UNIX System Administration Handbook - Evi Nemeth [456]

hosts, on which the file locking and security paradigms are significantly different from those of Windows. Although a variety of products that mount NFS-shared directories on Windows clients are available, their use should be aggressively avoided, both because of the paradigm mismatch and because CIFS just works better.

See Chapter 17 for more information about NFS.

CIFS: the Common Internet File System


CIFS is based on protocols that were formerly referred to as Server Message Block or SMB. SMB was an extension that Microsoft added to DOS in its early days to allow disk I/O to be redirected to a system known as NetBIOS (Network Basic Input/Output System). Designed by IBM and Sytec, NetBIOS was a crude interface between the network and an application.

In the modern world, SMB packets are carried in an extension of NetBIOS known as NBT, NetBIOS over TCP. While this all sounds very convoluted, the result is that these protocols have become widespread and are available on platforms ranging from MVS and VMS to our friends UNIX and Windows. Everybody dance now.

Samba: CIFS for UNIX


Samba is an enormously popular software package, available under the GNU public license, that implements CIFS on UNIX hosts. It was originally created by Andrew Tridgell, an Australian, who reverse engineered the SMB protocol from another system and published the resulting code in 1992.

Today, Samba is well supported and actively under development to expand its functionality. It provides a stable, industrial-strength mechanism for integrating Windows machines into a UNIX network. The real beauty of it is that you only need to install one package on the UNIX machine; no additional software is needed on the Windows side.2

CIFS provides five basic services:

• File sharing

• Network printing

• Authentication and authorization

• Name resolution

• Service announcement (file server and printer “browsing”)

Most of Samba’s functionality is implemented by two daemons: smbd and nmbd. smbd implements file and print services, as well as authentication and authorization. nmbd provides the other major CIFS components, name resolution and service announcement.

Unlike NFS, which is deeply intertwined with the kernel, Samba requires no kernel modifications and runs entirely as a user process. It binds to the sockets used for NBT requests and waits for a client to request access to a resource. Once the request has been made and authenticated, smbd forks an instance of itself that runs as the user who is making the requests. As a result, all normal UNIX file access permissions (including group permissions) are obeyed. The only special functionality that smbd adds on top of this is a file locking service that provides client PCs with the locking semantics they are accustomed to.

Installing and configuring Samba


Samba is currently shipped with both Red Hat and FreeBSD (in /usr/ports), but you’ll need to download and install it for Solaris or HP-UX. It’s available on the web from www.samba.org.

On all systems, you’ll need to edit the smb.conf file to tell Samba how it should behave. In this file, you can specify the directories and printers that should be shared, their access rights, and Samba’s general operational parameters. All of the options are documented in the smb.conf man page, which you’ll definitely need to consult when integrating Samba into a network on which Microsoft file sharing is already in use.

It’s important to be aware of the security implications of sharing files or resources across a network. Samba allows fine-grained control over security, but it only works if you actually use it. For a typical site, you need to do two things to ensure a basic level of security:

• In the smb.conf file, the hosts allow clause controls which clients may access the resources shared by Samba. Make sure that it contains only the IP addresses (or address ranges) that it should.

• You must block access from the Internet to the CIFS TCP ports using a packet-filtering firewall. These are TCP ports 137 through 139. More
