Newbie questions

Fri Jun 18 14:52:44 GMT 2004

On 18th.June.2004, Randy Wagner asked :

> My users are in a VMS environment and currently FTP files 
> as needed.  I'm a Configuration Manager who has never worked 
> in VMS.  I've seen SAMBA used in the past between Windows 
> and Linux machines.  Users simply mapped a drive to their 
> Linux box directly in the Windows file system.  I have 
> several questions here if anyone would be kind enough to 
> indulge me.
> 
> 1. Does SAMBA need to be installed on the Windows machine, 
>    the VMS machine, or both? 
> 2. How complex a task is it to do this installation? 
> 3. Is it a security nightmare? 

My 2p :

1)  Samba only needs to be installed on the VMS machine - that's the beauty
of it, compared to NFS, as no additional client software is needed on the
Windows workstations ... the client is built-in ... duh :-)

2)  I'm not a VMS sysadmin (I only lurk on this list), but on a Un*x it's
pretty easy to install and setup.  If you use a precompiled binary package,
then pretty much all you need to do is create a "smb.conf" file, defining
your shared filestore and the main operating characteristics (what the VMS
NetBIOS name should be, which "workgroup" or "domain" it should try to join,
etc.).  Samba comes with a huge (IMHO) example smb.conf file, but _my_
standard operating smb.conf is only about 30 lines long.

There are some VMS hoops you must jump through to achieve (a) auto starting
of Samba on every VMS boot, and (b) reliable efficient transfers of large
files (IIRC) ... but others can advise you about that much better than I
can.

3)  As for security, the main thing you'll want to achieve is password
*encryption*.  Samba can allow password exchange to occur either in
plain-text, or encrypted.  The best advice in most real-world environments
is to go for encrypted, in which case security is much better than with FTP
(plain-text passwords).  If you configure your VMS to be part of a Windows
domain, then passwords will be encrypted as standard, and password exchange
will use regular Windows NTLM authentication protocol, which is pretty
secure (well ... so long as your Windows m/c's don't allow protocol
negotiation down to Lan Manager password hash exchange ...).

Aside from password exchange, there *is* a slight security downside in
having to have the SMB ports open on any routers and firewalls involved, and
it is always of course (remotely) possible that a programming bug in Samba
could allow an attacker to send malicious traffic to one or other of the SMB
ports which causes malicious code to execute on your Samba with the
privileges of the Samba process (whatever that is).  But Samba is pretty
well written, and those bugs don't crop up often, and when they do, the
executable code the Bad Guys devise is (almost ?) never VMS executable code
...

But enough rambling from me - anyone else want to take over / disagree ?

Regards
Nick Boyce
EDS, Bristol, UK