File Sharing Flashcards
Samba, NFS and FTP
Samba got its name from the SMB protocol. What does SMB stand for?
Server Message Block
Which 3 Daemon services does Samba use?
smbd - Samba Daemon
nmbd - Netbios Daemon
winbind - Manages connections between Linux & Windows
What are the 5 Samba package names on Debian based distros?
cifs-utils - utilities to manage shares
samba - server function
samba-common - configs and docs
smbclient - client connections
winbind - winbind functions
What are the 5 Samba package names on Redhat based distros?
cifs-utils - utilities to manage shares
samba - server function
samba-common - configs and docs
samba-client - client connections
samba-winbind - winbind functions
Where is the samba documentation installed?
/usr/share/doc/samba* or
/usr/share/doc/samba-version
Where does Samba store the storage/DB files?
/var/lib/samba
Where does Samba write log messages?
/var/log/samba
Where is the main samba config file?
/etc/samba/smb.conf
Samba utility that mounts samba shares
mount.cifs
Samba utility that can be used to administer a samba server and remote servers
net
Samba utility that can lookup netbios info
nmblookup
Samba utility that is used to manage samba user databases
pdbedit
Samba utility that executes remote procedure call functions
rpcclient
Samba utility that displays or modifies Samba access control functions
smbcacls
Samba utility that connects, list shares or provides ftp like access to a share
smbclient
Samba utility that manages the smbd daemon
smbcontrol
Samba utility that mounts samba shares - an older tool that has been replaced by mount.cifs
smbmount
Samba utility that manages the samba smbpasswd or tdbsam database
smbpasswd
Samba utility that sends files to a samba printer share
smbspool
Samba utility that displays the status of the samba server connections
smbstatus
Samba utility that creates Samba file share backups
smbtar
Samba utility that tests the syntax of the smb.conf file
testparm
Samba utility that displays winbindd info
wbinfo
Samba utility that is used to configure Samba as an active directory domain controller
samba-tool
Samba directive that defines the workgroup name
workgroup
Samba directive that declares a comment describing the samba server
server string
Samba directive that defines a netbios name for the Samba server (typically only required on legacy windows networks)
netbios name
Samba directive that defines a Kerberos realm
realm
Samba directive that defines which interface(s) to provide the Samba service
interfaces
Samba directive that defines systems that are allowed to access the Samba service
hosts allow
Samba directive that defines systems that should be denied access to the Samba services
hosts deny
Samba directive that stops the nmbd daemon from launching
disable netbios
Samba directive that defines which port numbers to listen on
smb ports
Samba directive that enables WINS support on a netbios network
wins support
Samba directive that defines the Samba log file
log file
Samba directive that defines the logging level
log level
Samba directive that defines the maximum Samba log size
max log size
0 = no limit
Samba directive that defines the security mode of the server (ads, domain, server, share or user)
security
Samba directive that defines the account database (ldapsam, smbpasswd or tdbsam)
passdb backend
Samba directive that defines if encryption is allowed or required
smb encrypt
Samba file section names are enclosed in square brackets [ ]. Which file section name sets the directives for all shares?
[global]
Samba file section names are enclosed in square brackets [ ]. Which file section name sets the directives for a new share called LPIC-Share?
[LPIC-Share]
Samba file section names are enclosed in square brackets [ ]. Which file section name sets the directives for user home directories?
[homes]
Samba file section names are enclosed in square brackets [ ]. Which file section name sets the directives for a Samba server acting as a Domain Controller? (A Samba server that is responding to security authentication requests.)
[netlogon]
Samba file section names are enclosed in square brackets [ ]. Which file section name sets the directives for printer shares?
[printers]
Samba file section names are enclosed in square brackets [ ]. Which file section name sets the directives for roaming user profiles?
[profiles]
Samba configuration file directive that describes the samba share
comment
Samba configuration file directive that determines if the Samba share is listed as an available share
browseable
Samba configuration file directive that declares a list of authorised users for a share
valid users
Samba configuration file directive that declares a list of unauthorised users for a share
invalid users
Samba configuration file directive that declares the absolute directory for a share
path
Samba configuration file directive that defines whether a password will be required for a share or not.
public
public = no #password required
Samba configuration file directive that allows only guest connections to a share
guest only
Samba configuration file directive that sets a group name for users connecting to a share
group
Samba configuration file directive that defines whether a share is writable or not
writable
Samba configuration file directive that declares a list of users and/or groups that can write to a share
write list
Samba utility that tests the smb.conf file for errors. You should run this after every edit of smb.conf.
testparm
What does this command do?
pdbedit -L
pdbedit is used to manage backend user databases. The -L option will list the users in the database.
