[Samba] samba without netbios
John H Terpstra
jht at samba.org
Tue Oct 25 15:14:51 GMT 2005
OK - I'll try to answer this.
Originally Windows networking used only NetBIOS over TCP/IP.
Browsing uses a complex interaction of name registration and resolution
involving UDP ports 137 and 138. Port 137 is the NetBIOS Name Server port,
but it is also used to handle all browsing operations. Browsing is the
ability to locate domains and machines over the network.
A NetBIOS machine name must be resolved to its IP address. This can be done
using WINS using NetBIOS unicast queries over unicast UDP, or via NetBIOS
broadcasts over UDP broadcast using port 137.
File and print sharing operations under NetBIOS over TCP/IP are performed over
TCP port 139. Both ends of the NetBIOS over TCP/IP connection must know each
other's NetBIOS name. Name resolution is vital to NetBIOS over TCP/IP
operation - WINS is your friend because it adds reliability and reduces
network UDP traffic.
Windows 2000 introduces ADS!
Enter Windows 2000 with ADS, and the ability to disable NetBIOS over TCP/IP.
In its place Windows 200X uses DNS, Kerberos, LDAP, and Raw SMB over TCP/IP.
The DNS, Kerberos and LDAP services run over the standard well-known ports.
Raw SMB over TCP/IP uses TCP port 445.
On Windows 200X clients, when NetBIOS over TCP/IP is disabled, and an attempt
is made to join a domain, the client automatically tries to use the
combination of DNS, Kerberos, LDAP and TCP port 445 services with the
expectation that Microsoft Active Directory is being used. In order to remain
backwards compatible, TCP port 139 can also be used.
The mechanisms behind TCP ports 139 and 445 are very different. A connection
made on port 445 must be able to resolve the fully qualified hostname using
the protocols expected within ADS. That is, via DNS using SRV records as well
as A records. Additionally, the client will try to use Kerberos information
to contact the DNS server and the LDAP server. It expects to find SMB
information in the Kerberos PAC (a data blob inside the Kerberos ticket that
is unique to ADS's implementation).
With ADS browsing involves DNS, LDAP and Raw SMB traffic over ports 445 and
139. The client expects all the information that it would obtain if it were a
member of an ADS domain.
Samba-3 supports port 445 and all operations necessary to be an ADS domain
member server. It can not be an ADS server, and it can not be an ADS domain
controller. That functionality is being added in the Samba-4 project.
What this means is, that if you disable NetBIOS over TCP/IP on your clients
and on Samba-3, you will not be able to browse the network. Additionally,
Samba can NOT be a domain controller. It can be a stand-alone server without
NetBIOS over TCP/IP.
Samba-3 can be a file and print server for Windows clients that have NetBIOS
disabled - but some things may break.
In short, NetBIOS-less SMB implies ADS. Samba-3 is not an ADS server. Ergo, NO
ADS for all practical purposes means DOES NOT WORK.
On Tuesday 25 October 2005 07:12, William Burns wrote:
> >On Monday 24 October 2005 14:06, julius Junghans wrote:
> >>ive read a lot in the howto about netbios/ddns, but im still confused if
> >>its possible for samba to only use tcp/ip without netbios.
> >>are there any howtos for this topic that are not mentioned in the samba3
> John H Terpstra wrote:
> >Please point me to the documentation (section and page number please) that
> > you have referred to and that is not clear to you. I need to know so I
> > can fix it.
> I don't know what Julius is looking at but...
> I'm looking into similar docs re: DFS not working on SAMBA servers that
> are referred to w/ fully.qualified.sub.domains... (even though a
> straight samba share WILL work under that name)
> I figure that all the info that Julius needs is in the docs...
I am not sufficiently tuned in to answer what Julius' needs are. I offer a
speculative answer below.
> Here's how he might proceed to get where he wants to go.
> At the bottom of this section:
> 126.96.36.199 Routed Networks - Page 480
> There's a pretty definitive sounding statement:
> > Note
> > The use of DNS is not an acceptable substitute
> > for WINS. DNS does not store specific
> > information regarding NetBIOS networking
> > particulars that get stored in the WINS
> > name resolution database and that Windows
> > clients require and depend on.
> That sounds like a "no".
Correct - DNS can not substitute for WINS or Broadcast UDP-based name
resolution for NetBIOS over TCP/IP enabled configurations.
> But, later in section
> "15.1 Joining a Domain: Windows 200x/XP Professional"
> at the bottom of page 495, there's this:
> > Where NetBIOS technology uses WINS as well as UDP broadcast
> > as key mechanisms for name resolution, Active Directory
> > servers register their services with the Microsoft Dynamic DNS
> > server. Windows clients must be able to query the correct DNS
> > server to find the services (like which machines are domain controllers
> > or which machines have the Netlogon service running).
> So, sometime you HAVE to use DNS....
For ADS DNS is essential.
> Later there's a note that you don't have to do this [DNS] if you're in a
> SAMBA domain.
Correct - You must use NetBIOS over TCP/IP.
> But... Does this mean I can disable Netbios/Netbeui?
Well, yes you can, but your network will not be browseable and some SMB
operations will fail.
> There's A direct answer to Julius' question in section
> "16.5 Questions and Answers"
> at the bottom of page 554
> > 6. Q: Is it possible to reduce network broadcast activity with
> > Samba-3?
> > A: Yes, there are two ways to do this. The first involves
> > use of WINS (See TOSHARG2, Chapter 9, Section 9.5, “WINS
> > — The Windows Inter-networking Name Server”); the alternate
> > method involves disabling the use of NetBIOS over TCP/IP. This
> > second method requires a correctly configured DNS server (see
> > TOSHARG2, Chapter 9, Section 9.3, “Discussion”)
WINS is part of NetBIOS over TCP/IP, DNS is integral to ADS. ADS reduces UDP
broadcast traffic, but replaces what would have happened over UDP port 137
with many times more traffic that now uses UDP/TCP ports 53 (DNS), TCP port
88 (Kerberos), LDAP TCP ports 389 and 636, TCP port 139 and 445 (SMB) and TCP
port 135 (MS DCE RPC).
So turning off NetBIOS does not reduce network traffic with Windows! It
increases the overall traffic. Which is why the discussion about this gets
> Plus the following note:
> > Note
> > Use of SMB without NetBIOS is possible only
> > on Windows 200x/XP Professional clients
> > and servers, as well as with Samba-3.
Correct. Outlined above.
> Personally, I find the answer to question 6 a little confusing because I
> *thought* that in Win'9x, disabling "NetBIOS over TCP/IP" meant that
> you'd get no SMB traffic on the TCP/IP side of that client. (It'd be all
NetBEUI has nothing to do with TCP/IP - it is a totally separate protocol that
uses NetBIOS over LLC.
When NetBIOS over TCP/IP on Windows 9x is disabled this stops the client from
using any SMB over TCP/IP. Ergo, no ability to talk to Samba servers.
> This Win' 9x "NetBIOS over TCP/IP" config feature does not exist in Win'
> XP as such, but is provided by Win' XP's "TCP/IP NetBIOS Helper" in
> Control-Panel/Services which "Enables support for NetBIOS over TCP/IP
> (NetBT) service and NetBIOS name resolution"
> This service sometimes inexplicably gets turned off, causing the Win'XP
> client to fail to use DNS resolution to resolve SMB names.
> But... it IS possible....
Right! And you CAN also shoot your foot off, but then your foot does not work
too well any more.
> That brings us to this section
> tml#id2551944 which is not numbered in the html version ??? but in the PDF
> version has a section number:
> "9.3.2 TCP/IP without NetBIOS"
Remember, this chapter deals with Network browsing and name resolution. It
does not deal with domain control or with SMB session services.
> On page 151 we learn:
> > Use of raw SMB over TCP/IP (No NetBIOS layer) can be done only with
> > Active Directory domains. Samba is not an Active Directory domain
> > controller:
> > ergo, it is not possible to run Samba as a domain controller and at
> > the same time not use NetBIOS.
> But, it should be possible to do this w/ a stand-alone SAMBA server.
Correct, see above. But note also that I did say that some SMB operations will
fail, and that effectively means that you can not use it.
> And then, a very interesting statement:
> > Where Samba is used as an Active Directory
> > domain member server (DMS) it is possible to configure Samba to not
> > use NetBIOS over TCP/IP.
Correct, as explained above, Samba-3 can be an ADS member and thus must
support all the protocols ADS clients use as a domain member.
> This is interesting because I *thought* that I was concerned about
> replacing NetBIOS w/ DNS name resolution on my Win'XP clients.
Right! Only when Windows XP is an ADS domain member.
> Is this also about how SAMBA resolves names?
> I hadn't given any thought to the possibility that SAMBA might need to
> resolve an IP from a PC name.., or even know the PC name at all...
> IS this a requirement? I mean, isn't the smbd process passive? Maybe
No. All SMB operation must know the identity of the server and the client for
> > if NetBIOS over TCP/IP is disabled, it is
> > necessary to manually create appropriate DNS entries for the Samba DMS
> > because they will not be automatically generated either by Samba, or by
> > the ADS environment.
Right! Samba-3 acting as an ADS domain member may require that static entries
be made for each of the names that may need to be capable of being resolved.
> Now, it seems like I've been told that: if I want to have a SAMBA server
> without NetBIOS (only DNS) name services enabled on the clients, my only
> hope is to get a SAMBA member server into my Active Directory domain.
> I'd expect to see the SRV records that I need to put into A.D. spelled
> Is that what's on page 152?
> Instead, it looks like lots of stuff that an AD domain puts into DNS is
Correct, this only works for all practical purposes with ADS.
> I don't get the idea that these are the few things that I need to ADD to
> an existing MS-DNS server in order to get my member server going.
> (Am I wrong?)
So long as you have ADS, correct.
> Then I'm supposed to double-check my work by looking on a DNS server
> named frodo for what provides LDAP service for
> "_ldap._tcp.dc._msdcs.quenya.org" ?
> Phew... That was supposed to convince me that SAMBA/AD domain membership
> is not for the faint-of-heart, right?
> Either that, or it was supposed to encourage me (w/ a wink) to take on
> the challenge of going straight to doing everything w/ a linux-based DNS
> server in place of MS-DNS.
Nope! You need to think in terms of how Microsoft implemented their networking
technology. Your choice is NetBIOS over TCP/IP (aka NT4 style domains) or
Active Directory. Only Samba-4 will offer the ability to not use NetBIOS over
TCP/IP for a Samba-only domain controlled network.
> Which.... Might cause me to look at the section on DDNS, and DHCP, where
> I *think* Julius was looking....
> And I might be encouraged to tilt at the ISC vs. MS DNS windmill. (It
> would be cool, wouldn't it?)
Julius needs to disable use of port 445, if I recall correctly. He also must
use NetBIOS names - not DNS domain names - to connect to his MS DFS server.
It is possible to use port 445 and DNS domain names only if his Samba server
is an ADS domain member and DNS is correctly configured.
> But I, as a non-unix-wizard, should really be looking back at:
> "6.3 Domain Member Server"
> "6.4 Samba ADS Domain Membership"
> on Page 107.
> > This is a rough guide to setting up Samba-3 with Kerberos authentication
> > against a Windows 200x KDC. A familiarity with Kerberos is assumed.
Correct - but only as an ADS domain member.
> Where I can bite the kerberos configuration bullet, and refer to a few
> microsoft documents to help me get a SAMBA server kerberized right into
> an AD domain.
Well, you can configure Samba-3 only as an ADS domain member. It can not be an
ADS domain controller, nor can it be an ADS server.
> And then, when I've got that done, I can turn off NetBIOS over TCP/IP on
> my Win'XP clients.
Sure! So long as you have MS ADS!
> At least... I think that's the intent of the docs... If I was reading
> that right.
Correct! Samba-3 documentation guides the administrator in how to configure
NT4-style domains and ADS domain member clients. Nowhere have I designed the
documentation to guide administrators to do what is not supported.
Now, please send me documentation updates as your contribution to help others
like yourself from getting sucked into the same whirlpool.
- John T.
John H Terpstra
Phone: +1 (650) 580-8668
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
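The thread above keeps coming back to the UDP port 137 name service that NetBIOS over TCP/IP depends on and that disappears when a client is switched to raw SMB on TCP port 445. The following is an added example, not code from this thread or from the Samba project: it implements the RFC 1002 "first-level" name encoding and builds and parses a NetBIOS name query packet of the kind a client broadcasts (or sends unicast to a WINS server) on UDP/137. The host name FRODO, the transaction ID and the suffix byte 0x20 (the file-server service) are constructed sample inputs; the send_query helper is the only part that touches the network and is not needed to run the rest.

```python
import socket
import struct

# Added example, not part of the original post or of Samba's own code.
# Implements NetBIOS name "first-level encoding" and name-query framing
# from RFC 1001/1002, the wire format carried over UDP port 137.

NB_NAME_LEN = 16          # 15 name bytes padded with spaces + 1 suffix byte
QTYPE_NB = 0x0020         # NetBIOS general name service query
QTYPE_NBSTAT = 0x0021     # node status request (the "*" wildcard query)
QCLASS_IN = 0x0001


def encode_netbios_name(name: str, suffix: int = 0x20) -> str:
    """Pad the name to 15 bytes, append the suffix byte, then write each
    byte as two letters 'A'..'P', one per nibble (RFC 1002 section 4.1).
    The NBSTAT wildcard "*" is padded with NULs rather than spaces."""
    if name == "*":
        raw = b"*" + b"\x00" * 14 + bytes([suffix])
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = []
    for b in raw:
        out.append(chr(ord("A") + (b >> 4)))
        out.append(chr(ord("A") + (b & 0x0F)))
    return "".join(out)


def decode_netbios_name(encoded: str):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 2 * NB_NAME_LEN:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytearray()
    for i in range(0, len(encoded), 2):
        hi = ord(encoded[i]) - ord("A")
        lo = ord(encoded[i + 1]) - ord("A")
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid first-level encoding character")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def build_name_query(name: str, suffix: int = 0x20, txid: int = 0x1234,
                     broadcast: bool = True, qtype: int = QTYPE_NB) -> bytes:
    """Build a NAME QUERY REQUEST: 12-byte header, one question, no scope ID."""
    # Flags: OPCODE=0 (query), RD=1 (0x0100); the B bit (0x0010) marks a
    # broadcast query, cleared for a unicast query to a WINS server.
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    label = encode_netbios_name(name, suffix).encode("ascii")
    question = bytes([len(label)]) + label + b"\x00"   # empty scope ID
    return header + question + struct.pack("!HH", qtype, QCLASS_IN)


def parse_name_query(pkt: bytes) -> dict:
    """Inverse of build_name_query; returns the decoded fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    length = pkt[12]
    label = pkt[13:13 + length].decode("ascii")
    if pkt[13 + length] != 0:
        raise ValueError("scope IDs are not handled in this example")
    qtype, qclass = struct.unpack("!HH", pkt[14 + length:18 + length])
    name, suffix = decode_netbios_name(label)
    return {"txid": txid, "broadcast": bool(flags & 0x0010), "name": name,
            "suffix": suffix, "qtype": qtype, "qclass": qclass}


def send_query(pkt: bytes, dest: str, timeout: float = 2.0):
    """Send a query to UDP/137 and return the raw reply, or None on timeout.
    This is the only function that needs network access."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(pkt, (dest, 137))
        try:
            return s.recv(1024)
        except socket.timeout:
            return None


if __name__ == "__main__":
    # Constructed sample: a broadcast lookup of the file service on FRODO.
    pkt = build_name_query("FRODO")
    print(pkt.hex())
    print(parse_name_query(pkt))
    # Uncomment to send it on a real LAN: print(send_query(pkt, "255.255.255.255"))
```

The 32-character label for the wildcard name "*" comes out as the familiar "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" seen in packet captures; that is the node status request that nmblookup -S and similar tools send. A client with NetBIOS over TCP/IP disabled never emits either kind of packet, which is exactly why, as the thread explains, it must fall back to DNS and the Active Directory SRV records for anything it would previously have learned from broadcast or WINS.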