dyn netbios/ip map (right one)

Christopher R. Hertel crh at ubiqx.mn.org
Mon Oct 27 15:13:10 GMT 2003 

"michelegonella at libero.it" wrote:
> 
> Sorry for my previous dump post ;-)
> Thanks Chris,
> my problem is having an updated map of ip addresses of each host within the
> LAN because linux kernel ip stuff(iptables, ip command) deal with ip
> addresses whereas  in dhcp based networks host/ip binding has to be
> considered dynamic.

Note that NetBIOS name registration is also dynamic.  It's not difficult for
one node to steal another node's NetBIOS name.

> Thus identifying hosts by their netbios name is the best way of profiling
> the access to net resources (allowed ports, traffic bandwidth etc.).

The key word being "profiling".

What you are hoping to do (if I understand correctly) is map the NetBIOS
name to a policy of some sort, and also to the IP address.

> The environment must be as generic as possible; I played a little with
> nmblookup which works perfectly in a wild all broadcast network, and maybe
> also in a more complex subnetted wins served environment except for the
> traffic you generate depending on how often you poll clients, at the moment
> I do one broadcast to know the addresses and one unicast for each host to
> know the name.
>
> Nmbd came to my mind when I saw the log file and had a look at the source
> code, because I noticed that broadcast name requests are mapped in nmbd
> memory.
>
> So I thought that the job of knowing all clients addresses was already
> accomplished by nmbd and that there was no need of flooding the LAN with
> query/answers packets because I could have the netbios/ip pairs readily on
> my host just by running nmbd (my best compliments to developers for how the
> code is clear and well commented).

Mapping a NetBIOS name to an IP address is the job of the NBT Name Service.
It is only done in a few situations, however.
- When nmbd is running as a NBNS (aka. WINS server) it keeps track of the
  NetBIOS name to IP address mapping of all nodes that have registered with
  it.  If the nodes register with a different NBNS then the nmbd daemon will
  not know the mapping.
- A client that wishes to contact a specific NetBIOS name will send a query
  for name resolution.  The query may be broadcast or it may be directed at
  the NBNS, or both.

The NBT Name Service is, by necessity, a chatty system.  That's one reason
that Windows clients cache name resolutions.

> I did some tests using nmbd as wins server, and used the wins hook
> capability, but some problems arose;  samba wins can't get browse
> lists from MS wins servers (I didn't test it but I read it in the O'Really
> book) so using a client is the only solution for subnetted nets and
> also wins hook doesn't work with broadcasts; also wins.dat gives infos just
> about the clients who use nmbd as their own wins server.

Well, first thing... The Browse List has nothing to do with this.  The
Browse List is part of a separate service that uses NBT name resolution (in
an IP environment).  I don't know why you are thinking about the Browse
List.

Anyway, the rest is correct.  The NBNS (WINS server) will only get the
NetBIOS Name<-->IP mappings that are sent to it.  That's the way the system
is designed.  The whole point of the system is to allow a client to locate a
NetBIOS name that exists somewhere on an IP network.

> That's why I'm stuck at the moment; my guess is that in nmbd's memory there
> is an updated map of all clients in all subnets whichever MS-hybrid  name
> resolution method they use.

Nope.  Nmbd can't know about a mapping unless it is told, and it only keeps
track of that mapping if it is acting as an NBNS.

> But I am not sure about that and also I think samba developers have faced
> the problem of this passive/active discovery so many times....

No, not really.  There's no reason to care about NetBIOS names that are
mapped elsewhere.

> If necessary I can think of patching nmbd to dump the cliets map but it can
> be hard and maybe there is just asigle hacking point to get the best result.

Are you talking about trying to keep track of the clients that connect to
smbd?  That won't work either.  Clients do not need to provide their NetBIOS
name when connecting to a Samba server.  It's a fudge, but it's true.  Also,
how would you ensure that all of the Gateway users also connect to the
server?

> thanks again(also for the link which is great)

Thanks for the compliment.  :)

As for the rest, I understand what you are trying to do a bit better now.  I
would recommend something different.  You probably want to set policy based
on the user, rather than the client node's NetBIOS name.  You might want to
look
at something like NoCatAuth (nocat.net).  It's a bunch of Perl scripts that
run on a Linux system and block network access until the user logs in using
a username/password.  It's designed for managing wireless LANs, but it could
easily be modified to work in your envorinment.

Consider:  The user powers up their desktop machine.  Maybe they've got a
new machine, changed the NetBIOS name, or they're using someone else's
machine.  In any case, what they want is access to the outside world.  They
can't have it because the gateway has not recognized them.  They bring up a
web browser and try to connect to Yahoo or something.  Instead, they get a
local web page with a log-on request.  They log on (using a local table or
via RADIUS or some other option) and the iptables are automagically
updated.  Now they can pass traffic (all sorts of traffic, not just web).

Worth looking at anyway.

Chris -)-----

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org

More information about the samba-technical mailing list