The Unofficial Samba HOWTO

Once you've installed Samba, you should become at least somewhat aware of a few of the tools at your disposal:

• findsmb - list info about machines that respond to SMB name queries on a subnet
• make_unicodemap - construct a unicode map file for Samba
• make_smbcodepage - construct a codepage file for Samba
• nmbd - NetBIOS name server to provide NetBIOS over IP naming services to clients
• nmblookup - NetBIOS over TCP/IP client used to lookup NetBIOS names
• rpcclient - Tool for executing client side MS-RPC functions
• smbcacls - Set or get ACLs on an NT file or directory names
• smbclient - ftp-like client to access SMB/CIFS resources on servers
• smbcontrol - Send messages to smbd, nmbd or winbindd processes
• smbd - Server to provide SMB/CIFS services to clients
• smbmnt - Helper utility for mounting SMB filesystems
• smbmount - Mount an smbfs filesystem
• smbpasswd - Change or create a user's SMB password
• smbspool - Send a print file to an SMB printer
• smbstatus - Report on current Samba connections
• smbtar - Shell script for backing up SMB/CIFS shares directly to UNIX tape drives
• testparm - Check an smb.conf configuration file's syntax
• testprns - Check printer name for validity with smbd
• wbinfo - Query information from winbind daemon
• winbindd - Name Service Switch daemon for resolving names from NT servers

2.3 Installing Samba

Extract the package and change into the /source subdirectory:

$ tar xzf samba-2.2.x.tar.gz
$ cd samba-2.2.x
$ cd source

If you're just starting out with Samba, you probably want to use:

$ ./configure --mandir=/usr/man

For the more experienced administrator, you might be interested in trying the following. Note that --with-cups requires you have /usr/lib/libcups.so already, and all ssl options require you have OpenSSL installed. If you know your system type (e.g., i386-slackware-linux) and you know what you're doing, you can add that to the end of the configure line to tell the linker (ld) where additional libraries can be found.

$ CFLAGS="-march=i386 -mcpu=i686" ./configure \
  --with-cups \
  --mandir=/usr/man \
  --with-msdfs \
  --with-smbwrapper \
  --with-quotas \
  --with-syslog

Either way, you need to make the files next:

$ make
# make install

You'll want to make sure that Samba's Well Known Ports are registered with your system. Most distributions already have done this for you; it doesn't hurt to check. Examine your /etc/services file for the following statements, adding them if necessary:

netbios-ns      137/udp     #NETBIOS Name Service
netbios-dgm     138/udp     #NETBIOS Datagram Service
netbios-ssn     139/tcp     #NETBIOS Session Service
microsoft-ds    445/udp     #Direct-Hosted Service
microsoft-ds    445/tcp     #Direct-Hosted Service

2.4 Configuring Samba

Samba's configuration file resides in /usr/local/samba/lib/smb.conf and by default doesn't exist; you'll need to create it with your favorite text editor. A good way to determine what the default values will be is to create an empty smb.conf file (touch smb.conf), run testparm against it, and grep for the value you're curious about. For those that just want to get started, here's a quick & dirty (although not secure) smb.conf to try out:

# This is /usr/local/samba/lib/smb.conf

[global]
   netbios name = BIGSERVER
   workgroup = WORKGROUP
   log level = 2
   log file = /usr/local/samba/var/samba.log
   security = share

[pub]
   path = /home/public
   browseable = yes
   guest ok = yes
   read only = no

You'll want to make sure that /home/public does indeed exist, and with the appropriate directory permissions to allow access for the above example.

2.5 Running Samba as a Daemon

When ready, launch Samba's smbd dameon with:

# /usr/local/samba/bin/smbd -D

Next, launch Samba's nmbd name dameon with:

# /usr/local/samba/bin/nmbd -D

2.6 Running Samba from inetd

If you'd rather run Samba from inetd, you could instead add the following to /etc/inetd.conf:

# This is /etc/inetd.conf

netbios-ssn	stream	tcp	nowait	root	/usr/local/samba/bin/smbd	smbd
netbios-ns	dgram	udp	wait	root	/usr/local/samba/bin/nmbd	nmbd

It's worth noting that Samba will ignore your /etc/hosts.allow and /etc/hosts.deny files by default.

Make sure to restart inetd:

# killall -HUP inetd

3. Troubleshooting

3.1 Troubleshooting the Server

You've configured your server and can't seem to get it working. Chances are you're uncertain how to proceed. But don't panic; there are some useful things you can do to determine where the problem is.

At a minimum, you should be running the latest stable version of Samba and have reviewed the steps outlined in /docs/textdocs/DIAGNOSIS.TXT in the source file. Don't be suprised if nobody answers your questions if you haven't followed the steps outlined in that document ;-)

You can verify that smbd is running by examining samba.log for something like:

[2002/10/31 14:54:21, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
[2002/10/31 14:54:21, 2] smbd/server.c:open_sockets(215)
  waiting for a connection

You can verify that nmbd is running by examining log.nmbd for something like:

[2002/10/31 14:57:31, 0] nmbd/nmbd.c:main(794)
  Netbios nameserver version 2.2.x started.
  Copyright Andrew Tridgell and the Samba Team 1994-2002
[2002/10/31 14:57:31, 1] lib/debug.c:debug_message(258)
  INFO: Debug class all level = 2 (pid 23684 from pid 23684)
[2002/10/31 14:57:31, 2] nmbd/nmbd.c:main(832)
  Becoming a daemon.
[2002/10/31 14:57:31, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
[2002/10/31 14:57:31, 2] nmbd/nmbd_subnetdb.c:make_subnet(192)
   making subnet name:192.168.1.1 Broadcast address:192.168.1.255 Subnet mask:255.255.255.0
[2002/10/31 14:57:31, 2] nmbd/nmbd_subnetdb.c:make_subnet(192)
  making subnet name:UNICAST_SUBNET Broadcast address:0.0.0.0 Subnet mask:0.0.0.0
[2002/10/31 14:57:31, 2] nmbd/nmbd_subnetdb.c:make_subnet(192)
  making subnet name:REMOTE_BROADCAST_SUBNET Broadcast address:0.0.0.0 Subnet mask:0.0.0.0

In addition, here are a few things you should check:

1. Is there a firewall running on the Samba server? Note that this happens more often than not! ;-)
2. Did you use SWAT, linuxconf, or some other GUI-based control panel to configure your smb.conf file? Try starting over from scratch using your favorite text editor first before you get fancy. Trust me, it's simpler, less can go wrong, and forces you to dive in and get your hands dirty ;-)
3. Are you using the default smb.conf file that came with the source? Use this only as a template and create a new, blank smb.conf file with only the minimum statements you need. I.e., if you end up sending your smb.conf file to someone for assistance, it looks bad if 90% of it is commented out from the original sample template, but then again, that's just me talking...
4. Did you turn on debugging to at least log level 3 and review the results?

