Just a quick Q

Stephen Langasek vorlon at netexpress.net
Thu Jul 16 01:08:48 GMT 1998


On Tue, 14 Jul 1998 11:00:12 -0500, James OGorman <jameso at shf.org> wrote:

> I am getting ready to set up a RedHat 5.1 Box to be located at a remote
> site hooked up by modem. It is going to be running IP Masq for about 3
> Win 95 machines. It will also be running as a Samba server for these
> machines, using server auth through the WinNT PDC at the main site. User
> files will be stored at the Samba server then copied onto tape at the
> main site at about 4 in the morning. I am planning on setting up Null
> IPs on the 3 95 boxes.

> Is there anything I should be aware of before going for it? I picked up
> the Samba book and am almost done with it (very well written I must
> add), and everything looks like it will work ok. I am just trying to
> cover my butt before I get too deep into this. Anyone have any problems
> when the clients are using IP masq to access the outside world through
> samba? I don't plan on the 95 boxes to log on to the NT domain to save on
> traffic unless I have to.

> Ideas? Am I barking up the wrong tree? Or am I heading down the right
> path? Thanks.

How well this will work for you depends on how much functionality you're
looking to get out of it.  You do lose some capabilities by using ip masq
instead of public IP, but all things considered it works pretty darn well
when you have no choice but to masquerade.  The big issue to look at is
that IP masq does not normally let you make incoming TCP/IP connections
through the masquerading firewall. For samba, this means no getting to
shares on those Win95 boxes from your central site, basically.

I've had some success with masqueraded machines being able to browse and
access machines on a remote subnet.  It was a little flaky, and a lot slow
on finding things, but it served my needs at the time so I never bothered
to refine it (or even determine to what extent it was possible to do so).
If that's all you need, masquerading ought to do fine.  If you also need
the machines outside the firewall to get at the SMB shares on the ones
inside the firewall, you're gonna need something more.  A couple of
options:
  * IP tunnelling and virtual LANs. If the primary network activity these
(currently masqed) boxes are going to be seeing is communicating with the
remote site, then network latency should not be a problem; if you have (or
can put) another Linux box (or other box capable of implementing the RFC)
at the remote site, the two machines should be able to route all traffic
quite nicely.
  * re-exporting smb shares. With smbmount under Linux, it should be
possible to mount all the relevant data on the masqing server that you
want the Win95 machines to share, then re-share it from smbd on that
machine.
  * ip masqing tricks. This probably involves much more work than
you're interested in investing here :), but assuming it's possible to
determine the /real/ destination of a packet by peeking inside and looking
at the samba-specific stuff (and I admit I don't know enough about the smb
protocol to know if this is indeed always possible), then theoretically,
newer Linux kernels could be taught to route (or bridge, depending) the
packets.  This is not a ready-made solution, however, and not something to
be attempted lightly. :)

Hope this helps...

                              -Steve Langasek
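
An added example, not part of the original post: a toy Python model of a masquerading gateway's connection table. It shows why replies to connections opened from inside are forwarded, why unsolicited inbound connections are not, and why shares re-exported by smbd on the gateway itself stay reachable. All addresses, ports and names are constructed for illustration.

```python
from dataclasses import dataclass, field

GATEWAY_IP = "203.0.113.1"   # constructed public address of the masquerading box

@dataclass
class MasqGateway:
    local_services: set = field(default_factory=set)  # ports served by the gateway itself
    table: dict = field(default_factory=dict)         # public port -> masqueraded flow
    next_port: int = 61000                            # arbitrary start for rewritten source ports

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a connection: rewrite the source, remember the flow."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (GATEWAY_IP, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving at the gateway's public address (the only one outsiders can reach)."""
        flow = self.table.get(dst_port)
        if flow and flow[2:] == (src_ip, src_port):
            return ("forward", flow[0], flow[1])    # reply belonging to a masqueraded flow
        if dst_port in self.local_services:
            return ("local", GATEWAY_IP, dst_port)  # handled by a daemon on the gateway
        return ("drop", None, None)                 # no table entry names an inside host

def demo():
    pdc, central = "198.51.100.5", "198.51.100.20"  # constructed main-site hosts
    gw = MasqGateway(local_services={139})          # smbd on the gateway (re-exported shares)
    # A Win95 client opens a NetBIOS session to the PDC through the gateway.
    _, pub_port, _, _ = gw.outbound("192.168.1.11", 1025, pdc, 139)
    return {
        "reply": gw.inbound(pdc, 139, pub_port),             # PDC answering the client
        "unsolicited": gw.inbound(central, 1030, pub_port),  # other host, same public port
        "to_smbd": gw.inbound(central, 1030, 139),           # main site reaches gateway smbd
        "no_smbd": MasqGateway().inbound(central, 1030, 139) # same, with nothing listening
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```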


