A few questions regarding samba from a samba and windows rookie

A few questions regarding samba from a samba and windows rookie

Post by Madhusudan Sing » Fri, 01 Apr 2005 02:54:13


I am trying to implement a simple Samba server on a Slackware 10.1 machine
running for a bunch of Windows users that also have unix accounts on the
machine. Using webmin, I did convert the unix users to samba users
(smbpasswd is located in /etc/samba/private). A  possible problem is that I
have very little experience using windows (haven't used any windows version
regularly since windows 95, or at all since windows 2000), so please be
patient with me.

The client machines all run Windows XP Professional. I do not have a machine
running any version of windows but can request any one of my users to test
out the setup.

I want the users to have read and write permissions only
in /home/<username>.  They are currently using sftp to transfer their files
back and forth, but  having the same appear as a network mounted drive
would make things a little easier for them. How does one accomplish this ?

The o/p of smbclient -L localhost -U% :

Domain=[OMEGA] OS=[Unix] Server=[Samba 3.0.10]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server on Molectron)
        ADMIN$          IPC       IPC Service (Samba Server on Molectron)
Domain=[OMEGA] OS=[Unix] Server=[Samba 3.0.10]

        Server               Comment
        ---------            -------
        MOLECTRON            Samba Server on Molectron

        Workgroup            Master
        ---------            -------

My /etc/samba/smb.conf read as :

        dns proxy = no
        log file = /var/log/samba.%m
        load printers = no
        server string = Samba Server on Molectron
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        local master = no
        workgroup = OMEGA
        encrypt passwords = yes
        smb passwd file = /etc/samba/private/smbpasswd
        unix password sync = Yes
        passwd program = /usr/bin/passwd %u
        os level = 255
        domain master = no
        security = user
        preferred master = yes
        max log size = 50
        password server = None
        winbind use default domain = no
        bind interfaces only = yes
        template shell = /bin/false

   comment = Home Directories
   browseable = no
   writable = yes

Is the above configuration suitable for the setup I have described earlier ?
(The part about home directories is still not done as I indicated above).

There are no printers, so I did not define a [printers] section. In general,
do any of samba controlled printers have to be physically connected to the
machine ? In our setup, the server and the printers I might want to add are
located quite a distance apart from each other (a few hundred feet). The
printers are setup on the web using a gotdns.com type of scheme (I did not
set them up). Can I add those somehow as windows printers through samba ?
(Just makes things a little tighter than having to set things up over the
Internet through http).

In my firewall, I have opened the following ports :

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport $SAMBAPORTx -j allowed

I am not comfortable with opening any more ports than are strictly
necessary.  Ease of use is nice, but not at the cost of security. Can't I
just tunnel samba over the ssh port (22) ?

Another security concern is that users may install some windows software
that helps them emulate rsync with the mapped network drive as the target.
I could care less about what they store in their own areas, but if they
store passwords (plain text or otherwise) on their windows client machines
so that the backups may run unattended, and given the "legendary security"
of windows *.*, the contents of their windows machines can be considered to
be compromised from day one. In that case, how do I restrict the amount of
damage that compromised users can cause  to the server (put them into a low
privilege group that does not permit logins directly to the server via ssh,
etc. ) ? In the past, I have not had to deal with clients running windows,
so I felt a little more comfortable than I am right now.