User John has access to a Samba server (192.168.20.10) on his network. How can John check which shares are available on the server?
Use the smbclient command.
smbclient -L //192.168.20.10 -U John
Samba will use DNS, which port does DNS use?
53
Which port numbers does the Samba Netbios feature use?
137 - 139
137 - Netbios Name service
138 - Netbios datagram service
139 - Netbios session service
Which port does Samba use for end point resolution?
135
Which port is used for SMB over TCP?
445
User John has access to a Samba server (192.168.20.10) on his network. How can John access a share named public and use ftp like commands while connected to the share?
use smbclient
smbclient //192.168.20.10/public -U John
User John has access to a Samba server (192.168.20.10) on his network. How can John access a share named public as if it were a local directory?
John needs to mount the share.
Create a mount point : mkdir /mnt/public
then mount the share: mount -t cifs -o username=John,noperm //192.168.20.10/public /mnt/public
The SMB protocol has two security levels what are they?
user level security and
share level security
share level doesn’t use usernames, just passwords to access a share - it is now deprecated.
user level - users authenticate with a username and a password.
Samba has 5 modes, what are they?
ads - Allows Samba server to join Active Directory as a member
domain - User names and passwords are authenticated by the domain controller.
server - Usernames and passwords handled by remote (possibly Samba) server
share - only password used to access share
user - username and password handled by this Samba server
How would you setup Samba as an Active Directory member?
1 Install Samba and utilities
2 If domain controller is providing DNS, change resolv.conf
3 Setup NTP
4 Check domain controller name to IP resolution is correct - modify /etc/hosts if required
5 Modify smb.conf as required
6 Join the domain (e.g. net ads join -U Admin-user)
7 Change nsswitch.conf to use winbind
8 Start the winbind service
How would you make all printers defined in /etc/cups/printers available via samba? hint: you’ll need 6 directives…
[printers]
comment = All Printers on Server X
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
User John has access to a Samba server (192.168.20.10) on his network which has a printer share “HP-Laserjet” available. How can John send his lpic-notes.txt file to the printer?
with the smbclient tool…
smbclient //192.168.20.10/HP-Laserjet -U John -c "print lpic-notes.txt"
Name 8 things you can do to troubleshoot Samba
1 Run testparm
2 Check the service is started and running
3 Check share with smbclient -L
4 Check the workgroup setting
5 Do some network diagnostics, ping, traceroute...
6 Review log files, increase debug level
7 Check smbstatus (if installed)
8 Review user/group settings
How can you break the log file into separate files for each client.
using the log file directive in smb.conf:
log file = /var/log/samba/log.%m
How can you increase and decrease the Samba log level on the fly?
Increase:
kill -SIGUSR1 smbd-PID
Decrease:
kill -SIGUSR2 smbd-PID
- Where smbd-PID is the process ID of the smbd service.
What are the Samba Log levels high and low settings?
log level = 0 #off
log level = 1 #low
log level = 10 #highest
Which Samba utility command will display the netbios name for server 192.168.20.10?
nmblookup -A 192.168.20.10
Which Samba utility command will display the netbios name and hostname for server 192.168.20.10?
nmblookup -S 192.168.20.10
Which Samba utility command would you run to check if a user is in the local samba user database?
pdbedit -L or
pdbedit -L -u username
Which Samba utility command would you run to check for a user on a Samba server that is a member of an Active Directory?
wbinfo -u (for user info)
wbinfo -g (for group info)
Which NFS Version supports UDP only, is 32 bit and has limited maximum file sizes and performance issues?
NFSv2, released in 1989. Avoid v2 now if possible.
Which NFS Version utilises “weak cache” to change files in memory, uses multiple ports including TCP and uses NLM (Network Lock Manager) to help prevent issues?
NFSv3, released in 1995, v3 is the version tested on the LPIC exam.
Which NFS Version introduces Kerberos Authentication, consolidates multi-ports to a single port and features built-in file locking, better performance and security?
