MATTI PUSKA
Networking
EVTEK UNIVERSITY OF APPLIED SCIENCES
2006–2007
EVTEK UNIVERSITY OF APPLIED SCIENCES
Linux - Table of Contents
1 VMware Laboratory Environment 3
2 Networking 5
2.1 Connection to Local Area Network
2.2 IP Address Parameters
2.3 DNS Name Resolution
2.4 Runlevels and Processes
2.5 Communication Services
2.6 Iptables Firewall
2.7 Security Issues
2.8 Material
3 DNS Name Resolution 18
3.1 Domain Name System
3.2 DNS Server Redundancy
4 Apache Web Server 21
5 Mail Server 24
6 File Services for Windows Hosts Using Samba 26
6.1 UNIX and MS Windows File Services
6.2 Samba Services
6.3 Samba Server as Primary Domain Controller
List of Acronyms 32
VANHA MAANTIE 6 LINUX i
02650 ESPOO
matti.puska@evitech.fi TABLE OF CONTENTS MATTI PUSKA
EVTEK UNIVERSITY OF APPLIED SCIENCES
1 VMware Laboratory Environment
ESX Server
The Linux lab exercises are done using a virtual server. The student sits at an ordinary Windows XP host and uses VMware Remote Console to access the Linux environment. The target Linux is running as a single virtual server on the VMware server, physically in the Evtek server farm (see Figure 1). For Samba file services, a few virtual MS Windows XP workstations are also provided. Virtual Linux servers and Windows hosts are connected by a virtual Ethernet switch. Only limited services are offered from the VMware virtual hosts to the Evtek intranet and to the public Internet (return traffic for VMware Remote Console, DNS name queries to the Evtek name server, HTTP and FTP access to the cache server).
[Figure 1: a single VMware server (SCSI HD; RH9 Linux, Linux and Windows guests with their applications; VMware virtualization layer on Intel architecture CPU, memory, disk and NIC), connected through a firewall to the Evtek intranet and the Internet, and reached with VMware Remote Console.]
Figure 1: VMware lab environment.
There are a few fundamental differences that you must take into account when working with the VMware virtual server:
• The Linux operating system and all applications are running on the virtual server. On the local Win workstation you are running VMware Remote Console, and only the user interface, keystrokes and mouse movements are transmitted between the console and the virtual server.
• The CD drive appears as an IDE drive, which you might mount on /mnt/cdrom. You cannot physically access the CD drive; you change the disk by unmounting the drive and selecting the disc image in question. Only a limited set of choices is available.
• All new software installations and changes in configuration files on the Linux server are permanent for the duration of the course, but will be erased during the period shift.
• A few Windows XP workstations are also available for testing, and you may run Linux on one Remote Console and Windows on another. When you power off the MS Win host, all changes will be erased. You may restart the host and keep changes, for example when joining a Windows NT domain.
• When restarting a virtual host, use instead the normal Ctrl+Alt+Del sequence, to avoid the risk of restarting your local Win workstation.
• You must press and click the Remote Console to get focus on your console window. To escape from the Remote Console, press Ctrl+Alt, after which you can access other local windows or menus.
The following general rules, independent of the VMware environment, also apply:
• The IP subnet 10.42.42.0/24 is reserved for Linux and MS Win virtual hosts. By default they get their IP settings using DHCP. When assigning a fixed IP address on a Linux host, please use 10.42.42.100+host_number for the address (for example 10.42.42.106 for host 6).
• Only limited services to the Internet are available. For Web access you must set up your browser to use cache2.evtek.fi:8000 as the proxy.
2 Networking
NET 4.0
2.1 Connection to Local Area Network
A host is connected to a LAN (Local Area Network) through a Network Interface Card (NIC). For Ethernet, a 100BaseT or combined 100/1000BaseT NIC is used. The Linux kernel groups similar peripherals into abstract interfaces, which provide the same functions for similar peripherals. Ethernet interfaces are called eth0, eth1 etc., in a static order based on configuration. The loopback interface lo is used for testing (Figure 2); it allows network services to be tested without a NIC. The IP address of the loopback is always 127.0.0.1:
[matti@linuxteacher root]$ ping -c 2 localhost
PING localhost.localdomain (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=1 ttl=64
time=1.30 ms
64 bytes from localhost.localdomain (127.0.0.1): icmp_seq=2 ttl=64
time=0.094 ms
--- localhost.localdomain ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1010ms
rtt min/avg/max/mdev = 0.094/0.699/1.305/0.606 ms
[Figure 2: in the kernel, NET-4 networking sits above the interfaces eth0 and lo; eth0 is served by a driver and connects to the Local Area Network.]
Figure 2: Network Interface Card, driver and interface.
During installation, Linux tries to find NICs by reading and writing to the memory addresses normally used by LAN adapters (autoprobing). Most (all?) Linux distributions use a modular kernel, and the relevant NIC module should be included when compiling the kernel. Module configuration is governed by the /etc/modules.conf file, and NIC details for an unprobed card may be entered there. The following example shows the kernel compilation details for an SMC Ethernet adapter:
[matti@linuxteacher linux-2.4]$ su
Password:
[root@linuxteacher linux-2.4]# cd /usr/src/linux-2.4
[root@linuxteacher linux-2.4]# make config
...
Enable loadable module support (CONFIG_MODULES) [Y/n/?] y
*
* Ethernet (10 or 100Mbit)
*
Ethernet (10 or 100Mbit) (CONFIG_NET_ETHERNET) [Y/n/?] y
...
Western Digital/SMC cards (CONFIG_NET_VENDOR_SMC) [Y/n/?] y
WD80*3 support (CONFIG_WD80x3) [M/n/y/?] m
..
[root@linuxteacher linux-2.4]# exit
2.2 IP Address Parameters
An IP address is a 32-bit binary number consisting of a network part and a host part. The size of the network part is given by the subnet mask, and packets destined outside the local subnet are directed through the default gateway. IP address, subnet mask and default gateway are written as dotted decimal numbers. As shown in Figure 3, every IP host must be configured with an IP address, a subnet mask and a default gateway.
[Figure 3: a LAN holding subnet 192.168.2.64/26 with hosts .66, .67, .68, .69 ... .94 and an IP router at .65 leading to other IP networks. Host settings shown: IP Address 192.168.2.94, Subnet Mask 255.255.255.192, Default Gateway 192.168.2.65.]
Figure 3: IP address parameters.
Initial IP address parameters are configured during Linux installation. The parameters are saved in configuration files, which are read when entering runlevel 1. The most important IP configuration files are the following:
/etc/sysconfig/network enabling networking, station DNS name, default gateway
/etc/sysconfig/network-scripts/ifcfg-eth0 interface and IP address parameters
Configuration files may be read or edited directly:
[matti@linuxteacher linux-2.4]$ more /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
BROADCAST=10.42.42.255
IPADDR=10.42.42.111
NETMASK=255.255.255.0
NETWORK=10.42.42.0
GATEWAY=10.42.42.254
ONBOOT=yes
check_link_down () {
return 1;
}
TYPE=Ethernet
USERCTL=no
PEERDNS=no
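As an added example (not part of the handout), the following Python code derives the Figure 3 parameters from an address and mask, and checks an ifcfg-eth0 file like the one above for consistency: NETWORK and BROADCAST must match the address/mask, and the GATEWAY must lie inside the subnet, or packets to other subnets have no usable next hop. The sample file content is the listing above; the function names are this example's own.

```python
import ipaddress

# Constructed sample input: the ifcfg-eth0 file shown above in this handout.
IFCFG_ETH0 = """\
DEVICE=eth0
BOOTPROTO=none
BROADCAST=10.42.42.255
IPADDR=10.42.42.111
NETMASK=255.255.255.0
NETWORK=10.42.42.0
GATEWAY=10.42.42.254
ONBOOT=yes
check_link_down () {
return 1;
}
TYPE=Ethernet
USERCTL=no
PEERDNS=no
"""


def parse_ifcfg(text):
    """Collect KEY=VALUE settings from an ifcfg-* file into a dict.

    The network scripts source the file as shell code, so it may also hold
    shell functions (check_link_down above). Those lines carry no top-level
    KEY=VALUE and are skipped; quotes around values are stripped.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().isidentifier():
            params[key.strip()] = value.strip().strip("'\"")
    return params


def subnet_parameters(ip, netmask):
    """Derive the values Figure 3 shows from an address and its mask."""
    net = ipaddress.ip_interface(f"{ip}/{netmask}").network
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
    }


def check_ifcfg(params):
    """Return the inconsistencies found in a static configuration (empty list = OK)."""
    if params.get("BOOTPROTO", "none") != "none":
        return []                      # DHCP supplies the parameters at runtime
    try:
        iface = ipaddress.ip_interface(f"{params['IPADDR']}/{params['NETMASK']}")
    except (KeyError, ValueError) as exc:
        return [f"IPADDR/NETMASK unusable: {exc}"]
    net = iface.network
    problems = []
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("IPADDR is the network or the broadcast address")
    if "NETWORK" in params and params["NETWORK"] != str(net.network_address):
        problems.append(f"NETWORK should be {net.network_address}")
    if "BROADCAST" in params and params["BROADCAST"] != str(net.broadcast_address):
        problems.append(f"BROADCAST should be {net.broadcast_address}")
    gw = params.get("GATEWAY")
    if gw is None:
        problems.append("GATEWAY missing: traffic to other subnets has no next hop")
    elif ipaddress.ip_address(gw) not in net:
        problems.append(f"GATEWAY {gw} is not inside {net}")
    elif ipaddress.ip_address(gw) == iface.ip:
        problems.append("GATEWAY is the host's own address")
    return problems


if __name__ == "__main__":
    print(subnet_parameters("192.168.2.94", "255.255.255.192"))
    print(check_ifcfg(parse_ifcfg(IFCFG_ETH0)))
```

Running the check after every manual edit of ifcfg-eth0, before restarting the network service, catches the classic mistake of a gateway that the host cannot reach on its own subnet.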
UNIX/Linux also provides text-based commands for listing and modifying IP parameters. These include for example the following:
• ifconfig makes the connection to the kernel to reach the network interfaces
  /sbin/ifconfig -a shows all interfaces
  /sbin/ifconfig interface ip_address attaches the address to the interface and activates the interface
  man ifconfig gives additional information
• route adds or removes routing information to and from the kernel routing table
  /sbin/route shows the current routing table
  /sbin/route add destination adds a row to the routing table
• netstat gives information about the network interfaces
  /bin/netstat -r shows the routing table
  /bin/netstat -i gives the interface statistics
  /bin/netstat -ta displays all active TCP sockets
• /sbin/arp -a shows the address resolution cache
Linux also includes graphical applets for system configuration. We should, however, be careful not to make any changes with System Settings (Figure 4), because it uses its own file format. The system administrator must choose between the Control Panel on the one hand and file editing and other configuration tools on the other, and use only one, not both. The Control Panel can be invoked from the RedHat menu (RedHat / System Settings / Network) or from the Start Here icon on the desktop (don't save the settings!).
Figure 4: Displaying IP address parameters with the graphical System Settings applet.
When any IP address parameter is altered, the network service must be restarted before the changes take effect. Webmin also provides a graphical front-end for this operation.
2.3 DNS Name Resolution
DNS system (Domain Name Service) resolves the IP addresses into hierarchical domain
names and back. A station can resolve the IP address of the target domain name in a
hierarchical manner:
• /etc/host.conf file states the search order and search targets
• normally, the address is first searched from the local /etc/hosts file
• if not found in the hosts file, a DNS query is sent to the name server given in the /etc/resolv.conf file
• the DNS name server can ask for the address from a root server or from the name server that is responsible for the given zone
• the name server saves the data in its cache and returns it to the client host.
Each administrative zone must have a DNS server. In Linux/UNIX this is the /usr/sbin/named process. NT and Windows 2000 Server include a graphical DNS server, compatible with the named daemon.
Experimenting with DNS:
• try a ping test with a neighbouring workstation's IP address and with its DNS name.
• add the station to the /etc/hosts file and repeat the test. No reboot is needed.
• retry with an alias name.
• try the name ftp.microsoft.com. How is the name resolved? Try host ftp.microsoft.com
• test with the Evitech DNS name server keryx.evitech.fi
After changing the local /etc/hosts file, no reboot into runlevel 3 is needed.
DNS client configuration files include the following:
• /etc/sysconfig/network the DNS name of the station
• /etc/host.conf order of name resolution
• /etc/resolv.conf name resolution parameters.
The /etc/hosts should include at least the Loopback IP and hostname (127.0.0.1
localhost) and the address and the name of the host itself. Each host is presented in its
own row, containing IP address, Fully Qualified Domain Name (FQDN) and nickname:
[matti@linuxteacher matti]$ more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
10.42.42.111 linuxteacher.puska.fi linuxteacher
2.4 Runlevels and Processes
All applications on Linux are processes. Linux, being a multitasking operating system,
can run multiple processes simultaneously using time sharing. Linux multitasking runs
every process on a protected memory space, and the operating system can stop a badly
behaving process.
init is the first process. It reads /etc/inittab and handles process starting during Linux bootup. Linux booting takes place in phases called runlevels. In keeping with the UNIX philosophy, the runlevel configuration, runlevel numbers and the meaning of the runlevels may all be altered. By default, RedHat Linux uses the following permanent runlevels:
• Runlevel 1 is a single user state, which is meant only for maintenance purposes.
• Runlevel 2 is a multiuser state without NFS network file system
• Runlevel 3 is the full multiuser state with NFS and all other networking
services. Depending on the configuration, Linux boots either to runlevel 3 or 5.
• Runlevel 4 is user configurable, but not in use by default.
• Runlevel 5 adds graphical user interface to runlevel 3.
Runlevels 0 (halt), 6 (reboot) and S (start) are also present, but these are temporary. The current runlevel may be listed with the /sbin/runlevel command. Automatic process starting and stopping during a runlevel change is configured in the directories /etc/rc.d/rc?.d, one per runlevel. Scripts whose names start with K are killed and those starting with S are started when the runlevel is entered; the number after the K or S defines the order. Normally the /etc/rc.d/rc?.d directories only contain references (symbolic links) to the actual start scripts, which reside in /etc/rc.d/init.d. In most cases a process may be started manually by entering the script name followed by the start parameter; the status parameter usually reports the service status:
[matti@linuxteacher matti]$ ps -ef | grep init
root 1 0 0 12:55 ? 00:00:06 init
matti 2153 2121 1 13:18 pts/1 00:00:00 grep init
[matti@linuxteacher matti]$ more /etc/inittab | grep rc.d
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
[matti@linuxteacher matti]$ ls /etc/rc.d/rc3.d
K01yum K45named K87portmap S10network S80postfix
K03rhnsd K50xinetd K91isdn S12syslog S90crond
K05saslauthd K72autofs K92iptables S17keytable S90xfs
K10cups K74nscd K95firstboot S20random S95anacron
K15gpm K74ntpd K96pcmcia S26apmd S95atd
K20nfs K75netfs S05kudzu S55sshd S99local
K24irda K86nfslock S06vmware-tools S56rawdevices
[matti@linuxteacher matti]$ file /etc/rc.d/rc3.d/S10network
/etc/rc.d/rc3.d/S10network: symbolic link to ../init.d/network
[matti@linuxteacher matti]$ ls /etc/rc.d/init.d/
anacron firstboot isdn named.rpmorig ntpd rhnsd xfs
apmd functions kdcrotate netfs pcmcia saslauthd xinetd
atd gpm keytable network portmap single ypbind
autofs halt killall nfs postfix sshd yum
crond iptables kudzu nfslock random syslog
cups irda named nscd rawdevices vmware-tools
[matti@linuxteacher matti]$ su -c '/etc/rc.d/init.d/crond restart'
Password:
Stopping crond: [ OK ]
Starting crond: [ OK ]
[matti@linuxteacher matti]$ su -c '/etc/rc.d/init.d/crond status'
Password:
crond (pid 2385) is running...
Instead of renaming the /etc/rc.d/rc?.d files, we can use the chkconfig application to list
and modify rc?.d entries. We can list, add, delete and modify entries with chkconfig
(man chkconfig). The chkconfig listing corresponds to rc?.d entries, as shown with the
find command:
[matti@linuxteacher matti]$ /sbin/chkconfig --list | grep named
named 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[matti@linuxteacher matti]$ find /etc/rc.d -name 'named' -print
/etc/rc.d/init.d/named
/etc/rc.d/rc0.d/K45named
/etc/rc.d/rc1.d/K45named
/etc/rc.d/rc2.d/K45named
/etc/rc.d/rc3.d/K45named
/etc/rc.d/rc4.d/K45named
/etc/rc.d/rc5.d/K45named
/etc/rc.d/rc6.d/K45named
To modify the automatically started processes we use chkconfig with the --level option, giving the level or levels, the service name and the desired status. For example, to start a daemon on runlevels 2 to 5 (here named is enabled on runlevels 2, 3, 4 and 5):
[matti@linuxteacher matti]$ su
Password:
[root@linuxteacher matti]# /sbin/chkconfig --level 2345 named on
[root@linuxteacher matti]# /sbin/chkconfig --list | grep named
named 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Sometimes it is safer to delete a service altogether from chkconfig, i.e. remove all
/etc/rc.d/rc?.d files. This is accomplished by chkconfig --del followed by the service
name. As shown this option still leaves the /etc/rc.d/init.d script, so the service may be
manually started if necessary:
[root@linuxteacher matti]# /sbin/chkconfig --del irda
[root@linuxteacher matti]# find /etc/rc.d -name '*irda' -print
/etc/rc.d/init.d/irda
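To make the K/S ordering and the chkconfig view of the rc?.d directories concrete, here is an added Python example (not the handout's or Red Hat's own code) that works on directory listings like the ones above. The rc3.d entries are the listing from this section; the entries for the other runlevels and the start/stop priorities passed to the chkconfig emulation are constructed for the example, since the real chkconfig reads them from the "# chkconfig:" header of each init.d script.

```python
import re
from collections import defaultdict

LINK_RE = re.compile(r"^([KS])(\d{2})(.+)$")

# rc3.d as listed in this section of the handout.
RC3 = """K01yum K45named K87portmap S10network S80postfix
K03rhnsd K50xinetd K91isdn S12syslog S90crond
K05saslauthd K72autofs K92iptables S17keytable S90xfs
K10cups K74nscd K95firstboot S20random S95anacron
K15gpm K74ntpd K96pcmcia S26apmd S95atd
K20nfs K75netfs S05kudzu S55sshd S99local
K24irda K86nfslock S06vmware-tools S56rawdevices""".split()

# Constructed sample for the other runlevels (only a few services each).
RC_DIRS = {
    0: ["K45named", "K24irda", "K90network"],
    1: ["K45named", "K24irda", "K90network"],
    2: ["K45named", "K24irda", "S10network"],
    3: list(RC3),
    4: ["K45named", "K24irda", "S10network", "S55sshd"],
    5: ["K45named", "K24irda", "S10network", "S55sshd"],
    6: ["K45named", "K24irda", "K90network"],
}


def parse_link(name):
    """Split 'S10network' into ('S', 10, 'network')."""
    m = LINK_RE.match(name)
    if not m:
        raise ValueError(f"not an rc?.d link name: {name}")
    action, prio, service = m.groups()
    return action, int(prio), service


def runlevel_actions(entries):
    """Order in which /etc/rc.d/rc processes the links when a runlevel is
    entered: every K link first, then every S link, each group by number."""
    parsed = [parse_link(n) for n in entries]
    kills = sorted((p for p in parsed if p[0] == "K"), key=lambda p: (p[1], p[2]))
    starts = sorted((p for p in parsed if p[0] == "S"), key=lambda p: (p[1], p[2]))
    return kills + starts


def chkconfig_list(rc_dirs):
    """service -> {level: 'on'|'off'} for levels 0-6, like `chkconfig --list`.
    A level is 'on' when its directory holds an S link for the service."""
    states = defaultdict(lambda: {lvl: "off" for lvl in range(7)})
    for level, entries in rc_dirs.items():
        for name in entries:
            action, _, service = parse_link(name)
            states[service][level] = "on" if action == "S" else "off"
    return dict(states)


def format_chkconfig(service, states):
    return service + "".join(f" {lvl}:{states[lvl]}" for lvl in range(7))


def chkconfig_level(rc_dirs, service, levels, on, start_prio, stop_prio):
    """Emulate `chkconfig --level <levels> <service> on|off`: in each named
    level replace the service's link with an S link (on) or a K link (off)."""
    for level in levels:
        rc_dirs[level] = [n for n in rc_dirs[level] if parse_link(n)[2] != service]
        prefix = f"S{start_prio:02d}" if on else f"K{stop_prio:02d}"
        rc_dirs[level].append(prefix + service)


def chkconfig_del(rc_dirs, service):
    """Emulate `chkconfig --del <service>`: drop every rc?.d link. The init.d
    script itself is untouched, so the service can still be started by hand."""
    for level in rc_dirs:
        rc_dirs[level] = [n for n in rc_dirs[level] if parse_link(n)[2] != service]


if __name__ == "__main__":
    for action, prio, service in runlevel_actions(RC3):
        print(action, f"{prio:02d}", service)
    print(format_chkconfig("named", chkconfig_list(RC_DIRS)["named"]))
```

The listing makes the security-relevant point visible: a service only runs at boot if an S link for it exists in the directory of the runlevel the machine boots into, so auditing rc3.d and rc5.d (or the chkconfig --list output derived from them) is how you confirm that nothing beyond the intended services starts.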
All applications on Linux are processes. Communication services are handled by daemons. The xinetd superserver listens on the configured TCP/UDP ports and starts the relevant service when a request arrives. xinetd reads its configuration file /etc/xinetd.conf when starting. Normally this file only includes a reference to the /etc/xinetd.d directory, which holds the actual configuration (*. For example, the configuration chain of one such service (here the legacy lpd interface of CUPS) is the following:
[matti@linuxteacher matti]$ tail -2 /etc/xinetd.conf
includedir /etc/xinetd.d
[matti@linuxteacher matti]$ ls /etc/xinetd.d
chargen cups-lpd daytime-udp echo-udp servers sgi_fam time-udp
chargen-udp daytime echo rsync services time
[matti@linuxteacher matti]$ more /etc/xinetd.d/cups-lpd
# default: off
# description: Allow applications using the legacy lpd protocol to communicate with CUPS
service printer
{
disable = yes
socket_type = stream
protocol = tcp
wait = no
user = lp
server = /usr/lib/cups/daemon/cups-lpd
}
For security reasons, only the superuser should have write permission to xinetd.conf (**:
[matti@linuxteacher matti]$ ls -l /etc | grep xinetd.conf
-rw-r--r-- 1 root root 289 Apr 16 2003 xinetd.conf
2.5 Communication Services
Modern communication services and distributed applications are based on the Client/Server model. The application program on the workstation is the client, which sends requests to the server according to the user's actions. The server listens on a predefined port, receives the request, examines the user's rights, performs the requested operation and returns data to the workstation. The client software then displays the data to the user (Figure 5).
*) The tail command returns the end of the given file, by default the last 10 lines.
**) chmod xyz filename changes file permissions. The first number defines file owner permissions, the next number
defines permissions of the group of the owner and the third gives permissions of all other users. All three numbers
are presented in decimal sum of read (4), write (2) and execute (1).
[Figure 5: a client and a server connected over a network by a protocol; the server holds the data storage.]
Figure 5: Client/Server system.
Client/Server systems are open, vendor- and operating-system-independent realisations. Often Linux is used on the server, while user workstations run Microsoft Windows. On Linux, server processes are handled by daemons. A daemon is usually started automatically and listens on a configured TCP/UDP port. When a request arrives, the daemon forks, starting a new process for this session, while the original continues listening for new requests.
Access control for Linux services is based on a combination of user authentication and client host authentication. For example, the Telnet service normally uses only user authentication (*, so any user can open a Telnet session from any client host simply by entering a correct username and password. NFS authentication, on the contrary, is based only on the client IP, and normally all trusted hosts on the intranet are allowed to mount directories from the NFS file server. Sometimes user and client authentication are combined.
The tcpd daemon wrapper can protect services that are started by xinetd. By default RedHat uses tcpd, which should be configured with the allowed and denied client hosts and users. Tcpd configuration uses two files: /etc/hosts.allow and /etc/hosts.deny. The access control process is the following:
1: hosts.allow is examined first. If the client hostname, address, server process and username (if configured) match a line in hosts.allow, the service is granted without further examination.
2: Only if the data doesn't match hosts.allow is the hosts.deny file examined. If a match is found, the service is denied.
3: If neither file matches the client, service and user details, the service is granted.
A nonexistent configuration file is treated as blank; with no hosts.deny file, for example, no line can match and all connections are allowed.
*) Telnet sends username and password as cleartext, so it should be replaced with encrypted SSH.
Lines in the configuration files are handled in order, and the search stops immediately after a match. Both files use the same format, namely:
service_list: host_list [command] [#optional comment]
The service list holds a service or a list of services, separated with spaces or commas. The host list holds addresses or DNS names of client workstations, which are compared with the client data. Command and comment are optional components, the former giving a shell command.
The following patterns can be used in service and host lists:
• A string starting with a period (.) is compared with the end of the client host name. For example, .evitech.fi includes all hosts in the Evitech domain.
• A string ending with a period is compared with the leading numerical fields of the client address. For example, 192.168.1. includes all hosts on this class C network.
• A string starting with an at sign (@) is handled as a NIS (Network Information Service) netgroup name.
• A definition n.n.n.n/m.m.m.m is interpreted as an address and a subnet mask, like 192.168.1.0/255.255.255.0, which includes all hosts on this class C network.
The following wildcards are usable in service and host lists:
• ALL matches all hosts or services.
• LOCAL matches only hosts without a period in their name (like linux00).
• KNOWN matches hosts with a known address and DNS name.
• UNKNOWN matches hosts with an unknown address or DNS name.
• PARANOID matches hosts whose name doesn't match the name given by DNS name resolution for their IP address.
• EXCEPT is used to separate two lists.
If we want to offer all services to our own subnet, FTP service for our partner
organisation and deny access from all other workstations, we can list the allowed
services at hosts.allow and deny everything else at hosts.deny. The configuration will be
the following:
# /etc/hosts.allow
ALL: 192.168.1.
ftpd: .stadia.fi EXCEPT cs.stadia.fi
# /etc/hosts.deny
ALL: ALL
Tcpd only offers basic access control. In addition, all server configurations and router access lists should be examined, and it should be made sure that only intended and configured services are enabled.
2.6 Iptables Firewall
By default Red Hat 9 includes iptables packet filtering firewall. During installation,
high, medium or no protection will be selected, and additional services could be
exposed. After installation iptables may be configured by editing the
/etc/sysconfig/iptables configuration file, by iptables command or with the Webmin
application (Networking / Linux Firewall).
Iptables includes Packet filtering, packet alteration (mangling) and Network Address
Translation. After installation, when selecting the middle security level with minor
modifications, RH-Lokkit-0-50-INPUT packet filter rules for received and forwarded
packets should accept requests for SSH, HTTP and SMTP ports. Packets to and from
the Linux hosts are compared on the table line by line, and when the first match is found
the Action is taken (Do nothing, Accept, Drop, Userspace, Exit chain or Run chain).
The rules of the following iptables listing mean the following:
• Packets carrying a TCP segment from any source to the HTTP, SSH and SMTP server ports are accepted
• Packets carrying a TCP segment from any source to low-order TCP ports and to the high-order NFS, X11 and XFS ports are rejected with an ICMP Port Unreachable message
• Packets carrying a UDP datagram from any source to low-order UDP ports and to the high-order NFS port are rejected with an ICMP Port Unreachable message
• If none of the above-mentioned rules apply, the default policy (ACCEPT) is followed
The simplest way to add a rule is to copy it from an existing one, alter only the necessary parameters and place the new rule at the right position. The most restricted accept rules should be placed first, then more general accepts and finally denials. If there is an exception to a general rule, the exception should come first. After modification, the existing rules should be flushed and replaced by the new ones.
[matti@linuxteacher root]$ su -c '/sbin/iptables -L'
Password:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:nfs reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
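The first-match rule and the advice on rule placement are easiest to see with a small evaluator, so here is an added Python example (this example's own model, not iptables code) that walks the RH-Lokkit-0-50-INPUT chain above for a given packet and also reports rules that an earlier rule completely shadows. One assumption is worth stating: the fourth rule is printed as "ACCEPT all -- anywhere anywhere", but Lokkit generates that rule with -i lo (loopback only), a restriction that `iptables -L` does not display unless -v is given; the model uses the loopback form. The port numbers are the /etc/services values for the names in the listing, and the sample packets are constructed.

```python
# A rule is (proto, destination-port range, new-connections-only, input interface, target).
# "new-connections-only" stands for flags:SYN,RST,ACK/SYN in the listing (the --syn match).
# Ports from /etc/services: ssh 22, smtp 25, http 80, nfs 2049, x11 6000, xfs 7100.
# Rule 4 is assumed to be Lokkit's "-i lo -j ACCEPT"; -L without -v hides the interface.
LOKKIT_INPUT = [
    ("tcp", (80, 80), True, None, "ACCEPT"),
    ("tcp", (22, 22), True, None, "ACCEPT"),
    ("tcp", (25, 25), True, None, "ACCEPT"),
    ("all", None, False, "lo", "ACCEPT"),
    ("tcp", (0, 1023), True, None, "REJECT"),
    ("tcp", (2049, 2049), True, None, "REJECT"),
    ("udp", (0, 1023), False, None, "REJECT"),
    ("udp", (2049, 2049), False, None, "REJECT"),
    ("tcp", (6000, 6009), True, None, "REJECT"),
    ("tcp", (7100, 7100), True, None, "REJECT"),
]


def packet(proto, dport, syn=False, iface="eth0"):
    """Constructed packet description used as evaluator input."""
    return {"proto": proto, "dport": dport, "syn": syn, "iface": iface}


def rule_matches(rule, pkt):
    proto, ports, syn_only, iface, _ = rule
    if proto != "all" and proto != pkt["proto"]:
        return False
    if iface is not None and iface != pkt["iface"]:
        return False
    if ports is not None and not (ports[0] <= pkt["dport"] <= ports[1]):
        return False
    if syn_only and not pkt["syn"]:
        return False
    return True


def evaluate(chain, pkt, policy="ACCEPT"):
    """First match wins: returns (target, 1-based rule number), or (policy, None)
    when the packet falls off the end of the chain."""
    for number, rule in enumerate(chain, start=1):
        if rule_matches(rule, pkt):
            return rule[4], number
    return policy, None


def covers(general, specific):
    """True if every packet matching `specific` also matches `general`."""
    gp, gports, gsyn, giface, _ = general
    sp, sports, ssyn, siface, _ = specific
    if gp != "all" and gp != sp:
        return False
    if giface is not None and giface != siface:
        return False
    if gports is not None and (sports is None or not (gports[0] <= sports[0] and sports[1] <= gports[1])):
        return False
    if gsyn and not ssyn:
        return False
    return True


def unreachable_rules(chain):
    """1-based numbers of rules shadowed by an earlier rule. Such a rule can
    never fire, whatever its target, so its presence in the listing is misleading."""
    return [i + 1 for i in range(len(chain)) if any(covers(chain[j], chain[i]) for j in range(i))]


if __name__ == "__main__":
    for pkt in (packet("tcp", 80, syn=True), packet("tcp", 23, syn=True), packet("udp", 53)):
        print(pkt, "->", evaluate(LOKKIT_INPUT, pkt))
    print("unreachable:", unreachable_rules(LOKKIT_INPUT))
```

Two things the checks below demonstrate. First, an ACCEPT for HTTPS (tcp/443) appended at the end of the chain never fires, because the REJECT for tcp ports 0:1023 precedes it; inserted before the REJECT rules it works, which is the "exception before the general rule" advice in practice. Second, if rule 4 really were an unrestricted ACCEPT all, every REJECT after it would be unreachable and the host would be wide open despite a listing that looks restrictive, which is why the listing should be read with -v before conclusions are drawn.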
2.7 Other Security Issues
Data security is a complex issue, and ensuring the physical and logical security of networks is only one aspect of it. Data security issues should be carefully considered in all network planning and implementations, because the existing LAN technologies and the central TCP/IP protocols were developed over 20 years ago, aiming at simple networking between a few well-configured and well-managed hosts.
Perhaps the first principle of network security is not to rely on users or on anything a host sends. From this we can draw at least the following conclusions:
• LANs are unsafe. Physical security, VLANs and router access control lists improve the situation, but do not cure it.
• Anything sent over a network can be captured. No services that use plain-text authentication (Telnet, FTP, HTTP...) should be used. If they are used anyway, bogus usernames and passwords should be used (like anonymous/E-Mail address).
• All unused services should be disabled.
• All services should first be disabled, then configured and tested one by one. Only after thorough tests may an important service be enabled.
• IP addresses can be spoofed. Never rely solely on an address sent by the client. Use IDENT and router access lists to discover address spoofing. Beware of services that depend solely on host authentication.
• DNS names can be spoofed. Be PARANOID: always check that the sent and the resolved hostname match, and deny the service if a mismatch is discovered.
• Usernames can be spoofed. Most Windows versions don't include proper mandatory user management, and a Windows user may pretend to be root. Never trust the user authentication of a foreign host.
• Do not give usable information to intruders. finger and who list usernames, so the intruder only has to guess the password.
• Motivate, educate and require your users to use strong passwords. Never expose a password or a password list.
• All interfaces to public networks should be protected.
• All traffic sent over a public network should be encrypted.
• Security is a serious matter. Pay enough attention and allocate enough resources and time to security issues. Imagine the worst that can happen, then multiply it by 100 and you'll get the probable scenario.
2.8 Material
Linux Ethernet-Howto
The Linux Networking Overview HOWTO
NET-3-HOWTO
Kirch Olaf: The Linux Network Administrator's Guide
man ifconfig
man netstat
man arp
man ping
man traceroute
man hosts.allow
man init
man chkconfig
man xinetd
man xinetd.conf
man iptables
3 DNS Name Resolution
ISC BIND
3.1 Domain Name System
When you surf the Internet, you enter the target URL containing the domain name of the Web server in question. The DNS system resolves the IP address of the target server, packets containing your HTTP request are routed to the right destination, and finally you get a response. When you send E-Mail, your mail server finds the server responsible for the target organisation using DNS name resolution and sends an SMTP message containing your mail. As shown in the previous chapter, client authentication can be based on the domain name of the client host, and the DNS server must then resolve the domain name for the given IP address.
The Domain Name System is a hierarchical Client/Server system, which resolves the mapping between domain names and IP addresses. A Fully Qualified Domain Name (FQDN) consists of the following components, separated with dots:
• The top-level domain holds a country code (fi, se, de...) or an organisation type (com, edu, net...). Top-level domains are governed by ICANN (Internet Corporation for Assigned Names and Numbers) and handled by root servers.
• The site is a unique identifier within the top-level domain (like evitech.fi). It identifies the organisation. Site identifiers are governed by national authorities (the Communications Regulatory Authority in Finland), which grant the identifier to companies and public organisations.
• The user organisation may decide to divide its namespace into groups (like edu1.evitech.fi). Use of groups is optional. The organisation is responsible for the uniqueness of group and local names within its namespace. The user organisation should also provide DNS name resolution for its public servers and services.
• The lowest hierarchy level is the local name, identifying an individual host with (like linux01.edu1.evitech.fi) or without a group (www.evitech.fi). A local name is not mandatory for a domain name, but if none is used, an alias name should be configured to point the site.top-level_domain to an IP address.
DNS name resolution operates in phases (Figure 6). When a user enters an FQDN as part of a URL (Universal Resource Locator), the workstation normally first consults the local hosts file. If the FQDN is not found, the workstation sends a resolution request to the DNS server configured on the station. It is now the responsibility of this server to find the target IP, either locally from its configuration files or cache, or by forwarding the request to the DNS server on the next hierarchy level. At the latest, the DNS root server knows the name server responsible for the top-level domain in question; that server knows the name server of the site, which knows either the target host or the name server of the group. Finally the response travels back to the originating name server, which puts a copy in its cache for future use and returns the target IP to the workstation.
Figure 6: Operation of DNS name resolution. (Figure: the workstation checks /etc/hosts,
then asks our DNS server "What is IP for ftp.redhat.com?"; our DNS server asks the root
DNS server "Name server for redhat.com?" and gets "Name server is ns3.redhat.com"; it
then asks the DNS server for redhat.com "IP for ftp.redhat.com?" and gets "IP is
208.178.165.228", which it stores in its DNS cache and returns to the workstation.)
Besides the domain name to IP address resolution (with A records), DNS also takes care
of the following resolution services:
• NS records for information about DNS name server responsibilities.
• IP address to DNS name resolution using reverse lookups (PTR records).
Reverse resolution is needed by host authentication. Because the FQDN
hierarchy starts at the end of the name, the reverse lookup name reverses the IP
address (like 1.168.192.rev for the 192.168.1.0 network).
• Finding the E-mail server for a site.top-level_domain or
group.site.top-level_domain, using the DNS MX record.
• Finding information about the responsible person (RP) and location (LO) of the
DNS server.
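The resolution phases above (hosts file, the configured server's cache, then the walk from the root down through top-level domain, site and group) together with the reversed-address PTR lookup, as an added Python simulation that is not part of the handout. The zone tree and hosts file entries are constructed sample data, server names other than ns3.redhat.com are sample values, and 192.0.2.0/24 is the documentation network.

```python
"""DNS resolution phases and reverse lookup names, simulated (added example;
zone tree and hosts file are constructed, ns3.redhat.com and 208.178.165.228
come from Figure 6, 192.0.2.0/24 is the documentation network)."""
import ipaddress

# Constructed zone tree.  A key is the zone's labels in top-level-first order
# (an FQDN read backwards); each zone knows its name server and, for the
# hosts it holds itself, the A or PTR records.
ZONES = {
    (): {"NS": "a.root-servers.net"},
    ("com",): {"NS": "a.gtld-servers.net"},
    ("com", "redhat"): {"NS": "ns3.redhat.com",
                        "A": {"ftp": "208.178.165.228"}},
    ("fi",): {"NS": "ns.fi-tld.example"},
    ("fi", "evitech"): {"NS": "ns1.evitech.fi", "A": {"www": "192.0.2.10"}},
    ("fi", "evitech", "edu1"): {"NS": "ns2.evitech.fi",
                                "A": {"linux01": "192.0.2.11"}},
    # reverse tree: the reversed address under in-addr.arpa, down to the
    # zone for the 192.0.2.0 network, which holds the PTR records
    ("arpa",): {"NS": "a.root-servers.net"},
    ("arpa", "in-addr"): {"NS": "in-addr.example"},
    ("arpa", "in-addr", "192"): {"NS": "in-addr.example"},
    ("arpa", "in-addr", "192", "0"): {"NS": "in-addr.example"},
    ("arpa", "in-addr", "192", "0", "2"): {
        "NS": "ns1.evitech.fi", "PTR": {"11": "linux01.edu1.evitech.fi"}},
}

HOSTS_FILE = {"localhost": "127.0.0.1"}      # constructed /etc/hosts


def reverse_name(ip):
    """Reverse lookup name for an IPv4 address: octets reversed, under the
    in-addr.arpa suffix (the '.rev' zone of the text lives there)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def iterative_lookup(fqdn, rtype, trace):
    """What our DNS server does when neither its files nor its cache know the
    name: ask the root, then each level down, until a zone holds the host."""
    labels = fqdn.rstrip(".").split(".")[::-1]   # top-level label first
    for depth in range(len(labels)):
        zone = ZONES.get(tuple(labels[:depth]))
        if zone is None:
            return None                          # no such zone, no answer
        trace.append("ask %s about %s" % (zone["NS"], fqdn))
        host = labels[depth]
        if host in zone.get(rtype, {}):
            return zone[rtype][host]             # this zone holds the host
    return None


class Resolver:
    """Workstation-side resolution: /etc/hosts first, then the configured
    DNS server, which answers from its cache or walks the hierarchy."""

    def __init__(self):
        self.cache = {}      # (name, type) -> answer, kept on the DNS server
        self.trace = []      # exchanged messages, for inspection

    def resolve(self, name, rtype="A"):
        name = name.lower()
        if rtype == "A" and name in HOSTS_FILE:          # phase 1: hosts file
            self.trace.append("%s found in /etc/hosts" % name)
            return HOSTS_FILE[name]
        key = (name, rtype)
        if key in self.cache:                            # phase 2: server cache
            self.trace.append("%s answered from cache" % name)
            return self.cache[key]
        answer = iterative_lookup(name, rtype, self.trace)  # phase 3: iterate
        if answer is not None:
            self.cache[key] = answer                     # copy for next time
        return answer

    def resolve_ptr(self, ip):
        """Reverse lookup: the reversed address is the name, type PTR."""
        return self.resolve(reverse_name(ip), "PTR")
```

After a first lookup the `trace` list shows the three questions of Figure 6; a repeated lookup is answered from the cache without any of them.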
DNS name resolution responsibilities are based on zones. Every zone has a single
primary DNS server, which knows all hosts, aliases and services of that zone. To
guarantee service availability, one or more secondary servers are used for redundancy.
The master database resides on the primary server, which copies the data periodically to
the secondaries. DNS servers must also know the DNS servers on the next hierarchy level.
DNS queries and responses are small, and DNS generates little network traffic.
Normally DNS does not need to be optimised for traffic patterns, but for
reliability. Often the secondary DNS server is run by the Internet Service Provider
or by business partners who back up each other's DNS services.
3.2 DNS Server Redundancy
DNS name resolution is vital to all Internet and Intranet hosts, so normally it should not
depend on the availability of a single server. It is better to use two or more
servers, which preferably are reachable by workstations independently of each other. For
local clients, both servers are configured on the workstations, which first attempt to use
the resolution service of the first server. If no reply is received, the client automatically
tries to contact the second server, and so on (Figure 7). Remote clients access DNS data
through remote DNS servers, so both the primary and the secondary must be listed on the
next hierarchy level DNS server. Redundant DNS servers do not have to be in the same
domain, but the primary server periodically copies the zone data to the secondaries.
Figure 7: DNS Server Redundancy. (Figure: the primary DNS server ns1 holds the original
configuration and the secondary DNS server ns2 a copy of it for the zone puska.fi; the
resolver is configured with both DNS servers, ns1 and ns2.)
4 Apache Web Server
Apache HTTP Server
The rapid growth of the Internet is largely based on Web services. Before the
introduction of HTTP, HTML and the graphical Mosaic browser in the late 1980s and
early 1990s, the Internet was mostly an academic playground used for file transfer,
E-mail messaging and remote terminal sessions. After browser users came companies,
and the growth of Web sites brought more users.
As shown in Figure 8, a simple Web system consists of the following components:
• Browser on a workstation forms the user interface and client application. The user
clicks a link or enters a URL for a document, the workstation resolves the DNS
name to IP address and IP to MAC address dependencies, and the browser sends
a request to the destination server. After receiving a reply, the browser displays the
web page.
• Web server listens for requests from clients, performs access control, sends data
and logs the transaction. The web server may add small scripts to the document,
perform indexing and return search results to questions stated by the
user.
• Web documents are stored on the server. The page structure is described with
HTML (Hypertext Markup Language), which may include references
to external files, like .gif and .jpg figures, .avi and .wav sounds and .class Java
classes. Attachment files are also stored on the server. The HTML document only
describes the document structure; the properties and settings of the desktop and
the browser also affect the appearance of the page.
• TCP/IP network transports requests and replies. The HTTP protocol is used
between the Web client and the server, and HTTP messages are transported
using connection-oriented, reliable TCP.
• The browser stores a local copy of the documents in RAM and in a disk cache.
When the user requests the same document again, the browser checks that the
copy is up to date and returns the local copy.
• Multiple workstations may use a common Proxy server, which makes requests
on behalf of the clients and stores copies on a common cache, which serves
multiple clients.
Figure 8: Components of a simple Web system. (Figure: a browser on a workstation, a
proxy cache server, and a WWW server holding the WWW material, connected with
HTTP/TCP/IP.)
HTTP messages are requests or replies. An HTTP request includes the method (GET,
Conditional GET, HEAD, POST), the target URI (Universal Resource Identifier), the
protocol version and a standard message including host and browser details (Figure 9).
The server returns a reply, which includes the protocol version, the request status and a
standard message, which in turn includes information about the server platform, server
software, document metadata and the body of the document, if applicable.
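An added example, not from the handout, of the request and reply structure just described: a small HTTP/1.1 request parser that requires the Host header, and a reply builder that serves the conditional GET with 304 when the browser's cached copy is still fresh and with 200 and the document otherwise. The request, document, modification date and server name are constructed.

```python
"""HTTP/1.1 request parsing and conditional GET reply (added example, not
from the handout; request, document, dates and server name are constructed)."""
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

METHODS = {"GET", "HEAD", "POST"}       # the methods listed in the text


def parse_request(raw):
    """Split a request into method, URI, version and header fields.
    Raises ValueError on malformed input, so a server can answer 400."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in METHODS:
        raise ValueError("bad request line: " + lines[0])
    method, uri, version = parts
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("unsupported version: " + version)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header line: " + line)
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}


def build_reply(req, body, modified):
    """Reply to GET or HEAD: 304 when the browser's cached copy is still
    fresh (conditional GET), otherwise 200 with metadata and the document."""
    since = req["headers"].get("if-modified-since")
    fresh = False
    if since:
        try:
            fresh = parsedate_to_datetime(since) >= modified
        except (TypeError, ValueError):
            fresh = False                   # unparsable date: send the document
    status = "304 Not Modified" if fresh else "200 OK"
    lines = ["HTTP/1.1 " + status,
             "Server: example-httpd/0.1",           # constructed server name
             "Last-Modified: " + format_datetime(modified, usegmt=True),
             "Content-Type: text/html"]
    payload = b""
    if not fresh:
        lines.append("Content-Length: %d" % len(body))
        if req["method"] != "HEAD":                 # HEAD: headers only
            payload = body
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n" + payload


# constructed sample exchange
DOC = b"<html><body>Hello</body></html>"
DOC_MTIME = datetime(2006, 9, 1, 12, 0, tzinfo=timezone.utc)
REQUEST = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: www.evitech.fi\r\n"
           b"User-Agent: Mozilla/4.6 (constructed)\r\n"
           b"If-Modified-Since: Fri, 01 Sep 2006 12:00:00 GMT\r\n\r\n")

if __name__ == "__main__":
    print(build_reply(parse_request(REQUEST), DOC, DOC_MTIME).decode())
```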
When installing and configuring a Web server, we must consider at least the following
details:
• Which server program (Apache of course) and which version (latest/most
stable/best known/consistent)? Is customization needed?
• Which user account will be used by the HTTP daemon? Of which group?
• How will the daemon be started? How many daemons? Multithreading? Do we
have to limit the daemon resources?
• Where to store the Web material? How is the material prepared? How to transfer
it safely to the server? Need for dynamic pages? Need to integrate the Web
server with databases or other systems?
• How are we using the log info? What details should be logged? Where? Access
rights?
• To whom are we providing services? Is differentiation needed? Or
authentication? How?
• Which TCP port (standard/non-standard)? Which interface? Need to offer
services for multiple organisations?
• How are we going to use error messages? Who is reading them? Which format
is the most effective?
• What safety level is needed? How to achieve it? How to ensure it?
• What performance is needed? How to achieve it? How to measure it?
Figure 9: HTTP/1.1 request sent by a Netscape 4.6 browser.
5 Mail Server
E-Mail messaging is one of the most often used Internet/Intranet services. This
client/server system has strong dependencies on DNS name resolution. An E-Mail
messaging system based on Internet standards consists of Message Transfer Agents
(MTAs) and Message User Agents (MUAs). The user composes and sends messages using
an MUA. The MTA receives the message, sends it to other MTAs and stores incoming user
messages until the user deletes them.
An example of sending a single E-Mail message is shown in Figure 10. In our
example, the sender is sitting at a UNIX terminal, but the receiver is using a Windows
workstation to read her mail. The operation is the following:
• The sender composes the message using an MUA application, like pine. The MUA
sends the message to the local MTA (for example sendmail) using SMTP or local
delivery. The SMTP message is structured text containing a header and a data
field. The SMTP header contains field names and values, separated with a colon
(:).
• The sender's E-Mail server reads the receiver information and decides if remote
delivery is needed. To find the mail server of the receiver, it sends MX and A
queries to the DNS name server. The name server first returns the domain name of
the receiving mail server, then its IP address.
• The sender's mail server sends the message using SMTP. The message is put
into one or more TCP segments, which are carried in IP packets. If possible, the
SMTP message is sent directly from the sender's mail server to the receiving
server.
• The MTA on the receiving server (for example qmail) receives the mail message,
determines that this is a local delivery and stores the message in the configured
mail storage, using an MTA-specific format.
• The message is kept in the mail storage until the target user takes action to
read her mail. In our example, the receiver is sitting at a Windows PC and using
Netscape Messenger for E-Mail. The mail application may use POP3 (Post
Office Protocol) or IMAP4 (Internet Mail Access Protocol) for retrieving mail.
Her Messenger is configured for IMAP4, which gives better possibilities to
handle messages and attachment files.
• With an IMAP client, the receiver may keep messages on the server and only
download selected files to the workstation. If the receiver deletes the message and
compacts her mailbox, the message file is deleted.
Fig 10: E-Mail components and protocols. (Figure: an MUA on a terminal, the sender's
E-Mail server running an MTA, a DNS name server running named, the receiver's E-Mail
server running an MTA and IMAPd, and the receiver's workstation; SMTP, DNS and
IMAP4 are carried over the two intranets and the Internet.)
If a mail server cannot deliver or store a message, it bounces an error message to the
sender and keeps retrying. Retry timers use escalating periods, like 400, 1 600, 3 600,
6 400, 10 000... seconds, the largest being several days.
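The sending MTA's decisions from the step list above, as an added Python example that is not from the handout: parsing the colon-separated header, deciding between local and remote delivery, the MX query with preference order followed by the A query for the chosen exchanger, and the escalating retry periods just quoted. The message, domains, MX and A records are constructed, and `next_hop` and `retry_schedule` are hypothetical names.

```python
"""Outbound delivery decision of a sending MTA (added example, not from the
handout; message, local domains and DNS records are constructed)."""

LOCAL_DOMAINS = {"evitech.fi"}               # domains this MTA stores locally

# constructed DNS data: MX records as (preference, exchanger), and A records
MX = {"puska.fi": [(20, "mx2.puska.fi"), (10, "mx1.puska.fi")],
      "example.org": []}                     # domain without any MX record
A = {"mx1.puska.fi": "192.0.2.25", "mx2.puska.fi": "192.0.2.26",
     "example.org": "192.0.2.80"}


def parse_headers(message):
    """SMTP message = header, blank line, data.  Header fields are
    'Name: value' lines; a line starting with whitespace continues the
    previous field."""
    header, _, _body = message.partition("\n\n")
    fields, last = {}, None
    for line in header.splitlines():
        if line[:1] in (" ", "\t") and last:        # folded continuation
            fields[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: " + line)
        last = name.strip().lower()
        fields[last] = value.strip()
    return fields


def recipient_domain(address):
    """Accept 'Name <user@host>' or a bare 'user@host'; return the host."""
    addr = address[address.rfind("<") + 1:].rstrip(">").strip()
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("bad address: " + address)
    return domain.lower()


def next_hop(message):
    """Return ('local', None) or ('remote', ip) for the To: address: the MX
    query comes first and the lowest preference wins, then the A query for
    that exchanger; a domain without MX is tried by its own A record."""
    domain = recipient_domain(parse_headers(message)["to"])
    if domain in LOCAL_DOMAINS:
        return ("local", None)
    exchangers = sorted(MX.get(domain, []))       # preference ascending
    targets = [host for _pref, host in exchangers] or [domain]
    for host in targets:
        if host in A:
            return ("remote", A[host])
    raise LookupError("no mail server found for " + domain)


def retry_schedule(max_tries):
    """Escalating retry periods as in the text: 400, 1 600, 3 600, 6 400,
    10 000 ... seconds, i.e. 400 * n^2 seconds for the n-th retry."""
    return [400 * n * n for n in range(1, max_tries + 1)]


# constructed sample message, as handed over by the MUA
MESSAGE = """From: Matti <matti@evitech.fi>
To: Receiver <receiver@puska.fi>
Subject: Lab report
\tweek 3

Hello, attached is the report.
"""
```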
E-Mail messages are structured text documents, and sending text messages generates
extremely low bandwidth (*). Nowadays more and more, and larger and larger, attachments
are used, increasing the bandwidth usage of SMTP. The IMAP access protocol addresses
this issue on low bandwidth links (like modem, ISDN, GSM data and GPRS
connections), providing the user with wide possibilities to select what to
download. My personal view is that it is simplest and most reliable to keep mail
messages and attachments on the mail server and only retrieve a copy for reading.
*) If I send and receive 50 mail messages a day, with an average of 500 characters including the header, each
message will be 4000 bits (with 8 bit coding), and the total information will be 200 kbit. Averaging this over business
hours makes 200 kbit/(8*60*60) = 7 bit/s for a user. Extrapolating this value to 1 000 users we get a total of 7 kbit/s
loading, i.e. 0,4 % of the E1 capacity, during business hours.
6 File Services for Windows Hosts Using Samba
Opening Windows to a Wider World
6.1 UNIX and MS Windows File Services
File services are essential on a corporate LAN. It means that users may access common
folders and files independently of their workstation. Files are stored on one or multiple
dedicated servers that are backed up periodically. Shared directories (or folders, as MS
calls them) have access rights that control who can access the information resources
and in what ways. Single Sign-on provides common user authentication between
multiple servers.
Linux, as other UNIX variants, uses the TCP/IP protocol stack and offers NFS
(Network File System) for distributed file services. FTP and TFTP file sharing are also
offered, but these are targeted at limited use. Microsoft Windows hosts may use
multiple protocols, although TCP/IP is the dominant one, and use the SMB (Server
Message Block) application protocol for file and print services. Another alternative is
Novell NetWare, which runs a special NetWare NOS on the server and a NetWare client on
workstations. Linux distributions include Samba, which mimics an MS Windows Server
and offers many Windows NT Server and 200x Server features to Windows hosts.
There are, however, many fundamental differences between a Linux and a MS
Windows host. From the point of view of file services, the most important are the
following:
• Newer Windows hosts use the NTFS file system, which allows long file names (up to
254 characters) and includes fine-grained access rights (Read/Write/Read &
Execute/Modify/Full Control) with inheritance for given users and groups.
Linux normally uses the ext2 file system with up to 1023 character file names, and
access control is based on read, write and execute rights for the owner, group
and everyone.
• Full Windows filenames end with a period and a three letter extension, and
spaces are allowed in the name (although not supported by some Microsoft
applications, like net commands!). Windows doesn't make a difference between
a lowercase and an uppercase letter. Logical drives are expressed in drive letters
(a: for the diskette drive). Linux doesn't allow a space in the file name, it
identifies different file types with a complex magic number system, a period is
just a character in the file name, and file names are case sensitive.
• Windows hosts may use Microsoft NetBEUI (NetBIOS over LLC), TCP/IP or
Novell IPX protocol stacks, while Linux uses only TCP/IP.
• Windows hosts may use either 15+1 character flat NetBIOS hostnames
(Computer Names) or hierarchical DNS names for host and service
identification. The NetBIOS name includes only capital letters, and a shared
resource is identified with a server and a share name, using backslashes for
separation (\\SERVER\SHARE). Linux uses only DNS names, which are resolved
to IP addresses. A slash (/) is used as the separator, and a resource identification
may include multiple hierarchical levels (like
http://www.evtek.fi/technology/programmes/inftech/majors/data/index.html).
• If NetBIOS names are used, IP address to NetBIOS name resolution is handled
either by broadcasting or by a WINS Server (Windows Inter-networking Name
Server), or by a combination of these two methods. Windows hosts also keep a
local cached copy of the computer name to IP address resolutions.
• All Windows servers register with a Local Master Browser, which offers a list of
servers. Windows hosts may browse the network (My Network Places) by acquiring
the list from the server. Registering and unregistering is based on periodic
broadcasts every 12 - 15 minutes. Linux hosts may use either DNS names for
service identification or a NIS (Network Information Services) system as a
central service catalogue.
• Windows file and print services are offered by the SMB protocol on the
application layer. This uses both UDP transport on ports 137 and 138, and TCP
on port 445. Linux NFS is based on UDP, and it uses a well-known UDP port
2049.
• Windows stores usernames and hashed password equivalents on SAM. For
backward compatibility two equivalents are used, one for the old LAN Manager,
another for NT and newer systems. Linux uses /etc/passwd text file for
usernames and /etc/shadow for encrypted passwords. The encryption methods
are different (of course the Linux encryption is much safer, especially when
compared with the old LAN Manager password equivalent). With PAM
(Pluggable Authentication Modules), also external Kerberos or LDAP
authentication may be used by a Linux host.
• Newer Windows hosts always use the Challenge/Response method for
authentication, and the password is never sent over the network. Some unsafe
Linux services (Telnet, HTTP etc.) send the clear text password over the wire,
and the use and method of password encryption depend on the service
in question.
• A Windows server may use either Share or User Level Security. The server
announces the security mode and the client acts accordingly. In Share mode,
each share may be protected with a common password, and the client only sends
the password, but once for each share. User mode is based on user
authentication, and both username and password are sent, only once. The native
Linux NFS is only based on client authentication!
• Multiple User Level Security Windows servers may be grouped in an NT
Domain, which has a common SAM, i.e. usernames, passwords and security
parameters. In large networks, the NT Domain hierarchy is based on trust
relationships (with older NT servers) or Active Directory trees and forests (with
the newer Win 200x servers). Multiple Linux hosts may use a common Kerberos
authentication server.
• In each NT Domain, there is a single Primary Domain Controller and zero, one
or more Backup Domain Controllers. The PDC holds the master copy, and
BDCs get a local copy from the Primary. Maintenance of consistent SAM data
between multiple servers in an NT domain is based on replication, a proprietary
and poorly documented Microsoft solution. All Domain Controllers offer the
NETLOGON share.
• In an NT Domain, Windows clients also need to be Domain Members
(Computer Account, i.e. a netbiosname$ user account). Linux service control is
based on either client or user authentication, or on a combination of these two.
When acting as a file server for Windows hosts, a Linux Samba host (and the system
administrator) must adapt to the applicable Windows methods and rules. Although
Samba v.3 includes many new features, it is not a Windows server, and it still has some
limitations. A modern Samba server may act as a PDC in an NT Domain, but it cannot
participate in MS replication or act as an AD Domain Controller.
6.2 Samba Services
When installed, started, configured and tested, a Samba server may share defined
directories to given Windows users (Figure 11). Share mode security should be avoided,
so users log on to the server with their UNIX username and a separate Samba password
and browse or map shared resources. If drive mapping is done automatically with a
logon script, file services are invisible to the user.
Figure 11: Samba File Share for Windows users. (Figure: FILESERVER runs smbd and
nmbd over TCP/IP and shares /home/project; the user matti maps it with
"net use v: \\FILESERVER\PROJECT" and sees it as "project on 'FILESERVER' (V:)".)
6.3 Samba as a Primary Domain Controller
Some Dull Theory First
Windows NT and 200x servers may be grouped into NT Domains. Within a domain,
similar user rights apply, and a user is authenticated only once and gets access to all
services regardless of their location (Single Sign-On). The NETLOGON service is always
needed for domain controller operation. During logon, the server may automatically
download a logon script, which is executed on the Windows workstation. User
preferences may be stored on the server, and, if used, a roaming profile provides the same
desktop for a user, regardless of the logon station.
Every NT Domain has a single Primary Domain Controller (PDC) and zero, one or
more Backup Domain Controllers (BDC). The PDC holds the master SAM database,
i.e. usernames, passwords and groups, and PDC replicates the SAM data to BDCs.
Because the user data will be the same, any domain controller may perform user
authentication.
A group of Windows hosts, either a Workgroup or an NT Domain, has a Master
Browser Server, which holds a list of the computer names (NetBIOS names) of the group
members. The Master Browser Server is elected when a computer with a high enough
role joins the group, and all computers register themselves with the Master Browser Server.
When browsing the network (My Network Places), the Master Browser Server returns
the browse list to the browse client. The browsing service is also secured by Backup
Browser Servers. Browser election and registering and unregistering to the browse list are
dependent on timers, so the browse list is not necessarily up to date at all times.
A version 3 Samba server may act as a Primary Domain Controller. As a PDC, the
Samba server should have the Master Browser Server role of the domain as well. To
become the Master Browser, it must report a high enough OS level. Domain usernames
and passwords must be kept in a tdbsam database, not in a simple smbpasswd file.
A Samba server cannot participate in PDC-BDC replication, nor in Win 200x Active
Directory.
Every Windows host in a domain needs a computer account on the domain controller.
This is seen as a username consisting of the NetBIOS name of the computer amended with
a dollar sign ($). Because a UNIX user account is always needed for a Samba username,
an entry in the /etc/passwd file, and in the other password and group files, is needed.
These may be created manually beforehand, or automatically with an add machine script.
To change local Windows workstation settings, you must log on to the host with a local
administrator level account. To join an NT domain, you must supply an admin user
account and password on the domain controller.
Configuration Steps for PDC
At this point of the exercise, you should have the Samba server acting as a stand-alone
server in a workgroup, and users authenticated from the smbpasswd password
file. The shared folders should also be created, shared and secured.
To promote the Samba server as the PDC of a domain, the following steps should be
taken:
• create the netlogon folder and netlogon share
• edit the Samba configuration file to:
- use a unique domain (workgroup) name, different from the previous workgroup name
- use the tdbsam database for user credentials
- supply the add machine script, which adds a UNIX account for the computer
account, preferably with a safe shell and home directory
- enable user domain logons
- act as the Master Browser Server for the domain and report a high enough
Operating System value to be elected as the Master Browser Server
- force a Master Browser Server election when booting up (Preferred Master)
- process MasterBrowserAnnouncements (Domain Master), to ensure that the
Master Browser Server has a complete browse list of all servers on the
domain
- include information about the admin user account, which is used to add a
computer to the domain
- after editing, you may check the configuration file syntax and details with
testparm
• convert the Samba passwords to the tdb database, for example by adding the users
(you may check the tdb usernames and details with pdbedit -Lv)
• add a Samba password also for the admin user root
• restart the smbd service for the configuration changes to take effect (check the
smbd log to make sure the daemon started normally)
• join the workstation to the domain
• restart the Windows workstation, as suggested by Windows, and log on with a domain
account.
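A check for the smb.conf items in the step list above, as an added Python example that is not Samba's own tooling (testparm remains the authoritative syntax check): a constructed stand-alone configuration beside a constructed PDC configuration, and a function that reports which PDC requirements a configuration fails. The parameter names are real Samba 3 smb.conf parameters; the os level threshold of 32 is an assumption about what an NT server reports, and the paths and names are constructed.

```python
"""Check smb.conf against the PDC step list (added example, not Samba's
tooling; both configurations are constructed, os level threshold assumed)."""
import configparser

# constructed stand-alone configuration, as left by the previous exercise
STANDALONE_CONF = """
[global]
   workgroup = LABGROUP
   security = user
   passdb backend = smbpasswd

[project]
   path = /home/project
   writable = yes
"""

# constructed PDC configuration following the step list
PDC_CONF = """
[global]
   workgroup = LABDOMAIN
   security = user
   passdb backend = tdbsam
   domain logons = yes
   domain master = yes
   preferred master = yes
   local master = yes
   os level = 65
   add machine script = /usr/sbin/useradd -d /dev/null -s /bin/false %u

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
   browseable = no

[project]
   path = /home/project
   writable = yes
"""

NT_SERVER_OS_LEVEL = 32          # assumed level reported by an NT server


def load(conf_text):
    """smb.conf is 'key = value' under [section] headers, so configparser
    reads it; interpolation is off because '%u' is a Samba substitution."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   empty_lines_in_values=False)
    cp.read_string(conf_text)
    return cp


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def check_pdc(conf_text):
    """Return the list of PDC requirements the configuration fails
    (empty list: every item of the step list is present)."""
    cp = load(conf_text)
    g = cp["global"] if cp.has_section("global") else {}
    problems = []
    if not g.get("workgroup"):
        problems.append("no workgroup (domain) name")
    if g.get("security", "user").strip().lower() != "user":
        problems.append("share level security; user level is required")
    if not g.get("passdb backend", "").strip().startswith("tdbsam"):
        problems.append("passdb backend is not tdbsam")
    if not g.get("add machine script"):
        problems.append("no add machine script for computer accounts")
    for key in ("domain logons", "domain master", "preferred master"):
        if not is_yes(g.get(key, "no")):
            problems.append(key + " is not enabled")
    if int(g.get("os level", "20")) <= NT_SERVER_OS_LEVEL:   # Samba default 20
        problems.append("os level too low to win the browser election")
    if not cp.has_section("netlogon") or not cp["netlogon"].get("path"):
        problems.append("no [netlogon] share with a path")
    return problems


if __name__ == "__main__":
    for name, conf in (("stand-alone", STANDALONE_CONF), ("PDC", PDC_CONF)):
        print(name, check_pdc(conf) or "meets the PDC step list")
```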
List of Acronyms
1
10BaseT 10 Mbit/s Baseband Ethernet on twisted pairs wire
100BaseT 100 Mbit/s Baseband Fast Ethernet on twisted pairs wire
A
ACL Access Control List, a sequential list for access control
AD Active Directory, Microsoft directory system for Windows 200x servers
ARP Address Resolution Protocol, protocol to resolve IP to MAC address
dependencies
B
BDC Backup Domain Controller, a server on a Windows NT domain that holds a
copy of the user database
BIND Berkeley Internet Name Daemon, popular DNS server software for UNIX
D
DMZ Demilitarized Zone, a gray zone on a firewall between the protected internal
and unprotected external networks
DNS Domain Name System, address resolution between domain names and IP
addresses. Works both ways
DoS Denial of Service, a form of data security attack
E
eth0 Ethernet interface 0, first Ethernet interface on a UNIX host
F
FQDN Fully Qualified Domain Name, full DNS name of a host
FTP File Transfer Protocol
H
HTML Hypertext Markup Language, language to describe structure of Web pages
HTTP Hypertext Transfer Protocol
I
ICANN Internet Corporation for Assigned Names and Numbers, the organisation who
governs names and numbers used in the Internet
IETF Internet Engineering Task Force, organisation which controls and coordinates
development of Internet RFCs
IMAP4 Internet Mail Access Protocol 4, new protocol to retrieve E-mail messages
and attachments from the mail server to a workstation
IP Internet Protocol
IPX Internet Packet Exchange, network layer protocol from Novell
IRC Internet Relayed Chat, a protocol for two-way text chat
IRQ Interrupt Request, address to distinguish interrupts from different peripherals
ISC Internet Software Consortium, a consortium to develop free software
L
LAN Local Area Network, a high bandwidth network for computers and computer
peripherals
lo Loopback interface
M
MAC Media Access Control, data link layer standard
man manual, manual page for a UNIX command
MTA Message Transfer Agent, software component that transfers E-Mail messages
between MTAs
MTU Maximum Transfer Unit, largest packet size of an interface
MUA Message User Agent, software component for users to compose, send and
read E-Mail messages
N
NET-4 Version 4 networking functions for Linux
NetBEUI NetBIOS Extended User Interface, proprietary Microsoft unroutable protocol
stack
NetBIOS Logical interface for distributed redirected network services
NFS Network File Services, file transfer protocol for UNIX based distributed file
system
NIC Network Interface Card, Ethernet network adapter
NTFS NT File System, file system used in modern Microsoft Windows hosts
NTP Network Time Protocol, protocol to distribute time from a server
P
PDC Primary Domain Controller, the server on a Windows NT domain that holds
the master user database
Pid Process Identifier, identifier number for a process
POP3 Post Office Protocol 3, protocol to retrieve E-mail messages and attachments
from the mail server to a workstation
R
RAM Random Access Memory, physical memory on a computer
RFC Request for Comment, Internet standard
RTP Realtime Transport Protocol, an application protocol for sending real time
voice, video and data conferencing data on packets
S
SCSI Small Computer System Interface, a parallel system interface for hard drives
and other system components
SMB Server Message Block, application layer protocol for file and print services
on Windows networks
SMTP Simple Mail Transfer Protocol, mail protocol between Internet E-mail servers
T
TCP Transport Control Protocol, connection oriented transport protocol
TCP/IP Transmission Control Protocol/Internet Protocol, set of standard protocols
used in the Internet
Telnet Teletype Networking, a protocol for unprotected remote terminal sessions
TFTP Trivial File Transfer Protocol, simple protocol for automatic file download
from server to devices
TTL Time to Live, a field on an IP packet, that makes it possible to discard lost IP
packets
W
WWW World Wide Web, distributed multimedia system that is used from a Web
Browser