[Samba] Bare Minimum configuration needed for a single-user read-only share?

Marc Haber mh+samba at zugschlus.de
Mon Aug 3 05:55:32 MDT 2009


Hello,

I currently have an "interesting" task to accomplish: An IT
environment with about 90 % Windows and 10 % Linux machines would like
to unify backup. Currently, the Windows world backs itself up to tape
using Backup Exec; the Linux world has Amanda backing up to a big disk
RAID.

This RAID is acting up and is scheduled to disappear. The current plan
is to back up the Linux world with Amanda to a Samba share which is
then backed up to tape by the Backup Exec installation running in the
Windows world.

The Linux systems are in a different network, and the firewall people
would like to keep the ports being open between the two networks to
the bare minimum. I don't want to see NETBIOS Broadcasts inside the
Linux world, I don't want to see this server in any network
neighborhood, and the system acting as the Samba server for the backup
should have as few open ports as possible. Of course, the share should
be read only and to be as secure as possible.

The following configuration for Samba 3.4.0 from Debian unstable seems
to do what is intended (and only needs port tcp/445):

[global]
   workgroup = linuxworld
   server string = %h server
   dns proxy = no
   name resolve order = lmhosts host wins bcast
   interfaces = 192.168.8.26
   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   encrypt passwords = true
   passdb backend = tdbsam

   obey pam restrictions = yes
   unix password sync = no
   pam password change = no
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   access based share enum = yes
   allow trusted domains = no
   disable netbios = yes
   load printers = no
   local master = no
   lock directory = /var/run/samba/locks
   pid directory = /var/run/samba
   max smbd processes = 10
   min protocol = NT1
   name resolve order = host
   preferred master = no
   server schannel = yes
   smb ports = 445

#======================= Share Definitions =======================

[amanda]
  comment = amanda backup
  writeable = no
  read only = yes
  locking = no
  path = /mnt/backup/srv/amanda
  public = no
  guest ok = no
  browseable = no
  hosts allow = 192.168.8.23
  max connections = 5
  valid users = amanda

Is this "secure enough" or is there potential for improvement? Which
files do I need to copy to /mnt/backup/srv/amanda to run the smbd
chrooted? Does it make sense to chroot the smbd in this environment?

Is this configuration going to work with Samba 3.0 (Debian etch)
and/or Samba 3.2 (Debian lenny) as well?

Any hints will be appreciated.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
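
An added example, not part of the original post and not Samba code: a small Python check of an smb.conf against the goals stated in the message (tcp/445 only, NetBIOS off, read-only share without guest access, restricted hosts and users). The parser is a simplified assumption about smb.conf syntax (no includes, no line continuations), and the names `SAMPLE`, `parse` and `audit` are hypothetical.

```python
import re

# Constructed sample: security-relevant lines taken from the configuration in the post.
SAMPLE = """[global]
   name resolve order = lmhosts host wins bcast
   disable netbios = yes
   name resolve order = host
   smb ports = 445
[amanda]
   writeable = no
   read only = yes
   public = no
   guest ok = no
   hosts allow = 192.168.8.23
   valid users = amanda
"""
# smbd treats these as synonyms: name -> (canonical name, value is inverted)
SYNONYMS = {"writeable": ("readonly", True), "writable": ("readonly", True),
            "public": ("guestok", False)}
YES = {"yes", "true", "1"}

def parse(text):
    """Return ({section: {param: value}}, [(section, param) assigned more than once])."""
    conf, dups, name = {"global": {}}, [], "global"  # assumption: pre-header lines are global
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            conf.setdefault(name, {})
            continue
        key, _, val = line.partition("=")
        key, val = re.sub(r"\s+", "", key).lower(), val.strip().lower()
        canon, inverted = SYNONYMS.get(key, (key, False))
        val = ("no" if val in YES else "yes") if inverted else val
        if canon in conf[name]:
            dups.append((name, canon))
        conf[name][canon] = val  # a later assignment overrides an earlier one
    return conf, dups

def audit(text, share):
    """List deviations from the goals stated in the post; names are shown normalized."""
    conf, dups = parse(text)
    g, s = conf.get("global", {}), conf.get(share, {})
    checks = [(g.get("smbports") == "445", "smb ports is not limited to 445"),
              (g.get("disablenetbios") in YES, "NetBIOS is not disabled"),
              (s.get("readonly", "yes") in YES, "share is writable"),
              (s.get("guestok", "no") not in YES, "share allows guest access"),
              ("hostsallow" in s and "validusers" in s, "share lacks hosts allow / valid users")]
    return [f"[{sec}] {k} set more than once" for sec, k in dups] + [m for ok, m in checks if not ok]
```

On these lines the only findings are the repeated parameters: the second `name resolve order = host` is the value in effect, and `writeable`/`read only` and `public`/`guest ok` are synonym pairs.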