NFSv4, released in 2000 and refreshed in 2015.
What is RPC?
Remote Procedure Call protocol. It allows programs to be ignorant of network details but still request services from another system.
The filesystem an NFS server offers is called either an…
export or a share
NFS daemon or kernel service that maps user and group ids?
idmapd (alias rpc.idmapd) - based on settings in idmapd.conf - not used in NFSv3 and lower.
NFS daemon or kernel service that starts the NLM protocol service
lockd (alias rpc.lockd) - not used in NFSv4
NFS daemon or kernel service that handles NFS client mount requests on the NFS server side
mountd (alias rpc.mountd)
NFS daemon or kernel service that handles user level NFS file access and data streaming
nfsd (alias rpc.nfsd) not used/required in NFSv4
NFS daemon or kernel service that maps RPC services to port - need to be running on both client and server
portmapper (rpcbind)
NFS daemon or kernel service that manages NFS quotas
rquotad (alias rpc.rquotad)
NFS daemon or kernel service that provides NSM (Network Status Monitor) and is used with lockd to provide NLM file locking
statd (alias rpc.statd)
Which directory is the NFS documentation typically installed in?
/usr/share/doc/nfs*/
NFS packages for Redhat based distros
nfs-utils
nfs-utils-lib
rpcbind
portmap
NFS Packages for Debian based distros
nfs-kernel-server
nfs-common
rpcbind
portmap
NFS - Main Export file also known as server export table
/etc/exports
NFS - Directory with extra config files (files with .exports extension)
/etc/exports.d/
NFS - mount config file used on NFS clients
/etc/nfsmount.conf
NFS - primary nfs config files (for both Redhat and Debian based distros)
/etc/sysconfig/nfs
/etc/default/nfs-kernel-server
/etc/default/nfs-common
NFS file that contains current exports and clients using them - maintained by the kernel
/proc/fs/nfs/exports
NFS file that contains current exports and clients using them - not maintained by the kernel
/var/lib/nfs/xtab
NFS file that contains a list of current exports for client systems - on the server only
/var/lib/nfs/etab
NFS file that contains a list of current exports and the client systems that currently have them mounted
/var/lib/nfs/rmtab
NFS export directive that ensures clients can’t write to the share
ro
read-only
NFS export directive that ensures clients can write to a share
rw
read-write
NFS export directive that doesn’t check the write cache has been written to disk before reading data
async
NFS export directive that checks the buffer has been written to disk before reading data
sync
NFS export directive that treats ALL users as anonymous
all_squash
NFS export directive that maps client root accounts to unprivileged accounts
root_squash
NFS export directive that allows client root users to access export as root
no_root_squash
NFS export directive that identifies filesystem export by UUID
fsid
NFS export directive that assigns a specified GID to anonymous group clients
anongid
NFS export directive that assigns a specified UID to anonymous user clients
anonuid
NFS export directive that enables subtree checking so permissions are checked on higher level directories
subtree_check
NFS export directive that ensures permissions on higher level directories are not checked
no_subtree_check
NFS utility that manages and displays information concerning shares
exportfs
NFS utility that mounts a NFS export on a NFS client
mount.nfs
NFS utility that displays client per mount stats
mountstats
e.g.
mountstats /path/to/mounted/nfsshare
NFS utility that displays client per mount IO stats
nfsiostat
NFS utility that displays NFS client and server activity stats
nfsstat
NFS utility that displays rpc service information
rpcinfo
NFS utility that displays NFS server information, can be used remotely
showmount
NFS utility that unmounts an NFS export
umount.nfs
What command would you run to display a list of all registered RPC programs
rpcinfo -p
exportfs command to export all shares
exportfs -a
exportfs command to unexport all shares
exportfs -u
exportfs command to ignore /etc/exports and use the command line
exportfs -i
exportfs command to export share with command line options
exportfs -o
exportfs command to refresh shares in /etc/exports
exportfs -r
or
exportfs -ra
exportfs command to provide verbose info
exportfs -v
what is this doing?
exportfs 192.168.20.10:/srv/nfsshare1
Exporting the share “nfsshare1” on the server 192.168.20.10
How can you display NFS shares with all the associated options (ro,rw,sync,async etc..)
exportfs -v for localhost or
exportfs -v 192.168.20.10 or
cat /var/lib/nfs/etab
What does an nfs mount definition look like in fstab? force use of version 3.
