Hashing out Samba


I just recently wrestled with my little smb setup here to tighten the grip on who might be accessing my share. My intention is simply to share my own smb share, which I have running in VMware, with my XP host. My XP host is logged into a domain server, not the local machine. The Linux I have installed in VMware is FC5 running from a USB drive and using the NAT networking setting. My company has restricted DHCP to only those machines authenticated by the domain server. I originally used the KDE Control Center to set up my smb homes share. However, I felt a bit uncomfortable with the possibility of people with remote desktop access being able to drop into my share. So I created a new share with access to only part of my /home space. I had great difficulty with the KDE Control Center giving access to this new share. For some reason I was simply not able to authenticate into it.

So I prefer/suggest using SWAT to configure SAMBA. Starting with a clean slate, I removed the homes share and printers. Prior to all this I added my user via the terminal console: 'smbpasswd -a warren'. This is very similar to adding a new system user. Also, I used the same user as my existing system user; not sure why, but it doesn't like non-system users being added, go figure.

The settings that differ from the defaults of the stock FC5 samba RPM I am using are shown in my smb.conf file below:

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2007/03/02 13:56:48

[global]
        workgroup = WD
        netbios name = USB
        server string =
        username map = /etc/samba/smbusers
        log level = 1
        server signing = auto
        preferred master = No
        domain master = No
        ldap ssl = no

[USB2]
        path = /home/warren/software/Xfer
        read only = No

Also, I am not using the same workgroup as my Windows XP Pro domain host is using. In XP, I browse Network Neighborhood, and in my WD workgroup I find the USB share; browsing to it pops up the authentication window. I choose not to save the password. I also don't map to this share. What I do is create a shortcut to the \\WD\USB\usb2 share and have it on my Desktop or quick links toolbar. In the morning I click it, it asks for authentication, and I am set for the day. No worries about IP address or XP Home or XP Pro, here at work or at home; it all just works.

Comment by Scott Dowdle

Warren,

Another thing you might consider doing... is... if you don't access your Samba share for a while, stop the smb service... and when you want to use it, start it up manually.

I don't know if that is good advice for you because I don't know how many times during the course of a day you access it... but if there are days you rarely access it, manually turning it on and off sounds like a good measure.

--
TYL, Scott Dowdle


Comment by Worzie: Often

I use it primarily as a means of dealing with email attachments. I enjoy using my Linux box for personal and work email, so it is my go-between. Yeah, it's overkill and downright gnarly, but hey, I do this because I choose to use Linux as much as possible, even at work.

So this share is just work files, so there is no problem if people at work fall into it. It goes with the choice in how secure I chose to make it as well. Much better than when I was sharing homes.


Comment by fj40dan

Some thoughts, I might add: (some of it may already be there)

unix password sync = yes
# allows only your user
valid users = warren
hosts allow = work.ip.add.ress home.ip.add.ress/subnet
# keeps you from winning elections
os level = 5
name resolve order = lmhosts host

You would have to make an lmhosts file, though; this should keep samba from trying to get the browse list from network elections/broadcasts. Samba uses lmhosts files just like Windows.

I would probably remove:

ldap ssl = no

You shouldn't need an ldap server to go from the USB drive to the host machine, as you have a username map. I say that without ever using Fedora. I know that Red Hat comes with its own directory server; I'm sure it is just a jazzed-up OpenLDAP.

I have another idea that might work slick: does your work's domain controller map a home folder/profile directories? Are you allowed to make shares on your machine? If you don't want your usb/smb to get noticed, I might have a better way.

dan

btw: I would like to do a presentation on joining Linux (Ubuntu) to an Active Directory domain.


Comment by Worzie: Thanks for the insight

One thing I intentionally pointed out is that my smb.conf is merely the difference from the defaults supplied by the Fedora RPM. However, the ldap ssl line shouldn't be there; no is the default, so I'm not sure why SWAT put that in. Possibly it was set, and as I was hitting all the default buttons it toggled it.

You make good points as did others in another email list about setting allowed users and hosts. I am using these interesting defaults here:

security = USER
username map = /etc/samba/smbusers
create mask = 0744
force create mode = 00
security mask = 0777
force security mode = 00
directory mask = 0755
force directory mode = 00
directory security mask = 0777
fstype = NTFS
domain logons = No
lm announce = Auto
lm interval = 60
preferred master = No
local master = Yes
domain master = No
browse list = Yes
enhanced browsing = Yes
force directory security mode = 00

I don't use the unix password sync option, mainly because it is just me. If I had users to deal with, sure. I wouldn't want to keep changing both user and smbusers... but hey, it's job security if you are the SA.

Dan, would you like to submit your timeslot on the calendar?
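The points raised in this thread (Dan's valid users / hosts allow / os level suggestions, the removed [homes] share, and the create mask and force create mode defaults Worzie listed) can be turned into a small checklist that is run against an smb.conf before the service is started. The script below is an added example written for this page; it is not code from the thread or from the Samba project. The sample config is the one posted above with the [homes] share put back so the checks have something to report; the Samba defaults assumed when a parameter is absent (os level 20, local master yes, create mask 0744) should be verified against smb.conf(5) for the version in use.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the smb.conf posted above, with the [homes] share
# the author removed put back so the audit has something to flag.
SAMPLE_SMB_CONF = """\
# Samba config file created using SWAT
[global]
        workgroup = WD
        netbios name = USB
        username map = /etc/samba/smbusers
        create mask = 0744
        force create mode = 00
        directory mask = 0755
        force directory mode = 00

[homes]
        read only = No

[USB2]
        path = /home/warren/software/Xfer
        read only = No
        valid users = warren
"""

Finding = Tuple[str, str]  # (check name, section it applies to)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: '[section]' headers and 'key = value' lines.

    Samba ignores case and internal whitespace in parameter names, so keys
    are normalised to lowercase, single-spaced form. Lines beginning with
    '#' or ';' are comments. smb.conf has no inline comments, so text after
    a value (e.g. '## allows only your user') becomes part of the value;
    the parser keeps that behaviour rather than hiding it.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def effective_mode(requested: int, mask: int, force: int) -> int:
    """Samba ANDs the requested mode with the mask, then ORs in the forced
    bits; the same rule governs files (create mask / force create mode) and
    directories (directory mask / force directory mode)."""
    return (requested & mask) | force


def audit(text: str) -> List[Finding]:
    """Apply the thread's checklist to a parsed smb.conf."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings: List[Finding] = []

    # Dan's point: without 'hosts allow', any host that reaches the port may try to log in.
    if "hosts allow" not in glob:
        findings.append(("no-hosts-allow", "global"))

    # Assumed defaults when absent: os level 20, local master yes (check smb.conf(5)).
    if glob.get("local master", "yes").lower() != "no" and int(glob.get("os level", "20")) > 5:
        findings.append(("browser-elections", "global"))

    # [homes] exports every account's home directory; the post replaced it with a narrow share.
    if "homes" in conf:
        findings.append(("homes-share", "homes"))

    # Every share should name its allowed accounts, either itself or via [global].
    for name, share in conf.items():
        if name in ("global", "printers"):
            continue
        if "valid users" not in share and "valid users" not in glob:
            findings.append(("no-valid-users", name))
    return findings


def file_mode_ceiling(text: str) -> str:
    """Most permissive mode a newly created file can receive on this server."""
    glob = parse_smb_conf(text).get("global", {})
    mask = int(glob.get("create mask", "0744"), 8)
    force = int(glob.get("force create mode", "0"), 8)
    return oct(effective_mode(0o777, mask, force))


if __name__ == "__main__":
    for check, section in audit(SAMPLE_SMB_CONF):
        print(f"{section}: {check}")
    print("file mode ceiling:", file_mode_ceiling(SAMPLE_SMB_CONF))
```

Run it with `python3 audit_smb.py` after pointing `SAMPLE_SMB_CONF` at the real file; the ceiling of 0744 shows why files dropped on the share stay world-readable on the Linux side, which is acceptable for the work-only share described above but worth knowing before sharing anything else.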

