校园网跨网段共享文件Samba+SSH
Introduction
This tutorial contains screenshots for the English version of Windows 10. Separate instructions for older versions of Windows are also available:
To be able to mount a Windows share over SSH we will need
- Administrator access to the local computer, including the ability to elevate privileges. If you don't know what I am talking about then stop reading right here.
- One real or virtual network adapter, bound to the Client for Microsoft Networks driver.
Normally you should already have such an adapter, as otherwise you would not be able to mount any Windows shares. - One real or virtual network adapter, NOT bound to the Client for Microsoft Networks driver.
This part of the tutorial is split into the following steps:
- As most people do not have a spare real network adapter in their computer, we will add an extra virtual network adapter by installing the Microsoft KM-TEST Loopback Adapter.
- After that, the network adapter must be properly configured.
- Starting with Windows 10 update 1903, the Windows 10 feature "SMB 1.0" must be turned off.
- Furthermore, a few Windows system drivers need to be tweaked.
- Next, reboot Windows to verify that we've been able to grab port 445 and to see if the
lanmanserver
driver is up and running. - Finally, we launch a special OpenSSH session and mount our Nikhef home directory.
- For those wishing to undo the above steps follow the instructions at the bottom of this tutorial.
Windows 10 Upgrade woes
Multiple persons have reported problems after a major Windows 10 upgrade (e.g. from 1803 to 1809). This is due mostly to the disappearance of the Microsoft KM-TEST Loopback Adapter and of the portproxy rule. In order to recover after a Windows 10 upgrade, try
- Redo step 1 and reboot
- If the adapter is still not present, run devmgmt.msc management console application and
choose View->Show Hidden devices to see you can find the adapter again. If not, redo step 2. - Redo steps 3, 4 and 5.
1. Installing the Loopback Adapter
To install the Loopback adapter follow these steps:
- Start the Add Hardware Wizard by either going Start->Settings->Control Panel->Add Hardware or by starting a console window with elevated (Administrator) privileges. In the console window type
hdwwiz.exe
The Hardware Wizard will come up:
- Click Next to continue:
Select Install the hardware that I manually select from a list and click Next. - Now you'll see:
Select the entry Network adapters and click Next. - In the next screen
first select Microsoft from the list of Manufacturers and then select Microsoft KM-TEST Loopback Adapter from the list of Network Adapters. Finally, click Next once more. - Almost finished:
This is your last chance to abort, otherwise, click Next. - After a while you should see:
Click Finish to exit the Hardware Wizard.
You are now ready to configure your newly installed Loopback adapter. Even though Windows might not ask you to, reboot anyways (heey, it's a Microsoft OS ;-)).
From reports I've seen on the Internet a reboot is sometimes required for the loopback adapter to come up properly.
2. Configuring the Loopback Adapter
Now that your newly installed loopback adapter is up and running we must configure it properly:
- Go to the Network Connections Center:
- Choose the loopback adapter (usually it is named something like "Local Area Connection #3") and right-click on it:
- Choose Properties, after which a new window will appear
Make sure that- the entry Client for Microsoft Networks is NOT enabled, i.e. does not have a checkmark in front of it.
- the entry File and Printer sharing for Microsoft Networks is NOT enabled, i.e. does not have a checkmark in front of it.
- the entry Internet Protocol (TCP/IP) is enabled.
- Select the entry Internet Protocol (TCP/IP), then click on Properties.
- A new window will appear:
Select Use the following IP address and fill in the 'IP address' and 'Subnet mask' as above.
It is not necessary to fill in the 'Default gateway' or a 'DNS server'. - Click on Advanced to make the following window appear:
Deselect Automatic metric and fill in the value of 9999 as the 'Interface metric' as shown above. - Click on the WINS tab:
and select Disable NetBIOS over TCP/IP. - Click on OK.
- You are now back in the main 'TCP/IP Properties' screen. Click OK again.
- You are now back in the main 'Loopback Properties' screen. Click Close.
