Where did I go wrong with this Samba configuration?

Chris Watt cnww at chebucto.ns.ca
Sun Jul 9 12:28:02 GMT 2000


At 14:45 09/07/00 +1000, George Adams wrote:

>Well, I have one last idea: Could IPCHAINS, in the process of handling the IP
>masquerading, somehow be preventing the NetBIOS connections from being made?
>How can I find out?

It can, but it's highly unlikely. This would happen if your IPCHAINS config
blocks or redirects traffic on port 138 or 139 of your internal NIC.

>Windows configuration:
>  - Protocols installed: TCP/IP and NetBEUI

I'm guessing that you haven't read that part of the Samba HOWTO (or was it
the FAQ?) which tells you that a Windows box with NetBEUI installed will
not work properly using SMB over TCP/IP? Start by removing NetBEUI and
IPX (if it's installed) and any other protocols that aren't TCP/IP from
your Windows boxes. Also make sure the "I want to enable NetBIOS over
TCP/IP" checkbox in the NetBIOS tab of your TCP/IP properties is either
checked or greyed out. Under Bindings make sure that "Client for Microsoft
Networks" is checked, and also file sharing if you want things to go the
other way.

>  - TCP/IP settings:
>    - IP Addresses: Static (192.168.1.2 - 192.168.1.4)
>    - Gateway: 192.168.1.1
>    - WINS Server: 192.168.1.1
>    - DNS: (set to my ISP's DNS servers)
>    - Bindings: Client for MS Networks, and File/Print Sharing

If you have more than one client machine (I think you said you had five?)
you _REALLY_SHOULD_ install and learn how to use the DHCP and DNS server
daemons on the Linux box.
It is very easy to get one number out of place when you're setting a dozen
or more variables on the client side. Running these daemons permits your
client machines to automatically get just about all of their
network-related settings; you only have to worry about setting up a couple of
config files on the server side. Also, once that's done, you can bring in a
new system, and network setup then consists of installing TCP/IP and
plugging it in (i.e. you no longer need to set the various options under
TCP/IP properties and you do not need a hosts or lmhosts file). I'm willing
to give you some pointers/examples on how to set up DHCP and DNS if you want.

>  - EnablePlainTextPassword registry setting:
>    tried with it and without it - no difference.

That's understandable; if it were an authentication problem the DOS NetBIOS
client would have told you that your password was wrong.

>
>/etc/smb.conf
>-------------
>[global]
>        workgroup = MYGROUP
>        server string = Samba Server
>        interfaces = eth1 127.0.0.1/24
>        security = SHARE
>        log file = /var/log/samba/log.%m
>        max log size = 50
>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>        os level = 65
>        preferred master = Yes
>        domain master = Yes
>        dns proxy = No
>        wins support = Yes
>        guest account = smbuser
>        hosts allow = 192.168.1. 127. 

This is mostly ok, but unless you're using IPCHAINS to block ports 138 and
139 on your external (ADSL) interface you may have left your machine open
to abuse here. You should add the line "bind interfaces only = True" to
your global section to prevent Samba from listening to requests from
outside your LAN (the "hosts allow" line will normally prevent Samba from
actually allowing read/write access from outside your LAN, but someone
could use IP spoofing to get around that).
--

Q:      What's tiny and yellow and very, very, dangerous?
A:      A canary with the super-user password.
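
An added example, not part of the message above and not Samba's own code: a small checker that reads the [global] section of an smb.conf and reports the listening-scope gap the reply describes ("interfaces" and "hosts allow" set, "bind interfaces only" missing). The function names and the trimmed sample config are assumptions made for illustration.

```python
# Boolean spellings documented in smb.conf(5).
TRUE = {"yes", "true", "1"}

# Constructed sample: the relevant [global] lines from the config quoted above.
POSTED = """[global]
        interfaces = eth1 127.0.0.1/24
        security = SHARE
        hosts allow = 192.168.1. 127.
"""

def parse_global(text):
    """Return [global] parameters; names lower-cased with whitespace removed,
    since Samba ignores case and spaces in parameter names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.lower().split())] = value.strip()
    return params

def audit(text):
    """List findings about which interfaces smbd will accept connections on."""
    g = parse_global(text)
    findings = []
    if g.get("bindinterfacesonly", "no").lower() not in TRUE:
        scope = g.get("interfaces", "(not set)")
        findings.append(f"'bind interfaces only' is off: 'interfaces = {scope}' "
                        "does not stop Samba listening on other interfaces")
        if "hostsallow" in g:
            findings.append("'hosts allow' is the only filter on outside "
                            "requests, and it trusts the source address")
    return findings

if __name__ == "__main__":
    for finding in audit(POSTED):
        print("WARN:", finding)
    fixed = POSTED + "        bind interfaces only = True\n"
    print("after fix:", audit(fixed) or "no findings")
```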


