John H Terpstra wrote:
| OK - I'll try to answer this.
|
| Originally Windows networking used only NetBIOS over TCP/IP.

You said the 'N' word....I wonder if Chris will magically appear.

| Browsing uses a complex interaction of name registration
| and resolution involving UDP ports 137 and 138. Port 137
| is the NetBIOS Name Server port, but it is also used to
| handle all browsing operations. Browsing is the
| ability to locate domains and machines over the network.

Not completely true. The NetServerEnum commands are CIFS/SMB ops.
(I know you just forgot this point.) The browsing election and
name resolution services are done via ports 137 and 138 though.

| On Windows 200X clients, when NetBIOS over TCP/IP is disabled,
| and an attempt is made to join a domain, the client
| automatically tries to use the combination of DNS, Kerberos,
| LDAP and TCP port 445 services with the expectation that
| Microsoft Active Directory is being used. In order to remain
| backwards compatible, TCP port 139 can also be used.

Do you have traces of this? When NetBIOS is disabled, I've never
seen any related traffic on port 139. That's kind of the point of
disabling NetBIOS services.

| The mechanisms behind TCP ports 139 and 445 are very
| different. A connection made on port 445 must be able
| to resolve the fully qualified hostname using the
| protocols expected within ADS. That is, via DNS using
| SRV records as well as A records.

You're not limited to SRV and A records of course. You just need to
resolve the name via DNS. Or just use an IP address.

| Additionally, the client will try to use Kerberos information
| to contact the DNS server and the LDAP server.

This line is confusing, but I assume you mean looking up the KDC and
directory servers via SRV records.

| It expects to find SMB information in the Kerberos PAC
| (a data blob inside the Kerberos ticket that is unique
| to ADS's implementation).

Geeze, I know I sound like Chris now....but what is SMB information?
Since this thread will undoubtedly be referred to later on and for the
sake of clarification....

You mean the user's SID and group membership. That is really irrelevant
to the SMB protocol, and is specific to MS's security model (again, I
know you know this, but not everyone does).

| With ADS browsing involves DNS, LDAP and Raw SMB traffic over
| ports 445 and 139. The client expects all the information
| that it would obtain if it were a member of an ADS domain.

Again, you need to be clear on whether you are talking about browsing
the directory or the network. Directory browsing is just LDAP search
requests. Network browsing still requires NetBIOS.

| Samba-3 can be a file and print server for Windows clients
| that have NetBIOS disabled - but some things may break.

Not true. If you set 'disable netbios = yes' and don't start nmbd,
things should work just fine in an AD environment with "security = ads".
If something doesn't work that should, it is a bug.

| In short, NetBIOS-less SMB implies ADS. Samba-3 is not an
| ADS server. Ergo, NO ADS for all practical purposes means
| DOES NOT WORK.

Sorry John. This is just wrong. Samba as a member server should be
fine when you disable NetBIOS. Unless I just don't understand what you
are trying to say.

cheers, jerry

=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us." --anonymous
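The two mechanisms the thread disagrees about, DC location through DNS SRV records on a NetBIOS-less client and a Samba-3 member server configured with 'disable netbios = yes' / 'security = ads', as an added worked example that is not part of the thread and not Samba's own code. The SRV answer, the realm example.com and the DC host names are constructed for the example; the SRV names _ldap._tcp.dc._msdcs.<realm> and _kerberos._tcp.<realm> are the ones Active Directory clients really query. Record selection follows RFC 2782 ordering (lowest priority first, then highest weight); a real resolver picks among equal-priority records randomly in proportion to weight, which this deterministic sort does not model.

```shell
#!/bin/sh
# Added example: DC location via DNS SRV records and a NetBIOS-less
# Samba-3 member server config. Not from the original thread.

# Constructed answer, in the shape `dig +short _ldap._tcp.dc._msdcs.example.com SRV`
# prints: "<priority> <weight> <port> <target>". Names are assumptions.
SAMPLE_SRV='10 60 389 dc2.example.com.
10 40 389 dc1.example.com.
20 100 389 dc-branch.example.com.'

# Order SRV records by RFC 2782 preference: priority ascending, weight descending.
srv_order() {
    printf '%s\n' "$1" | sort -k1,1n -k2,2nr
}

# Best target as host:port, trailing dot stripped from the DNS name.
srv_pick() {
    srv_order "$1" | head -n 1 | awk '{ sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Live lookups a NetBIOS-less client performs (needs a resolver; not run by the test).
# Usage: srv_lookup example.com
srv_lookup() {
    realm="$1"
    dig +short "_ldap._tcp.dc._msdcs.${realm}" SRV
    dig +short "_kerberos._tcp.${realm}" SRV
}

# Minimal smb.conf for a Samba-3 AD member server with NetBIOS turned off,
# as the reply describes: disable netbios = yes, security = ads, nmbd not started.
# Realm, workgroup and server name are assumptions.
netbiosless_smb_conf() {
    cat <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    # no NetBIOS name service/browsing: smbd listens on 445 only, do not start nmbd
    disable netbios = yes
    smb ports = 445
    kerberos method = secrets and keytab
[data]
    path = /srv/samba/data
    read only = no
EOF
}

# Stand-alone run: show the chosen DC and the config.
main() {
    echo "best DC: $(srv_pick "$SAMPLE_SRV")"
    netbiosless_smb_conf
}
[ "${0##*/}" = "srv_example.sh" ] && main
```

After deploying the config, 'testparm -s' validates it and 'ss -ltn' (or netstat) should show smbd on TCP 445 only, with nothing on 137/138/139; if a Windows client with NetBIOS over TCP/IP disabled still fails against such a server, that is the bug the reply refers to, not an inherent limitation.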
