by Hi
I am trying to implement a simple Samba server on a Slackware 10.1 machine
running for a bunch of Windows users that also have unix accounts on the
machine. Using webmin, I did convert the unix users to samba users
(smbpasswd is located in /etc/samba/private). A possible problem is that I
have very little experience using windows (haven't used any windows version
regularly since windows 95, or at all since windows 2000), so please be
patient with me.
The client machines all run Windows XP Professional. I do not have a machine
running any version of windows but can request any one of my users to test
out the setup.
I want the users to have read and write permissions only
in /home/<username>. They are currently using sftp to transfer their files
back and forth, but having the same appear as a network mounted drive
would make things a little easier for them. How does one accomplish this ?
The o/p of smbclient -L localhost -U% :
Domain=[OMEGA] OS=[Unix] Server=[Samba 3.0.10]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server on Molectron)
ADMIN$ IPC IPC Service (Samba Server on Molectron)
Domain=[OMEGA] OS=[Unix] Server=[Samba 3.0.10]
Server Comment
--------- -------
MOLECTRON Samba Server on Molectron
Workgroup Master
--------- -------
OMEGA
My /etc/samba/smb.conf read as :
[global]
dns proxy = no
log file = /var/log/samba.%m
load printers = no
server string = Samba Server on Molectron
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
workgroup = OMEGA
encrypt passwords = yes
smb passwd file = /etc/samba/private/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
os level = 255
domain master = no
security = user
preferred master = yes
max log size = 50
password server = None
winbind use default domain = no
bind interfaces only = yes
template shell = /bin/false
[homes]
comment = Home Directories
browseable = no
writable = yes
Is the above configuration suitable for the setup I have described earlier ?
(The part about home directories is still not done as I indicated above).
There are no printers, so I did not define a [printers] section. In general,
do any of samba controlled printers have to be physically connected to the
machine ? In our setup, the server and the printers I might want to add are
located quite a distance apart from each other (a few hundred feet). The
printers are setup on the web using a gotdns.com type of scheme (I did not
set them up). Can I add those somehow as windows printers through samba ?
(Just makes things a little tighter than having to set things up over the
Internet through http).
In my firewall, I have opened the following ports :
SAMBAPORT1=137
SAMBAPORT2=138
SAMBAPORT3=139
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport $SAMBAPORTx -j allowed
I am not comfortable with opening any more ports than are strictly
necessary. Ease of use is nice, but not at the cost of security. Can't I
just tunnel samba over the ssh port (22) ?
Another security concern is that users may install some windows software
that helps them emulate rsync with the mapped network drive as the target.
I could care less about what they store in their own areas, but if they
store passwords (plain text or otherwise) on their windows client machines
so that the backups may run unattended, and given the "legendary security"
of windows *.*, the contents of their windows machines can be considered to
be compromised from day one. In that case, how do I restrict the amount of
damage that compromised users can cause to the server (put them into a low
privilege group that does not permit logins directly to the server via ssh,
etc. ) ? In the past, I have not had to deal with clients running windows,
so I felt a little more comfortable than I am right now.
Thanks.