3. Disabling the "SMB 1.0" Windows feature
Starting with Windows 10 update 1903 we need to disable the Windows feature SMB 1.0:
- Go to the Control Panel->Programs->Programs and Features and select Turn Windows features on or off
- A list of features pops up:
Scroll down and deselect the feature SMB 1.0/CIFS File Sharing support - Now close this control panel item.
(Thanks to Michael Uhlenberg for pointing this out)
4. Tweaking the 'LanmanServer' driver
Now we first need to tweak a Windows system driver to overcome the thing that Microsoft broke. The root cause of the problem is that we need to access the file share using TCP port 445. However, when Windows 10 boots this port is grabbed by the system lanmanserver
driver for all interfaces. By delaying the startup of the lanmanserver
driver and by installing a portproxy
rule we can circumvent this. This section explains how to do this:
- Start a console window with elevated (Administrator) privileges.
- First, we disable the automatic starting of the
lanmanserver
driver:
sc config lanmanserver start= delayed-auto
NOTE the space after the
start=
! Also, ifstart= delayed-auto
does not work then trystart= demand
- Make sure the
IpHlpSvc
driver is running at startup, as otherwise the portproxy rules are not executed:
sc config iphlpsvc start= auto
NOTE the space after the
start=
!
Thanks to Michael Uhlenberg for pointing out this important driver. - Next we add a
portproxy
rule to reroute TCP port 445 to a port of our choosing. For this tutorial, I choose 44445:netsh interface portproxy add v4tov4 listenaddress=10.255.255.1 listenport=445
connectaddress=10.255.255.1 connectport=44445IMPORTANT NOTES:
- The
listenaddress
is the address of the Loopback adapter configured in the section earlier - The
connectaddress
must be identical to thelistenaddress
- Using
listenaddress=127.0.0.1
does not work. Believe me, I've tried.
- The
If all went well you should see something like
The portproxy
rule is persistent, so there should be no need to repeat this step after a reboot.
5. Reboot and verify
Of course, now that we have disabled the automatic startup of the 'LanmanServer' driver we have to reboot Windows before proceeding.
- Verify that the
portproxy
was applied successfully by checking the open ports on the system. Type in the command consolenetstat -an | find ":445 "
You should see something like:
If you see only '0.0.0.0:445
' instead then the 'portproxy' rule was not applied correctly. Verify that the right 'portproxy' rule was usednetsh interface portproxy show v4tov4
and verify that the
IpHlpSvc
driver is running at Windows startup usingsc query iphlpsvc
Another reason for the 'port grabbing' to fail could be the
LanmanWorkstation
driver running at Windows startup. If so, try giving it the same treatment asLanmanServer
. However, on the Windows 10 installations I tested this driver was running at system startup without causing any problems. - After Windows comes up and you have logged in, check the status of the 'lanmanserver' driver. Open a command console (no privilege elevation is required) and type
sc query lanmanserver
The 'LanmanServer' driver should be in the state Running. If it is not, then follow these steps to create a task using the Task Schedule to start it at system startup.
On Windows 10 things are slightly different compared to Windows 7 and 8; it seems that Microsoft has read my tutorial and decided to provide a way to use local shares again ;-) !
6. Putting it all together
Now that we have configured both our loopback adapter we can put it all together by launching a special OpenSSH connection and mounting our Nikhef home directory as a Windows share:
- Launch an OpenSSH session with some special port-forwarding rules and login on
login2.nikhef.nl
as normal. Open a Command console or terminal and type:ssh -v -N -n -L 10.255.255.1:44445:beuk.nikhef.nl:445 <Your-nikhef-userid>@login2.nikhef.nl
Yes, there are lots of colons in that
-L
option but you need them all. - The first time you start the command with the special port forwarding rules, you will be (probably) be prompted by the Windows Defender Firewall that it has blocked some features:
Allow access to at least Public networks by ticking the checkbox, then click on Allow access as otherwise the port-forwarding will not work. - Make sure port-forwarding is working properly by checking the (verbose) log:
Make sure the linedebug1: Local connections to 10.255.255.1:44445 forwarded to remote address beuk.nikhef.nl:445
is present before continuing.
