares (printers).
nmblookup
A NetBIOS name service client. Nmblookup can be used to find NetBIOS names on a network, look up their IP addresses, and query a remote machine for the list of names the machine believes it owns.
swat
The Samba Web Administration Tool. Swat  allows you to configure Samba remotely, using a web browser.
There are more, of course, but describing them would require explaining even more bits and pieces of CIFS, SMB, and Samba. That's where things really get tedious, so we'll leave it alone for now.

SMB Filesystems for Linux

One of the cool things that you can do with a Windows box is use an SMB file share as if it were a hard disk on your own machine. The N:  drive can look, smell, feel, and act like your own disk space, but it's really disk space on some other computer somewhere else on the network.

Linux systems can do this too, using the smbfs  filesystem. Built from Samba code, smbfs  (which stands for SMB Filesystem) allows Linux to map a remote SMB share into its directory structure. So, for example, the /mnt/zarquon  directory might actually be an SMB share, yet you can read, write, edit, delete, and copy the files in that directory just as you would local files.

The smbfs  is nifty, but it only works with Linux. In fact, it's not even part of the Samba suite. It is distributed with Samba as a courtesy and convenience. A more general solution is the new smbsh  (SMB shell, which is still under development at the time of this writing). This is a cool gadget. It is run like a Unix shell, but it does some funky fiddling with calls to Unix libraries. By intercepting these calls, smbsh  can make it look as though SMB shares are mounted. All of the read, write, etc. operations are available to the smbsh  user. Another feature of smbsh  is that it works on a per-user, per shell basis, while mounting a filesystem is a system-wide operation. This allows for much finer-grained access controls.

Setup and Management

Samba is configured using the smb.conf  file. This is a simple text file designed to look a lot like those *.ini files used in Windows. The goal, of course, is to give network administrators familiar with Windows something comfortable to play with. Over time, though, the number of things that can be configured in Samba has grown, and the percentage of Network Admins willing to edit a Windows *.ini file has shrunk. For some people, that makes managing the smb.conf  file a bit daunting.

Still, learning the ins and outs of smb.conf  is a worth-while penance. Each of the smb.conf  variables has a purpose, and a lot of fine tuning can be accomplished. The file structure contents are fully documented, so as to give administrators a running head start, and smb.conf  can be manipulated using swat, which at least makes it nicer to look at.

The Present

Samba 2.0 was released in January 1999. One of the most significant and cool features of the 2.0 release was improved speed. Ziff-Davis Publishing used their Netbench software to benchmark Samba 2.0 on Linux against Windows NT4. They ran all of their tests on the same PC hardware, and their results showed Samba's throughput under load to be at least twice that of NT. Samba is shipped with all major Linux distributions, and Ziff-Davis tested three of those.

Another milestone was reached when Silicon Graphics (SGI) became the first commercial Unix vendor to support Samba. In their December 1998 press release, they claimed that their Origin series servers running Samba 2.0 were the most powerful line of file servers for Windows clients available. SGI now offers commercial support for Samba as do several other providers, many of which are listed on the Samba web site (see http://samba.org/). Traditional Internet support is, of course, still available via the comp.protocols.smb  newsgroup and the [email protected]  mailing list.

The Samba Team continues to work on new goodies. Current interests include NT ACLs (Access Control Lists), support for LDAP (the Lightweight Directory Access Protocol), NT Domain Control, and Microsoft's DFS (Distributed File System).

The SMB protocol over TCP/IP uses three ports:

There are two main authentication models available.

The SMB model defines two levels of security:


Old News ;-)

[May 03, 2021] 3 Best Free NAS Software Solutions For Network Storage by Bobby Borisov

Apr 27, 2021 | linuxiac.com

If you've been looking for a way to keep your data safe and secure you've most likely come across NAS. Let's take a look at 3 best in our opinion free NAS software solutions for home users and businesses.

Nowadays, NAS is used by everyday families who simply want to share photos and enjoy access to a digital library of entertainment, no matter where they're at. So whether you're looking to build your own private network, gather movies, music, and TV shows, or just to take data backup to the next level, NAS might be what you're looking for.

What is NAS

NAS (Network Attached Storage) is a term used to refer to storage devices that connect to a network and provide file access services to computer systems. The simplest way to think of NAS is as a type of specialized file server. It allows data storage and retrieval from a central location for authorized network users and various clients.

In other words, NAS is similar to having your own private cloud in home or in the office. It is faster, less expensive, and offers all of the benefits of a public cloud on-premises, giving you complete control.

NAS software solutions come in all sorts of flavors. Finding the right one for your needs is the real challenge. There are many NAS servers and options available today, but how do you find the best NAS software for your home or business needs? With that being said, let's look at the 3 best, in our opinion, free NAS software solutions.

TrueNAS CORE

TrueNAS CORE (previously known as FreeNAS) is a FreeBSD-based operating system which provides free NAS services. It is the community-supported, open source branch of the TrueNAS project, sponsored by iXsystems.

TrueNAS CORE is probably the best known NAS operating system out there. It's been in development since 2005 and has over 10 million downloads. It is more focused on power users, so this may not be recommended for people who are making a NAS server for the first time.

OpenZFS is the heart of TrueNAS CORE. It is an enterprise-ready open source file system, RAID controller, and volume manager with unprecedented flexibility and an uncompromising commitment to data integrity. It eliminates most, if not all of the shortcomings found in legacy file systems and hardware RAID devices. Once you go OpenZFS, you will never want to go back.

RAID-Z, the software RAID that is part of OpenZFS, offers single parity redundancy equivalent to RAID 5. The additional levels RAID-Z2 and RAID-Z3 offer double and triple parity protection respectively. If you want to eliminate almost entirely any possibility of data loss and stability is the name of the game, OpenZFS is what you're looking for.

TrueNAS CORE has some of the best features that you can find in NAS devices, such as data snapshots, a self-repair file system, encryption on their data volumes, and so on. Almost every file sharing is supported via TrueNAS CORE, which includes major file systems like SMB/CIFS (Windows file shares), NFS (Linux/UNIX files), AFP (Apple file shares), FTP, iSCSI, and WebDAV. It also supports integration with cloud storage providers like Amazon S3 and Google Cloud out of the box.

If TrueNAS CORE has one goal, it is simplifying complex administrative tasks for users. Every aspect of a system can be managed from the web-based management interface. Administrative tasks ranging from storage configuration to share and user management to software updating can all be performed with confidence without missing a critical step or experiencing a silent failure.

Even though storage is its primary feature, there is much more that really makes this product shine. TrueNAS CORE supports plugins to extend its functionality such as Plex Media Server, Nextcloud, BitTorrent, OpenVPN, MadSonic, GitLab, Jenkins, etc. This means that it is capable of more than just storage. For example, TrueNAS CORE can be used as part of your home entertainment setup, serving your media to your Home Theater PC, PSP, iPod, or other network devices.

TrueNAS CORE is recommended if you are making an enterprise-grade server for your home, office or large business where data is stored centrally and shared from there. In addition, TrueNAS CORE is the best choice when you are looking for a storage network which is reasonable.

On the other hand, TrueNAS CORE is not perfect for low-RAM users. It is a highly advanced level and feature-rich NAS solution that recommends at least 8GB of RAM, a multi-core processor as well as a reliable storage drive to keep your data safe.

TrueNAS CORE pros and cons

Pros

Cons

Download TrueNAS CORE

One thing to note before installing TrueNAS CORE on a system with old specs is that it needs a good amount of RAM (a minimum of 8GB) to work, especially when you are planning to install an OpenZFS file system. In addition, for every terabyte of storage, TrueNAS CORE requires 1 GB of RAM. Because of this, you will need newer hardware to make a server.

You can install TrueNAS CORE by downloading an ISO image which you then burn to a USB drive, stick it in the PC/server and boot.

OpenMediaVault (OMV)

OpenMediaVault is a Debian based Linux distribution for NAS and well-known for home users and small businesses. It supports all major protocols such as SSH, (S)FTP, SMB, CIFS, and RSync and offers a straightforward way to set up NAS servers for home users. In addition, the server is modular and can be extended with a variety of official and third-party plugins. For example, you can turn your NAS into a torrent client to download data directly into the NAS storage. You can use it also to stream stored music and videos across the network via Plex Media Server plugin.

OpenMediaVault is straightforward to rollout and simple to manage, thanks to its well designed web-based user interface, which makes it suitable for even non-technical users. The user interface can further be enhanced by using its plugin directories.

OpenMediaVault supports all the popular deployment mechanisms, including several levels of software RAID, each of which necessitates a different number of disks. The project shares some features with TrueNAS CORE like storage monitoring, file sharing, and disk management and supports multiple file systems like ext4, Btrfs, JFS, and XFS. However, it doesn't have some of the more advanced features that TrueNAS CORE has, like hot-swapping or the OpenZFS file system.

One of OpenMediaVault's best features compared to TrueNAS CORE is its low system requirements. You can run OMV on low-powered devices like the Raspberry Pi.

The project is complemented with an extensive support infrastructure with plenty of documentation to handhold first time users.

OpenMediaVault is a very capable NAS deployment distro right out of the box. However, it can be made more advanced with tons of features using plugins integrated into the base system, and even with third party plugins using the OMV-Extras repository.

OpenMediaVault pros and cons

Pros

Cons

Download OpenMediaVault

OpenMediaVault installable media is available for 64-bit machines. The installation images can be found here. OMV even supports a number of ARM architectures, including the one used by the Raspberry Pi. The ISO image can also be used to create a USB stick in addition to hard drives and SSDs, which is especially useful if you plan to use a single-board computer like the Raspberry Pi.

Rockstor

Rockstor is a free NAS management system and probably the best alternative to TrueNAS CORE. It is a Linux-based NAS server distro that's based on a rock-solid openSUSE Leap and focuses solely on the Btrfs file system. The previous Rockstor releases were based on CentOS, however CentOS development considerations have now been deprecated.

In addition to standard NAS features like file sharing via NFS, Samba, SFTP and AFP, advanced features such as online volume management, CoW Snapshots, asynchronous replication, compression, and Bitrot protection are also supported.

The biggest difference between TrueNAS CORE and Rockstor is that it uses the Btrfs file system, which is very similar to ZFS used by TrueNAS CORE. Btrfs' big draw is the Copy-on-Write (CoW) nature of the filesystem. Btrfs is the new player among file systems. It knew how to capture many looks in the community because it comes to compete directly with advanced functions of ZFS.

Rockstor lets you arrange the available space into different RAID configurations and give you control over how you want to store your data. You also get the ability to resize a pool by adding or removing disks and even change its RAID profile without losing your data and without disrupting access.

Rockstor supports two update channels. There's the freely available Testing Updates channel that gets updates that haven't been thoroughly tested. Conversely, the updates in the Stable Updates channel have been tested for use in a production environment but are only available at a yearly subscription fee of £20.

One of the best things that Rockstor provides to its users is its plugin system, which has a variety of different plugins, more well-known by the name Rock-ons. The plugins are available as containers, which Docker virtualizes on the host system. These Rock-ons, combined with advanced NAS features, turn Rockstor into a private cloud storage solution accessible from anywhere, giving users complete control of cost, ownership, privacy and data security.

If you need a reliable NAS server with no frills, the Rockstor NAS Server is the way to go.

Rockstor pros and cons

Pros

Cons

Download Rockstor

There is nothing about Rockstor that requires special hardware. You can check the minimum system requirements in the official project documentation.

You can download the Rockstor ISO file from Sourceforge. The ISO image can be used to install Rockstor into a virtual machine like VMWare or Virtualbox directly. To install the software on real hardware, you need a boot media like a bootable USB stick. Just burn the downloaded ISO image onto USB drive.

Conclusion

With these NAS solutions on hand we have added choices for not only businesses and small offices, but home users as well. Considering the significance of data in this day and age, you would be wise to take one of these solutions to manage your NAS efficiently.

Whether you choose TrueNAS CORE, OpenMediaVault or Rockstor, you'll have software that's in active development, well supported and with plenty of available features. When these storage solutions are implemented and maintained properly, they provide the required safety to data.

[Jun 01, 2017] How To Configure SAMBA Server And Transfer Files Between Linux Windows - LinuxAndUbuntu - Linux News Apps Reviews Linux T

Jun 01, 2017 | www.linuxandubuntu.com

If you are setting this up on an Ubuntu server you can use vim or nano to edit the smb.conf file; for Ubuntu desktop just use the default text editor. Note that all commands (Server or Desktop) must be run as root.

$ sudo nano /etc/samba/smb.conf

Then add the information below to the very end of the file -

[share]
comment = Ubuntu File Server Share
path = /srv/samba/share
browsable = yes
guest ok = yes
read only = no
create mask = 0755

Comment : is a short description of the share.
Path : the path of the directory to be shared.

This example uses /srv/samba/share because, according to the Filesystem Hierarchy Standard (FHS), /srv is where site-specific data should be served. Technically Samba shares can be placed anywhere on the filesystem as long as the permissions are correct, but adhering to standards is recommended.

create mask : determines the permissions new files will have when created.

Now that Samba is configured, the directory /srv/samba/share needs to be created and the permissions need to be set. Create the directory and change permissions from the terminal -

sudo mkdir -p /srv/samba/share
sudo chown nobody:nogroup /srv/samba/share/

The -p switch tells mkdir to create the entire directory tree if it does not exist.

Finally, restart the samba services to enable the new configuration:

sudo systemctl restart smbd.service nmbd.service

From a Windows client, you should now be able to browse to the Ubuntu file server and see the shared directory. If your client doesn't show your share automatically, try to access your server by its IP address, e.g. \\192.168.1.1 or hostname in a Windows Explorer window. To check that everything is working try creating a directory from Windows.

To create additional shares simply create new [dir] sections in /etc/samba/smb.conf , and restart Samba. Just make sure that the directory you want to share actually exists and the permissions are correct.
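An added example, not part of the quoted article or of Samba itself: a small Python audit that parses smb.conf text and flags the combination the [share] stanza above sets up, guest access together with write access and no host restriction. The sample file, the [projects] share and all function names are constructed for illustration; synonyms and defaults follow smb.conf(5).

```python
import re

# Constructed sample: the article's [share] stanza under a minimal [global],
# plus a hypothetical restricted share ([projects]) for contrast.
SAMPLE_CONF = """\
[global]
   workgroup = MYGROUP
   smb ports = 445

[share]
   comment = Ubuntu File Server Share
   path = /srv/samba/share
   browsable = yes
   guest ok = yes
   read only = no
   create mask = 0755

[projects]
   path = /srv/samba/projects
   writable = yes
   valid users = @staff
   hosts allow = 192.168.1.
   create mask = 0660
"""

# Parameter synonyms (whitespace removed); "writeable" inverts "read only".
SYNONYMS = {"public": "guestok", "writable": "writeable", "writeok": "writeable",
            "allowhosts": "hostsallow", "createmode": "createmask"}
# Defaults used when neither the share nor [global] sets the parameter.
DEFAULTS = {"guestok": "no", "readonly": "yes", "createmask": "0744",
            "hostsallow": "", "smbports": "445 139"}
TRUE = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for smb.conf text."""
    sections, current = {}, None
    text = re.sub(r"\\\n", "", text)          # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)       # only the first "=" is significant
        key = re.sub(r"\s+", "", key).lower() # case/whitespace in names is ignored
        key = SYNONYMS.get(key, key)
        value = value.strip()
        if key == "writeable":                # store as its inverse, "read only"
            key = "readonly"
            value = "no" if value.lower() in TRUE else "yes"
        current[key] = value
    return sections


def effective(conf, share, param):
    """Share value, else the [global] value, else the default."""
    for scope in (conf.get(share, {}), conf.get("global", {})):
        if param in scope:
            return scope[param]
    return DEFAULTS[param]


def listening_ports(conf):
    """Ports smbd will listen on according to 'smb ports'."""
    return sorted(int(p) for p in effective(conf, "global", "smbports").split())


def audit(conf):
    """Return a sorted list of (share, finding) tuples."""
    findings = []
    for share in conf:
        if share == "global":
            continue
        guest = effective(conf, share, "guestok").lower() in TRUE
        writable = effective(conf, share, "readonly").lower() not in TRUE
        mask = int(effective(conf, share, "createmask"), 8)
        if guest and writable:
            findings.append((share, "guest-writable: no password needed to create files"))
        if guest and not effective(conf, share, "hostsallow"):
            findings.append((share, "guest access with no 'hosts allow' restriction"))
        if writable and mask & 0o002:
            findings.append((share, "create mask %04o permits world-writable files" % mask))
    return sorted(findings)


if __name__ == "__main__":
    parsed = parse_smb_conf(SAMPLE_CONF)
    print("listening ports:", listening_ports(parsed))
    for share, finding in audit(parsed):
        print("[%s] %s" % (share, finding))
```

To audit a live server, feed it the output of testparm -s rather than the raw file, so included files and normalised names are already resolved.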

[Feb 24, 2015] Critical remote code execution flaw patched in Samba

February 24, 2015 | ITworld

Security researchers are urging users to install new Samba security updates in order to address a critical vulnerability that allows attackers to execute arbitrary code with root privileges.

Samba is an implementation of the SMB/CIFS networking protocol that enables Unix-like systems, including Linux, BSD, Solaris and Mac OS X to share files and printers with Windows computers. It also allows such systems to be integrated into Microsoft Active Directory environments and even act as domain controllers.

The new vulnerability is located in the smbd file server and was discovered by Richard van Eeden of Microsoft Vulnerability Research.

Linux Users Beware Patch New Samba Flaw 'Immediately' - Dark Reading

Apr 11, 2012 | 05:07 PM |
By Kelly Jackson Higgins
Dark Reading
A dangerous vulnerability in a pervasive tool for running Linux systems in a Windows environment leaves the door open for an attacker to access these systems without requiring any authentication.

The open-source Samba group this week released an update to the Samba program to fix a bug that could allow an attacker to remotely acquire root access to the targeted server. The bug in Samba versions 3.6.3 and previous versions is a buffer overflow flaw in Samba's remote procedure call code. "As this does not require an authenticated connection it is the most serious vulnerability possible in a program, and users and vendors are encouraged to patch their Samba installations immediately," according to a newly issued advisory from Samba on the new CVE-2012-1182 vulnerability, which includes links to patches for the software.

Nicholas Percoco, senior vice president and head of Trustwave SpiderLabs, says the flaw affects anyone who has embedded Linux-based appliances that use Samba for file sharing, such as NASes, print servers, and printers. While these devices tend to run in an intranet rather than over the big Internet, the main risk would be from a sophisticated targeted attack or a malicious insider, he says.

"This is a very critical patch you should be applying ... if an attacker gets root access, it's game over from a security perspective," Percoco says. "You should not be running Samba [systems] on the Internet. That being said, it doesn't mean people aren't."

A proof-of-concept is circulating, and Percoco says the vulnerability is prime for abuse as a network worm as well as for a targeted attack. "It can also be the perfect storm for a Unix-based worm. This is something like the Nimda For Linux/Unix," he says.

[Jul 04, 2011] Learn Linux, 302 (Mixed environments) Configure Samba by Sean A. Walberg

Apr 27, 2011 | developerWorks

Troubleshooting Samba problems

Samba is not immune to problems. Sometimes, these problems are caused by the system administrator; sometimes they're caused by the user. Your job as the system administrator is to figure out where the problem lies, then how to solve it.

Testing the configuration file

If Samba won't start or you want to check your configuration file for correctness, then the testparm utility will help. This utility checks smb.conf for correctness. Listing 4 shows the result of testparm if there is an error.


Listing 4. Using testparm on an incorrect smb.conf file
	
# testparm
Load smb config files from /etc/samba/smb.conf
Unknown parameter encountered: "hide dto files"
Ignoring unknown parameter "hide dto files"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[public]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        workgroup = MYGROUP
        server string = Samba Server Version %v
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        cups options = raw

<< rest of the output omitted >>

The output of testparm starts with the location of the files. If you want to specify a different file, pass the name of the file on the command line, as in this example:

testparm /home/me/smb.conf

Next, testparm is complaining about an invalid parameter called hide dto files. This parameter should really be hide dot files.

After processing the configuration file, you are given some information about the server's role and a condensed version of the configuration file. This version has the comments stripped out and is consistently formatted, so you will sometimes catch errors here that you missed while browsing smb.conf in a text editor.

You should run testparm on your configuration file after making changes. Samba ignores most typographical errors in the configuration files and doesn't always write messages to the console when starting up. It's likely that you won't catch these types of mistakes until something isn't working properly. Testparm alerts you to any typos in smb.conf.

By default, testparm only shows you the configuration as entered in smb.conf. If you suspect that you are using a default value somewhere, you can use the -v option to force testparm also to show default values.

Another use of testparm is to limit the output to a single section or parameter. Listing 5 shows how to use testparm to see the value of the security mask option.


Listing 5. Limiting testparm to a single parameter
	
# testparm -s --parameter-name "security mask"
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[public]"
Loaded services file OK.
0777

In Listing 5, the -s parameter stops testparm from waiting for user input in between parsing smb.conf and displaying it to the screen. Using --parameter-name "security mask" asks for the value of security mask. The result is 0777, which is the default value. In this mode, it is not necessary to specify -v to show default values.

Connecting as a client

In lieu of going to a user's desktop and trying things out yourself, you can do a great deal of testing from the command line at your own desk. The first and easiest test is to make sure that you can connect to the Samba port. The easiest way to do this is with the telnet command, which is shown in Listing 6.


Listing 6. Testing connectivity with telnet
	
# telnet bob 139
Trying 192.168.1.134...
telnet: connect to address 192.168.1.134: Connection refused

In Listing 6, the root user is connecting to the server bob on port 139. You could also use port 445 to test for the direct-hosted SMB port. The result is Connection refused, which indicates either that the daemon isn't listening on that address or that a firewall is blocking the connection. Other results, such as No route to host or Connection timed out, can mean the same thing.

Clients generally connect to a server with a name, not an IP address. If you use telnet to connect to the server by name rather than IP address, pay special attention to the IP address returned. In the example above, the server (bob) was resolved to 192.168.1.134. Sometimes, you can have errors in your DNS records that result in the clients connecting to the wrong address.

If you are not using DNS for Windows name resolution, you can use the nmblookup command to perform a NetBIOS name lookup. Listing 7 shows a query for the bob server.


Listing 7. Performing a NetBIOS name query for bob

	
# nmblookup bob
querying bob on 192.168.1.255
192.168.1.138 bob<00>

According to Listing 7, the server bob is at 192.168.1.138, not 192.168.1.134, as you saw in Listing 6. This result points to a problem with DNS, especially if ports 139 and 445 are responsive on 192.168.1.138.

Another test is to see whether the configuration file denies access to a particular host. Testparm is used again in Listing 8.


Listing 8. Checking access with testparm
	
# testparm /etc/samba/smb.conf  seanspc 192.168.1.147
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[public]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Deny connection from seanspc (192.168.1.147) to homes
Deny connection from seanspc (192.168.1.147) to printers
Deny connection from seanspc (192.168.1.147) to public

Firewalls or application?

There are many ways to block a connection to a host, but all the options can be grouped into two categories: network and application. By blocking at the network layer, either on a firewall or using a host-based firewall like iptables, you will see that the telnet connection shown in Listing 6 is refused or times out. This is because the packet never makes it to the Samba application.

If Samba is configured not to allow connections from a particular host, you will see that the telnet connection succeeds, but any client access is greeted with an error. This is because the application reads the packet, doesn't like the IP address or hostname, and sends an application-level error. Without accepting the packet at the application layer, Samba can't know whether the IP address is acceptable.

In Listing 8, three items are passed to testparm:

The output from Listing 8 shows that the machine in question is denied access to all shares. When using testparm in this mode, the utility does not actually connect as that machine. Instead, testparm processes the configuration file to see whether the access would be allowed.
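The kind of offline decision testparm makes in Listing 8 can be modelled in a few lines. This is an added example, not Samba's code or part of the original tutorial: it is a simplified model of the hosts allow / hosts deny rules in the smb.conf manual page, and the share settings, the second client name and the addresses are constructed for illustration.

```python
"""Offline model of the "hosts allow" / "hosts deny" decision in smb.conf.

Simplified: only IPv4 literals, trailing-dot prefixes such as "192.168.1."
and a single EXCEPT keyword are handled; hostnames, netmasks, netgroups and
ALL are not. Share settings and addresses below are constructed samples.
"""
import re


def tokens(value):
    """Split an smb.conf host list on commas, spaces and tabs."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def token_matches(token, ip):
    """A trailing dot means "address starts with"; otherwise exact match."""
    return ip.startswith(token) if token.endswith(".") else ip == token


def list_match(items, ip):
    """True if ip matches an entry before EXCEPT and none after it."""
    if "EXCEPT" in items:
        cut = items.index("EXCEPT")
        included, excluded = items[:cut], items[cut + 1:]
    else:
        included, excluded = items, []
    if not any(token_matches(t, ip) for t in included):
        return False
    return not any(token_matches(t, ip) for t in excluded)


def access_allowed(ip, hosts_allow="", hosts_deny=""):
    """Decide access following the rules in the smb.conf manual page."""
    allow, deny = tokens(hosts_allow), tokens(hosts_deny)
    if ip == "127.0.0.1":
        # Loopback is allowed unless hosts deny names it and hosts allow
        # does not.
        return not list_match(deny, ip) or list_match(allow, ip)
    if not allow and not deny:
        return True                      # no restriction configured
    if not deny:
        return list_match(allow, ip)     # allow list only: default deny
    if not allow:
        return not list_match(deny, ip)  # deny list only: default allow
    # Both lists: the allow list takes precedence where they conflict.
    return list_match(allow, ip) or not list_match(deny, ip)


def report(name, ip, shares):
    """Produce testparm-style Allow/Deny lines for every share."""
    lines = []
    for share, opts in shares.items():
        ok = access_allowed(ip, opts.get("hosts allow", ""),
                            opts.get("hosts deny", ""))
        verdict = "Allow" if ok else "Deny"
        lines.append(f"{verdict} connection from {name} ({ip}) to {share}")
    return lines


# Constructed configuration: one subnet allowed, one workstation carved out.
SHARES = {
    "homes": {"hosts allow": "192.168.1. 127.0.0.1 EXCEPT 192.168.1.147"},
    "public": {"hosts deny": "192.168.1.147"},
    "printers": {},
}

if __name__ == "__main__":
    for client in (("seanspc", "192.168.1.147"), ("annspc", "192.168.1.20")):
        print("\n".join(report(*client, SHARES)))
```

Note that a list containing only hosts allow denies every address it does not name, which is why a stray prefix or a missing trailing dot locks clients out.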

If all the tests up to now succeed, you can attempt to make a client connection using the smbclient utility. The first test is to attempt to browse the share list, which is shown in Listing 9.


Listing 9. Showing a machine's shares
	
[sean@bob source3]$ smbclient -L '\\bob'
Enter sean's password:
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.5.6-69.fc13]

        Sharename       Type      Comment
        ---------       ----      -------
        extdrive        Disk
        Sean Walberg's iMac Disk
        timemachine     Disk
        IPC$            IPC       IPC Service (Samba Server Version 3.5.6-69.fc13)
        test            Printer   test
        Downstairs_Laser Printer   HP 6L
        Cups-PDF        Printer   Cups-PDF
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 3.5.6-69.fc13]

        Server               Comment
        ---------            -------
        BOB                  Samba Server Version 3.5.6-69.fc13

        Workgroup            Master
        ---------            -------
        MYGROUP              BOB
        WORK                 SWALBERG-XPLT
        WORKGROUP            IMAC-1FC525

In Listing 9, the user is requesting a list of shares with the -L parameter on the server called bob. The server name is prefixed with two backslashes (\\), because it is a Universal Naming Convention (UNC) path. Be careful about your choice of single versus double quotation marks, as well. Single quotation marks interpolate and see the backslashes as escape characters.

If your server has more security set up, you may need to pass the name of the user or the domain with the -W and -U parameters, respectively.

Finally, you can try to connect to a share by omitting the -L parameter and specifying a full UNC path to the share. Listing 10 shows the client connecting to a server using a different workgroup and user name.


Listing 10. Connecting to a share with a different user name and domain
	
[sean@bob source3]$ smbclient '\\swalberg-xplt\photos' -U swalberg -W WORK
Enter swalberg's password:
Domain=[WORK] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
smb: \> dir
  .                                   D        0  Thu Jan  6 11:39:50 2011
  ..                                  D        0  Thu Jan  6 11:39:50 2011
<< files omitted >>
                38156 blocks of size 4194304. 2938 blocks available
smb: \>>

If these tests pass, you can be reasonably certain that the problem is not with the Samba configuration but somewhere between the client and the server or something on the client itself. You look at the logs in the next section, which offer some clues as to where the problem lies.

OpenSUSE 11.4 Samba Standalone Server With tdbsam Backend HowtoForge - Linux Howtos and Tutorials

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 04/0/2011

This tutorial explains the installation of a Samba fileserver on OpenSUSE 11.4 and how to configure it to share files over the SMB protocol as well as how to add users. Samba is configured as a standalone server, not as a domain controller. In the resulting setup, every user has his own home directory accessible via the SMB protocol and all users have a shared directory with read-/write access.

I do not issue any guarantee that this will work for you!

1 Preliminary Note
I'm using an OpenSUSE 11.4 system here with the hostname server1.example.com and the IP address 192.168.0.100.

2 Installing Samba
We need to install Samba in this chapter, but it conflicts with the package patterns-openSUSE-minimal_base. Therefore we must uninstall that package first. To do so, start YaST:

yast2

In YaST, go to Software > Software Management:

Type patterns-openSUSE-minimal_base in the Search field and press ENTER. The package should be listed as installed (i) in the main window. Mark the package and press the ENTER key until there's a minus (-) sign in front of the package (the minus stands for uninstall), then hit [Accept]:

As a replacement for the package, some other packages need to be installed. Accept the selection by hitting [OK]:

Leave YaST afterwards.

Now install the Samba packages:

yast -i cups-libs samba

Edit the smb.conf file:

vi /etc/samba/smb.conf

Make sure you have the following lines in the [global] section:

[...]
security = user
passdb backend = tdbsam
[...]

This enables Linux system users to log in to the Samba server.

(If you get the message You do not have a valid vim binary package installed. Please install either "vim", "vim-enhanced" or "gvim"., please run

yast2 -i vim

to install vi and try again. )

Then create the system startup links for Samba and start it:

chkconfig -f --add smb
/etc/init.d/smb start

3 Adding Samba Shares
Now I will add a share that is accessible by all users.

Create the directory for sharing the files and change the group to the users group:

mkdir -p /home/shares/allusers
chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/

At the end of the file /etc/samba/smb.conf add the following lines:

vi /etc/samba/smb.conf

[...]
[allusers]
comment = All Users
path = /home/shares/allusers
valid users = @users
force group = users
create mask = 0660
directory mask = 0771
writable = yes

If you want all users to be able to read and write to their home directories via Samba, add the following lines to /etc/samba/smb.conf (make sure you comment out or remove the other [homes] section in the smb.conf file!):

[...]
[homes]
comment = Home Directories
browseable = no
valid users = %S
writable = yes
create mask = 0700
directory mask = 0700

Now we restart Samba:

/etc/init.d/smb restart

4 Adding And Managing Users
In this example, I will add a user named tom. You can add as many users as you need in the same way, just replace the username tom with the desired username in the commands.

useradd tom -m -G users

Set a password for tom in the Linux system user database. If the user tom should not be able to log in to the Linux system, skip this step.

passwd tom

-> Enter the password for the new user.

Now add the user to the Samba user database:

smbpasswd -a tom

-> Enter the password for the new user.

Now you should be able to log in from your Windows workstation with the file explorer (address is \\192.168.0.100 or \\192.168.0.100\tom for tom's home directory) using the username tom and the chosen password and store files on the Linux server either in tom's home directory or in the public shared directory.

smbtad 1.2.5

smbtad is the data receiver of the SMB Traffic Analyzer project. With SMB Traffic Analyzer, statistics about the data flow on a Samba network can be created.

Test Your Config File with testparm

It's important to validate the contents of the smb.conf file using the testparm program. If testparm runs correctly, it will list the loaded services. If not, it will give an error message. Make sure it runs correctly and that the services look reasonable before proceeding. Enter the command:

	root#  testparm /etc/samba/smb.conf

can't connect to samba server [Archive] - FedoraForum.org

security=share is the easiest way to share files
July 13, 2004

paperdiesel

I set up a samba share on my fc2 laptop, and I can't seem to connect to it from Windows XP or another fc2 laptop. Here's my samba server config. Keep in mind that I want it simple, no hassle, guest access where anyone can read/write/delete, etc.

config:

[global]
workgroup = boxes
netbios name = arsenal
hosts allow = 192.168.1. 192.168.2. 127.
security = share

[ paperarsenal ]
comment = whatever
path = /public
read only = no
writable = yes
guests ok = yes
browseable = yes
public = yes

getpeername failed

May 1, 2001

elena s ackley elenas at unm.edu


hi,

i upgraded from 2.0.7 to 2.2 last night hoping to lose these getpeername
errors that show up in my log.smbd.0.0.0.0 file (and now also
/var/log/messages YIKES!).

grepping on the time in my samba log files, i come up with at least three
different cases for when this error occurs: a denied connection because
the ip is not allowed;  a bad user map (when 2.2 upgrade didn't restore
smbuser); and a successful connection. the first kind happens ALOT, though
i don't know why? perhaps the election process or some other such
windows magic?


i also include my smb.conf (which i did restore with path corrections),
perhaps with your experience you'll see something right away that escapes
me.

how can i get rid of these getpeername errors?


thanks!!

elena



[2001/05/01 02:08:25, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 02:08:25, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor


[2001/05/01 02:08:25, 0] lib/access.c:check_access(324)
  Denied connection from  (129.24.181.51)
[2001/05/01 02:08:25, 1] smbd/process.c:process_smb(824)
  Connection denied from 129.24.181.51

-----------

[2001/05/01 08:09:48, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 08:09:48, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor


[2001/05/01 08:09:48, 1] smbd/password.c:pass_check_smb(526)
  Couldn't find user 'pboyd' in UNIX password database.
[2001/05/01 08:09:48, 1] smbd/reply.c:reply_sesssetup_and_X(975)
  Rejecting user 'pboyd': authentication failed

----------

[2001/05/01 07:32:17, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 07:32:17, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor

[2001/05/01 07:32:17, 1] smbd/service.c:make_connection(638)
  conf2 (129.24.176.41) connect to service conf as user slullie (uid=526, gid=240) (pid 30230)

/etc/samba/smb.conf:

# Samba config file created using SWAT
# from localhost.localdomain (127.0.0.1)
# Date: 2000/10/23 14:00:49

# Global parameters
[global]
        workgroup = bsvcs-grp
        netbios name = WhateverItTakes
        server string = UNM Business Services
        encrypt passwords = Yes
        update encrypted = Yes
        unix password sync = Yes
        passwd program = /usr/bin/passwd
        username map = /etc/samba/smbusers
        log file = /var/log/samba/log.%m.%I
        log level = 1
        max log size = 15
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        domain logons = Yes
        preferred master = No
        domain master = No
        dns proxy = No
        name resolve order = lmhosts hosts bcast
        invalid users = root bin daemon adm sync shutdown \
                        halt mail news uucp operator gopher \
                        nobody games ftp lp xfs named gdm \
                        piranha postgres pvm squid default \
                        autobot
        hosts allow = 129.24.176. 127.0.0.1 EXCEPT  129.24.180. 129.24.178. 129.24.177. 129.24.179. 129.24.181. 129.24.182 129.24.183
        directory mask = 0770
        create mask = 0770
        force create mode = 0770
        force directory mode = 0770
[homes]
        comment = Home Directories
        read only = No
        browseable = No
        directory mask = 0700
        create mask = 0700
        force create mode = 0700
        force directory mode = 0700

[support]
        path = /home/support
        comment = Tech Support
        writeable = yes
        valid users = @support
        force group = support

[business]
        path = /home/business
        comment = Business Services
        writeable = yes
        valid users = @business @support
        force group = business

[root at wit /etc]# testparm
Load smb config files from /etc/samba/smb.conf
INFO: Debug class all level = 1   (pid 30978 from pid 30978)
Loaded services file OK.
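The grep-by-timestamp triage described in the post above can be automated. The following is an added example, not part of the original message or of Samba: it parses the two-line smbd log record format shown in the excerpts, classifies each record, and counts which real events share a timestamp with a getpeername failure. The function names are made up for this example.

```python
"""Group smbd log records by what actually happened to each client.

SAMPLE_LOG is an excerpt of the log lines in the post above (one
getpeername record kept per event; the long connect message is split over
two lines to exercise continuation handling). The rest is example code.
"""
import re
from collections import Counter

# Header line: "[2001/05/01 02:08:25, 0] lib/access.c:check_access(324)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *(?P<level>\d+)\] "
    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*$")

DENIED = re.compile(r"Denied connection from\s*\S*\s*\((\d+(?:\.\d+){3})\)")
AUTH_FAILED = re.compile(r"Rejecting user '([^']*)': authentication failed")
CONNECTED = re.compile(
    r"^\S+ \((\d+(?:\.\d+){3})\) connect to service (\S+) as user (\S+)")

SAMPLE_LOG = """
[2001/05/01 02:08:25, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 02:08:25, 0] lib/access.c:check_access(324)
  Denied connection from  (129.24.181.51)
[2001/05/01 02:08:25, 1] smbd/process.c:process_smb(824)
  Connection denied from 129.24.181.51
[2001/05/01 08:09:48, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 08:09:48, 1] smbd/password.c:pass_check_smb(526)
  Couldn't find user 'pboyd' in UNIX password database.
[2001/05/01 08:09:48, 1] smbd/reply.c:reply_sesssetup_and_X(975)
  Rejecting user 'pboyd': authentication failed
[2001/05/01 07:32:17, 0] lib/util_sock.c:get_socket_addr(1084)
  getpeername failed. Error was Bad file descriptor
[2001/05/01 07:32:17, 1] smbd/service.c:make_connection(638)
  conf2 (129.24.176.41) connect to service conf as user slullie (uid=526,
  gid=240) (pid 30230)
"""


def parse_records(text):
    """Attach indented continuation lines to the header that precedes them."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({"ts": m["ts"], "level": int(m["level"]),
                            "func": m["func"], "msg": ""})
        elif raw.strip() and records:
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + raw.strip()).strip()
    return records


def classify(rec):
    """Return (kind, subject); subject is a client IP or a user name."""
    msg = rec["msg"]
    if "getpeername failed" in msg:
        return "getpeername", None
    for kind, pattern in (("denied", DENIED), ("auth_failed", AUTH_FAILED),
                          ("connected", CONNECTED)):
        m = pattern.search(msg)
        if m:
            return kind, m.group(1)
    return "other", None


def summarize(text):
    """Count events per subject and per co-occurrence with getpeername."""
    records = parse_records(text)
    noisy = {r["ts"] for r in records if classify(r)[0] == "getpeername"}
    summary = {"denied": Counter(), "auth_failed": Counter(),
               "connected": Counter(), "getpeername_with": Counter()}
    for rec in records:
        kind, subject = classify(rec)
        if kind in ("denied", "auth_failed", "connected"):
            summary[kind][subject] += 1
            if rec["ts"] in noisy:
                summary["getpeername_with"][kind] += 1
    return summary


if __name__ == "__main__":
    for section, counts in summarize(SAMPLE_LOG).items():
        print(section, dict(counts))
```

Counting only the check_access record avoids tallying the same refusal twice, since process_smb logs it again one line later.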

Put the fun back into computing.

DistroWatch.com

Samba Client

This wasn't received as a question but I thought I might share one of my favorite little tricks (if I can call it that) when using Linux. In my work, I commonly need to transfer files from one home computer to another and I've found the quickest and easiest way to do this is to use Samba, or more specifically smbclient (which is sometimes a link to smbclient3). For me, typing a bit in a terminal is much easier than most other methods of transferring files locally.

In the past it could take a bit of effort to get Samba and the Samba tools to function properly, but today many distributions set it up to function almost out-of-the-box (albeit less secure). I've found that in most distributions all I need to do is set a password on my main work computer. This is easily done using the smbpasswd tool. As root (or for Ubuntu users, prefaced with sudo):

smbpasswd <username>, then type in the new password.

From then on, I can samba into my desktop and drop files as needed. If desired, one can list the IP addresses and hostnames for each machine in their /etc/hosts so that computer names can be used, but in my work, I'm installing new releases all the time. So, I just use my desktop's local IP address. So, say for example that I needed to transfer a couple of screenshots from my testing machine to my desktop, I merely samba into my desktop and drop the files into my home directory. To log in:

smbclient --user=s //192.168.0.100/s, then give the password.

Then to move those screenshots I use a simple command:

mput *png

This will transfer all files with the .png extension. Notice how Samba can use wildcards to make operations so much easier. In fact, you can even use auto-completion many times - and I do. Retrieving files is just as easy. For example:

mget opensuse-112_d <enter>, will finish the filename opensuse-112_desktop.jpg and transfer a copy to the current machine.

Using mput instead of put verifies the transfer of each file before actually doing it.

This isn't even a drop in the bucket of the things one can do with smbclient or other Samba tools. A quick peruse of the MAN pages can give you an idea. At home behind my Internet firewall, smbclient saves me lots of effort.

[Mar 29, 2007] CIRT @ CIS @ Brown NetBIOS NULL Sessions: The Good, The Bad, and The Ugly by Paul Asadoorian

(Updated August 17, 2005)

I. The NULL Session Concept: The Good?

II. The Bad and The Ugly.

III. Using the Information.

IV. How to disable NetBIOS NULL Sessions.

V. Further Defenses.

VI. References and Further reading.

Note: Follow the link below to download a script to disable NULL sessions: Download Disable NULL Sessions Script


I. The NULL Session Concept: The Good?

NULL sessions take advantage of "features" in the SMB (Server Message Block) protocol that exist primarily for trust relationships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password. Using these NULL connections allows you to gather the following information from the host:

NULL sessions exist in windows networking to allow:

NetBIOS NULL sessions are enabled by default in Windows NT and 2000. Windows XP and 2003 will allow anonymous enumeration of shares, but not SAM accounts.

II. The Bad and the Ugly

The NULL session vulnerability is fairly widespread, however the introduction of Windows XP and Windows 2003 has made it far less useful. For the most part if the appropriate ports are accessible a NULL session is possible.

Port  Protocol  Description
135   TCP       Location Service (RPC endpoint mapping)
135   UDP       Location Service (RPC endpoint mapping)
137   TCP       NETBIOS Name Service
137   UDP       NETBIOS Name Service
138   TCP       NETBIOS Datagram Service
138   UDP       NETBIOS Datagram Service
139   TCP       NETBIOS Session Service
139   UDP       NETBIOS Session Service
445   TCP       SMB/CIFS

Figure 1

Port 139 or 445 TCP is required to be open in order for a NULL session to be successful (it needs to connect to IPC$ first). The other ports may be required, depending on the configuration, for services such as name resolution. There are many tools available to exploit NULL sessions, here are some examples:

Enum ( http://www.bindview.com/Services/RAZOR/Utilities/Windows/enum_readme.cfm )

enum is truly one of the best tools for exploiting the NULL session vulnerability. It is the "Swiss army knife" of NULL session hacking, allowing you to exploit every aspect of this flaw. Its true power lies in the ability to enumerate users, and then try to brute force the password using a supplied password list. Sample output is below (I usually run with the -S and -U flags as shown below):

C:\tools>enum -SU <IP Address>
server: <IP Address>
setting up session... success.
getting user list (pass 1, index 0)... success, got 5.
Administrator Guest IUSR_CHANNEL IWAM_CHANNEL victim_user
enumerating shares (pass 1)... got 4 shares, 0 left:
IPC$ c ADMIN$ C$
cleaning up... success.

From the above output we can see that the machine has one additional user aside from the default accounts, called "victim_user", and that none of the default accounts have been renamed. This is another great usage of NULL sessions, if the user has been conscientious and renamed the administrator account, we can see what it has been changed to. The guest account exists as well, which comes by default in most windows, and should be left disabled. It appears as though this machine is also running Microsoft IIS web server, from the IUSR_<machine name> account that exists. Moving on to the shares we see all of the default hidden administrative shares (denoted by the "$" character), as well as an unhidden share called "c". The ability to view hidden shares on the host is yet another great feature of NULL sessions.

Hunt ( http://www.foundstone.com/resources/freetools/hunt.zip )

Part of the NT Forensic Toolkit from Foundstone, this tool makes it very easy to enumerate users and shares from a vulnerable windows host, and is the most accurate in my experience. Some sample output is below:

C:\tools>hunt \\<IP Address>
share = IPC$ - Remote IPC
share = c -
share = ADMIN$ - Remote Admin
share = C$ - Default share
User = Administrator, , , Built-in account for administering the computer/domain
Admin is <NetBIOS Name>\Administrator
User = Guest, , , Built-in account for guest access to the computer/domain
User = IUSR_<NetBIOS Name>, Internet Guest Account, Built-in account for anonymous access to Internet Information Services, Built-in account for anonymous access to Internet Information Services
User = IWAM_<NetBIOS Name>, Internet Guest Account, Built-in account for anonymous access to Internet Information Services out of process applications, Built-in account for anonymous access to Internet Information Services out of process applications
User = victim_user Victim Name, ,

Figure 3

Above we see the same information as enum presents represented in a slightly different format.

winfo ( http://ntsecurity.nu/toolbox/winfo/ )

This command line tool queries the host for most of the information made available by a NULL session (Including any trust relationships) and displays it to the screen. Sample output is below:

C:\>winfo 128.148.151.7 -n
winfo 1.5 - copyright (c) 1999-2001, Arne Vidstrom
- http://www.ntsecurity.nu/toolbox/winfo/

Trying to establish null session...
Null session established.

USER ACCOUNTS:

* Administrator
(This account is the built-in administrator account)

* Guest
(This account is the built-in guest account)

* victim_user

WORKSTATION TRUST ACCOUNTS:

INTERDOMAIN TRUST ACCOUNTS:

SERVER TRUST ACCOUNTS:

SHARES:

* IPC$

* drivec$

Figure 4

The output above shows the listing of users, similar to the other tools. winfo is unique in that it will also show the trust relationships this machine may have with other machines. Finally, it will list the shares it has made available.

Dumpsec ( http://www.systemtools.com/cgi-bin/download.pl?DumpAcl )

Formerly Dumpacl, this tool is similar to winfo, but has a GUI interface.

Built-in tools

You can use built-in tools to enumerate NULL sessions by executing the following command using the "net" utility that comes with Windows. Without NULL sessions when we attempt to list the shares on a remote windows computer we get the following error:

C:\tools>net view \\MY.SUB.NET.IP
System error 5 has occurred.

Access is denied.

Figure 5

By default we would not have permissions to list the shares. If we map the IPC$ share (Inter Process Communications) using our NULL username and password combinations we are successful:

C:\tools>net use \\MY.SUB.NET.IP\IPC$ "" /u:""
The command completed successfully.

Figure 6

Now we try to list the shares again with greater success:

C:\tools>net view \\MY.SUB.NET.IP
Shared resources at \\MY.SUB.NET.IP

Share name Type Used as Comment
-------------------------------------------------------

c Disk
The command completed successfully.

Figure 7

III. Using the Information

An attacker will use the information gained from NULL sessions and try to logon to the system, using various tools that will try different username and password combinations. Common attacks against University computers have shown that attackers will typically gain access to the system, install FTP servers, IRC bots, and DDOS tools, then copy the illegal (copyrighted and pirated) software up for distribution. The FTP server Serv-U FTP Server and the IRC bot iroffer are very common as well. This task is made easier by users who when prompted for an administrator password when installing NT/2000/XP leave it blank. Please set a password on every account on your machine, if not for the security of your machine, then for the security of all our machines.

A worm called "Zotob" that takes advantage of the MS05-039 vulnerability relies on NULL sessions to propagate. Follow the instructions in the next section to protect yourself (and of course apply all operating system patches).

IV. How to Disable NetBIOS NULL Sessions

Follow the link below to download a script to disable NULL sessions: Download Disable NULL sessions Script (Authored by Brown University Software Services)

Below are instructions on how to manually disable NetBIOS NULL sessions:

Windows XP Home Edition

Note: This also works in Windows 2000 and XP Professional.

1. Set the Following Registry Key: HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous=2

2. Reboot to make the changes take effect.

Windows XP Professional Edition and Windows Server 2003

1. Go to Administrative Tools --> Local Security Policy --> Local Policies --> Security Options. Make sure the following two policies are enabled:
Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Default)
Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled

This can also be accomplished using the following registry keys:
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=1 (This disallows enumeration of shares)
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=1 (Default, not allowing enumeration of user accounts)

2. Reboot to make the changes take effect.

Windows 2000

1. Go to --> Administrative Tools --> Local Security Settings --> Local Policies --> Security Options

2. Select "Additional restrictions of anonymous connections" in the Policy pane on the right

3. From the pull down menu labeled "Local policy setting", select: "No access without explicit anonymous permissions"

4. Click OK

5. The registry setting equivalent is: HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=2

6. Reboot to make the changes take effect.

Windows NT 4.0 (Service Pack 3 or later)

Set the Following Registry Key: HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous=1
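A check for the registry values listed above, as an added example that is not part of the original article: it parses the text printed by `reg query HKLM\System\CurrentControlSet\Control\Lsa` and reports values that are missing or differ from the ones the article gives. The OS labels, function names and sample output are constructed for illustration.

```python
"""Compare `reg query` output for the Lsa key with the article's values."""
import re

# Values stated in section IV above, keyed by a short OS label.
# The labels are made up for this example.
BASELINE = {
    "winxp-home": {"restrictanonymous": 2},
    "win2000": {"restrictanonymous": 2},
    "winxp-pro": {"restrictanonymous": 1, "restrictanonymoussam": 1},
    "win2003": {"restrictanonymous": 1, "restrictanonymoussam": 1},
    "winnt4": {"restrictanonymous": 1},
}

# One value per line: "    name    REG_DWORD    0x1"
VALUE_LINE = re.compile(
    r"^\s+(?P<name>\S+)\s+REG_DWORD\s+(?P<data>0x[0-9a-fA-F]+)\s*$")

# Constructed sample: a host that still allows anonymous enumeration.
WEAK_OUTPUT = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    limitblankpassworduse    REG_DWORD    0x1
    RestrictAnonymous    REG_DWORD    0x0
"""

# Constructed sample: a host matching the article's XP Pro / 2003 values.
HARDENED_OUTPUT = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x1
    restrictanonymoussam    REG_DWORD    0x1
"""


def parse_reg_query(text):
    """Return {lower-cased value name: int} for every REG_DWORD line."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            # Registry value names are case-insensitive.
            values[m["name"].lower()] = int(m["data"], 16)
    return values


def audit(os_label, reg_query_output):
    """List every baseline value that is absent or set differently."""
    found = parse_reg_query(reg_query_output)
    findings = []
    for name, want in BASELINE[os_label].items():
        have = found.get(name)
        if have is None:
            findings.append(f"{name}: not set (article value {want})")
        elif have != want:
            findings.append(f"{name}: found {have}, article value {want}")
    return findings


if __name__ == "__main__":
    for label, output in (("winxp-pro", WEAK_OUTPUT),
                          ("winxp-pro", HARDENED_OUTPUT)):
        print(label, audit(label, output) or "matches the article's values")
```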

Samba

I am not certain how this works in the latest releases of Samba. Please email me with any feedback or experiences you could provide.

V. Further Defenses

While the above describes how to disable this vulnerability on the host, there are some things you can do on the network to help defend against NULL sessions:

Intrusion Detection

Most Intrusion Detection systems come with signatures to detect NULL session activity, although when run on the "inside" of your network will generate false positives if not configured correctly. Configuring the Snort ( www.snort.org ) NULL session detection rule ( http://www.snort.org/pub-bin/sigs.cgi?sid=530 ) to look at certain traffic proves to be very effective. For example, you may only want to look at NULL session attempts from the Internet to your internal network, and IDS rules should be configured accordingly.

Account Policy

All versions of Windows that are vulnerable to this attack provide some mechanism to set account policies. The Center for Internet Security has released benchmark standards for all Windows platforms that include recommended account policies (See http://www.cisecurity.org for more details and to download the benchmarks). They cover password expiration, password length, and account lockout policies, which should all be applied to your domain (or workstation if you are not part of a domain). These documents also outline some recommendations for audit policies, or logging of certain activity on your computer. You should enable logging of security events on your windows servers and workstations for accounting purposes. Account and auditing policies should be tailored to individual organizations' needs. Having these in place will significantly decrease the risk of someone using NULL sessions to gain access to your machine.

VI. References and Further Reading

Web Sites:

rr.sans.org/win/null.php - "NULL sessions In NT/2000" - Perhaps the best description of why NULL sessions exist, and general NULL session facts includes a complete description of how NetBIOS NULL sessions are used in a Windows networking environment. By Joe Finamore.

www.giac.org/certified_professionals/practicals/gcih/0345.php - "Weak Passwords + NULL Session = Windows 2000 Exploit" -This paper outlines the dangers of NULL sessions and gives an example of incident that uses this vulnerability. By Michael S. Kriss.

www.hsc.fr/ressources/presentations/null_sessions/msrpc_null_sessions.pdf - "MSRPC NULL sessions - exploitation and protection" – A new way to exploit NULL sessions using MSRPC and named pipes. Lets you do more than just view users and shares.

www.softheap.com/security/session-access.html - "How is information enumerated through NULL session access, Remote Procedure Calls and IPC$?"

www.sygate.com/alerts/Netbios_Null_Attack.htm - "NetBIOS NULL Session Attack in XP"

www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/proddocs/windows_security_differences.asp - Important differences between Windows NT 4.0 and Windows XP Professional

secinf.net/info/nt/wardoc.txt - "The Windows NT WARDOC: A Study in Remote NT Penetration"

www.sans.org/top20/#w3 - SANS/FBI Top 20 List, Windows Remote Access Services

Books:

"Hacking Exposed" or "Hacking Windows 2000 Exposed", Scambray & McClure, Chapter 4: Enumeration

Other Universities Descriptions of NetBIOS NULL Sessions:

www.cit.cornell.edu/computer/security/scanning/windows/nullsessions.html

rusecure.rutgers.edu/add_sec_meas/nullssn.php

security.uchicago.edu/windows/netbios/index.shtml

mit.edu/ist/topics/windows/server/winmitedu/security.html


Copyright 2002-2005

Authored by Paul Asadoorian, Brown University, June 17, 2002


Revision 1.0: November 14, 2002 – Added a significant amount of content.

Revision 1.1 January 3, 2003 – Updated for Windows XP Home Edition

Revision 1.3 August 16, 2005 – Updated for Windows 2003, MS05-039 worm, general clean-up and fixed all broken links.

[Feb 20, 2007] Possible way of fighting network worms that use exploits on ports 136-139

See: http://support.microsoft.com/support/kb/articles/Q204/2/79.ASP
NetBIOS-free SMB protocol on port 445 in Windows 2000-XP

Jay Ts jay at toltec.metran.cx
Wed Aug 29 21:52:52 GMT 2001

Chris Hertel wrote:
> Yes, we know.  Have known for over a year.
> I think it was Tridge who convinced Microsoft to use port 445. 

Cool.  So can I assume that it will be no problem to add support for it?
And are plans for such in process?

- Jay Ts

------------------------------------------
> > Hi,
> > 
> > Yesterday a friend forwarded to me this URL at Microsoft:
> > 
> > http://support.microsoft.com/support/kb/articles/Q204/2/79.ASP
> > 
> > It is about support in Windows 2000/XP for running SMB for
> > file and printer sharing over port 445, with no overhead of
> > NetBIOS.
> > 
> > The question of course is, are the Samba Team aware of this,
> > and can it be supported in future versions of Samba?
> > 
> > The webpage says it is possible to set up a Win 2000/XP network to
> > only use the new protocol, and shut out SMB/NetBIOS networking on
> > ports 137-139 entirely.
> > 
> > - Jay Ts

Basic Networking Windows to Linux Fedora by Mark Rais, Senior Editor ReallyLinux.com and author of "Linux for the Rest of Us" 2nd Edition.

(ReallyLinux.com) This article is for all of those readers asking for a very basic overview of networking Windows and Linux PCs. You may also benefit from my article: From Windows to Linux.

Can a Windows system and a Linux system talk together harmoniously? After all, there is a lot of work and personal data left on Windows PCs that many want to keep! So this question of networking the two systems is both reasonable and vital.

... ...

Therefore, basic Windows file sharing can be done with relative ease if your Linux flavor includes the Samba tools. Of course, it also requires a little work on the Windows PC since any good communication comes from two sides!

The goal then, regardless which Linux flavor you're using, is to:

  1. Ensure that Samba tools are included and available
  2. Configure the PC network cards and settings
  3. Configure the Windows PC to allow workgroup sharing
  4. Configure Samba tools to recognize the Windows PC

I include details for each of these steps in the article. Implementing the steps above is somewhat unique across every major flavor I've used. Some flavors will require you to select Samba tools at the very beginning of the installation process. Other flavors include the full Samba suite of tools as part of the package, ready to go. It depends so much on your flavor that I can't provide specific guidance without writing another fifty pages on the subject. I plan to release an in-depth SAMBA article here in the future.

However, what I can share with you now are steps needed to implement Samba using Fedora as a tutorial or guide. These steps are for making a basic Windows XP Home Edition available to Linux.

My assumption is that before you begin, you've already familiarized yourself with the Post-Installation Configuration article, and that you have the two PCs connected properly with a network hub and cables.

OSFaq.com: How to install a Linux File/Print Server on your Windows Network [with Samba]
(Oct 15, 2000, 16:00 UTC) (Posted by mhall)
"In this article, we will cover how to set up and configure a Linux File/Print Server on your Windows network."

Recommended Links

Sites

Samba (software) - Wikipedia, the free encyclopedia

Learn Linux, 302 (Mixed environments) Configure Samba -- a very good tutorial from IBM

Microsoft

NetBIOS - Wikipedia, the free encyclopedia

O'Reilly Samba Book, the second edition

SAMBA Developers Guide

SMB HOWTO

Samba-3 by Example Practical Exercises in Successful Samba Deployment

Index of -samba-docs-man

Jelmer Vernooij - Publications

SAMBA Web Pages



Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Last modified: December 25, 1998