So if you have done your openvpn config per client, you can restrict in this 
config the things users can do. Ex.: Client 1 can only see a specific host. 
Client 2 has full access to the fileserver and the net behind it. Group one is 
distributed with Client 1. Group two is distributed with Client 2.
The second part is with Samba. Only the IP range that is distributed with 
Client 2 can log on and work with files.
Then set the samba groups according to your needs and you are up and running.

Ex. OPENVPN config with logon to Samba 3 Server:

Server:

local your.server.i.p
port 1194
proto udp
dev tun
#your keys
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.0.9.0 255.255.255.0
#your clients config directory
client-config-dir ccd
client-to-client
duplicate-cn
push "dhcp-option DNS here.your.dns.server"
#openvpn provides the WINS server so netbios name resolution works through the tunnel
push "dhcp-option WINS here.your.wins.server"
push "dhcp-option DOMAIN your.domain"
##your routes
route 192.168.135.0 255.255.255.0
push "route 192.168.135.0 255.255.255.0"
push "route 192.168.134.0 255.255.255.0"
push "route 192.168.133.0 255.255.255.0"
push "route 192.168.132.0 255.255.255.0"
max-clients 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3
#auth against samba/openldap on connect through openvpn client
#script-security 3 is required for via-env on OpenVPN 2.1 and later
script-security 3
auth-user-pass-verify /etc/openvpn/ccd/login.sh via-env

Client:
client
dev tun
proto udp
port 1194
remote your.remote.loginserver 1194
##
resolv-retry infinite
nobind
persist-key
persist-tun
##Where are your certs?
ca C:\\openvpn\\config\\ca.crt
cert C:\\openvpn\\config\\client1.crt
key C:\\openvpn\\config\\client1.key
ns-cert-type server
comp-lzo
verb 3
pull
##prompt for samba/openldap user--pass
auth-user-pass
auth-nocache
##you need these two entries for windows to log on
route-method exe
route-delay 2
explicit-exit-notify 2
##Below if you need a script the name needs to be client_up.bat or 
client_down.bat
#up C:\\openvpn\\config\\client_up.bat

Login.sh (So you can be certain only a user authenticated to samba sees the 
files):
#!/bin/sh
##login script openvpn 071209 dm
##
LDAP=xxx.xxx.xxx.xxx
##check for empty username/password or anonymous
if [ -z "$username" ] || [ -z "$password" ] \
   || [ "$username" = "anonymous" ] || [ "$username" = "Anonymous" ]; then
    exit 1
fi
###test bind; ldapwhoami exits non-zero when the bind fails
ldapwhoami -x -h "$LDAP" -D "uid=$username,ou=users,dc=your,dc=domain" -w "$password"
###
if [ "$?" = "0" ]; then
    exit 0
else
    exit 1
fi



In your smb.conf,
hosts allow = 10.0.9.0/24



-----------------------------------------------
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
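The login.sh above builds the LDAP bind DN directly from the username that the VPN client typed, so the script is the place where that input has to be checked before it reaches ldapwhoami. The following POSIX sh helpers are an added example, not code from this thread or from the OpenVPN project: they reject empty or anonymous names and any character that has meaning in an LDAP DN or search filter, and only then build the DN and attempt the bind. LDAP_HOST and BASE_DN are placeholders to be replaced with the site's own values. One further caveat from the OpenVPN manual: with via-env the password is placed in the script's environment, which some platforms expose to other processes; via-file (with script-security 2) hands the credentials over in a temporary file instead and is the safer choice.

```shell
#!/bin/sh
# Added example (not from the thread): input checks for an OpenVPN
# auth-user-pass-verify script that binds to LDAP as the supplied user.
# LDAP_HOST and BASE_DN are assumed placeholders, not values from the thread.

LDAP_HOST="ldap.example.invalid"            # placeholder
BASE_DN="ou=users,dc=example,dc=invalid"    # placeholder

# username_ok NAME -> returns 0 if NAME is a plain account name, 1 otherwise.
# Rejects empty names, "anonymous" in any letter case, and anything outside
# [A-Za-z0-9._-], which keeps DN/filter metacharacters (, + = " \ < > ; # * ( ))
# and whitespace out of the bind DN.
username_ok() {
    name=$1
    [ -n "$name" ] || return 1
    case "$name" in
        [Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]) return 1 ;;
    esac
    case "$name" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# bind_dn NAME -> prints the DN to bind as, or fails if NAME did not pass
# username_ok. The DN is only ever built from a validated name.
bind_dn() {
    username_ok "$1" || return 1
    printf 'uid=%s,%s\n' "$1" "$BASE_DN"
}

# verify_user NAME PASSWORD -> 0 when the simple bind succeeds, 1 otherwise.
# An empty password is refused before contacting the directory, because an
# unauthenticated (anonymous) bind would otherwise succeed on many servers.
verify_user() {
    [ -n "$2" ] || return 1
    dn=$(bind_dn "$1") || return 1
    # -x: simple bind; ldapwhoami exits non-zero if the bind is rejected
    ldapwhoami -x -H "ldap://$LDAP_HOST" -D "$dn" -w "$2" >/dev/null 2>&1
}

# Entry point when OpenVPN runs the script with "via-env": the credentials
# arrive as the environment variables username and password. When neither
# is set (e.g. when the file is sourced to test the helpers) nothing runs.
if [ "${username+set}" = set ] && [ "${password+set}" = set ]; then
    if verify_user "$username" "$password"; then
        exit 0
    fi
    exit 1
fi
```

Install it as the auth-user-pass-verify script in place of login.sh; the exit status is all OpenVPN looks at, so every rejection path must end in a non-zero exit rather than falling through.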

-----Original Message-----
From: Michael Wilke [mailto:m...@1982.cc] 
Sent: Monday, 4 February 2013 09:07
To: samba@lists.samba.org
Cc: muel...@tropenklinik.de
Subject: Re: AW: [Samba] msdfs proxy question

Hi Daniel,

that is exactly the problem, the samba server has an OpenVPN server, but the 
VPN user group includes people who are not directly working for the company so 
they shouldn't have access to the internal network.

So even if I could set up the samba box as gw and limit the access to the file 
server by firewall rules, I'm not sure I can restrict the access to the file 
server itself, and they could see way too much, more than what they should. 

Is there any other possibility to do that? 



On Mon, 2013-02-04 at 08:33 +0100, Daniel Müller wrote:
> If you have no route to the network nothing will work.
> Samba is not a gateway nor does it do VPN connections or something like that.
> If your second network is an external one you will be better off in the 
> first with openvpn and set your routes to your needs.
> If your second network is internal you need to set up a gateway that 
> can be reached from both networks.
> 
> Good Luck
> Daniel
> 
> 
> -----Original Message-----
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On behalf of Michael Wilke
> Sent: Monday, 4 February 2013 08:05
> To: samba@lists.samba.org
> Subject: [Samba] msdfs proxy question
> 
> Hi List,
> 
> I am struggling a little bit with the msdfs proxy parameter.
> 
> I want the samba server as a kind of a bridge between two networks, 
> that the samba server only shares some of the shares provided by our 
> file server to a second network.
> I don't want the samba srv to be a gw or give the clients a route to 
> the internal network, because it is a total different user group.
> 
> I first tried to do so with an msdfs root directory and symlinks but 
> for sure it didn't work, because the clients don't have a route to the 
> source server.
> 
> But msdfs proxy doesn't work either:
> 
> smb.conf:
> -------
> [software-new]
>         msdfs root = yes
>         msdfs proxy= \gunter\software
> 
> -------
> 
> When I try to access the share from a computer in the sec. network the 
> log
> shows:
> 
> -------
> Client requested device type [?????] for share [SOFTWARE-NEW] refusing 
> connection to dfs proxy share 'software-new' (pointing to
> \gunter\software)
> error packet at smbd/reply.c(803) cmd=117 (SMBtconX) 
> NT_STATUS_BAD_NETWORK_NAME
> -------
> 
> The server is accessible from the samba box and smbclient connects fine:
> 
> root@samba:~# smbclient -L '\\gunter' -U 'DOMAIN\micha'
> WARNING: The "idmap uid" option is deprecated
> WARNING: The "idmap gid" option is deprecated Enter DOMAIN\micha's password:
> 
> Domain=[DOMAIN] OS=[Windows Server 2003 R2 3790 Service Pack 2] 
> Server=[Windows Server 2003 R2 5.2]
> 
>       Sharename       Type      Comment
>       ---------       ----      -------
>       ...
>       software        Disk      Software
>       ...
> 
> 
> If I access the msdfs share from the sec. network (10.10.12.0) with an 
> IP in the first network (10.10.10.0) then the connection redirects me 
> to the gunter server and everything works, but I need a "proxy" not a 
> standard msdfs redirect.
> 
> Any advice appreciated
> 
> Michael
> 
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 

--
Michael Wilke
HoD Advisor IT and General Service Department NIMR - Mbeya Medical Research 
Center (MMRC) P.O. Box 2410 Mbeya - Tanzania
Mobile: +255 684 700 979 (Airtel TZ)
E-Mail: m...@nimr-mmrc.org
Internet: http://www.nimr-mmrc.org/ 