Again, don't panic. The solution is there; you just have to do the work to determine the cause of the problem. If you're certain you've exhausted your options and have read and followed the steps in DIAGNOSIS.TXT, you can always post your question to one of the Samba mailing lists located at http://lists.samba.org. It also might not hurt to review Eric Raymond's excellent document, How to Ask Questions the Smart Way.

If you want to determine whether or not you are successfully able to communicate with Samba, you can easily perform a packet dump. For example, to determine whether or not you can query your server's nmbd WINS service, you could try the following: On the Samba box, run `tcpdump port 137 -n` and on the Windows box run `net view /domain:yourdomainname` from a command prompt. A successful query should look like this:

10:29:16.793821 windows-client.137 > samba-server.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
10:29:16.793876 samba-server.137 > windows-client.137: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST (DF)

An indication that your Windows computer is not using Samba's nmbd WINS service would look like this:

10:29:29.756281 windows-client.137 > subnet-broadcast-address.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

3.2 Troubleshooting the Client

This document is mainly about server-specific issues, but here are a few gotcha's that can happen to a Windows client:

• Is your Windows client on the same subnet as your Samba server?
• Does the WINS server your Windows client is using know about your Samba server? Better yet, is your Windows client configured to use the Samba server as its WINS server, and is the Samba server configured to run the WINS service via nmbd?
• Are you trying to see the shares via Network Neighborhood? This list is updated only once every fifteen minutes, and is not accurate. Use NET VIEW instead

3.2.1 Windows 95

Early versions of Windows 95 don't use encrypted passwords. Hopefully, this isn't your case. Your only choice is to tell the Samba server not to use encrypted passwords. Windows 95 OSR2 doesn't fall into this category.

3.2.2 Windows XP

Some common errors are:

• Windows XP: "System error 6118 has occurred. The list of servers for this workgroup is not currently available". You have enabled the Internet Connection Firewall (ICF), which disables SMB ports by default.
• Windows XP: "System error 53 has occurred. The network path was not found.". You have disabled NetBIOS over TCP/IP (NetBT), even if you are only using direct-hosted SMB over TCP/IP.
• Windows XP: "The Messenger service terminated with service-specific error 2270". Your computer name, username, and domain/workgroup name are not all set to unique (different) values.

4. Optimizing Samba Performance

Aside from the general common sense about system/network bottlenecks, there are some specific performance parameters which can affect Samba's performance.

4.1 Oplocks

Opportunistic locking essentially means that the client is allowed to download and cache the file on their hard drive while making changes; if a second client wants to access the file, the first client receives a break and must sync the file back to the server.  This can give significant performance gains in some cases; in others, some programs insist on syncing back the contents of the entire file for a single change.

If you're running anything less than Linux 2.4.19, which reportedly has kernel oplock-specific bug fixes in it, you should disable oplocks if you are accessing the same files from both Unix/Linux and SMB clients.

Regardless, oplocks should always be disabled if you are sharing a database file (e.g., Microsoft Access) between multiple clients, as any break the first client receives will result in the entire file needing to be sync'd (not just the single record), which will result in a noticable performance delay and, more likely, problems accessing the database in the first place. Notably, Microsoft Outlook's personal folders (*.pst) react very badly to oplocks. If in doubt, disable oplocks and tune your system from that point.

You can disable oplocks on a per-share basis with the following:

oplocks = False
level2oplocks = False

veto oplock files = /*.mdb/*.MDB/

4.2 Socket Options

Socket options allow you to control the networking layer of your connection with your SMB clients, which you can tune to optimal performance for your local network. Each local network is different, so there is no "hard and fast" rule for this, so you'll have to do some experimenting. Reading up on socket options in general might not be a bad idea as well (try man setsockopt). How effective can this be? A good example is using TCP_NODELAY, which reportedly doubles the read performance of Samba. A good starting point for tuning your smb.conf file might be:

socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192

A good way to determine what's best for you is to create a 100 MB dummy file in a Samba share, have a Windows client copy the file to their local desktop and then back again, timing both transactions. Stop Samba, modify the SO_RCVBUF and SO_SNDBUF by values of 1024 (add or subtract), restart Samba, and try again. You'll probably want to delete and recreate the test file just to prevent any caching your operating system might do. Chart out the results to find the optimal values for your system. To create a dummy test file, you could simply use:

dd if=/dev/zero of=testfile count=10240 bs=10240

4.3 Additional Tuning Options

Log Level is a useful parameter for debugging, but when it is set higher than 2 you'll no doubt suffer a large penalty in performance. This is mainly due to the amount of information being logged, along with the sync command sent after each log file operation.

Wide Links tends to cause a performance penalty when turned off.

Read Raw and Write Raw tend to help or hinder depending on the client. Experimentation with these options will possibly prove enlightening.

5. Running Samba as a Primary Domain Controller (PDC)

5.1 PDC Configuration

To run as a Primary Domain controller (PDC), you will need to add the following entries to your smb.conf file:

[global]
   admin users = root
   domain logons = yes
   domain master = yes
   logon drive = H:
   logon home = \\BIGSERVER\%u
   os level = 99
   preferred master = yes
   security = user
   wins support = yes

[homes]
   create mode = 0600
   directory mode = 0700
   path = %H
   read only = no
   valid users = %S

[netlogon]
   path = /home/netlogon

On the Samba server, add an entry for the NetBIOS machine name of the client that will be joining the domain to the /etc/passwd file. You'll want to use a unique group id (gid) as well. Note the addition of the dollar sign ($) to the NetBIOS machine name. For example, if your machine's name was "pc-lab13", the entry in the /etc/passwd file would be:

pc-lab13$:x:400:400:Workstation:/dev/null:/bin/false

Next, add an entry for the machine into your SMB password file. The -m switch tells smbpasswd to treat this account as a machine account. Note the lack of the dollar sign ($) here.

/usr/local/samba/bin/smbpasswd -m -a pc-lab13

And add another entry, if you haven't yet, for the only username that can join workstations to domains (at least, with the current version of Samba). Make sure to use a different password than the actual root account.