- Go to Start->Run and type \\10.255.255.1\user\<Your-nikhef-userid>
- In the Console window you should now see a line
debug1: Connection to port 44445 forwarding to beuk.nikhef.nl:445 requested.
as in the following screenshot:
If this is present then you can decrease the debug logging of the OpenSSH session by removing the-v
option from the command line:ssh -N -n -L 10.255.255.1:44445:beuk.nikhef.nl:445 <Your-nikhef-userid>@login2.nikhef.nl
Note If you carefully inspect the above screenshot then you will notice that I am using the (built-in) OpenSSH Authentication Agent in combination with an SSH public/private keypair to avoid having to type in my Nikhef password every time.
- You will be prompted to authenticate yourself:
For the Username, fill in the domain NIKHEF\ followed by your Nikhef-Windows userid.
For the Password, fill in your Nikhef-Windows password, which might be different from the password you use to log in onlogin2.nikhef.nl
and press OK. - You should now see your Nikhef home directory in Windows Explorer!
Congratulations!
Mapping a network drive
To make life even easier it might be handy to map a network drive to your Nikhef home directory:
- Start Windows Explorer and choose Tools->Map Network Drive.
- In the next screen, fill in:
- Choose an available drive letter.
- Do NOT click on Browse but type in as the Folder name: \\10.255.255.1\user\<Your-nikhef-userid>
- Enable the checkbox in front of Connect using different credentials.
- Now click on Finish.
- In the next screen, fill in your Nikhef-Windows userid:
For the User name, fill in the domain NIKHEF\ followed by your Nikhef-Windows userid.
For the Password, fill in your Nikhef-Windows password, which might be different from the password you use to log in onlogin.nikhef.nl
and press OK. - In the next screen, click on Finish to complete the network drive mapping.
- You should now see a new drive letter appear in the Folders tree-list in Windows Explorer. Click on it to verify that you are indeed viewing your Nikhef home directory.
7. Control+Z! Undo! Undo!
For those wishing to undo the CIFS-over-SSH trick follow these steps:
- Start a console window with elevated (Administrator) privileges.
- Restore the automatic startup of the
lanmanserver
driver by typingsc config lanmanserver start= auto
NOTE the space after the
start=
! - Remove the
portproxy
rule by typingnetsh interface portproxy delete v4tov4 listenaddress=10.255.255.1 listenport=445
- Remove the firewall rule to allow SSH to do portforwarding from 10.255.255.1:
- Go to the Windows Control Panel
- Select System and Security, then Windows Defender Firewall
- Select Allowed apps, and scroll down in the list to SSH, Telnet and Rlogin client and deselect the permissions
Then press OK
- Start a
Device Manager
by typingdevmgmt.msc
Expand the 'Network Adapters', right-click on Loopback adapter and select Uninstall.
- If necessary, use the 'Task Scheduler' from the 'Administrative Tasks' menu to delete the task 'Start LanmanServer driver'
That's all, folks!reprint:https://www.nikhef.nl/~janjust/CifsOverSSH/Win10Loopback.html#Install
Comments to Jan Just Keijser | lastmod = 26/01/2021 14:42
校园网跨网段共享文件Samba+SSH的更多相关文章
- 极路由设置共享磁盘密码、跨网访问samba服务
极路由插上移动硬盘后会自动建立samba服务器,但我们没法去配置哪些盘符需要密码,这样只要在同一个wifi下的电脑都能去访问这些东西了,比较弱智.另外我还想再公司中去读写这个移动硬盘. 设置密码 首先 ...
- SQL Server 跨网段(跨机房)FTP复制
一.本文所涉及的内容(Contents) 本文所涉及的内容(Contents) 背景(Contexts) 搭建过程(Process) 注意事项(Attention) 参考文献(References) ...
- SQL Server 跨网段(跨机房)复制
一.本文所涉及的内容(Contents) 本文所涉及的内容(Contents) 背景(Contexts) 解决方案(Solution) 搭建过程(Process) 注意事项(Attention) 参考 ...
- hadooop 配置多网卡 提供跨网段服务
http://hortonworks.com/blog/multihoming-on-hadoop-yarn-clusters/ https://hadoop.apache.org/docs/r2.6 ...
