Difference between revisions of "Configuring JFileServer"

From FileSys.Org Wiki

Revision as of 14:26, 23 December 2018

The JFileServer file server is configured using a simple XML file; the same configuration format is used by the Enterprise version of the file server.

The configuration is contained within the <fileserver> main section with various sub-sections to configure which file server protocols are enabled, configuration for each protocol, security and debug logging. Here's an overview of the XML configuration file :-

<fileserver>
    <server>...</server>
    <SMB>...</SMB>
    <FTP>...</FTP>
    <NFS>...</NFS>
    <shares>...</shares>
    <debug>...</debug>
    <security>...</security>
    <licence>...</licence>
</fileserver>

Environment variables may be used in attributes and values within the XML configuration using the syntax '${env-var-name}'.

Some configuration settings allow an optional platforms="..." attribute, which allows one configuration file to be used on multiple platforms. If the platform that the JFileServer is running on is not listed in the platforms="..." value, the setting is ignored.

The available platform values are Windows, Linux, MacOSX and Solaris. The platforms value is a comma delimited list of valid platforms for the current setting.

The <server> configuration section is used to enable or disable which file server protocols are available. The syntax has changed from the JLAN configuration: each protocol now has an enable="true|false" attribute, which makes it easier to use an environment variable to control whether a particular file server protocol is enabled.

The <servers> configuration section has the following syntax :-

<servers>
    <SMB enable="true|false"/>
    <FTP enable="true|false"/>
    <NFS enable="true|false"/>
</servers>

== SMB Server Configuration ==

The <SMB> configuration section is used to configure the SMB protocol server that allows a drive or mount to be mapped to the JFileServer file server which can then be accessed as if it were a local drive on the client system.

The <SMB> configuration section has the following syntax :-

<SMB>
    <host>
        <broadcast>...</broadcast>
        <smbdialects>...</smbdialects>
        <comment>...</comment>
        <netBIOSSMB .../>
        <tcpipSMB .../>
        <hostAnnounce .../>
    </host>
    <authenticator ...>
        ...
    </authenticator>
    <sessionDebug .../>
</SMB>

Note: The JLAN XML configuration has <Win32NetBIOS/> and <Win32Announce/> configuration options; these are currently ignored by JFileServer as the Win32 NetBIOS legacy code has been moved out into a separate add-on project. With most clients using native SMB connections on port 445, and SMB2/SMB3 connections requiring native SMB connections, there are only a small number of special cases where the Win32 NetBIOS interface is of use.

=== The <host> Configuration Section ===

The <host> sub-section contains the main networking and protocol configuration settings.

The <broadcast> setting specifies the network broadcast mask that is required to send broadcast datagrams, used by the NetBIOS protocol and host announcement. JFileServer now accepts the setting 'AUTO', where the broadcast mask is determined automatically. In some cases this may not work, in which case you will need to specify the broadcast mask explicitly. For example, if your network addresses are in the 192.168.1.x/8 range the broadcast mask would be 192.168.1.255.

The <smbdialects> setting configures which SMB dialects the file server will negotiate with a client. The value should be a comma delimited list of dialect names. The high level dialect names available are SMB1 for the standard server, plus SMB2 and SMB3 for the Enterprise server.

The <comment> setting provides a comment that is visible to clients when displaying the server properties.

The <netBIOSSMB .../> setting configures the SMB file server to use the TCPIP socket based NetBIOS protocol. The default setting of <netBIOSSMB/> will enable the TCPIP NetBIOS interface using TCP port 139 and UDP ports 137 and 138. These settings can be overridden using the sessionPort="...", namingPort="..." and datagramPort="..." attributes. For example, if running the JFileServer on a Linux or Mac system as a normal user, the server will not be able to bind the privileged ports 137/138/139, so we may use the following configuration and use firewall rules to forward the network traffic to the unprivileged ports :-

<netBIOSSMB sessionPort="1139" namingPort="1137" datagramPort="1138"/>

An optional platforms="..." attribute may be used for the NetBIOS SMB setting.

The <tcpipSMB> setting configures the SMB file server to use the native SMB socket based protocol. The default setting of <tcpipSMB/> will enable the native SMB interface using TCP port 445. This setting can be overridden using the port="..." attribute. For example, if running the JFileServer on a Linux or Mac system as a normal user, the server will not be able to bind the privileged port 445, so we may use the following configuration and use firewall rules to forward the network traffic to the unprivileged port :-

<tcpipSMB port="1445"/>

An optional platforms="..." attribute may be used for the TCPIP SMB setting.

The <hostAnnounce .../> setting is used to enable the TCPIP NetBIOS host announcer that periodically broadcasts the server details to the local network. This allows the server to show up in the local network list or workgroup.

The default host announcement is broadcast every minute; the announcement interval can be set using the optional interval="..." attribute.

=== The <authenticator> Configuration Section ===

The <authenticator type="..."> section configures how the SMB server handles user authentication. The optional type="..." attribute can have the values "enterprise" or "local", or it is possible to specify your own authenticator class. The enterprise authenticator setting provides the latest authentication methods such as NTLMv2 and Kerberos via the NTLMSSP and SPNEGO mechanisms. The local authenticator setting provides support for the older LanMan and NTLMv1 authentication; these are considered insecure these days, so it is recommended to use the "enterprise" setting.

For the "enterprise" setting the authenticator configuration has the following syntax :-

<authenticator type="enterprise">
    <disableNTLM/>
    <useSPNEGO/>
    <disallowNTLMv1/>

    <!-- Kerberos related settings -->
    <Realm>...</Realm>
    <Password>...</Password>
    <LoginEntry>...</LoginEntry>
    <kerberosDebug/>
</authenticator>

By default the Enterprise authenticator enables NTLM logons, either NTLMv1 or NTLMv2. To only allow the more secure NTLMv2 logons, use the <disallowNTLMv1/> configuration setting.

To enable Kerberos logons to the SMB file server the <Realm>, <Password> and <LoginEntry> values are required. The <Realm> setting should contain the Kerberos realm, usually the domain name in uppercase. The <Password> setting is used to access the server Kerberos setup. The <LoginEntry> setting specifies the Java JAAS login entry name to use for the SMB server service logon; the default value is FileServerSMB.

The <kerberosDebug/> setting is a convenience setting that enables various Java debug output levels by setting the required properties.

The <useSPNEGO/> setting enables the use of SPNEGO (Simple Protected NEGOtiation) as well as the default NTLMSSP. If you have enabled Kerberos logons then SPNEGO will be enabled automatically.
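As an added example (not code from the JFileServer project), the following lint pass reads the <host> and <authenticator> settings described above from a configuration file, expands '${env-var-name}' references, honours the platforms="..." attribute, and reports the things a reviewer would question: privileged NetBIOS/SMB ports for a non-root process, the "local" authenticator, and NTLMv1 logons left enabled. The finding texts, the sample configuration and the assumption that an unset type="..." is not checked are this example's own.

```python
# Added example (not the JFileServer project's code): lint the <SMB> section
# described above for settings a reviewer would question.
import re
import xml.etree.ElementTree as ET

ENV_REF = re.compile(r"\$\{([^}]+)\}")
# (element, attribute, default) per listener; the defaults are the privileged ports
LISTENERS = [("netBIOSSMB", "sessionPort", 139), ("netBIOSSMB", "namingPort", 137),
             ("netBIOSSMB", "datagramPort", 138), ("tcpipSMB", "port", 445)]

def expand_env(text, env):
    """Replace ${name} with env[name]; unknown names are left as written."""
    return ENV_REF.sub(lambda m: env.get(m.group(1), m.group(0)), text)

def applies(elem, plat):
    """A setting carrying platforms="..." is ignored unless plat is listed."""
    plats = elem.get("platforms")
    return plats is None or plat in [p.strip() for p in plats.split(",")]

def lint_smb(xml_text, env, plat, is_root=False):
    """plat is one of Windows, Linux, MacOSX, Solaris; env maps ${...} names."""
    smb = ET.fromstring(xml_text).find("SMB")
    host = smb.find("host") if smb is not None else None
    auth = smb.find("authenticator") if smb is not None else None
    findings = []
    for tag, attr, default in LISTENERS:
        for elem in host.findall(tag) if host is not None else []:
            if not applies(elem, plat):
                continue  # meant for another platform, JFileServer ignores it
            port = int(expand_env(elem.get(attr, str(default)), env))
            if port < 1024 and not is_root:
                findings.append(f"{tag} {attr}={port}: privileged port, a non-root server cannot bind it")
    if auth is not None:
        atype = expand_env(auth.get("type", ""), env)
        if atype == "local":
            findings.append("authenticator type=local: LanMan/NTLMv1 only, use type=enterprise")
        elif atype == "enterprise":
            if auth.find("disallowNTLMv1") is None and auth.find("disableNTLM") is None:
                findings.append("authenticator: NTLMv1 logons still allowed, add <disallowNTLMv1/>")
            if bool(auth.findtext("Realm")) != bool(auth.findtext("Password")):
                findings.append("authenticator: Kerberos needs both <Realm> and <Password>")
    return findings

# Constructed sample: non-root Linux host that moved the NetBIOS ports but still
# binds 445 through an environment variable, and leaves NTLMv1 enabled.
SAMPLE_CONFIG = """<fileserver><SMB><host>
  <netBIOSSMB sessionPort="1139" namingPort="1137" datagramPort="1138"/>
  <tcpipSMB port="${SMB_PORT}" platforms="Linux,MacOSX"/><tcpipSMB port="1445" platforms="Windows"/>
</host><authenticator type="enterprise"><useSPNEGO/></authenticator></SMB></fileserver>"""
```

Running lint_smb(SAMPLE_CONFIG, {"SMB_PORT": "445"}, plat="Linux") reports the 445 binding and the missing <disallowNTLMv1/>; with plat="Windows" only the NTLMv1 finding remains, because the Linux listener is skipped.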

=== The <sessionDebug> Configuration Setting ===

The <sessionDebug flags="..."/> setting is used to enable SMB server debug output. The flags="..." value is a comma delimited list of debug output level names from the following list :-

{| class="wikitable"
! style="text-align:left;"| Flag
! Description
|-
|}