/usr/local/samba/bin/smbpasswd -a root

On the client computer, log in with an account that has Local Administrator rights. Then open up a command prompt and run:

net use * /d /y

which will delete all mapped drive connections. Next, right-click on the My Computer icon and choose Properties, then the Computer Name tab. Click the "Change" button, select Domain, and enter the name of the domain that you are going to join. You'll be prompted for a username/password pair; enter the username of "root" and the root smb password. If this works, you'll be welcomed to the domain!

If this doesn't work, try rebooting and increase the logging level on your Samba server to see which step you might be missing. Note that each workstation must have an entry in the DNS and/or in the file /etc/hosts (not /usr/local/samba/lib/lmhosts), or they won't be able to log in.

5.2 User Rights

It is critical that you understand the difference between a Windows Local User and a Windows Domain User.  The same goes for Local Groups and Domain Groups.  If you're not clear on the difference, it's time to hit the books and study for that MCSE again, as you'll have nothing but headaches.  In a nutshell, Local Users and Local Groups exist only on the workstation; they have nothing to do with the Samba server, which could care less about such things.  However, if you want to allow a Domain User to log in to a workstation and use, for example, the NET TIME command to set the workstation's clock, you'll need to make sure that the workstation knows that this is allowed behavior via the Group Policy Editor. To understand how to use the Group Policy Editor on Windows XP, see Microsoft's Technet article Q307882 on their website.

Again, if you don't know what any of this is, it's time to hit those MCSE books again; this is a tutorial on Samba concepts, not on Windows concepts ;-)

5.3 Windows XP Oddities

To force Windows XP Professional clients to accept Samba as a PDC, use the built-in XP Group Policy editor (gpedit.msc) and locate the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options branch. Make sure to disable the following policies:

Domain Member: Digitally encrypt or sign secure channel data (always)
Domain Member: Digitally sign secure channel data (when possible)

Alternately, you can make the following change to the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"signsecurechannel"=dword:00000000

To disable annoying Event Viewer notifications about "Automatic certificate enrollment for local system failed to contact the active directory" every eight hours, locate the Computer Configuration\Windows Settings\Security Settings\Public Key Policies branch and select "Do not enroll certificates automatically" under Autoenrollment Settings. Note that this policy won't be available until after the XP machine has joined the domain.

If you'd like to use Roaming Profiles with Windows XP clients that have Service Pack 1 or later installed, use the built-in XP Group Policy editor (gpedit.msc) and locate the Computer Configuration\Administrative Templates\System\User Profiles branch. This is described in Microsoft's Technet Q327462. Make sure to enable the following policy:

Do not check for user ownership of Roaming Profile Folders

Alternately, you can make the following change to the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:00000001

Alternately as well, you can make the following addition to your smb.conf file:

[profile]
   profile acls = yes

Windows XP Home Edition does not support logging into a Primary Domain Controller, so you'll have to use Windows XP Professional instead.

5.4 Roaming Profiles

If you'd like to enable roaming profiles for Windows 2000/XP, make the following changes to your smb.conf file. Note that if your clients use Windows XP with Service Pack 1 or later, you'll need to use profile acls which is described in the previous section (above).

[global]
   logon path = \\BIGSERVER\profile\%U

[profile]
   create mode = 0600
   directory mode = 0700
   path = /home/profile
   read only = no

5.5 Login Scripts

If you're running your Samba server to act as a Primary Domain Controller (PDC) for Windows clients, you can have a batch file execute upon login. This can be enabled by adding the following to your smb.conf file:

[global]
   logon script = %m.bat

See VARIABLE SUBSTITUTIONS in the man page for smb.conf for a full list of potential variables.  Common ones include the username of the current service (%u), the session username that the client wanted - not necessarily what they got (%U), the primary group name of the user (%g), and the NetBIOS name of the client computer (%m).

All login scripts must reside in the [netlogon] share (see Running Samba as a PDC) and should be formatted to be readable by your Windows clients (see Line Feeds CR/LF). Here's a sample script which I find to be quite useful:

@echo off
REM Synchronize the client's clock with the server.  Requires Power User rights, however
NET TIME \\SERVER /SET /YES

REM Map some drives
NET USE I: \\SERVER\INSTALL /YES
NET USE P: \\SERVER\HOMES /YES

REM Run Symantec Liveupdate (silently) for Antivirus definitions.
REM Does not require the user to have local adminstrator rights ;-)
IF EXIST "C:\Program Files\Symantec\LiveUpdate\Luall.exe" "C:\Program Files\Symantec\LiveUpdate\Luall.exe" -s

REM Run WinNT/2K/XP specific stuff
IF NOT "%OS%"=="Windows_NT" goto noxp

IF NOT EXIST "\\SERVER\%USERNAME%\xpbackup" mkdir "\\SERVER\%USERNAME%\xpbackup"
REM /c ignore errors
REM /h copy hidden & system files also
REM /r copy read-only files also
REM /y supress prompting
REM /d only copy newer files than target
XCOPY "%HOMEDRIVE%\%HOMEPATH%\My Documents\*.*" "\\SERVER\%USERNAME\xpbackup\My Documents\*.* /S /E /C /H /R /Y /D
IF ERRORLEVEL 5 GOTO diskerror
IF ERRORLEVEL 4 GOTO initerror
IF ERRORLEVEL 2 GOTO abort
IF ERRORLEVEL 1 GOTO nofiles
IF ERRORLEVEL 0 GOTO services

:diskerror
ECHO "Disk Error during copying"
:initerror
ECHO "Low Memory, invalid drive, or invalid command syntax"
:abort
ECHO "Control-C pressed"
:nofiles
ECHO "Nothing found to copy"


:services
REM Stop the protected storage service to disable password caching on web pages
NET STOP "Protected Storage"
NET START "Automatic Updates"

REM Back up the client's registry
REGEDIT /E P:\Registry.bak
REM Update (silently) the client's registry
REGEDIT /S "\\SERVERNAME\NETLOGON\Update.reg"

:noxp

5.6 Linefeeds (CR/LF)

Another issue to become aware of with login scripts is linefeeds. If you're working in a Linux/Windows mixed environment, you're bound to come across files that are littered with '^M' at the end of every line. This is the Windows command for 'newline', which uses a combination of CR/LF, whereas Linux uses just the single LF. To convert a text file from DOS to Linux, thereby removing the '^M' newline characters in the file, use the fromdos command:

fromdos <dosfile >linuxfile

To convert a text file from Linux to DOS, thus adding the '^M' newline characters so that the file can be read by your Windows clients, use todos:

todos <linuxfile >dosfile

Alternately, if you find you don't have the fromdos/todos utilities, you can try this simple trick:

cat dosfile | col -b > linuxfile

It's worth noting that if you're running into this problem in the first place, it means you're working on a file that is being edited in both your Linux and Windows environments. As such, you should probably read the section on Oplocks to prevent any data loss...

