Re: [Samba] Authenticating against local PAM configuration
As I mentioned earlier, easy or not, winbind has in the past not proven to be stable and easy or not, I want to avoid using it.

The facts of the case are - I have a robust LDAP based authentication that is working. Can I just ask Samba to use the local PAM configuration (regardless of what it is) ? That way, if this windows environment changes authentication mechanisms again, I will have only one thing to fix instead of the mess that ADS is (plus, I will need to ask our IT folks to come do a net ads join for us).

On Fri, Apr 15, 2011 at 1:04 AM, Daniel Müller muel...@tropenklinik.de wrote:

Integrating suse with ads is quite easy?! Did you think about that: http://www.roboguys.com/index.php?option=com_content&task=view&id=78&Itemid=47 (Integrating suse with MADS)!? Is not new but in meanwhile it is much easier and it is done by yast.

Good Luck
Daniel

---
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Madhusudan Singh
Sent: Thursday, 14 April 2011 19:17
To: samba@lists.samba.org
Subject: Re: [Samba] Authenticating against local PAM configuration

I forgot to mention that using winbind is not an option. Our previous attempt to use winbind worked for a few months and then broke spectacularly after the organization made some changes to their ADS. It has to be just local pam, the way it is.

On Thu, Apr 14, 2011 at 12:14 PM, Madhusudan Singh singh.madhusu...@gmail.com wrote:

Hello

I have a (OpenSuSE 11.2) linux server that uses our organization LDAP to authenticate users. ssh logins work fine. I have installed a samba server on this server machine and wish to use the same authentication mechanism for Samba clients.

I do not have any access to the LDAP server (it runs on windows, I think) and it is against our organization's IT policy to allow saving the LDAP admin password on client machines. I have plenty of Howtos about integrating samba with Open LDAP, but they all require saving the admin password in smbpasswd. Not an option at all here.

Our IT people installed some kind of a binary module on the linux machine to allow it to authenticate ssh users but that is the extent to which they are willing to go.

Can I somehow ask samba to forward all authentications to the server pam configuration (without explicitly specifying the passdb backend) ? That method will most likely work for us because the pam authentication mechanism works perfectly.

Thanks.

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Authenticating against local PAM configuration
Hello

I have a (OpenSuSE 11.2) linux server that uses our organization LDAP to authenticate users. ssh logins work fine. I have installed a samba server on this server machine and wish to use the same authentication mechanism for Samba clients.

I do not have any access to the LDAP server (it runs on windows, I think) and it is against our organization's IT policy to allow saving the LDAP admin password on client machines. I have plenty of Howtos about integrating samba with Open LDAP, but they all require saving the admin password in smbpasswd. Not an option at all here.

Our IT people installed some kind of a binary module on the linux machine to allow it to authenticate ssh users but that is the extent to which they are willing to go.

Can I somehow ask samba to forward all authentications to the server pam configuration (without explicitly specifying the passdb backend) ? That method will most likely work for us because the pam authentication mechanism works perfectly.

Thanks.
Re: [Samba] Authenticating against local PAM configuration
I forgot to mention that using winbind is not an option. Our previous attempt to use winbind worked for a few months and then broke spectacularly after the organization made some changes to their ADS. It has to be just local pam, the way it is.

On Thu, Apr 14, 2011 at 12:14 PM, Madhusudan Singh singh.madhusu...@gmail.com wrote:

Hello

I have a (OpenSuSE 11.2) linux server that uses our organization LDAP to authenticate users. ssh logins work fine. I have installed a samba server on this server machine and wish to use the same authentication mechanism for Samba clients.

I do not have any access to the LDAP server (it runs on windows, I think) and it is against our organization's IT policy to allow saving the LDAP admin password on client machines. I have plenty of Howtos about integrating samba with Open LDAP, but they all require saving the admin password in smbpasswd. Not an option at all here.

Our IT people installed some kind of a binary module on the linux machine to allow it to authenticate ssh users but that is the extent to which they are willing to go.

Can I somehow ask samba to forward all authentications to the server pam configuration (without explicitly specifying the passdb backend) ? That method will most likely work for us because the pam authentication mechanism works perfectly.

Thanks.
[Samba] Input/output error on attempting to authenticate
Situation: OpenSUSE 11.2 server with LDAP for authentication.

Authentication status: users CAN login using LDAP using ssh. Additionally, I have kerberos setup and users can get kerberos tokens without any problem.

Environment: ADS running on Windows. I do not control the ADS. I had to ask an IT guy to come run a script that does the equivalent of net ads join and a few other things needed for an OpenSUSE 11.2 server. I cannot upgrade to a newer version of OpenSUSE 11.2 as a specific LDAP module needed for authentication locally is distributed in a binary only format. I do not make the rules here, just try to survive in this windows rich environment.

History: I had a working winbind based authentication working here, but there was a change in the authentication setup at the ADS end that broke the authentication. So, I am rebuilding the server as an LDAP + Samba box without any use of winbind.

Attempts to authenticate against a samba share fail:

    $ mount -v -t smbfs //us...@servername.edu/user1 ./share/
    Password:
    mount_smbfs: server rejected the connection: Input/output error

(The funny thing is that the above message occurs whether or not I type in the correct password.)

Log file on Samba:

    [2011/04/12 16:13:08, 0] rpc_client/cli_pipe.c:3853(get_schannel_session_key_common)
      get_schannel_session_key: could not fetch trust account password for domain 'CAMPUS'
    [2011/04/12 16:13:08, 0] rpc_client/cli_pipe.c:4077(cli_rpc_pipe_open_schannel)
      cli_rpc_pipe_open_schannel: failed to get schannel session key from server CAMPUSDC10.CAMPUS.AD.CAMPUS.EDU for domain CAMPUS.
    [2011/04/12 16:13:08, 0] auth/auth_domain.c:187(connect_to_domain_password_server)
      connect_to_domain_password_server: unable to open the domain client session to machine CAMPUSDC10.CAMPUS.AD.CAMPUS.EDU. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
    [2011/04/12 16:13:08, 0] auth/auth_domain.c:288(domain_client_validate)
      domain_client_validate: Domain password server not available.
    [2011/04/12 16:13:08, 2] auth/auth.c:320(check_ntlm_password)
      check_ntlm_password: Authentication for user [user1] - [user1] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO

What could be a problem (this may explain the password independent response above) ?

Part of my /etc/samba/smb.conf:

    workgroup = CAMPUS
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    log level = 0 passdb:3 tdb:3 printdrivers:3 auth:3 sam:3 winbind:3
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security=ads
    realm=CAMPUS.AD.CAMPUS.EDU
    password server = campus.ad.campus.edu
    workgroup = CAMPUS
    idmap uid = 500-100
    idmap gid = 500-100
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    domain master = no
    encrypt passwords = true
    passdb backend = tbdsam
    obey pam restrictions = yes
    unix password sync = yes
    ...

Thanks.
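An added example (not part of the original post, and not Samba code): a small Python triage script run over the log lines quoted in the message above. It separates failures on the server-to-domain-controller trust path, where the DC is never asked to validate the password and so right and wrong passwords are rejected alike, from ordinary credential failures. The second log sample, the two status groupings and all function names are assumptions made for the illustration.

```python
import re

# Header of a Samba 3 log entry: "[date time, level] file.c:line(function)".
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[\w./-]+):(?P<line>\d+)\((?P<func>\w+)\)\s*(?P<rest>.*)$"
)
# Final verdict line from check_ntlm_password; accepts "->" and the "-" seen on the page.
AUTH_FAIL = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\]\s*-+>?\s*\[[^\]]*\]\s+FAILED "
    r"with error (?P<status>NT_STATUS_\w+)"
)

# Assumed grouping of NT status codes for this triage (not an exhaustive list).
DC_PATH_STATUS = {
    "NT_STATUS_CANT_ACCESS_DOMAIN_INFO",
    "NT_STATUS_NO_LOGON_SERVERS",
    "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND",
    "NT_STATUS_NO_TRUST_SAM_ACCOUNT",
}
CREDENTIAL_STATUS = {
    "NT_STATUS_WRONG_PASSWORD",
    "NT_STATUS_LOGON_FAILURE",
    "NT_STATUS_NO_SUCH_USER",
    "NT_STATUS_ACCOUNT_LOCKED_OUT",
}
# Message fragments taken from the log in the post.
TRUST_HINTS = (
    "could not fetch trust account password",
    "failed to get schannel session key",
    "Domain password server not available",
)

DC_TRUST_PATH = "dc-trust-path"   # machine account / secure channel problem
CREDENTIAL = "credential"         # the user's own credentials were rejected
UNCLASSIFIED = "unclassified"


def parse_entries(text):
    """Split a log into entries; message lines are joined to their header."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]),
                            "func": m["func"], "msg": m["rest"].strip()})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries


def classify_failures(entries):
    """Classify each failed login and attach same-second trust-path evidence."""
    results = []
    for i, entry in enumerate(entries):
        m = AUTH_FAIL.search(entry["msg"])
        if not m:
            continue
        status = m["status"]
        earlier = [p["msg"] for p in entries[:i] if p["ts"] == entry["ts"]]
        evidence = [h for h in TRUST_HINTS if any(h in msg for msg in earlier)]
        if status in DC_PATH_STATUS:
            verdict = DC_TRUST_PATH
        elif status in CREDENTIAL_STATUS:
            verdict = CREDENTIAL
        else:
            verdict = DC_TRUST_PATH if evidence else UNCLASSIFIED
        results.append({"ts": entry["ts"], "user": m["user"], "status": status,
                        "verdict": verdict, "evidence": evidence})
    return results


# Log lines as quoted in the post (header and message on separate lines).
PAGE_LOG = """
[2011/04/12 16:13:08, 0] rpc_client/cli_pipe.c:3853(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'CAMPUS'
[2011/04/12 16:13:08, 0] rpc_client/cli_pipe.c:4077(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server CAMPUSDC10.CAMPUS.AD.CAMPUS.EDU for domain CAMPUS.
[2011/04/12 16:13:08, 0] auth/auth_domain.c:187(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine CAMPUSDC10.CAMPUS.AD.CAMPUS.EDU. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2011/04/12 16:13:08, 0] auth/auth_domain.c:288(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2011/04/12 16:13:08, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [user1] - [user1] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
"""

# Constructed contrast case (not from the post): a plain wrong-password failure.
CONSTRUCTED_LOG = """
[2011/04/12 16:20:41, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [user2] -> [user2] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

if __name__ == "__main__":
    for sample in (PAGE_LOG, CONSTRUCTED_LOG):
        for r in classify_failures(parse_entries(sample)):
            print(r["ts"], r["user"], r["status"], r["verdict"], r["evidence"])
```

For the log in the post every failed login lands in the trust-path group with three supporting messages, which points at the server's machine-account secret or secure channel rather than at any user's password.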
Re: [Samba] Guest shares in an ADS security model
So, is it correct to say that if we use ADS security, there is no possibility of having any unauthenticated shares at all ?

On Fri, Oct 22, 2010 at 2:42 PM, Madhusudan Singh singh.madhusu...@gmail.com wrote:

Thanks for clearing that up. I would not want the AD to get involved at all for this share anyways.

On Fri, Oct 22, 2010 at 1:15 PM, Mike Leone tur...@mike-leone.com wrote:

On 10/22/2010 2:12 PM, Michael Wood wrote:

On 22 October 2010 19:36, Madhusudan Singh singh.madhusu...@gmail.com wrote:

Ok. In my mind, guest access should be just that - no authentication.

Well, I believe that it is. But that you need to enable the Guest account in AD for it to be allowed.

AFAIK, the Guest account is disabled by default in AD (at least, the later versions, 2003 onwards, possibly earlier).

--
Michael J. Leone, mailto:tur...@mike-leone.com
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: http://www.flickr.com/photos/mikeleonephotos
You have become an avatar of woe and ire, and all of your deeds will conduce to evil
Fatal Revenant, Stephen R. Donaldson
Re: [Samba] Guest shares in an ADS security model
Ok. In my mind, guest access should be just that - no authentication.

On Thu, Oct 21, 2010 at 3:51 PM, Michael Wood esiot...@gmail.com wrote:

On 21 October 2010 20:54, Madhusudan Singh singh.madhusu...@gmail.com wrote:

Hello, I have no control over the active directory. I just authenticate a subset of its members to give them access to the fileserver. Does this mean that there is no true guest access when using ADS ?

I do not know enough about AD to answer your question.

--
Michael Wood esiot...@gmail.com
Re: [Samba] Guest shares in an ADS security model
Yes. I guess this is a question about whether share-wise security models can be specified.

On Fri, Oct 22, 2010 at 1:12 PM, Michael Wood esiot...@gmail.com wrote:

On 22 October 2010 19:36, Madhusudan Singh singh.madhusu...@gmail.com wrote:

Ok. In my mind, guest access should be just that - no authentication.

Well, I believe that it is. But that you need to enable the Guest account in AD for it to be allowed. I might be wrong, of course, but I think that's how it works. What you want to do is bypass AD for one print share. Maybe that's possible, but I don't know.

On Thu, Oct 21, 2010 at 3:51 PM, Michael Wood esiot...@gmail.com wrote:

On 21 October 2010 20:54, Madhusudan Singh singh.madhusu...@gmail.com wrote:

Hello, I have no control over the active directory. I just authenticate a subset of its members to give them access to the fileserver. Does this mean that there is no true guest access when using ADS ?

I do not know enough about AD to answer your question.

--
Michael Wood esiot...@gmail.com
Re: [Samba] Guest shares in an ADS security model
Thanks for clearing that up. I would not want the AD to get involved at all for this share anyways.

On Fri, Oct 22, 2010 at 1:15 PM, Mike Leone tur...@mike-leone.com wrote:

On 10/22/2010 2:12 PM, Michael Wood wrote:

On 22 October 2010 19:36, Madhusudan Singh singh.madhusu...@gmail.com wrote:

Ok. In my mind, guest access should be just that - no authentication.

Well, I believe that it is. But that you need to enable the Guest account in AD for it to be allowed.

AFAIK, the Guest account is disabled by default in AD (at least, the later versions, 2003 onwards, possibly earlier).

--
Michael J. Leone, mailto:tur...@mike-leone.com
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: http://www.flickr.com/photos/mikeleonephotos
You have become an avatar of woe and ire, and all of your deeds will conduce to evil
Fatal Revenant, Stephen R. Donaldson
Re: [Samba] Guest shares in an ADS security model
Hello, I have no control over the active directory. I just authenticate a subset of its members to give them access to the fileserver. Does this mean that there is no true guest access when using ADS ?

On Wed, Oct 20, 2010 at 3:34 PM, Michael Wood esiot...@gmail.com wrote:

On 20 October 2010 17:52, Madhusudan Singh singh.madhusu...@gmail.com wrote:

Seems pathetic to reply to my own message, but since I cannot find any working examples via Google, I have to ask this question. Should be simple enough for the resident gurus to answer ?

I would guess you need to enable the Guest user in Active Directory and then set up the share such that the Guest user has access.

On Mon, Oct 18, 2010 at 10:38 AM, Madhusudan Singh singh.madhusu...@gmail.com wrote:

Are these possible ? I am trying to setup a guest access printer attached to a working fileserver that authenticates its users against a Windows AD. I keep getting authentication requests on attempting to connect to the printer. Before I post my smb.conf, I need to know if what I am trying to do is even possible,

--
Michael Wood esiot...@gmail.com
Re: [Samba] Guest shares in an ADS security model
Seems pathetic to reply to my own message, but since I cannot find any working examples via Google, I have to ask this question. Should be simple enough for the resident gurus to answer ?

On Mon, Oct 18, 2010 at 10:38 AM, Madhusudan Singh singh.madhusu...@gmail.com wrote:

Are these possible ? I am trying to setup a guest access printer attached to a working fileserver that authenticates its users against a Windows AD. I keep getting authentication requests on attempting to connect to the printer. Before I post my smb.conf, I need to know if what I am trying to do is even possible,

Thanks.
[Samba] Guest shares in an ADS security model
Are these possible ? I am trying to setup a guest access printer attached to a working fileserver that authenticates its users against a Windows AD. I keep getting authentication requests on attempting to connect to the printer. Before I post my smb.conf, I need to know if what I am trying to do is even possible,

Thanks.
Re: [Samba] Permitting guest printer access with ADS security
I forgot to add that the file server is working fine.

On Thu, Oct 14, 2010 at 4:57 PM, Madhusudan Singh singh.madhusu...@gmail.com wrote:

I am using security = ads to authenticate users to my Samba server. I want to allow guest access to Samba print server at the same time.

This is my smb.conf:

    [global]
    workgroup = workgroup name
    realm = realm name
    server string = %h server (Samba, Ubuntu)
    security = ADS
    map to guest = Bad User
    obey pam restrictions = Yes
    password server = password server
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    printcap name = cups
    disable spoolss = Yes
    show add printer wizard = No
    domain master = No
    dns proxy = No
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 500-100
    idmap gid = 500-100
    template shell = /bin/bash
    winbind separator = +
    winbind use default domain = Yes
    hosts allow = 10.0.0.0/8, 127.0.0.1
    hosts deny = ALL

    [homes]
    comment = Home Directories
    invalid users = root, bin, daemon, nobody, named, sys, tty, disk, users
    valid users = %U
    write list = @fileusers
    read only = No
    create mask = 0700
    directory mask = 0700
    browseable = No
    browsable = No

    [printers]
    comment = All Printers
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    browseable = No
    browsable = No

    [hpprinter]
    comment = HP Printer
    path = /var/spool/samba
    create mask = 0700
    guest ok = Yes
    printable = Yes
    browseable = No
    browsable = No

However, I keep getting requests for authentication when I try to print to smb://servername/hpprinter. Cups printing on the server works perfectly.
[Samba] Permitting guest printer access with ADS security
I am using security = ads to authenticate users to my Samba server. I want to allow guest access to Samba print server at the same time.

This is my smb.conf:

    [global]
    workgroup = workgroup name
    realm = realm name
    server string = %h server (Samba, Ubuntu)
    security = ADS
    map to guest = Bad User
    obey pam restrictions = Yes
    password server = password server
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    printcap name = cups
    disable spoolss = Yes
    show add printer wizard = No
    domain master = No
    dns proxy = No
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 500-100
    idmap gid = 500-100
    template shell = /bin/bash
    winbind separator = +
    winbind use default domain = Yes
    hosts allow = 10.0.0.0/8, 127.0.0.1
    hosts deny = ALL

    [homes]
    comment = Home Directories
    invalid users = root, bin, daemon, nobody, named, sys, tty, disk, users
    valid users = %U
    write list = @fileusers
    read only = No
    create mask = 0700
    directory mask = 0700
    browseable = No
    browsable = No

    [printers]
    comment = All Printers
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    browseable = No
    browsable = No

    [hpprinter]
    comment = HP Printer
    path = /var/spool/samba
    create mask = 0700
    guest ok = Yes
    printable = Yes
    browseable = No
    browsable = No

However, I keep getting requests for authentication when I try to print to smb://servername/hpprinter. Cups printing on the server works perfectly.
Re: [Samba] A question about Samba, authentication, groups, quotas, etc.
I think I might have worked out the grouping problem locally by simply adding (manually) the names of members of B to /etc/group, and changing the directory ownership to the corresponding groups. It's a strange situation as there are users in /etc/group that are not present in /etc/passwd (they are Windows AD authenticated).

However, a few irritants remain.

1. When I try to use:

    valid users = @localgroupname

it does not permit mounting of the shares (though ssh logins work fine). I have to use

    valid users = %U

to get past that. Is there some way I could enter the group membership to smb.conf ?

2. Regarding C, D and E, I have done something similar, and added

    valid users = @localCgroupname

etc. to the shares definition. However, when I use a smb login from a Mac client, I see only the home directory mounted and not the second share that the user is a member of (this user is a member of B and C).

Any suggestions are welcome.
Re: [Samba] A question about Samba, authentication, groups, quotas, etc.
On Wed, Sep 22, 2010 at 11:44 PM, Grant grantlid...@gmail.com wrote:

Since you are already doing everything based on AD ... Have the windows folks make AD security groups for your groups b c d e And then filter the shares using smb.conf entries like

    valid users = @ad\groupB
    write list = @ad\groupB

To make it really convenient for you have the ad team make you an admin for a small area in AD where you set up and administer your groups using active directory users and computers on a windows box

It was the first thing I tried. Here are some reasons it will not work:

1. For some strange reason, not all the members of set B are capable of being added to these new groups (don't ask me, it's windows after all - I am not the AD admin).

2. The response of the admins is rather slow. If someone joins or leaves B, I want to be able to respond faster than the weeks lead time we currently have.

So, I guess I am asking if there is something like a samba user whitelist (that I could use in conjunction with denying everyone access by default). Or something equivalent to this.
[Samba] A question about Samba, authentication, groups, quotas, etc.
Hello,

Server: Ubuntu Lucid server version

Role: Samba file server (I administer it)

Authentication: Against a Windows AD (I do not administer it) using winbind. No other authentication scheme is practicable/possible - I do NOT want to manage passwords locally on this machine.

LDAP: Not explicitly configured - local policies require a binary *.so file that does not work with Debian based systems (I don't set this policy).

Status: Authentication works and shares have been set up. People from Windows, Mac and Linux can successfully access their shares. The system is firewall and samba (hosts deny, hosts allow) secured to deny access from anyone outside of the network.

Excerpt from /etc/samba/smb.conf:

    security = ads
    realm = AD server name in capital case
    password server = AD server name
    workgroup = LOCALGROUP
    idmap uid = 500-100
    idmap gid = 500-100
    winbind separator = +
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    domain master = no

    [homes]
    comment = Home Directories
    browseable = no
    read only = no
    create mask = 0700
    directory mask = 0700
    valid users = %U
    invalid users = root bin daemon nobody named sys tty disk users

I want to make certain things happen with this, but being a slight Samba newbie (and generally impatient of anything windows related) I do not know the best way forward (or if what I want is even possible).

The situation: Consider sets of people

A = a colossal set of about 1 people, each of which can authenticate against the AD referenced above.

B = a set of about 30 people - a subset of A (every member of B is a member of A)

C, D, E = smaller sets of about 4-5 people each. The intersection of C, D, E is non-zero. The union of C, D and E is a subset of B.

Wish I could draw a Venn diagram. All these sets have a fluid membership (people come and go). But the set relationships above, and the rough numbers above remain more or less constant.

I want:

1. No member of A that is not a member of B to ever be able to access any shares on the server.

2. No member of B to be able to access the home directories (under /home/LOCALGROUP/) that are not his / her own or one of C, D, or E (read on) if he / she is also a member of C, D or E.

3. Members of C, D and E should be able to access /home/LOCALGROUP/C (or D or E) but no one else should be able to.

4. Impose quotas on all members of B (have maximum upper sizes for /home/LOCALGROUP/member of B) and have fixed sizes for C, D and E.

If this were a simple Unix setup, I would define group memberships (and impose quota on /home). But this is a little bit different (and the users are not even listed in /etc/passwd), and I am a bit new to Samba.

Any suggestions ?

Thanks.
Re: [Samba] A question about Samba, authentication, groups, quotas, etc.
I understand neither the language nor the intent of this message. How could the initial message possibly be spam ? Was it the use of the capital case for the workgroup ?

2010/9/22 postmas...@avi-drome.nl

Message rejected: message contains bad words. Message is marked as spam.

The information in this e-mail (and any attachments) is intended solely for the addressee(s); use by others is not permitted. The information may be confidential in nature and subject to a duty of confidentiality. If this e-mail is not intended for you, you are requested to notify the sender and destroy this e-mail. The sender and/or its employer cannot guarantee the security and reliability of e-mail communication and accepts no liability for damage resulting from the use of e-mail. Our services and other activities are performed on the basis of a contract for services, to which our general terms and conditions apply.

Please consider the environment before printing this e-mail
[Samba] Samba over ssh ?
Hi I need to make my samba server available over the internet to a mobile user base. I was wondering if samba could be run over ssh (at both client and server ends). I am not comfortable about opening ports 139 and 445. Thanks. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba over ssh ?
On Thursday 31 March 2005 16:29, Andrew Bartlett wrote:

On Thu, 2005-03-31 at 12:37 -0500, Madhusudan Singh wrote:

Hi

I need to make my samba server available over the internet to a mobile user base. I was wondering if samba could be run over ssh (at both client and server ends). I am not comfortable about opening ports 139 and 445.

The standard answer is to use a VPN.

Andrew Bartlett

Thanks. Would CIPE be an appropriate solution ? I am beginning to read up on it. Does it work the following way :

    Linux Server : Samba (139,445) -- 22 Internet 22 -- Windows ?

(numbers are port numbers)
Re: [Samba] Samba over ssh ?
On Thursday 31 March 2005 23:34, Craig White wrote:

On Thu, 2005-03-31 at 23:25 -0500, Madhusudan Singh wrote:

On Thursday 31 March 2005 16:29, Andrew Bartlett wrote:

On Thu, 2005-03-31 at 12:37 -0500, Madhusudan Singh wrote:

Hi

I need to make my samba server available over the internet to a mobile user base. I was wondering if samba could be run over ssh (at both client and server ends). I am not comfortable about opening ports 139 and 445.

The standard answer is to use a VPN.

Andrew Bartlett

Thanks. Would CIPE be an appropriate solution ? I am beginning to read up on it. Does it work the following way :

    Linux Server : Samba (139,445) -- 22 Internet 22 -- Windows

been a while since I used Cipe - I don't recall which ports it used but it surely wasn't the ssh port (22). would recommend against starting with it since you won't find it to be supported by many 2.6 distro's without a bunch of extra work.

Suggest that you use openvpn openvpn.sourceforge.net

Craig

Thanks for your suggestion. I have installed openvpn and the lzo library on which it depends.

One nagging question that I still have is : Does using openvpn (or any VPN solution in general) obviate the need to open these vulnerable ports ? The little documentation that I have read so far talk a lot about encryption. While that is important, I also need to think about the ports (strangely, the firewall does not open any of those ports but nmap -P0 run on the machine reveals that these ports are open :

    139/tcp open netbios-ssn
    445/tcp open microsoft-ds

)

Anyways, another concern I have is that while I have the samba server up and running and all my users are happy with it, how much disruption and user effort can I expect when I implement openvpn ? Like typical windows users, they value ease of use over security. Don't take me wrong, I will definitely implement this if it contributes towards security, but I need to know this to be able to tell my users what to expect.
[Samba] A few questions regarding samba from a samba and windows newbie (almost)
Hi

I am trying to implement a simple Samba server on a Slackware 10.1 machine running for a bunch of Windows users that also have unix accounts on the machine. Using webmin, I did convert the unix users to samba users (smbpasswd is located in /etc/samba/private).

A possible problem is that I have very little experience using windows (haven't used any windows version regularly since windows 95, or at all since windows 2000), so please be patient with me. The client machines all run Windows XP Professional. I do not have a machine running any version of windows but can request any one of my users to test out the setup.

I want the users to have read and write permissions only in /home/username. They are currently using sftp to transfer their files back and forth, but having the same appear as a network mounted drive would make things a little easier for them. How does one accomplish this ?

Following a suggestion by someone on this list, I changed the workgroup name so the o/p of smbclient -L localhost -U% :

    Domain=[OMEGA] OS=[Unix] Server=[Samba 3.0.10]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server on Molectron)
        ADMIN$          IPC       IPC Service (Samba Server on Molectron)
    Domain=[OMEGA] OS=[Unix] Server=[Samba 3.0.10]

        Server               Comment
        ---------            -------
        MOLECTRON            Samba Server on Molectron

        Workgroup            Master
        ---------            -------
        OMEGA

My /etc/samba/smb.conf read as :

    [global]
    dns proxy = no
    log file = /var/log/samba.%m
    load printers = no
    server string = Samba Server on Molectron
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = no
    workgroup = OMEGA
    encrypt passwords = yes
    smb passwd file = /etc/samba/private/smbpasswd
    unix password sync = Yes
    passwd program = /usr/bin/passwd %u
    os level = 255
    domain master = no
    security = user
    preferred master = yes
    max log size = 50
    password server = None
    winbind use default domain = no
    bind interfaces only = yes
    template shell = /bin/false

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes

Is the above configuration suitable for the setup I have described earlier ? (The part about home directories is still not done as I indicated above).

There are no printers, so I did not define a [printers] section. In general, do any of samba controlled printers have to be physically connected to the machine ? In our setup, the server and the printers I might want to add are located quite a distance apart from each other (a few hundred feet). The printers are setup on the web using a gotdns.com type of scheme (I did not set them up). Can I add those somehow as windows printers through samba ? (Just makes things a little tighter than having to set things up over the Internet through http).

In my firewall, I have opened the following ports :

    SAMBAPORT1=137
    SAMBAPORT2=138
    SAMBAPORT3=139
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport $SAMBAPORTx -j allowed

I am not comfortable with opening any more ports than are strictly necessary. Ease of use is nice, but not at the cost of security. Can't I just tunnel samba over the ssh port (22) ?

Thanks.
[Samba] Need some help setting up a Samba server
Hi

I am trying to implement a simple Samba server on a Slackware 10.1 machine running for a bunch of Windows users that also have unix accounts on the machine. Using webmin, I did convert the unix users to samba users.

A possible problem is that I have very little experience using windows, so please be patient with me.

I want them to have read and write permissions only in /home/username. How does one accomplish this ?

O/p of smbclient -L localhost -U% :

    Domain=[MOLECTRON] OS=[Unix] Server=[Samba 3.0.10]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server on Molectron)
        ADMIN$          IPC       IPC Service (Samba Server on Molectron)
    Domain=[MOLECTRON] OS=[Unix] Server=[Samba 3.0.10]

        Server               Comment
        ---------            -------
        MOLECTRON            Samba Server on Molectron

        Workgroup            Master
        ---------            -------
        MOLECTRON

Thanks.