[Samba] How to tunnel Samba via ssh from Windows XP without having to disable local NetBIOS

mjsb at sdf.lonestar.org
Tue May 4 14:29:45 GMT 2004


The most recent discussions I could find on the internet about how to
tunnel Samba over ssh were on this list
(http://lists.samba.org/archive/samba/2004-February/), but no complete
answers were given.

Here is a near complete answer, which works, pulled together from various
sources on the web (which are referenced). Remaining questions are at the
end. It is kind of PuTTY-centric, but as far as I know it should work with
any ssh client.

If you use PuTTY to tunnel local port '139' to remote port
'servername:139', you will not immediately be able to use the remote
machine's Samba services. Why not? Because local port 139 is already bound
by the NetBIOS services on your local machine. One way to fix this is to
do the above tunnel, then do 'net stop server' from the command prompt on
your local machine
(http://www.derkeiler.com/Newsgroups/comp.security.ssh/2003-09/0242.html).
You will no longer be able to map any drives etc. on your local machine,
but you will be able to map drives on the remote machine, e.g. using:

net use h: \\127.0.0.1\username /user:username /persistent:no

Is there a way to keep the local NetBIOS services running, and still be
able to map drives on the remote machine? Yes.

Install a Microsoft Loopback Adapter
(http://research.lumeta.com/ches/cheap/tunnelsolution.html ;
http://lists.isb.sdnpk.org/pipermail/comp-list/2003-February/001853.html).
You can install as many of these adapters as you like (e.g. for multiple
Samba connections to different machines). You can rename the network
connection on this adapter from "Local Area Connection n" to something
more sensible like "Microsoft Loopback Adapter n" in "Control Panel /
Network Connections". You can uninstall these adapters via "My Computer /
Properties / Hardware / Device Manager".

In the properties pages for the new loopback adapter, disable (don't
uninstall) "Client for Microsoft Networks", "File and Printer Sharing for
Microsoft Networks" and anything else except "Internet Protocol (TCP/IP)".
In the properties dialog for "Internet Protocol (TCP/IP)" for the adapter,
check "Use the following IP address:" and then give the adapter a fixed IP
address (not in the 127.*.*.* range; it will not accept it).
http://research.lumeta.com/ches/cheap/tunnelsolution.html
suggests using 222.222.222.222, which works and is unused.

You can now tunnel local port '222.222.222.222:139' to remote port
'servername:139' (PuTTY accepts this, even though the size of the dialog
box for the local port looks like it might not), and you can immediately
map remote Samba drives, e.g. using:

net use h: \\222.222.222.222\username /user:username /persistent:no

But Samba printers still won't work at this point – you have to take
another step. Edit (or create) C:\WINDOWS\system32\drivers\etc\lmhosts and
add the following line:

222.222.222.222 samba

If you want to use more than one Samba service, you have to give each one
a different IP address and a different 'lmhosts' name. Now you can map
drives using:

net use h: \\samba\username /user:username /persistent:no

and you can also successfully install printer drivers for remote Samba
printers. Go to "Printers and Faxes / Add a printer / Network printer /
Connect to named printer" and enter the printer name as
\\samba\printername (anything else you need to know at this point, like
which printer driver to use, depends on your local setup; note that
\\222.222.222.222\printername does not work here, which is why the lmhosts
name is needed).

If you use this set-up a lot, you may also want to know the right way to
set up PuTTY to authenticate with an SHA key. It is given here
http://codeworks.gnomedia.com/westhost/ssh.php , but, as recommended in
the PuTTY docs, do not omit a pass phrase on your private key file. Once
everything is set up, you can load the PuTTY private key into 'Pageant'
(the PuTTY key manager) just once by double clicking on it. From then on,
while Pageant is running, you can get PuTTY to connect with no further
user interaction (e.g. 'putty -load "Saved session name"') as long as you
have set up an 'Auto-login username' in the saved session.

------------------------------------------

Remaining questions:

1. Why do I have to install a loopback adapter, rather than just
forwarding a port like 127.0.0.5:79 (which works fine for the much simpler
'finger' service)?

2. Why do I have to provide an 'lmhosts' entry for printers to work, but
not for mapped drives?

3. On many networks the above works exactly as advertised, BUT... it does
not work on all the networks I have tried. On some networks I can
establish a perfectly good SSH connection; my PuTTY event log says that
port 139 is forwarded correctly; 'telnet samba 139' clears the screen,
which is a good sign that the connection is working; but all the same the
'net use ...' command gives "System error 53 has occurred.\n\nThe network
path was not found.\n". How can a network allow the SSH connection but
stop the tunnelled Samba port from working?

4. After entering the lmhosts name, do not change the PuTTY setup to map
'samba:139' to 'servername:139' (instead of '222.222.222.222:139' to
'servername:139'); it does not work. Why not?

5. I have not checked whether 222.222.222.222 really is a sensible TCP/IP
port to use. Is it?

Any answers to any of the above (especially any idea about what's going on
when this set-up doesn't work) gratefully appreciated.
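
The constraints in the message above (one non-127 address and one lmhosts name per tunnelled server, and no existing listener on port 139 at the chosen address) can be checked before the tunnel is started. This is an added example in Python, not part of the original message; the function names and both sample inputs are constructed for illustration, and the last check also reports when a chosen address lies in publicly routable space.

```python
import ipaddress

# Constructed `netstat -an` excerpt (not captured from a real machine).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING
"""
# Constructed lmhosts content in the post's "address name" layout.
SAMPLE_LMHOSTS = """\
# one entry per tunnelled Samba server
222.222.222.222 samba
222.222.222.223 samba2
"""

def listeners(netstat_text, port=139):
    """Local IPs that already have a TCP listener on `port`."""
    found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            ip, _, p = f[1].rpartition(":")
            if p == str(port):
                found.add(ip)
    return found

def parse_lmhosts(text):
    """[(ip, name)] pairs; text after '#' is dropped as a comment or keyword."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [(r[0], r[1].lower()) for r in rows if len(r) >= 2]

def check_plan(lmhosts_text, netstat_text, port=139):
    """Findings for each planned tunnel listen address, in file order."""
    findings, seen_ip, seen_name = [], set(), set()
    busy = listeners(netstat_text, port)
    for ip, name in parse_lmhosts(lmhosts_text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback:
            findings.append(f"{name}: {ip} is in 127.*.*.*, the adapter rejects it")
        if ip in seen_ip or name in seen_name:
            findings.append(f"{name}: address or name reused ({ip})")
        if ip in busy or "0.0.0.0" in busy:
            findings.append(f"{name}: {ip}:{port} already has a listener")
        if addr.is_global:
            findings.append(f"{name}: {ip} is publicly routable address space")
        seen_ip.add(ip)
        seen_name.add(name)
    return findings
```

Feed it the real output of 'netstat -an' and the contents of the lmhosts file; an empty result means none of the four checks fired.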