If you'd rather take care of things from the Windows side of the coin, you can simply use a text editor that can convert between DOS/Linux. My personal favorite is Jean-Pierre Menicucci's Editeur which includes syntax highlighting, although you're encouraged to look around for what fits your needs best.

6. Security and Samba

6.1 Restricting Client Access

If you run your samba server on a machine that has a valid IP address to the Internet, or an an untrusted LAN, you'll probably want to limit who can connect to your Samba shares. Assuming your server runs on 192.168.0.1, your netmask is 255.255.255.0 and you wish to deny access to a host in your network on 192.168.0.8, your smb.conf file should look like:

hosts allow = 192.168.0.0/255.255.255.0 127.0.0.1 EXCEPT 192.168.0.8
hosts deny = ALL

It's also useful to limit the interfaces on which Samba will run, if you have a multihomed (more than one IP address) server. A common mistake is to set the interfaces line to the specific IP address of the box, when it is actually the IP subnet that your interface is on that you want to use. Assuming your server runs on 192.168.0.1 and your netmask is 255.255.255.0, your smb.conf file should look like:

interfaces = 192.168.0.0/255.255.255.0 127.0.0.1
bind interfaces only = Yes

6.2 Shadows and Light

These are simple smb.conf configuration settings that make Samba a little more transparent to the watching eye.

# Encrypt all passwords stored in /usr/local/samba/private/smbpasswd
encrypt passwords = yes

# Prevent the administrative user from logging in
invalid users = root @wheel

# Files that have their Linux permissions set to prevent access shouldn't even appear
hide unreadable = yes

# Prevent browsing by default
browseable = no

# Don't allow access to any of the following files.
# Useful for preventing the spread of virus infections on your server
# should a Windows-connected client become infected.
# The last match bit prevents accessing files with a CLSID in its file extension
veto files = /*.exe/*.dll/*.com/*.vbs/*.{*}/

# Hide the following files; the client can still choose to alter their view settings to show hidden files.
hide files = /example.txt/*.bad/

6.3 Samba and firewalls (iptables)

Traditional NetBIOS traffic relies on three specific services: NetBIOS Name Service (port 137/udp), NetBIOS Datagram Service (port 138/udp), and NetBIOS Session Service (port 139/tcp).

Direct hosted "NetBIOS-less" SMB traffic uses ports 445/tcp and 445/udp, which has the advantage of removing dependence on WINS for name resolution. In this situation, a four-byte header precedes the SMB traffic. The first byte of this header is always 0x00, and the next three bytes are the length of the remaining data. Only Windows 2000 and Windows XP support the direct-hosted method. Samba does have the ability to accept connections on port 445, but it does not listen on this port when started with the -D option. Instead, it must be started from inetd (without the -D flag) and inetd must be configured to accept smb connections on port 445. Please be aware that this is a very new and untested feature, so your mileage may vary.

Using iptables, a simple (although not comprehensive) firewall section might look something like this:

iptables -A INPUT -p udp -s 192.168.0.0/24 --sport 137 -d 192.168.0.1/32 --dport 137 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.0/24 --sport 138 -d 192.168.0.1/32 --dport 138 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 --sport 1024:65535 -d 192.168.0.1/32 --dport 139 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -p udp -s 192.168.0.1/32 --sport 137 -d 192.168.0.0/24 --dport 137 -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.1/32 --sport 138 -d 192.168.0.0/24 --dport 138 -j ACCEPT
iptables -A OUTPUT -p tcp ! --syn -s 192.168.0.1/32 --sport 139 -d 192.168.0.0/24 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -j DROP

As a sidenote, if you're running a 2.4.x Linux kernel and you're still using ipchains, you should consider upgrading to iptables which is considered a stateful firewall and a lot easier to configure. If you have an old ipchains or ipfwadm based firewall, you should be able to apply the same logical layout of the above script and adapt it to your needs.

6.4 Tunneling SMB through SSH

One method of encrypting SMB traffic over a network is to "tunnel" SMB through SSH using a method known as port forwarding. This is a frequently asked question by system administrators wishing to secure remote SMB traffic. While this is possible, it does have some serious drawbacks which we will touch on as well.

It's important to be aware that running SMB by itself without SSH over a 56k dialup line is still terribly slow to the point of frustration. If you don't have a high speed link or at least a lot of patience, you probably don't even want to deal with tunneling over SSH.

The other unfortunate bit of news is that due to a design limitation in the GUI API of Windows 9x/ME, you'll only be able to perform your tunneled work in a MS-DOS window. Once you step outside of this and attempt to interact with your remote server via the GUI, you'll find 30-60 second periods where the computer will pause/hang, after which it will complain that the path is invalid or unavailable. One possible explanation is the 16/32-bit nature of this type of Windows OS, however there has yet to be a confirmation of this by either Microsoft or the Samba team. Those using the 32-bit Windows 2000/XP systems will not have this limitation whatsoever.

That being said, the good news is that tunneling SMB through SSH is indeed possible. Name services, or anything relying on UDP, can't be forwarded via SSH due to a limitation in how SSH forwards ports (TCP only). So, we'll focus on port forwarding only TCP/port 139. Since UDP tunneling is not available under SSH, your first step involves adjusting the lack of WINS/broadcast name resolution.

Windows provides two different files, HOSTS and LMHOSTS. The former is for Hostname-to-IP Address resolution (similar to DNS), and the latter is for NetBIOS-name-to-IP Address resolution (similar to WINS). LMHOSTS originally stood for "LAN Manager". These files are provided as a "backup" in the case that DNS or WINS are not available. Since NetBIOS name resolution only works via UDP, which can't be tunnelled via SSH, the first step is to edit the LMHOSTS file:

REM Under WinNT/2k/XP, this is c:\windows\system32\drivers\etc\LMHOSTS
REM Under Win9x/ME, this is c:\windows\LMHOSTS

127.0.0.1     FAKENAME      #PRE

Where FAKENAME is a bogus NetBIOS name that you will use to refer to your Samba server. The #PRE statement tells Windows that this name should be cached into memory, otherwise it won't always be read. The LMHOSTS file will not be processed by Windows until you reboot or you issue the following command, which forces a reload of the NetBIOS name cache (note the uppercase-R):

nbtstat -R

Configure your client's SSH program to forward port 139/tcp on the localhost to port 139/tcp on the server, and then connect via SSH. Once done, open up a MS-DOS window and issue these commands:

NET VIEW \\127.0.0.1
NET VIEW \\FAKENAME

Viola! Both commands work, and you can confirm the encryption with a packet filter.

