-------------------------
Week 11 Notes for NET2003
-------------------------
-Ian! D. Allen - idallen@idallen.ca - www.idallen.com

Remember - knowing how to find out an answer is more important than
memorizing the answer.  Learn to fish!  RTFM!  (Read The Fine Manual)

Keep up on your readings (Course Outline: average 5 hours/week homework).

A good way to memorize the material is to take notes in class and then merge
your notes with my published note summaries after class.  You won't be able
to Google search during tests and exams.

* Abbreviation "ALN" = your "Advanced Linux Networking" text by R.W.Smith

Free O'Reilly Safari eBook Resources (from an Algonquin network address):
    http://proquest.safaribooksonline.com/

Review: Week 10 notes

===============================================================================

The latest Ubuntu Hardy Heron 8.04 Beta release is now available.  You do
not need to upgrade to that new version.  I haven't tried it myself, either.
I don't know how stable it is yet.  The official release date is end of April.

===============================================================================

Configuring SMB (Samba) - ALN Chapter 7 p.167
---------------

"Using Samba 3rd Edition" (from an authorized Safari network address):
    http://proquest.safaribooksonline.com/0596007698

Microsoft's SMB protocol is not an "Internet-style" protocol.  It is not
text-friendly, nor is it secure.  Unlike Internet protocols such as SMTP,
POP2, HTTP, etc., the SMB protocol is binary and you can't just "look at it"
or type it from the keyboard.  Unlike SSH or HTTPS, data is sent "in the
clear" and can be snooped in transit.  Do not expose SMB shares to access
from the Internet.

Q: T/F Like SMTP, you can use netcat to access the SMB protocol.

Q: T/F Like SSH, SMB is an encrypted protocol.

Q: What does Samba let a Linux system do? p.167,168

Q: What is the name of the main Samba config file? p.169

- Where is the main Samba config file on your system (absolute path)?

Q: What is the syntax to define each share in the config file? p.169

Q: What is the purpose of the special [global] share? p.169,179,180

- What is the workgroup of the Samba service? p.170

- What is the name of the SysV start-up script for Samba?
  (If you're on a system where it's not called "samba", you can grep for
  "samba" in all the SysV start-up scripts to find the executable name -
  sometimes it's called "smb" or "smbd".)

- Where does Debian/Ubuntu get additional samba configuration defaults?
  (Read the first few lines of the SysV start-up script to find out.)

Q: Where do you look to find the additional Samba config file pathnames
   that are used when Samba is started?

- What are the program names (and therefore man page names) of the two
  daemons started by the Samba start-up script?  (Go look!)

- In which run levels (if any) is the Samba service configured to start
  on your system?

Q: What does the -D option mean to the above two programs? (RTFM)

Q: T/F: Samba can authenticate its passwords against the Unix password
   file. p.171

Q: T/F: Samba passwords are always sent in cleartext. p.171

Q: T/F: Samba servers running encrypted passwords can accept connections
   from clients running cleartext passwords. p.171

Debian systems keep Samba config info under /var/lib/samba/

Q: How do I add a user to the Samba password file? p.172

Q: How can I restrict which hosts connect to my Samba server? p.172
   (mnemonic - name similar to TCPwrappers /etc/hosts.allow)

Skip: Becoming a NetBIOS Name Server p.172

Q: What is the most common use of a Samba server? p.179

- What is the syntax/format of a basic Samba file share? p.179

Note the crazy option synonyms that all do the same thing:
    read only = no
    writeable = yes
    write ok = yes

Q: T/F You are not permitted to have blanks in SMB option keywords

Q: What is the purpose of the special [homes] share? p.179

Q: Would it be useful to define multiple [homes] shares? p.180

- Is the [homes] share enabled and browsable on your system?

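An added example, not from the course notes or the Samba project: a small
Python audit that parses an smb.conf, treats the option synonyms noted above
as one setting, and lists writable shares that no "hosts allow" line
restricts.  The sample config and all function names are constructed for
illustration.

```python
import re

# Constructed sample smb.conf for illustration (not from a real server).
SAMPLE = """\
[global]
  workgroup = NET2003
[homes]
  Read Only = no
  hosts allow = 192.168.1. 127.
[tmp]
  write ok = yes
[docs]
  writeable = no
"""
YES = ("yes", "true", "1")

def norm(name):
    """Samba ignores case and whitespace in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Return {section: [(normalized keyword, value), ...]} in file order."""
    shares, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = shares.setdefault(norm(line[1:-1]), [])
        elif cur is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)     # only the first "=" separates
            cur.append((norm(key), value.strip()))
    return shares

def is_writable(opts):
    """Resolve the synonyms; "read only" is the inverse of the other three."""
    writable = False                    # Samba default: read only = yes
    for key, value in opts:             # a later line overrides an earlier one
        if key == "readonly":
            writable = value.lower() not in YES
        elif key in ("writeable", "writable", "writeok"):
            writable = value.lower() in YES
    return writable

def audit(text):
    """Return names of writable shares with no host restriction in effect."""
    shares = parse(text)
    limited = lambda o: any(k in ("hostsallow", "allowhosts") for k, _ in o)
    if limited(shares.get("global", [])):   # a [global] setting covers all shares
        return []
    return sorted(n for n, o in shares.items()
                  if n != "global" and is_writable(o) and not limited(o))
```
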
Q: What is the purpose of the special [global] share? p.180,169

The "smbclient" Samba client program is useful for debugging Samba
configurations on local and remote machines.  (The remote machines will
need to have the SMB ports open: 445 and possibly 137-139.)

Some distributions suffix the Samba man pages with a version number.
If "man smbclient" doesn't work, try to locate the page using
"man -k smbclient".  That should give the version number.

Typing "smbclient" with no arguments will give you a summary of options.

You can list the visible Samba shares on a system, local or remote:

    $ smbclient -L localhost
    Password:                   # just push RETURN - no password
    Anonymous login successful
    Domain=[NET2003] OS=[Unix] Server=[Samba 3.0.14a-Debian]
        Sharename       Type      Comment
        ...

You can also login with a userid and workgroup, which will give you access
to files owned by that user.  (See below.)

Q: What command-line program is used to connect to SMB shares?

Once you have set a Samba password for an account as root using "smbpasswd",
you can log in to see services and connect to various shares, including
home directory shares (replace abcd0001 with any other existing user
account name):

    # smbpasswd -a abcd0001     # must be run locally as root to add user
    New SMB password:
    ...
    # smbclient //localhost/abcd0001 -U abcd0001
    Password:
    Domain=[WHATEVER] OS=[Unix] Server=[Samba 3.0.14a-Debian]
    smb: \> help
    ...
    smb: \> ls
    ...

Q: What program changes your SMB password?

Without the "-U" option to set your logon userid, smbclient defaults to
using the userid in the Linux $USER environment variable.

The smbclient interface is FTP-like - put and get work as you expect:

    smb: \> help get
    HELP get:
        <remote name> [local name] get a file

You can run single commands and save the output using the "-c" option
of smbclient:

    $ smbclient //localhost/tmp -U abcd0001 -c "ls" >out
    Password:
    Domain=[SOMEHOST] OS=[Unix] Server=[Samba 3.0.10]
    $ cat out
    ...

Remember that Samba *cannot* authenticate using your Unix password file.
Windows has its own password authentication method and you can't change it
to use any other.  You *can* tell Samba to propagate Windows SMB password
changes into the Unix password file via "unix password sync".

You will find it challenging trying to configure legacy Windows machines
to work in a mixed network of encrypted/non-encrypted SMB access or via
Active Directory.

See Also the O'Reilly text: Linux in a Windows World.

-----------------------------------------------------------------------------

Configuring HTTP (Apache) - ALN Chapter 20 p. 527
----------------

If you do take the risk of putting up a public web server, beware of your
company's network connection getting "Slashdotted"!

The ALN course textbook (published 2002) documents Apache Version 1, the
version used by many existing service providers (e.g. facebook.com,
1and1.com, idallen.com, etc.).  Newer web sites may use Apache Version 2
or 2.2, which has some different configuration details.

Some of the programs and files changed to have a version number "2" added,
e.g. "apache2" "apache2.conf".  Even with version 2 installed, the man pages
may still be named for the program without the suffix, e.g. you may need to
ask for "man httpd" or "man apache" not "man httpd2" or "man apache2".

Some Linux distributors simply replaced the existing Apache version 1 with
version 2 without adding any version numbers to the files or man pages.
Use "man -k" as needed.

Q: How can you show whether your system is running Apache Version 1 or
   Version 2?  (There are many ways to answer this.)

We'll look at the common configuration options between Version 1 and
Version 2:

Q: What does a Web server do? p.528

Q: What common well-known port does an HTTP server listen on? p.528

Note that the transfer of information can be two-way (HTTP uploading).

Q: T/F HTTP is bi-directional - you can send information back from the
   client to the web server. p.528

Q: T/F The Apache server also handles ftp:// and telnet:// URLs.
   p.528

Many systems come with documentation or Intranets in HTTP form.  Having at
least a "localhost" web browser can be useful. p.528

Q: What use would there be for a "localhost-only" HTTP server? p.528

Q: T/F: a single web server IP address can only host a single web site.
   p.529

Q: What are the trade-offs pro/con in running your own Web server, instead
   of outsourcing to a Web hosting service? p.529

You don't have to run Apache (300KB+) - you can run smaller servers. p.531

Q: T/F: all Unix web servers (e.g. thttpd) occupy about the same amount of
   memory as Apache. p.531

- What is the name of the SysV start-up script for Apache?
  (Hint: grep for "apache" in all the SysV start-up scripts)

Some Linux distributors distribute an Apache start-up script that attempts
to do the "right thing" for running either Apache Version 1 or Apache
Version 2.  This makes the newer start-up scripts rather complex!

- In which SysV run levels (if any) is the Apache service configured to
  start on your system?

Q: What are the usual names of the main Apache config file? p.532

- Where is the main Apache config file on your system (absolute path)?
  (The file contains a line saying "This is the main Apache server
  configuration file.")

Version 2 Apache has split the configuration file up into different parts;
look for other *.conf files in the directories under /etc/apache*/
Look for "Include" lines in the main configuration file.

Q: How does the main Apache configuration file lead you to the location
   of other configuration files used by Apache?

Q: What is the general syntax used in the Apache config files? p.533

Note the HTTP-like directive format used for multi-line directives

Q: T/F Like Samba, Apache directives have the form: keyword = value

- Looking in the config file, what is the path to the ServerRoot for your
  Debian system?  What is the path to the DocumentRoot?

Skip: Standalone vs. Super Server p.534

- How can you change what port the web server listens on?
  p.537
  (The Port and BindAddress directives on p.537 only work for Apache v1 -
  Apache v2 uses "Listen" for both, e.g. "Listen 127.0.0.0:8080".)

Q: How can you change in which directory HTML documents are stored (the
   root of the document tree)? p. 539

A great resource that documents in short form all the many configuration
directives used by Apache is the "Directive Quick-Reference" link under:
    http://httpd.apache.org/docs/1.3/
    http://httpd.apache.org/docs/2.2/
The search box is a quick way to look up config file directives.

- The bottom of the Apache SysV start-up script has a shell "case" statement
  defining all the possible arguments you might type in addition to the
  usual "start" and "stop" arguments.  What is the name of the argument
  that causes a cleaning of the cache files?

    # /etc/init.d/apache2 start
    # /etc/init.d/apache2 stop
    # /etc/init.d/apache2 ????

- Some Apache start-up scripts start the server directly.  Some scripts
  call an Apache "controller" helper program that does the start-up work.
  Which method is used by your version of Ubuntu?  (Go look!)

- What is the purpose of the "env -i" command used in the Ubuntu SysV
  Apache start-up script?
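
An added example (not part of the original notes or the Apache project): a
Python walker that starts at the main configuration file, follows its
"Include" lines as described above, and reports every "Listen" directive
with whether it binds to loopback only.  The sample file tree and the
function names are constructed for illustration.

```python
import glob, os, re

# Constructed sample tree; file names follow the split layout Apache 2 uses.
SAMPLE = {
    "apache2.conf": "Include ports.conf\nInclude sites-enabled/*.conf\n",
    "ports.conf": "# public listener\nListen 80\n",
    "sites-enabled/intranet.conf": "Listen 127.0.0.1:8080\n"
                                   "DocumentRoot /var/www/intranet\n",
}

def write_sample(root):
    """Create the constructed sample files under the directory root."""
    for rel, text in SAMPLE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

def directives(root, conf, seen=None):
    """Yield (file, name, args) from conf and every file its Include lines name."""
    seen = set() if seen is None else seen
    # Relative Include paths are resolved against ServerRoot (root here).
    for path in sorted(glob.glob(os.path.join(root, conf))):
        if os.path.isdir(path):       # a directory Include reads the files in it
            yield from directives(root, os.path.join(path, "*"), seen)
        if path in seen or not os.path.isfile(path):
            continue                  # already read, or not a plain file
        seen.add(path)
        with open(path) as fh:
            for line in fh:
                m = re.match(r"\s*(\w+)\s+(.*\S)", line)
                if not m:
                    continue          # blank line, comment or <Section> tag
                name, args = m.group(1).lower(), m.group(2).strip('"')
                if name == "include":
                    yield from directives(root, args, seen)
                else:
                    yield os.path.relpath(path, root), name, args

def listeners(root, conf):
    """Return (file, address, loopback_only) for each Listen directive."""
    found = []
    for file, name, args in directives(root, conf):
        if name == "listen":
            addr = args.split()[0]
            host = addr.rpartition(":")[0]    # empty host: all interfaces
            found.append((file, addr, host.startswith("127.") or host == "[::1]"))
    return found
```

Call write_sample() on an empty temporary directory and then
listeners(that_directory, "apache2.conf") to see the result for the sample;
on a real system pass the ServerRoot and the main config file name instead.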