[Samba] samba without netbios

Gerald (Jerry) Carter jerry at samba.org
Wed Oct 26 12:22:26 GMT 2005


John H Terpstra wrote:
| OK - I'll try to answer this.
|
| Originally Windows networking used only NetBIOS over TCP/IP.

You said the 'N' word....I wonder if Chris will magically
appear.

| Browsing uses a complex interaction of name registration
| and resolution  involving UDP ports 137 and 138. Port 137
| is the NetBIOS Name Server port,  but it is also used to
| handle all browsing operations. Browsing is the
| ability to locate domains and machines over the network.

Not completely true. The NetServerEnum commands are CIFS/SMB ops.
(I know you just forgot this point).   The browsing election
and name resolution services are done via port 137 and 138
though.

| On Windows 200X clients, when NetBIOS over TCP/IP is disabled,
| and an attempt is made to join a domain, the client
| automatically tries to use the combination of DNS, Kerberos,
| LDAP and TCP port 445 services with the expectation that
| Microsoft Active Directory is being used. In order to remain
| backwards compatible, TCP port 139 can also be used.

Do you have traces of this?  When netbios is disabled, I've never
seen any related traffic on port 139.  That's kind of the point of
disabling netbios services.

| The mechanisms behind TCP ports 139 and 445 are very
| different. A connection made on port 445 must be able
| to resolve the fully qualified hostname using the
| protocols expected within ADS. That is, via DNS using
| SRV records as well as A records.

You're not limited to SRV and A records of course.  You just
need to resolve the name via DNS.  Or just use an IP address.

| Additionally, the client will try to use Kerberos information
| to contact the DNS server and the LDAP server.

This line is confusing, but I assume you mean looking up
the KDC and directory servers via SRV records.

| It expects to find SMB information in the Kerberos PAC
| (a data blob inside the Kerberos ticket that is unique
| to ADS's implementation).

Geeze I know I sound like Chris now....but what is SMB
information?  Since this thread will undoubtedly be referred
to later on and for the sake of clarification....

You mean the user's SID and group membership.  That is
really irrelevant to the SMB protocol.  And is specific
to MS's security model (again I know you know this, but
not everyone does).

| With ADS browsing involves DNS, LDAP and Raw SMB traffic over
| ports 445 and 139. The client expects all the information
| that it would obtain if it were a member of an ADS domain.

Again, you need to be clear on whether you are talking about browsing
the directory for the network.  Directory browsing is just LDAP search
requests.  Network browsing still requires netbios.

| Samba-3 can be a file and print server for Windows clients
| that have NetBIOS disabled - but some things may break.

Not true.  If you set 'disable netbios = yes' and don't
start nmbd, things should work just fine in an AD environment
with "security = ads".  If something doesn't work that should,
it is a bug.

| In short, NetBIOS-less SMB implies ADS. Samba-3 is not an
| ADS server. Ergo, NO ADS for all practical purposes means
| DOES NOT WORK.

Sorry John.  This is just wrong.  Samba as a member server
should be fine when you disable netbios.  Unless I just
don't understand what you are trying to say.

cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us."               --anonymous
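The NetBIOS-less member-server setup Jerry describes above ('disable netbios = yes', nmbd not started, 'security = ads'), written out as an added smb.conf example; it is not from this thread, and the realm, workgroup and hostnames are placeholders:

```ini
[global]
    # Placeholder realm/workgroup: replace with your own AD forest values.
    realm = EXAMPLE.COM
    workgroup = EXAMPLE
    security = ads

    # Turn off NetBIOS over TCP/IP entirely. Do NOT start nmbd alongside this;
    # smbd then answers only on TCP/445 and never touches UDP/137, UDP/138
    # or TCP/139. Network (browse-list) browsing is gone, as Jerry notes;
    # directory browsing via LDAP and plain SMB file/print access still work.
    disable netbios = yes

    # Make the port exposure explicit: serve SMB on 445 only, not 445+139.
    smb ports = 445

    # Hostname resolution now relies on DNS alone (A/AAAA and SRV records),
    # so the server's forward and reverse records must be correct.
    dns proxy = no
```

After starting smbd, the listening sockets should show TCP/445 only; any listener on 137/138/139 means nmbd is still running or the option was not applied.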