7. Appendix

7.1 Some Useful Definitions

• SMB (Server Message Block) - SMB is a file sharing protocol, that uses a computer name and numerical type to create a NetBIOS name. Developed in 1983 by IBM and The Open Group, and reimplemented by Microsoft.
• CIFS (Common Internet Filesystem) - Around 1996, Microsoft apparently decided that SMB needed the word "Internet" in it, so they changed it to CIFS. The change is essentially cosmetic marketing hype, however there are those who would disagree.
• DCE/RPC (Distributed Computing Environment / Remote Procedure Calls) - Developed by Apollo/HP and The Open Group and reimplemented by Microsoft as MSRPC
• IPC (Inter-process Communication) - A method to communicate specific information between programs.
• NetBIOS - Network Basic Input/Output System. This is a standard which was originally developed for IBM by Sytek in 1983. To exaggerate the analogy a bit, it can help to think of this in comparison your computer's BIOS -- it controlls the essential functions of your input/output hardware -- whereas NetBIOS controlls the essential functions of your input/output traffic via the network. Again, this is a bit of an exaggeration but it should help that paradigm shift. What is important to realize is that NetBIOS is a transport standard, not a protocol. Unfortunately, even technically brilliant people tend to interchange NetBIOS with terms like NetBEUI without a second thought; this will cause no end (and no doubt) of confusion.
• NetBEUI -IBM first introduced the "NetBIOS Extended User Interface" (NetBEUI) in 1985 as an extension to the NetBIOS standard. Unlike NetBIOS, NetBEUI is a protocol, not a standard. It is also not routable, so traffic on one side of a router will be unable to communicate with the other side. Understanding NetBEUI is not essential to deciphering SMB; however it helps to point out that it is not the same as NetBIOS and to improve your score in trivia at parties. NetBEUI was originally referred to by Microsoft as "NBF", or "The Windows NT NetBEUI Frame protocol driver". It is not often heard from these days.
• NBT - "NetBIOS over TCP", or "NetBT". Allows the continued use of NetBIOS traffic proxied over TCP/IP. As a result, NetBIOS names are made equivilant to IP addresses and NetBIOS name types are conceptually equivilant to TCP/IP ports. This is how file and printer sharing are accomplished in Windows 95/98/ME. They traditionally rely on three ports: NetBIOS Name Service (nbname) via UDP port 137, NetBIOS Datagram Service (nbdatagram) via UDP port 138, and NetBIOS Session Service (nbsession) via TCP port 139. All name resolution is done via WINS, NetBIOS broadcasts, and DNS. NetBIOS over TCP is documented in RFC 1001 (Concepts and methods) and RFC 1002 (Detailed specifications).
• "Direct-Hosted" TCP - This is the new Microsoft marketing term used to describe a new method of file and printer sharing in Windows 2000/XP, which uses only TCP and UDP port 445. All name resolution is done via DNS. Note that by default, Windows 2000/XP use both NBT and Direct Hosted traffic (you can disable this in the WINS properties tab). If a client supports both direct-hosted and NBT, both methods are tried and the first type to respond is used. In direct-hosted traffic, a 4-byte header precedes the SMB traffic. The first byte is always 0x00, and the remaining three bytes are the length of the remaining data. So, if you simply switch off NBT support in favor of direct-hosted tcp, it simply removes one route by which the SMB server can be contacted.

7.2 SMB Methodology

Traditionally, SMB uses UDP port 137 (NetBIOS name service, or netbios-ns), UDP port 138 (NetBIOS datagram service, or netbios-dgm), and TCP port 139 (NetBIOS session service, or netbios-ssn). Anyone looking at their network with a good packet sniffer will be amazed at the amount of traffic generated by just opening up a single file!

In general, SMB sessions are established in the following order:

1. TCP Connection - establish 3-way handshake (connection) to port 139 or 445.
2. NetBIOS Session Request - using the following "Calling Names":
• The local machine's NetBIOS name plus the 16th character 0x00
• The server's NetBIOS name plus the 16th character 0x20
3. SMB Negotiate Protocol - determine the protocol dialect to use, which will be one of the following:
• PC Network Program 1.0 (Core) - share level security mode only
• Microsoft Networks 1.03 (Core Plus) - share level security mode only
• Lanman1.0 (LAN Manager 1.0) - uses Challenge/Response Authentication
• Lanman2.1 (LAN Manager 2.1) - uses Challenge/Response Authentication
• NT LM 0.12 (NT LM 0.12) - uses Challenge/Response Authentication
4. SMB Session Startup. Passwords are encrypted (or not) according to one of the following methods:
• Null (no encryption)
• Cleartext (no encryption)
• LM and NTLM
• NTLM
• NTLMv2
5. SMB Tree Connect
• Connect to a share name (e.g., \\servername\share)
• Connect to a service type (e.g., IPC$ named pipe)

A good way to examine this process in depth is to try out SecurityFriday's SWB program, which allows you to enables the SMB(CIFS) session setup without depending on the version and the registry setting of your Windows machines.

