SMB/CIFS and Samba

SMB, dating back to documents published in 1985 by IBM and later expanded by Microsoft and Intel, is a general-purpose system for sharing all kinds of system resources over a local network. Such resources include files, printers, serial ports, and software abstractions such as named pipes. It is a protocol that operates in a client/server fashion, even though Windows file sharing on the surface appears to be a peer-to-peer structure. SMB is a fundamental part of many operating systems, including MS-DOS, Windows, OS/2, and Linux, although the primary use of SMB today is in Windows, where it is promulgated by Microsoft.

SMB and CIFS commands can be sent over network protocols such as IPX, NetBEUI, Banyan VINES, and DECnet. These protocols operate at the "network" level of the stack, the same level as IP (as you saw in Chapter 22, "Principles of TCP/IP Networking"), so SMB is not limited to TCP/IP transport. However, the most commonly used transport for SMB is NetBIOS (Network Basic Input/Output System, described in RFCs 1001 and 1002) traveling over IP, with both TCP and UDP components: the NetBIOS name service and datagram service use UDP ports 137 and 138, and the session service that carries the actual SMB traffic uses TCP port 139. This is the protocol used in Windows file sharing. Windows 2000 and later can also carry SMB directly over TCP port 445 without the NetBIOS layer, so a firewall rule that is meant to block Windows file sharing has to cover all four ports.

Browsing

An advantage that SMB has over protocols such as NFS is that it supports automatic server discovery, or browsing. In Windows, if you open the Network Neighborhood or My Network Places window, it displays the names of all the available SMB servers on the local network. This list is built dynamically: each machine periodically broadcasts an announcement of its own presence, and the "master browser" (a computer elected to hold the definitive list of local and remote SMB hosts) collects those announcements into the "browse list," which the other machines on the network then retrieve from it. None of this is authenticated. Any host on the LAN can announce itself under whatever name it likes, or win the master browser election, so the browse list tells you what is on the network but says nothing about whether it can be trusted.

The name of each machine, as it appears in the network browser window (as shown in Figure 34.1), is its NetBIOS name, which Windows allows to be up to 15 characters long. Although Windows makes you type a NetBIOS name in uppercase, it shows up in the network browser window with only the first letter capitalized. Under other operating systems (such as FreeBSD), the NetBIOS name defaults to the machine's hostname, truncated to 15 characters if necessary, unless you set one explicitly with the netbios name parameter in smb.conf.

Figure 34.1. The Windows network browser window, showing a FreeBSD machine running Samba.


NetBIOS names are resolved by their own name service, somewhat like DNS names, except that a NetBIOS name identifies a particular service on a machine (the 16th byte of the name records the service type) rather than just an address, and because NetBIOS isn't restricted to IP the mapping need not end at an IP address. In Samba this name service is a separate daemon (nmbd) from the actual SMB data server (smbd).
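As an added example (not code from the book), here is the NetBIOS name encoding and the name query exchange just described, following RFCs 1001 and 1002: the 15-character, space-padded name plus its 16th service byte, the broadcast (or unicast, WINS-style) NAME QUERY REQUEST, and a parser for the positive response. The transaction ID, the example name FREEBSD and the address 192.168.1.5 are constructed values; query_over_udp() is the only part that touches the network, and nothing calls it unless you do.

```python
"""NetBIOS name encoding and NBNS (WINS-style) name queries, after RFC 1001/1002.
Added example, not code from the book. Packets are built and parsed offline;
only query_over_udp() touches the network, and nothing calls it by default."""
import socket
import struct

# Well-known 16th-byte suffixes: the service a NetBIOS name is registered for.
SUFFIX_WORKSTATION = 0x00
SUFFIX_FILE_SERVER = 0x20       # the <20> name an SMB client looks up
SUFFIX_MASTER_BROWSER = 0x1D
SUFFIX_DOMAIN_MASTER = 0x1B
NB_TYPE = 0x0020                # NBNS resource type NB
NB_CLASS = 0x0001               # class IN
NBNS_PORT = 137

def encode_netbios_name(name, suffix=SUFFIX_FILE_SERVER):
    """First-level encoding: 15 space-padded uppercase bytes plus the suffix byte,
    each nibble written as a letter 'A'..'P'. Returns the 32-byte form."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:               # Samba truncates long hostnames; a tool should refuse
        raise ValueError("NetBIOS names are at most 15 characters")
    if raw == b"*":                 # node-status wildcard is NUL-padded, no suffix
        raw = raw.ljust(16, b"\x00")
    else:
        raw = raw.ljust(15, b" ") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name(); returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]

def wire_name(name, suffix=SUFFIX_FILE_SERVER):
    """Second-level encoding: one 32-byte DNS-style label plus an empty scope."""
    return bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"

def build_name_query(name, suffix=SUFFIX_FILE_SERVER, trn_id=0x1234, broadcast=True):
    """NAME QUERY REQUEST (RFC 1002 4.2.12): RD set, plus B when broadcast."""
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)   # QDCOUNT = 1
    return header + wire_name(name, suffix) + struct.pack("!HH", NB_TYPE, NB_CLASS)

def build_positive_response(trn_id, name, suffix, ip, ttl=300000, node_type=0):
    """POSITIVE NAME QUERY RESPONSE, constructed here to exercise the parser offline."""
    header = struct.pack("!HHHHHH", trn_id, 0x8580, 0, 1, 0, 0)  # R, AA, RD, RA; ANCOUNT = 1
    rdata = struct.pack("!H", (node_type & 0x3) << 13) + bytes(int(o) for o in ip.split("."))
    rr = wire_name(name, suffix) + struct.pack("!HHIH", NB_TYPE, NB_CLASS, ttl, len(rdata))
    return header + rr + rdata

def parse_name_query_response(pkt):
    """Return trn_id, rcode and the address entries of the first answer RR."""
    trn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    result = {"trn_id": trn_id, "rcode": flags & 0x000F, "addresses": []}
    if result["rcode"] != 0 or an == 0:
        return result                              # negative response carries no RDATA
    off = 12 + qd * 38                             # skip any echoed question entries
    if pkt[off] != 32:
        raise ValueError("unexpected label length; compressed names not handled")
    result["name"], result["suffix"] = decode_netbios_name(pkt[off + 1:off + 33])
    off += 34
    rr_type, _cls, result["ttl"], rdlength = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rr_type != NB_TYPE:
        raise ValueError("unexpected RR type 0x%04x" % rr_type)
    for i in range(off, off + rdlength, 6):       # NB_FLAGS (2) + NB_ADDRESS (4) per entry
        nb_flags = struct.unpack("!H", pkt[i:i + 2])[0]
        result["addresses"].append({
            "ip": ".".join(str(b) for b in pkt[i + 2:i + 6]),
            "group": bool(nb_flags & 0x8000),     # G bit: group name
            "node_type": (nb_flags >> 13) & 0x3,  # ONT: 0 = B, 1 = P, 2 = M
        })
    return result

def query_over_udp(name, dest, broadcast=False, suffix=SUFFIX_FILE_SERVER, timeout=2.0):
    """Send one query to a WINS server (unicast) or the LAN broadcast address; parse the reply."""
    pkt = build_name_query(name, suffix, broadcast=broadcast)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(pkt, (dest, NBNS_PORT))
        data, _peer = s.recvfrom(576)
    return parse_name_query_response(data)

if __name__ == "__main__":
    query = build_name_query("FREEBSD")
    print(len(query), "byte query for", decode_netbios_name(query[13:45]))
    print(parse_name_query_response(build_positive_response(0x1234, "FREEBSD", 0x20, "192.168.1.5")))
```

A node-status request for the wildcard name * (the familiar CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) uses the same encoding with the NBSTAT type (0x0021) in place of NB; the encoder already handles the wildcard's NUL padding. Because the name service is unauthenticated UDP, anything a query returns should be treated as a hint to be verified, not as proof of who owns a name.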

One drawback to NetBIOS is that it operates only on a LAN: name resolution and browsing are broadcast-based, and routers don't forward broadcasts. The Windows Internet Name Service (WINS) mitigates this by providing a central NetBIOS name server that machines register with and query directly, thus linking Windows sharing zones on different networks; Samba can act as either a WINS server or a WINS client. A VPN can also give you access to Windows shares over the Internet, though high-latency WAN links can make this kind of traffic all but unusable without acceleration technologies deployed at the network level. Exposing the NetBIOS and SMB ports themselves to the Internet is not an alternative worth considering: filter them at the border and let them be reached only from the LAN or through the VPN.

Security, Workgroups, and Domains

Access to SMB shares is controlled at several levels. At the topmost level, the server as a whole can refuse connections based on the client's IP address, or require password authentication, before a client can see any of the file server's contents. Beneath that, each individual share (a directory, printer, or other resource) has its own access permissions and can carry its own host and password restrictions as well. Finally, within a share, individual files are subject to access permissions based on the authenticated user (on a Samba server, the Unix user that the SMB login maps to) who has gained access to the share.

User authentication with passwords can be handled in a distributed way (by each individual sharing host) or in a centralized way (by a central network logon server). This is the difference between "workgroups" and "domains" in Windows. A workgroup is a collection of machines that agree to appear in one another's network browser windows, each handling its own authentication and security individually. A domain is a group of machines whose security duties are handled by a central server (the domain controller) to which all member machines must be joined.

Samba can restrict access at all these levels, and it can also act as a "master browser" (in a workgroup) or as a domain controller (the central logon authority in a domain environment). You will see how this is done shortly. Furthermore, newer versions of Samba are intended to serve as a replacement for a Microsoft Active Directory domain controller; instructions for how this is accomplished can be found at the Samba website, though that level of detail is beyond the scope of this chapter.
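To make the three levels concrete, the following is an added example (neither the book's code nor Samba's) that evaluates a client's access in the order Samba's own checks proceed: the global hosts allow/hosts deny lists at connection time, the share's own host lists and valid users at tree connect, then the read only and write list settings. It parses two constructed smb.conf fragments, one with the weak settings a reviewer would flag and one corrected. The IP addresses, user names and the GROUPS table standing in for /etc/group are assumptions, and host patterns are limited to IP addresses, networks and trailing-dot prefixes (hostnames and EXCEPT clauses are not handled).

```python
"""Samba's layered access checks (server, share, user) evaluated against smb.conf.
Added example, not Samba's code. Host lists are assumed to hold only IP addresses,
networks or trailing-dot prefixes (no hostnames, EXCEPT or include), and GROUPS
stands in for the Unix group database."""
import configparser
import ipaddress

WEAK_CONF = """\
[global]
   security = share   ; obsolete share-level passwords: no per-user accountability
[public]
   path = /export/public
   guest ok = yes
   writable = yes
"""
HARDENED_CONF = """\
[global]
   security = user
   hosts allow = 192.168.1.0/24 10.0.0.
   hosts deny = 0.0.0.0/0
[projects]
   path = /export/projects
   valid users = @staff
   read only = yes
   write list = alice
[payroll]
   path = /export/payroll
   hosts allow = 192.168.1.10
   valid users = bob
   read only = no
"""
GROUPS = {"staff": {"alice", "carol"}}   # stand-in for /etc/group

def parse_smb_conf(text):
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";", "#"))
    cp.optionxform = lambda s: "".join(s.lower().split())  # Samba ignores case/spaces in names
    cp.read_string(text)
    return cp

def param(conf, share, name, default=None):
    """A share's own setting, else the [global] default, else `default`."""
    hits = [s for s in (share, "global") if s and conf.has_option(s, name)]
    return conf.get(hits[0], name) if hits else default

def _matches(host, pattern):
    """Samba host pattern: exact IP, network/mask, or trailing-dot prefix."""
    if pattern.endswith("."):
        return str(host).startswith(pattern)
    try:
        return host in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False                              # hostname pattern: not resolved here

def host_allowed(conf, share, ip):
    """Samba's allow_access(): a hit in hosts allow wins, then hosts deny, else allowed."""
    host = ipaddress.ip_address(ip)
    allow = (param(conf, share, "hosts allow") or "").split()
    deny = (param(conf, share, "hosts deny") or "").split()
    if any(_matches(host, p) for p in allow):
        return True
    if allow and not deny:                        # allow list alone: strict allowlist
        return False
    return not any(_matches(host, p) for p in deny)

def _in_list(user, entries):
    """'@g', '+g' and '&g' name a group; anything else is a user name."""
    return any(user in GROUPS.get(e[1:], set()) if e[:1] in "@+&" else e == user for e in entries)

def _yes(value, default):
    return default if value is None else value.strip().lower() in ("yes", "true", "1")

def share_access(conf, share, ip, user=None):
    """'denied', 'read' or 'write' for a client at ip logged in as user (None = guest)."""
    if not conf.has_section(share):
        return "denied"
    if not host_allowed(conf, None, ip) or not host_allowed(conf, share, ip):
        return "denied"                           # server level first, then the share's own lists
    if user is None:                              # guest access must be opted into per share
        if not _yes(param(conf, share, "guest ok"), False):
            return "denied"
        user = param(conf, share, "guest account", "nobody")
    valid = (param(conf, share, "valid users") or "").split()
    if valid and not _in_list(user, valid):
        return "denied"
    read_only = _yes(param(conf, share, "read only"), True)   # Samba's default is read only
    if param(conf, share, "writable") is not None:           # inverse spelling of read only
        read_only = not _yes(param(conf, share, "writable"), False)
    if _in_list(user, (param(conf, share, "write list") or "").split()):
        return "write"
    return "read" if read_only else "write"

def audit(conf):
    """Findings a reviewer would raise on this smb.conf (empty list = nothing flagged)."""
    findings = []
    if param(conf, None, "security", "user").lower() == "share":
        findings.append("security = share: obsolete share-level passwords")
    if not param(conf, None, "hosts allow"):
        findings.append("no global hosts allow: any host reaching port 139/445 may connect")
    for share in (s for s in conf.sections() if s != "global"):
        if share_access(conf, share, "203.0.113.7") == "write":
            findings.append(f"[{share}]: anonymous write access from arbitrary hosts")
    return findings
```

Run audit() on a parsed configuration to list the findings: on WEAK_CONF it flags security = share (dropped outright in later Samba releases), the absence of any global hosts allow, and a share that any host on the Internet could write to anonymously, while HARDENED_CONF produces none. The deny-everything-then-allowlist pattern (hosts deny = 0.0.0.0/0 together with an explicit hosts allow) is the one to copy, and testparm(1) will check the real file before you reload smbd.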

File and Print Sharing with Macintosh Clients Using Appletalk

Macintosh client systems present a different kind of challenge to the file server administrator. Modern Mac OS X systems can access NFS, SMB/CIFS, AppleShare/IP, or AppleTalk shares, but legacy Mac OS machines are restricted to AppleTalk. Even the most modern Macs, understandably, are happiest using their own native protocols; a Mac using Windows-style file sharing tends to leave resource-fork and desktop "meta-files" scattered over the server wherever the Mac has browsed. For this reason, you might consider adding support for AppleTalk shares to your FreeBSD machine.

The software package that provides AppleTalk functionality to UNIX platforms, netatalk, is available as a FreeBSD port or package. To install AppleTalk support, build netatalk from the ports at /usr/ports/net/netatalk. You'll also have to enable the NETATALK option (options NETATALK) in your kernel configuration. See Chapter 18, "Kernel Configuration," for information on building a custom kernel.

The netatalk port installs a number of configuration files (one for each necessary daemon) along with .dist (distribution) reference copies of each. The daemons work as installed, in their default configuration; edit the individual config files to tweak their behavior. Every Macintosh on the network will then see the machine in its AppleShare zone in the Chooser (or in the Network volume in the Mac OS X Finder).

See the official netatalk website at http://netatalk.sourceforge.net/ for fuller descriptions of the various tools in the netatalk package and links to other documentation.





FreeBSD 6 Unleashed
ISBN: 0672328755
Year: 2006
Pages: 355
Authors: Brian Tiemann