- elasticsearch 跨网段组集群
elasticsearch 是非常流行的全文搜索引擎,但网上的教程多是初次使用,并没有一些高级用法demo.这次遇到需要跨网段组网问题,自己摸索了文档很久,发现确实可行,于是着手做了个实验,最终实验成 ...
- 如何使用UDP进行跨网段广播
广播域首先我们来了解一下广播域的概念.广播域是网络中能接收任一台主机发出的广播帧的所有主机集合.也就是说,如果广播域内的其中一台主机发出一个广播帧,同一广播域内所有的其它主机都可以收到该广播帧.广播域 ...
- SQL Server跨网段(跨机房)FTP复制
SQL Server跨网段(跨机房)FTP复制 2013-09-24 17:53 by 听风吹雨, 273 阅读, 0 评论, 收藏, 编辑 一. 背景 搭建SQL Server复制的时候,如果网络环 ...
- 如何使用UDP进行跨网段广播(转)
源:http://blog.chinaunix.net/uid-22670933-id-3716646.html 广播域首先我们来了解一下广播域的概念.广播域是网络中能接收任一台主机发出的广播帧的所有 ...
- 如何使用UDP进行跨网段广播(转)
源:如何使用UDP进行跨网段广播 广播域首先我们来了解一下广播域的概念.广播域是网络中能接收任一台主机发出的广播帧的所有主机集合.也就是说,如果广播域内的其中一台主机发出一个广播帧,同一广播域内所有的 ...
随机推荐
- 如何在vscode 背景配置一个动态小女孩
D:\Microsoft VS Code\resources\app\out\vs\code\electron-browser\workbench <!-- Copyright (C) Micr ...
- 安装pystaller
安装命令 # -i指定下载地址,此处采用清华大学镜像 pip install -i https://pypi.tuna.tsinghua.edu.cn/simple some-package pyin ...
- 揭开Vue异步组件的神秘面纱
简介 在大型应用里,有些组件可能一开始并不显示,只有在特定条件下才会渲染,那么这种情况下该组件的资源其实不需要一开始就加载,完全可以在需要的时候再去请求,这也可以减少页面首次加载的资源体积,要在Vue ...
- 阿里云体验有奖:使用PolarDB-X与Flink搭建实时数据大屏
体验简介 场景将提供一台配置了CentOS 8.5操作系统的ECS实例(云服务器).通过本教程的操作带您体验如何使用PolarDB-X与Flink搭建一个实时数据链路,模拟阿里巴巴双十一GMV大屏. ...
- python基础教程:__call__用法
__call__可以使得方法变成可被调用对象:(PS:python中的方法和普通函数有点区别:方法的第一个参数是类实例) 允许一个类的实例像函数一样被调用.实质上说,这意味着 x() 与 x.call ...
- java反序列化漏洞专项
背景条件:java的框架,java的应用程序,使用序列化,反序列化操作非常多.在漏洞挖掘中,代码审计中,安全研究中,反序列化漏洞是个重点项,不可忽视.尤其是java应用程序的rce,10个里面有7个是 ...
- ReentrantLock 公平锁源码 第1篇
ReentrantLock 1 这篇还是接着ReentrantLock的公平锁,没看过第0篇的可以先去看上一篇https://www.cnblogs.com/sunankang/p/16456342. ...
- dolphinscheduler简单任务定义及复杂的跨节点传参
dolphinscheduler简单任务定义及跨节点传参 转载请注明出处 https://www.cnblogs.com/funnyzpc/p/16395094.html 写在前面 dolphinsc ...
- 可落地的DDD(7)-战术设计上的一些误区
背景 几年前我总结过DDD战术设计的一些落地经验可落地的DDD(5)-战术设计,和一次关于聚合根的激烈讨论最近两年有些新的落地体验,回过头来发现,当初对这些概念的理解还是没有深入,这篇文章重新阐述下. ...
- 聊聊 C++ 中的几种智能指针 (上)
一:背景 我们知道 C++ 是手工管理内存的分配和释放,对应的操作符就是 new/delete 和 new[] / delete[], 这给了程序员极大的自由度也给了我们极高的门槛,弄不好就得内存泄露 ...