7.3 A Simple Script for starting/stopping Samba

If you want to easily start and stop your smbd/nmbd daemons with a minimum of fuss, you can use the following script. Note that any active clients won't like you for it, especially if they're running Microsoft Access on an open networked file ;-)

#!/bin/sh
# Start/stop/restart samba

samba_start() {
   if [ -x /usr/local/samba/bin/smbd -a -x /usr/local/samba/bin/nmbd -a -r /usr/local/samba/etc/smb.conf ]; then
     echo "Starting: /usr/local/samba/bin/smbd -D"
     /usr/local/samba/bin/smbd -D
     echo "Starting: /usr/local/samba/bin/nmbd -D"
     /usr/local/samba/bin/nmbd -D
   else
     echo "Error: Cannot start Samba"
   fi
}

samba_stop() {
   echo "Stopping smbd nmbd"
   killall smbd nmbd
}

samba_restart() {
   samba_stop
   sleep 2
   samba_start
}

case "$1" in
'start')
   samba_start
   ;;
'stop')
   samba_stop
   ;;
'restart')
   samba_restart
   ;;
*)
   echo "usage $0 start|stop|restart"
esac

7.4 Logging Windows Events

This technically isn't related to Samba, but it does involve some significant Windows/Linux integration and it's quite nifty (and therefore somewhat relevant). Often, it's desirable to have Windows NT/2000/XP send Event Log messages to Linux via syslogd. One such free and simple tool is evtsys from Purdue University (Source and binaries available at https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/). Essentially, it installs itself as a Windows service and simply forwards all Event Log traffic to a designated server's syslog daemon. Here's a sample output from syslog:

Nov 13 15:33:23 pc-lab14 Norton AntiVirus: N/A: Download of virus definition file from LiveUpdate server failed.
Nov 13 15:35:20 pc-lab16 Service Control Manager: N/A: The Parallel port driver service failed to start
Nov 13 15:35:41 pc-lab13 MsiInstaller: N/A: Microsoft Office 2000 -- Installation successfull.
Nov 13 15:44:43 pc-lab12 Norton AntiVirus: N/A: Symantec AntiVirus Realtime Protection Loaded.
Nov 13 15:45:23 pc-lab14 Cdrom: N/A: The device, \Device\CdRom0, has a bad block.
Nov 13 15:46:03 pc-lab12 Norton AntiVirus: N/A: Virus Found! Virus name: W32.Badtrans.B@mm in File: info.DOC.scr

7.5 Recording Workstation Logons/Logoffs

This question comes up quite a lot. To establish logging via utmp (which allows you to run `w` or `who` from the shell), make sure to compile Samba using:

$ ./configure --with-utmp

Next, add the following directive to your smb.conf file:

utmp = yes

The system will then record activities via utmp:

$ who
fred    smb/7    Dec 10 08:50
sally   smb/1    Dec 10 08:48
sam     smb/2    Dec 10 08:48
$ w
 08:48:06 up 323 days, 23:13, 3 users, load average: 0.00, 0.03, 0.01

USER	TTY	FROM	LOGIN@	IDLE	JCPU	PCPU	WHAT
fred	smb/1	192.168.1.12	08:45	0.00s	0.03s	0.01s	/usr/local/samba/bin/smbd -D
sally	smb/2	192.168.1.15	08:48	0.00s	1:16	0.01s	/usr/local/samba/bin/smbd -D
sam	smb/3	192.168.1.18	08:48	0.00s	1:16	0.01s	/usr/local/samba/bin/smbd -D

Your second option for determining who's logged on is to just use the built-in smbstatus command:

$ smbstatus -b
Samba version 2.2.7

PID	Username	Machine	Time logged in
-------------------------------------------------------------------
11902	fred	pc-lab12	Tue Dec 10 08:49:45 2002
11906	sally	pc-lab15	Tue Dec 10 08:50:02 2002
11896	sam	pc-lab18	Tue Dec 10 08:48:05 2002

Your third option is simple: just grep the logfiles for netlogon events. Make the following changes to your smb.conf:

log level = 1
log file = /somepath/%m.log

Then you can track each individual machine's activity. For logon and logoff events, you want to (respectively) grep for:

pc-lab14 connect to service netlogon as user david
pc-lab14 closed connection to service netlogon

7.6 Samba SSL

Configuring Samba for SSL is (currently) beyond the scope of this document. For those wanting to experiment with this feature, you'll need to download and install the OpenSSL package. OpenSSL provides Secure Sockets Layer (SSL) and Transport Layer Security (TLS) abilities to Linux. SSL, developed by Netscape Communications, is a protocol that adds encryption and authentication to TCP/IP. TLS is an open-standard replacement for SSL from the Internet Engineering Task Force. Specifically, OpenSSL is a "toolkit" that includes libssl.a (the SSLv2, SSLv3, and TLSv1 raw code), libcrypto.a (general encryption routines for encryption ciphers (libdes, RC4/2, Blowfish, IDEA), Message Digests (MD5/2, SHA0/2, MDC2), Public Keys (RSA, DSA, Diffie-Hellman), X.509v3 certificates (encrypting/decrypting via private key), and various other encodings & routines), and openssl (a command line tool that can be used to access OpenSSL routines).

$ tar xzf openssl-0.9.x
$ cd openssl-0.9.x
$ ./config shared -DSSL_FORBID_ENULL
$ make
$ make test
# make install

Samba will fail to compile if it can't find the ssl libraries. Update your /etc/ld.so.conf file to include /usr/local/ssl/lib and rerun `ldconfig`.

When compiling Samba, you'll need to make sure your configure line includes the following additions:

$ ./configure --with-ssl

7.7 Sample smb.conf

This is a slightly modified version of Samba's default sample configuration file.

################################################################
# smb.conf                                                     #
#                                                              #
# This is the main Samba configuration file.  You should read  #
# the smb.conf(5) manual page in order to understand the       #
# options listed here.  Samba has a huge number of             #
# configurable options (perhaps too many!) most of which are   #
# not shown in this example.                                   #
#                                                              #
# Any line which starts with a ; (semi-colon) or a # (hash) is #
# a comment and is ignored.  In this example we will use a     #
# hash mark (#) for commentry and a ; for parts of the config  #
# file that you may wish to enable.                            #
#                                                              #
# NOTE: Whenever you modify this file you should run the       #
# command `testparm` to check that you have not made any basic #
# syntax errors.                                               #
################################################################

################################################################
# Global Settings                                              #
################################################################

[global]

################################################################
# workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4    #
################################################################
   workgroup = MYGROUP

################################################################
# server string is the equivalent of the NT Description field  #
################################################################
   server string = Samba Server

################################################################
# This option is important for security. It allows you to      #
# restrict connections to machines which are on your local     #
# network. The following example restricts access to two C     #
# class networks and the loopback interface. For more examples #
# of the syntax see the smb.conf man page                      #
################################################################

;   hosts allow = 192.168.1. 192.168.2. 127.

