[Samba] samba without netbios
John H Terpstra
jht at samba.org
Wed Oct 26 16:08:49 GMT 2005
On Wednesday 26 October 2005 06:22, Gerald (Jerry) Carter wrote:
> John H Terpstra wrote:
> | OK - I'll try to answer this.
> | Originally Windows networking used only NetBIOS over TCP/IP.
> You said the 'N' word....I wonder if Chris will magically
No, Chris is sleeping at the wheel and his toaster has turned to charcoal. :-)
NetBIOS -- NetBIOS -- Wake up Chris! :-)
> | Browsing uses a complex interaction of name registration
> | and resolution involving UDP ports 137 and 138. Port 137
> | is the NetBIOS Name Server port, but it is also used to
> | handle all browsing operations. Browsing is the
> | ability to locate domains and machines over the network.
> Not completely true. The NetServerEnum commands are CIFS/SMB ops.
> (I know you just forgot this point). The browsing election
> and name resolution services are done via port 137 and 138
Agreed. I was trying to avoid writing another book. ;-/
> | On Windows 200X clients, when NetBIOS over TCP/IP is disabled,
> | and an attempt is made to join a domain, the client
> | automatically tries to use the combination of DNS, Kerberos,
> | LDAP and TCP port 445 services with the expectation that
> | Microsoft Active Directory is being used. In order to remain
> | backwards compatible, TCP port 139 can also be used.
> Do you have traces of this? When netbios is disabled, I've never
> seen any related traffic on port 139. That's kind of the point of
> disabling netbios services.
Dang, obviously if NetBIOS over TCP/IP is disabled, port 139 is disabled.
Sorry, it was the milk I drank - the cool-aide was OK.
> | The mechanisms behind TCP ports 139 and 445 are very
> | different. A connection made on port 445 must be able
> | to resolve the fully qualified hostname using the
> | protocols expected within ADS. That is, via DNS using
> | SRV records as well as A records.
> You're not limited to SRV and A records of course. You just
> need to resolve the name via DNS. Or just use an IP address.
> | Additionally, the client will try to use Kerberos information
> | to contact the DNS server and the LDAP server.
> This line is confusing, but I assume you mean looking up
> the KDC and directory servers via SRV records.
> | It expects to find SMB information in the Kerberos PAC
> | (a data blob inside the Kerberos ticket that is unique
> | to ADS's implementation).
> Geeze I know I sound like Chris now....but what is SMB
> information? Since this thread will undoubtedly be referred
> to later on and for the sake of clarification....
> You mean the users SID and group membership. that is
> really irrelevant to the SMB protocol. And is specific
> to MS's security model (again I know you know this, but
> not everyone does).
Thanks for stepping in to clarify this for the record.
> | With ADS browsing involves DNS, LDAP and Raw SMB traffic over
> | ports 445 and 139. The client expects all the information
> | that it wold obtain if it were a member of an ADS domain.
> Again, you need to be clear on whether you are talking about browsing
> the directory for the network. Directory browsing is just LDAP search
> requests. Network browsing still requires netbios.
> | Samba-3 can be a file and print server for Windows clients
> | that have NetBIOS disabled - but some things may break.
> Not true. If you set 'disable netbios = yes' and don't
> start nmbd, things should work just fine in a AD environment
> with "security = ads". if something doesn't work that should,
> it is a bug.
> | In short, NetBIOS-less SMB implies ADS. Samba-3 is not an
> | ADS server. Ergo, NO ADS for all practical purposes means
> | DOES NOT WORK.
> Sorry John. This is just wrong. Samba as a member server
> should be fine when you disable netbios. Unless I just
> don't understand what you are trying to say.
The desire by the person who asked the question is to run a Samba-3 server
without NetBIOS. The intent, as I understood the request, is to run Samba-3
as a Domain Controller without NetBIOS, and no MS ADS server.
To the Samba admin: Go on try it! That's the best advice. That way you will
see what works and what doesn't. Don't take anyone's advice - noone does
Patches! That what I want - documentation patches! I want to see the
contributions flood in again. Where are all the smart people who can help fix
the lousy documentation? Give it to me, let it roar.
Jerry, thanks for the clarification and for the correction.
- John T.
More information about the samba