192.168.20.10:/srv/nfsshare1 /mnt/nfsshare1 nfs intr,nfsvers=3,tcp 0 0
What are the two built in methods of security in NFS
user level share options in /etc/exports and
AUTH_SYS or AUTH_UNIX uid and gid file permissions
What 6 things can we do to improve NFSv3 security?
1 Use TCP (UDP is easier to spoof)
2 Limit wildcard use in export definitions
3 Use root_squash
4 consider all_squash
5 Manage access to ports
6 Use TCP wrappers (hosts.allow and hosts.deny)
What can we do to troubleshoot NFS issues?
1 Check /etc/exports
2 Verify Daemons are running
3 Review NFS ports
4 Check server exports (exportfs -v, showmount -e)
5 Basic network diagnostics (ping, traceroute…)
6 Review log file (/var/log/messages |grep nfs)
7 check available exports on the server: showmount -e [server]
8 Check NFS export options: exportfs -v
Which ports are used in FTP passive mode
Ports 20 and 21
Which ports are used in FTP active mode
unknown, these ports are negotiated between the client and server when establishing the connection
Name the 3 ftp servers mentioned on the LPIC exam
vsftpd
pure-FTPd
proFTPD
There are 2 Linux command line ftp clients, what are they?
ftp - standard basic ftp client
lftp - refined ftp client
vsftpd package name
vsftpd
sudo apt-get install vsftpd
vsftpd document location
/usr/share/doc/vsftpd-version or
/usr/share/doc/vsftpd
vsftpd config file location
/etc/vsftpd.conf or
/etc/vsftpd/vsftpd.conf
vsftpd config directive to allow anonymous users to create directories
anon_mkdir_write_enable
Default - No
vsftpd config directive to permit anonymous users to rename and delete files
anon_other_write_enable
Default - No
vsftpd config directive to specify the directory an anonymous user changes into on login
anon_root
Default - Directory in /etc/passwd for FTP user
vsftpd config directive to allow anonymous users to see and download world readable file
anon_world_readable_only
Default - Yes
vsftpd config directive to allow anonymous users to upload files
anon_upload_enable
Default - No
vsftpd config directive to allow anonymous user access to the FTP server
anonymous_enable
Default - Yes
vsftpd config directive to change ownership of anonymous users uploaded files
chown_uploads
Default - No
Define username with chown_username
vsftpd config directive to change the owner of all anonymously uploaded files
chown_username
enable with chown_uploads, set username with chown_username
vsftpd config directive to chroot local users
chroot_local_user
Default - No
vsftpd config directive to define a list of users to be placed in chroot
chroot_list_enable
chroot_list_file
vsftpd config directive to set the default ftp account
ftp_username
Default - ftp
vsftpd config directive to run in either standalone mode or via initialisation service
listen
listen_ipv6
vsftpd config directive to allow local users to login via ftp
local_enable
Default - No
vsftpd config directive to log all ftp queries
log_ftp_protocol
Default - No
vsftpd config directive to check a file for a list of valid/invalid users
userlist_enable
userlist_file
vsftpd config directive to allow ftp users access to commands that modify the filesystem
write_enable
Default - No
How would you check if the vsftpd service supports tcp wrappers
Get the full path
which vsftpd
then check if the binary uses the libwrap library
ldd /usr/sbin/vsftpd |grep libwrap
How would you install pure-ftpd in Debian and Redhat?
Debian: apt-get install pure-ftpd
Redhat: check the epel repo is enabled
yum --enablerepo=epel info pure-ftpd
yum --enablerepo=epel install pure-ftpd
pure-ftpd command line option to listen only for ipv4
-4
--ipv4only
pure-ftpd command line option to listen for only ipv6
-6
--ipv6only
pure-ftpd command line option to chroot all users
-A
--chrooteveryone
pure-ftpd command line option to set the max number of client connections
-c
--maxclientsnumber
pure-ftpd command line option to set the max number of clients per IP
-C
--maxclientsperip
pure-ftpd command line option to allow anonymous users
-e
--anonymousonly
pure-ftpd command line option to disallow anonymous users
-E
--noanonymous
pure-ftpd command line option to start the service in the background.
-B
--daemonize