################################################################
# If you want to automatically load your printer list rather   #
# than setting them up individually then you'll need this      #
################################################################
   load printers = yes

################################################################
# you may wish to override the location of the printcap file   #
################################################################
;   printcap name = /etc/printcap

################################################################
# on SystemV system setting printcap name to lpstat should     #
# allow you to automatically obtain a printer list from the    #
# SystemV spool system                                         #
################################################################

;   printcap name = lpstat

################################################################
# It should not be necessary to specify the print system type  #
# unless it is non-standard. Currently supported print systems #
# include: bsd, sysv, plp, lprng, aix, hpux, qnx               #
################################################################
;   printing = bsd

################################################################
# Uncomment this if you want a guest account, you must add     #
# this to /etc/passwd otherwise the user "nobody" is used      #
################################################################

;  guest account = pcguest

################################################################
# this tells Samba to use a separate log file for each machine #
# that connects                                                #
################################################################
   log file = /usr/local/samba/var/log.%m

################################################################
# Put a capping on the size of the log files (in Kb).          #
################################################################
   max log size = 50

################################################################
# Security mode. Most people will want user level security.    #
# See security_level.txt for details.                          #
################################################################
   security = user

################################################################
# Use password server option only with security = server       #
# The argument list may include:                               #
# password server = PDC_Name [BDC_Name] [Next_BDC_Name]        #
# or to auto-locate the domain controller/s                    #
#   password server = *                                        #
################################################################
;   password server = 

################################################################
# Note: Do NOT use the now deprecated option of "domain        #
# controller".  This option is no longer implemented.          #
################################################################

################################################################
# You may wish to use password encryption. Please read         # 
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba         #
# documentation.  Do not enable this option unless you have    #
# read those documents                                         #
################################################################

;  encrypt passwords = yes

################################################################
# Using the following line enables you to customise your       #
# configuration on a per machine basis. The %m gets replaced   #
# with the netbios name of the machine that is connecting.     #
# Note: Consider carefully the location in the configuration   #
# file of this line.  The included file is read at that point. #
################################################################
;   include = /usr/local/samba/lib/smb.conf.%m

################################################################
# Most people will find that this option gives better          #
# performance.  See speed.txt and the manual pages for details #
# You may want to add the following on a Linux system:         #
# SO_RCVBUF=8192 SO_SNDBUF=8192                                #
################################################################
   socket options = TCP_NODELAY 

################################################################
# Configure Samba to use multiple interfaces                   #
#                                                              #
# If you have multiple network interfaces then you must list   #
# them here. See the man page for details.                     #
################################################################
;   interfaces = 192.168.12.2/24 192.168.13.2/24 

################################################################
# Browser Control Options                                      #
#                                                              #
# set local master to no if you don't want Samba to become a   #
# master browser on your network. Otherwise the normal         #
# election rules apply                                         #
################################################################
;   local master = no

################################################################
# OS Level determines the precedence of this server in master  #
# browser elections.                                           #
################################################################
os level = 99

################################################################
# Domain Master specifies Samba to be the Domain Master        #
# Browser. This allows Samba to collate browse lists between   #
# subnets. Don't use this if you already have a Windows NT     #
# domain controller doing this job.                            #
################################################################
;   domain master = yes 

################################################################
# Preferred Master causes Samba to force a local browser       #
# election on startup and gives it a slightly higher chance of #
# winning the election                                         #
################################################################
;   preferred master = yes

################################################################
# Enable this if you want Samba to be a domain logon server    # 
# for Windows95/98/ME workstations.                            #
################################################################
;   domain logons = yes

################################################################
# If you enable domain logons then you may want a per-machine  #
# or per user logon script.                                    #
################################################################

################################################################
# Run a specific logon batch file per workstation (machine)    #
################################################################
;   logon script = %m.bat

################################################################
# run a specific logon batch file per username                 #
################################################################

;   logon script = %U.bat

################################################################
# Where to store roving profiles                               #
# %L substitutes for this servers netbios name, %U is username #
# You must uncomment the [Profiles] share below                #
################################################################
;   logon path = \\%L\Profiles\%U

################################################################
# Windows Internet Name Service (WINS)                         #
#                                                              #
# WINS Support - Tells the NMBD component of Samba to enable   #
# it's WINS Server                                             #
################################################################

;   wins support = yes

################################################################
# WINS Server - Tells the NMBD components of Samba to be a     #
# WINS Client.  Note: Samba can be either a WINS Server, or a  #
# WINS Client, but NOT both.                                   #
################################################################
;   wins server = w.x.y.z

################################################################
# WINS Proxy - Tells Samba to answer name resolution queries   #
# on behalf of a non WINS capable client, for this to work     #
# there must be at least one WINS Server on the network.    #
# The default is NO.                                           #
################################################################
;   wins proxy = yes

################################################################
# DNS Proxy - tells Samba whether or not to try to resolve     #
# NetBIOS names via DNS nslookups.  The built-in default for   #
# versions 1.9.17 is yes, this has been changed in version     #
# 1.9.18 to no.                                                #
################################################################
dns proxy = no 

################################################################
# Share Definitions                                            #
################################################################

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

################################################################
# Un-comment the following and create the netlogon directory   #
# for Domain Logons                                            #
################################################################
; [netlogon]
;   comment = Network Logon Service
;   path = /usr/local/samba/lib/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no

################################################################
# Un-comment the following to provide a specific roving        #
# profile share the default is to use the user's home          #
# directory                                                    #
################################################################
;[Profiles]
;    path = /usr/local/samba/profiles
;    browseable = no
;    guest ok = yes

################################################################
# NOTE: If you have a BSD-style print system there is no need  #
# to specifically define each individual printer.              #
# Set public = yes to allow user 'guest account' to print      #
################################################################
[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes

################################################################
# This one is useful for people to share files                 #
################################################################
;[tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes

################################################################
# A publicly accessible directory, but read only, except for   #
# people in the "staff" group                                  #
################################################################
;[public]
;   comment = Public Stuff
;   path = /home/samba
;   public = yes
;   writable = yes
;   printable = no
;   write list = @staff

################################################################
# Other Examples                                               #
#                                                              #
# A private printer, usable only by fred. Spool data will be   #
# placed in fred's home directory. Note that fred must have    #
# write access to the spool directory, wherever it is.         #
################################################################
;[fredsprn]
;   comment = Fred's Printer
;   valid users = fred
;   path = /homes/fred
;   printer = freds_printer
;   public = no
;   writable = no
;   printable = yes

################################################################
# A private directory, usable only by fred. Note that fred     #
# requires write access to the directory.                      #
################################################################
;[fredsdir]
;   comment = Fred's Service
;   path = /usr/somewhere/private
;   valid users = fred
;   public = no
;   writable = yes
;   printable = no

