Notes for Week 13

  1. First, a picture, and some names and acronyms:
  2. Client can send SMBs to:

  3. Access rights (part of ACE) include

    There are many others.

    Samba does not grant more access than the UNIX host allows through permissions.

    UNIX "other" permissions map into the NT group EVERYONE.

  4. NetBIOS Names

  5. To enable printer sharing with CUPS, it would be necessary to
    ln -sf /usr/bin/smbspool /usr/lib/cups/backend/smb
  6. EXERCISES for Week 13:

    1. Add firewall rules to permit both TCP and UDP access to ports 137-139 and 445. (Strictly, only the NetBIOS name and datagram services use UDP, on 137 and 138; the NetBIOS session service uses TCP 139 and SMB over TCP uses 445. Opening both protocols on all four ports is a convenience for this exercise.) Examine the tail of the system log file for samba-related entries.
    2. Add a user test by executing useradd test && smbpasswd -a test. The test user's Samba password should also be "test". Do not give the test user a UNIX password (this is a lab-only credential; remove the account when the exercise is done).
    3. Test samba by executing smbclient -U test -L your-IP-address, both from your PC and from another.
    4. Typical SMB Protocol Sequences (this assumes the client is 9x, but the general pattern is the same for later versions of Windows):

      1. On startup, clients register their NetBIOS names & IP addresses with the WINS server (unicast to UDP port 137).
      2. If there is no WINS server, all NetBIOS name resolution is done by UDP broadcast (which isolates name resolution to the local sub-net).
      3. Workgroup computers hold an election every 11-15 minutes to determine who is LMB (Local Master Browser) - it keeps a list of available services for browsing by other computers; election criteria include operating system and browser protocol version, server role, and longest uptime, with the NetBIOS name as the tiebreaker; the LMB provides the list that appears when you open Network Neighborhood.
      4. Hosts announce their NetBIOS names periodically.
      5. LMB locates its DMB (Domain Master Browser) using WINS to provide domain-wide browse lists; propagation of changes can take more than an hour for remote subnets.
      6. Client requests a list of the PDC / BDCs (primary / backup domain controllers) - sends a netlogon SMB to each of them; the first to reply is the one used.
      7. Client sends negprot SMB to negotiate protocol variants with server (what client understands).
      8. Client sends sesssetupX SMB to logon and receive UID.
      9. Client sends tcon or tconX SMB to specify share it wants to connect to, and to receive TID.
      10. Client issues NetWkstaUserLogon to get name of logon script.
      11. Client connects to NetLogon share to retrieve logon script (and then disconnects).
      12. Client sends NetUserGetInfo to find home share name.
      13. Client connects to home share and gets profiles (and then disconnects).
      14. Client reconnects to NetLogon to get policies.
      15. Windows clients drop network mappings that have been idle for 10 minutes or longer; connections are reestablished using cached passwords.
      Protocol usage varies with dialect (i.e., Windows version). From XP onward the 9x-style cached passwords (.pwl files) are no longer used.
      Use wireshark to observe packets as Windows is booted on your partner's PC. How much traffic occurs on the SMB ports?
      Some advice on using wireshark:

      • Add yourself to the wireshark group. This will not appear to take effect until the next time you login; until then, you can issue the command newgrp wireshark to start a new shell as a member of the group. Be sure to exit when you are done.
      • Change the web browser command in "Edit/Preferences" from "mozilla %s" to seamonkey %s.
      • To start a capture, under "Capture/Options", check an interface and push the Start button.
      • To only capture SMB packets, use the capture filter port 137 or 138 or 139 or 445. (A capture filter discards everything else before it is saved; to hide rather than discard, use a display filter such as nbns || smb || smb2 after capturing.)
      • To capture those ports on only one host, prepend host ip-address and to that filter and enclose the port part in parentheses: host ip-address and (port 137 or 138 or 139 or 445).
      • Push the red button to stop capturing.
      • Click on a packet in the top frame to examine it.
      • Click on a right-pointing triangle in the middle frame to display details.
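      The first thing Wireshark will show on UDP port 137 during the boot sequence above is NetBIOS Name Service traffic: the registrations of step 1, and the broadcast (or WINS-directed) name queries of step 2 that precede every session setup. The following Python program is an added example, not part of the original notes or of Samba; it builds a NAME QUERY REQUEST, constructs the POSITIVE NAME QUERY RESPONSE a server would return, and parses it, using the RFC 1001/1002 message formats. The server name SAMBASRV, the transaction id and the address 192.0.2.10 are made-up sample values; no packets are sent.

```python
"""NetBIOS Name Service (UDP/137) messages, built and parsed offline.

Added example for the course notes; not Samba code.  Formats follow
RFC 1001 section 14 (name encoding) and RFC 1002 section 4.2 (packets).
"""
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020            # NB record: NetBIOS name -> IP address(es)
QCLASS_IN = 0x0001
QUERY_FLAGS_BROADCAST = 0x0110   # OPCODE=query, NM_FLAGS RD|B, RCODE=0
QUERY_FLAGS_UNICAST = 0x0100     # same, B bit clear (sent to a WINS server)
RESPONSE_FLAGS = 0x8580          # R|AA|RD|RA, RCODE=0 (assumed typical)

# Well-known 16th-byte suffixes Wireshark prints as <xx> after the name.
SUFFIXES = {0x00: "workstation", 0x20: "server service",
            0x1B: "domain master browser", 0x1D: "local master browser",
            0x1E: "browser election"}


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: pad the name to 15 bytes, append the suffix,
    then write each byte as two nibbles mapped onto 'A'..'P'.  Returns the
    32-character label with its length byte and the empty (root) scope."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    pad = b"\x00" if raw == b"*" else b" "   # wildcard is NUL-padded
    raw = raw.ljust(15, pad) + bytes([suffix & 0xFF])
    label = bytearray()
    for b in raw:
        label.append(ord("A") + (b >> 4))
        label.append(ord("A") + (b & 0x0F))
    return bytes([32]) + bytes(label) + b"\x00"


def decode_netbios_name(encoded: bytes) -> tuple:
    """Inverse of encode_netbios_name: (name, suffix, bytes_consumed)."""
    if encoded[0] != 32:
        raise ValueError("expected a 32-byte NetBIOS label")
    label = encoded[1:33]
    raw = bytes(((label[i] - ord("A")) << 4) | (label[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    pos = 33
    while encoded[pos] != 0:          # skip scope labels, if any
        pos += 1 + encoded[pos]
    pos += 1
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15], pos


def build_name_query(trn_id: int, name: str, suffix: int = 0x00,
                     broadcast: bool = True) -> bytes:
    """Client side: 12-byte header, one question, no answers."""
    flags = QUERY_FLAGS_BROADCAST if broadcast else QUERY_FLAGS_UNICAST
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack(
        "!HH", QTYPE_NB, QCLASS_IN)


def build_positive_response(trn_id: int, name: str, suffix: int, ips: list,
                            ttl: int = 300000, group: bool = False) -> bytes:
    """Server side (constructed): one NB resource record, one 6-byte
    NB_FLAGS + address entry per IP.  0x8000 in NB_FLAGS is the group bit."""
    header = struct.pack("!HHHHHH", trn_id, RESPONSE_FLAGS, 0, 1, 0, 0)
    nb_flags = 0x8000 if group else 0x0000
    rdata = b"".join(struct.pack("!H", nb_flags)
                     + bytes(int(o) for o in ip.split(".")) for ip in ips)
    rr = (encode_netbios_name(name, suffix)
          + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata)) + rdata)
    return header + rr


def parse_name_response(pkt: bytes) -> dict:
    """Parse a NAME QUERY RESPONSE.  A non-zero rcode (e.g. 3, NAM_ERR) with
    no answers is the negative response seen when nobody owns the name."""
    trn_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (R bit clear)")
    result = {"trn_id": trn_id, "rcode": flags & 0x000F, "answers": []}
    pos = 12
    for _ in range(an):
        name, suffix, used = decode_netbios_name(pkt[pos:])
        pos += used
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        rdata, pos = pkt[pos:pos + rdlen], pos + rdlen
        if rtype != QTYPE_NB:
            continue
        for off in range(0, rdlen, 6):
            nb_flags = struct.unpack("!H", rdata[off:off + 2])[0]
            result["answers"].append({
                "name": name, "suffix": suffix,
                "service": SUFFIXES.get(suffix, "other"),
                "group": bool(nb_flags & 0x8000), "ttl": ttl,
                "ip": ".".join(str(b) for b in rdata[off + 2:off + 6])})
    return result


def demo() -> dict:
    """Sample exchange: query for SAMBASRV<20>, answered with 192.0.2.10."""
    query = build_name_query(0x1234, "SAMBASRV", 0x20)
    assert len(query) == 50
    response = build_positive_response(0x1234, "SAMBASRV", 0x20, ["192.0.2.10"])
    return parse_name_response(response)


if __name__ == "__main__":
    print(demo())
```

      With the broadcast bit set, the query goes to the subnet broadcast address and only the name's owner answers (step 2); with it clear, the same packet is sent unicast to the WINS server, which answers from its database. Wireshark decodes the 32-letter label back to the name and suffix for you, so a captured query appears as "Name query NB SAMBASRV<20>".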


©2015, Kenneth R. Koehler. All Rights Reserved. This document may be freely reproduced provided that this copyright notice is included.

Please send comments or suggestions to the author.