2008/06/14

0x06. [LPIC-302] Working with CIFS, NetBIOS, and Active Directory

CIFS Integration
Candidates should be comfortable working with CIFS in a mixed environment

CIFS features and benefits
  • SMB/CIFS needs very little configuration to create a basic working system
  • Integrity and concurrency
  • Fault tolerance
  • Optimization for slow links
  • Security
  • Performance and scalability
  • Unicode
At least this is what Microsoft maintains.
In order to use remote CIFS shares from a Linux box you have, as always, a number of options. The first is smbclient, which lets you traverse the remote CIFS filesystem in the style of an FTP client.
# smbclient //sambasrv/pub
Password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28]
smb: \> dir
. D 0 Tue Jun 3 00:47:55 2008
.. D 0 Sat May 31 22:50:16 2008
manual.html A 112237 Thu Sep 6 06:18:20 2007
00ZIE 0 Sat May 31 22:56:40 2008

55125 blocks of size 2097152. 52360 blocks available
smb: \> mkdir directory
smb: \> dir
. D 0 Mon Jun 16 00:56:08 2008
.. D 0 Sat May 31 22:50:16 2008
directory D 0 Mon Jun 16 00:56:08 2008
manual.html A 112237 Thu Sep 6 06:18:20 2007
00ZIE 0 Sat May 31 22:56:40 2008

55125 blocks of size 2097152. 52360 blocks available
smb: \> get 00ZIE
getting file \00ZIE of size 0 as 00ZIE (0.0 kb/s) (average 0.0 kb/s)
smb: \>
and so on...

The second option is smbmount (which is exactly the same as mount -t smbfs; at this stage we know that both are deprecated and you should use mount -t cifs instead). In other words, you can also mount remote CIFS filesystems locally.

# export PASSWD=qweasdzxc
# mount -t cifs -o user=oozie //ip.add.re.ss/pub /mnt/
# ls /mnt/
00ZIE directory manual.html
#
Following this, a line in /etc/fstab that says:
# /etc/fstab
# [...]
//ip.add.re.ss/pub /mnt cifs credentials=/etc/secret 0 0
# [...]
...will mount the share at startup! (The credentials file holds username= and password= lines in clear text, so keep it readable by root only.)

NetBIOS and WINS
Candidates should be familiar with NetBIOS/WINS concepts and understand network browsing

NetBIOS - An API that allows client computers on the same network to communicate. It also lays out guidelines for computer names and their behaviour on a local network. NetBIOS names are registered at system startup.

WINS - the Microsoft implementation of the NetBIOS Name Service (NBNS). A WINS server provides name lookups on Windows networks.

On a network without a WINS server, NetBIOS name registration is performed by UDP broadcast.

Local Master Browser - every NetBIOS-enabled machine on a common broadcast domain (subnet) is a potential LMB. It is 'local' because name registration is done with UDP broadcasts, which do not cross subnet boundaries. A local master browser is elected based on stability criteria, like uptime. A PDC typically acts as an LMB, but in addition to that it can become a Domain Master Browser. Samba can be configured to be a local master with "local master = yes".

Domain Master Browser - this is typically a role of the PDC, which collects browse lists from the Local Masters and merges them into a domain-wide list. It also connects to its primary WINS server to collect the DomainName <1b> entries reported by different PDCs.
Samba can be configured to be a domain master with "domain master = yes" in smb.conf.

Elections - a server becomes a DMB through an election. The procedure is detailed in a KB article from Microsoft.

The method MS Windows uses to perform name lookup requests (name resolution) is determined by a configuration parameter called the NetBIOS node type. There are four basic NetBIOS node types:
  • b-node (type 0x01): The Windows client will use only NetBIOS broadcast requests using UDP broadcast.

  • p-node (type 0x02): The Windows client will use point-to-point (NetBIOS unicast) requests using UDP unicast directed to a WINS server.

  • m-node (type 0x04): The Windows client will first use NetBIOS broadcast requests using UDP broadcast, then it will use (NetBIOS unicast) requests using UDP unicast directed to a WINS server.

  • h-node (type 0x08): The Windows client will use (NetBIOS unicast) requests using UDP unicast directed to a WINS server, then it will use NetBIOS broadcast requests using UDP broadcast.


Samba as a WINS server
Configuring Samba to be a WINS server is fortunately very easy. It requires only two parameters added to the [global] section:
wins support = yes
name resolve order = wins lmhosts hosts bcast
where hosts denotes the generic way Unix goes about DNS resolution according to /etc/nsswitch.conf. Samba will try to resolve names in the order given by the second parameter: in this case it will look in WINS first, then in the lmhosts file, then perform a DNS lookup, and finally try to resolve the name by broadcast.

WINS replication is a process of copying updated resolution data from one server to another. Refer here for a full explanation from Microsoft. It is not supported by Samba 3.

Samba Tools
  • smbtree - gathers information about the domains/workgroups available on the network and prints them out in a form of a tree.
  • findsmb - a perl script that collects information about machines on a subnet that respond to SMB queries
  • smbclient - a powerful tool to list and browse resources on SMB clients
lmhosts file - in its structure very similar to /etc/hosts, this file maps IP addresses to NetBIOS names.
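Both the Windows node types above and Samba's "name resolve order" boil down to the same thing: an ordered list of sources, tried until one answers. As an added example that is not part of the original post, here is a small Python simulator of that ordered lookup, together with a parser for the lmhosts format just described. The lmhosts text, the WINS/hosts/broadcast tables and the 192.0.2.x addresses are constructed sample data, and the names parse_lmhosts, resolve, samba_order and NODE_TYPE_ORDER are my own.

```python
"""
Added example (not from the original post): simulate the ordered lookup that
Samba's "name resolve order" and the four Windows NetBIOS node types describe.
The lmhosts text and every address table below are constructed sample data;
the function names are my own.
"""
from typing import Dict, List, Optional, Tuple

# Windows node types, keyed by the value used in DHCP option 46 / the NodeType
# registry value, mapped to the order in which the client tries its sources.
NODE_TYPE_ORDER: Dict[int, List[str]] = {
    0x01: ["bcast"],           # b-node: UDP broadcast only
    0x02: ["wins"],            # p-node: unicast to the WINS server only
    0x04: ["bcast", "wins"],   # m-node: broadcast first, then WINS
    0x08: ["wins", "bcast"],   # h-node: WINS first, then broadcast
}


def parse_lmhosts(text: str) -> Dict[str, str]:
    """Parse lmhosts (IP address, NetBIOS name, optional keywords) into
    {NAME: ip}. NetBIOS names are case-insensitive and at most 15 characters;
    Samba also accepts NAME#TYPE, which is validated here but resolved by name."""
    table: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"lmhosts line {lineno}: expected 'IP NAME'")
        ip, name = fields[0], fields[1]
        if "#" in name:                   # NAME#1B style type suffix
            name, type_hex = name.split("#", 1)
            int(type_hex, 16)             # raises ValueError if not hex
        name = name.upper()
        if not name or len(name) > 15:
            raise ValueError(f"lmhosts line {lineno}: bad NetBIOS name {name!r}")
        table[name] = ip                  # trailing #PRE / #DOM:... are ignored
    return table


def resolve(name: str, order: List[str],
            sources: Dict[str, Dict[str, str]]) -> Tuple[Optional[str], Optional[str]]:
    """Try each source in `order`; return (ip, source) for the first answer,
    or (None, None) if every source in the list stays silent."""
    name = name.upper()
    for source in order:
        if source not in sources:
            raise ValueError(f"unknown name resolution source {source!r}")
        ip = sources[source].get(name)
        if ip is not None:
            return ip, source
    return None, None


def samba_order(name_resolve_order: str) -> List[str]:
    """Turn the smb.conf value, e.g. 'wins lmhosts hosts bcast', into a list."""
    return name_resolve_order.split()


# --- constructed sample data (documentation addresses from 192.0.2.0/24) ---
SAMPLE_LMHOSTS = """\
# constructed lmhosts for the example
192.0.2.10   DC1       #PRE #DOM:CORP
192.0.2.11   FILESRV
192.0.2.12   CORP#1B
"""

SOURCES: Dict[str, Dict[str, str]] = {
    "wins":    {"DC1": "192.0.2.10", "PRINTSRV": "192.0.2.20"},
    "lmhosts": parse_lmhosts(SAMPLE_LMHOSTS),
    "hosts":   {"FILESRV": "192.0.2.111"},   # stale DNS entry, on purpose
    "bcast":   {"LAPTOP7": "192.0.2.50"},    # only answers on the local subnet
}

if __name__ == "__main__":
    samba = samba_order("wins lmhosts hosts bcast")
    print("Samba  filesrv ->", resolve("filesrv", samba, SOURCES))
    print("Samba  laptop7 ->", resolve("laptop7", samba, SOURCES))
    for node_type, order in NODE_TYPE_ORDER.items():
        print(f"node 0x{node_type:02x} laptop7 ->", resolve("laptop7", order, SOURCES))
```

Run it and you see why the order matters: with "wins lmhosts hosts bcast" the stale DNS entry for FILESRV is never consulted because lmhosts answers first, and a p-node client never finds LAPTOP7 at all because it is only reachable by broadcast.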

Integrating with Active Directory
Candidates should be able to integrate Linux servers into an environment where Active Directory is present

Getting a Linux machine on the domain.
You need to tweak two files: smb.conf, as always, to set "security = ads", and krb5.conf.
Edit your /etc/krb5.conf file and add your realm there. Mine looks like this:
--- krb5.conf ---
[realms]
AD.CORP.COM = {
kdc = dc1.corp.com
}

[libdefaults]
default_realm = AD.CORP.COM
forwardable = true

[domain_realm]
corp.com = AD.CORP.COM

[appdefaults]
ticket_lifetime = 90000
renew_lifetime = 608400
max_renewable_life = 608400

# [...]
--- krb5.conf ---
Then perform the following to get a valid krb5 ticket from the domain controller:
$ kinit oozie@AD.CORP.COM
Password for oozie@AD.CORP.COM:
$
Now, in order to join your machine to the domain, do:
$ sudo net ads join
Joined 'HOSTNAME' to realm 'AD.CORP.COM'
$ sudo net ads testjoin
Join is OK
You need to perform this as root or via sudo, because secrets.tdb has to be accessible.
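Most failed kinit or net ads join attempts I have seen come down to an inconsistent krb5.conf: a default_realm with no [realms] entry, a realm in lower case, or a domain_realm mapping pointing at a realm that is not defined. As an added example that is not part of the original post, here is a Python checker for exactly those points. GOOD_CONF is the krb5.conf shown above; BAD_CONF is a constructed broken variant, and parse_krb5_conf and check_krb5_conf are names I chose.

```python
"""
Added example (not from the original post): parse a krb5.conf like the one
above and flag the inconsistencies that usually make kinit or net ads join
fail, before you get to run them. GOOD_CONF is the post's own krb5.conf;
BAD_CONF is a constructed broken variant. Function names are my own.
"""
from typing import Dict, List


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf reader: [section] headers, key = value lines (a key
    repeated, like several kdc lines, collects a list) and the REALM = { ... }
    sub-blocks used by [realms]. Comments start with # or ;."""
    sections: Dict[str, dict] = {}
    stack: List[dict] = []           # innermost open block is stack[-1]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw
        for marker in ("#", ";"):    # strip trailing or full-line comments
            line = line.split(marker, 1)[0]
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if len(stack) > 1:
                raise ValueError(f"line {lineno}: '{{' block not closed before new section")
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: entry outside any [section]")
        if line == "}":
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":             # start of a REALM = { ... } block
            block: dict = {}
            stack[-1][key] = block
            stack.append(block)
        else:                        # leaf value; repeated keys accumulate
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' block at end of file")
    return sections


def check_krb5_conf(sections: Dict[str, dict]) -> List[str]:
    """Return a list of problems; an empty list means the file is consistent."""
    problems: List[str] = []
    realms = sections.get("realms", {})
    default = sections.get("libdefaults", {}).get("default_realm")
    if not default:
        problems.append("[libdefaults] sets no default_realm")
    elif default[-1] not in realms:
        problems.append(f"default_realm {default[-1]} has no entry in [realms]")
    for realm, body in realms.items():
        if realm != realm.upper():
            problems.append(f"realm {realm} is not upper-case (realm names are case-sensitive)")
        if not isinstance(body, dict) or not body.get("kdc"):
            problems.append(f"realm {realm} lists no kdc (would need dns_lookup_kdc = true instead)")
    for domain, target in sections.get("domain_realm", {}).items():
        realm = target[-1] if isinstance(target, list) else "?"
        if realm not in realms:
            problems.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    return problems


# The post's own krb5.conf, as shown above.
GOOD_CONF = """\
[realms]
AD.CORP.COM = {
kdc = dc1.corp.com
}

[libdefaults]
default_realm = AD.CORP.COM
forwardable = true

[domain_realm]
corp.com = AD.CORP.COM

[appdefaults]
ticket_lifetime = 90000
renew_lifetime = 608400
max_renewable_life = 608400
# [...]
"""

# Constructed broken variant: lower-case realm, no kdc, dangling domain_realm.
BAD_CONF = """\
[libdefaults]
default_realm = ad.corp.com

[realms]
ad.corp.com = {
  admin_server = dc1.corp.com
}

[domain_realm]
.corp.com = AD.CORP.COM
"""

if __name__ == "__main__":
    for label, conf in (("post's krb5.conf", GOOD_CONF), ("broken variant", BAD_CONF)):
        problems = check_krb5_conf(parse_krb5_conf(conf))
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Point it at /etc/krb5.conf (read the file into a string and pass it to parse_krb5_conf) before running kinit; an empty problem list does not guarantee the KDC is reachable, but a non-empty one tells you what to fix first.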

Groups and Users
Once you are authenticated and on the domain you can manage users and groups.
# GROUPS
$ net ads group

$

# USERS
$ net ads user
[list of users follows]
$ net ads user info oozie
[groups that oozie is a member of follow]
$ net ads user delete username
[removes user from AD]
$ net ads user add username
[adds username to AD]
$ net ads user rename user
[renames a user]

# HOST
$ net ads status
[shows info about your workstation]

# PRINTERS
$ net ads printer search
[dumps info about all the printers in AD]
$ net ads printer info printerName serverName
[info about a particular printer]
$
/*** Work in progress
  • Knowledge of the DNS requirements for Active Directory
  • DNS
  • LDAP
  • smbcalcs
***/

Working with Windows Clients / know your enemy
Candidates should be able to interact with remote Windows clients, and configure Windows workstations to access file and print services from Linux servers

net.exe
Windows' NET command helps you manage all kinds of network resources.

net view - browses and lists NetBIOS enabled computers.
net view \\workstation - shows browsable shares available on a workstation
net time \\workstation - returns the time on a remote computer.
net use [drive letter] [\\server\share] - maps a share to a virtual drive.
net use /delete [drive letter] - disconnects from a share

rdesktop
rdesktop is an open-source RDP client.

References:
http://www.meteck.org/cifs.htm
http://www.samba.org/
http://en.wikipedia.org/wiki/Windows_Internet_Name_Service
http://support.microsoft.com/kb/188001

1 comment:

Anonymous said...

I want to quote your post in my blog. Can I?
And do you have an account on Twitter?