################################################################
# a service which has a different directory for each machine   #
# that connects this allows you to tailor configurations to    #
# incoming machines. You could also use the %U option to       #
# tailor it by user name.  The %m gets replaced with the       #
# machine name that is connecting.                             #
################################################################
;[pchome]
;  comment = PC Directories
;  path = /usr/pc/%m
;  public = no
;  writable = yes

################################################################
# A publicly accessible directory, read/write to all users.    #
# Note that all files created in the directory by users will   #
# be owned by the default user, so any user with access can    #
# delete any other user's files. Obviously this directory must #
# be writable by the default user. Another user could of       #
# course be specified, in which case all files would be owned  #
# by that user instead.                                        #
################################################################
;[public]
;   path = /usr/somewhere/else/public
;   public = yes
;   only guest = yes
;   writable = yes
;   printable = no

################################################################
# The following two entries demonstrate how to share a         #
# directory so that two users can place files there that will  #
# be owned by the specific users. In this setup, the directory #
# should be writable by both users and should have the         #
# sticky bit set on it to prevent abuse. Obviously this could  #
# be extended to as many users as required.                    #
################################################################
;[myshare]
;   comment = Mary's and Fred's stuff
;   path = /usr/somewhere/shared
;   valid users = mary fred
;   public = no
;   writable = yes
;   printable = no
;   create mask = 0765



7.8 Additional Resources

• Documentation from the Samba source (local copy)
• Andrew Tridgell's interview with the Financial Review October 2002
• Just what is SMB? by Richard Sharpe
• Using Samba as a PDC, Linux Magazine February 2002
• Understanding the Network Neighborhood, Linux Magazine May 2001
• The Story of Samba: Linux's Stealth Weapon, Linux Magazine September 1999
• Samba - Opening Windows Everywhere, Linux Magazine May 1999
• SMB HOWTO, The Linux Documentation Project
• RFC 1088 - Standard for the transmission of IP datagrams over NetBIOS networks
• Implementing CIFS - The Common Internet File System
• Microsoft's description of some of the protocols, from the days of Windows NT 3.5

8. Epilogue

"What's fundamentally wrong is that nobody ever had any taste when they did it. Microsoft has been very much into making the user interface look good, but internally it's just a complete mess. And even people who program for Microsoft and who have had years of experience, just don't know how it works internally. Worse, nobody dares change it. Nobody dares to fix bugs because it's such a mess that fixing one bug might just break a hundred programs that depend on that bug. And Microsoft isn't interested in anyone fixing bugs—they're interested in making money. They don't have anybody who takes pride in Windows 95 as an operating system.

People inside Microsoft know it's a bad operating system and they still continue obviously working on it because they want to get the next version out because they want to have all these new features to sell more copies of the system.

The problem with that is that over time, when you have this kind of approach, and because nobody understands it, because nobody REALLY fixes bugs (other than when they're really obvious), the end result is really messy. You can't trust it because under certain circumstances it just spontaneously reboots or just halts in the middle of something that shouldn't be strange. Normally it works fine and then once in a blue moon for some completely unknown reason, it's dead, and nobody knows why. Not Microsoft, not the experienced user and certainly not the completely clueless user who probably sits there shivering thinking "What did I do wrong?" when they didn't do anything wrong at all.

That's what's really irritating to me."

 -- Linus Torvalds, from an interview with BOOT Magazine, Sept 1998

You can send me PGP encrypted mail using the following key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (GNU/Linux)

mQGiBD33mg0RBACWcGyAOhP6dD2EJM94/oVBwXx2VRejPyOXsCzfhxYvO358+doG
CyvahWlNeK55IPLrdZhpPgqrOk5G2QzM5vLL3qJzQhGBDx3Di2Ge3mRMzz11LQIq
0EOHkYOE2i01xEFbUCYXK4+MERYr4dKE7hqsZ744yZ0p8zs2EL+4g1lQiwCg8DVN
4zGYUgo57i20Tba3s6HEvfcD/2H2eguBSeyYZmaztdBQkKs41aHb8LqpkcgFWYw6
oS3kf9lNVQxm5TgksBQZP9WXzXmwe1fI/5OKlmLGfIEB3y2oP8WOGkHHbLTqaS8E
+sfWNFBAuYT0PvljydaehnkMc+9alQkIgEq9ljZBhh6fuoa17bQxvak4iJrOmUAb
l+MSA/9/UsgvcSlBNX0NdVlHcBH2EOTewuEOaZddAcz8fy4gC8FJMAStEtr5YPQW
oGZjhZKiE54uIaqBjVRF8w8OM1ihr0pBUt8qdHo+d7bGBoeC8YGrMHism89yuC9n
ViVos02TnX0newKlW2NXoKIHhTcjBujC1W40Ryqb3ex37kdWdLQ0RGF2aWQgTGVj
aG55ciAoSXMgSXQgTm90IE5pZnR5PykgPGRhdmlkQGxlY2hueXIuY29tPohfBBMR
AgAfBQI995oNBQkDwmcABAsHAwIDFQIDAxYCAQIeAQIXgAAKCRDnkTrZvDPvWvSX
AKDc2GvZ+9Zrvbo0xsv+tEfu3TvBTwCfX5aXd759ogFQBHVukgZy+vxoYTa5AQ0E
PfeaDxAEAM7EGxL8jAxUozdWwP4K6+03KcY7bPe/gHUaYPU9Yo2eYjnNa6kja+tx
XZ9kPiEawTfvosMYg0q71PU/lNWsDGATkwD4ddiv/AL1n1gBId3R5y5d6Qmdq4rD
4hQw/14nQ+aDoYnPIsCc+6mnjdSp9JbRfTB++N7rMSdUMQbCcNFHAAMFA/9MDDnc
Dv2PkLsiSyCbqcyxbVpedEThfgVesqIixEnhPVpXb87h8J28jn10MgiklQwwigJn
2yoSTYo85QH7qSOnZ7Vw8fgQqq5ZTKQS/egk9aghtJho+B3pNvmubzOh7ZR4XLhS
90IBzD+LLDBgFVFXYD0x8fWaBUpJYI+ZaR0O8YhMBBgRAgAMBQI995oPBQkDwmcA
AAoJEOeROtm8M+9asS8AoLRKABeOJv5SJEUzFbsIn0u3fIwDAKChK7K27Hs44YHC
qEfS9WTnQfQf4A==
=AoTT
-----END PGP PUBLIC KEY BLOCK-----