[Samba] Bare Minimum configuration needed for a single-user read-only share?
Marc Haber
mh+samba at zugschlus.de
Mon Aug 3 05:55:32 MDT 2009
Hello,
I currently have an "interesting" task to accomplish: An IT
environment with about 90 % Windows and 10 % Linux machines would like
to unify backup. Currently, the Windows world backs itself up to tape
using Backup Exec; the Linux world has Amanda backing up to a big disk
RAID.
This RAID is acting up and is scheduled to disappear. The current plan
is to back up the Linux world with Amanda to a Samba share which is
then backed up to tape by the Backup Exec installation running in the
Windows world.
The Linux systems are in a different network, and the firewall people
would like to keep the ports being open between the two networks to
the bare minimum. I don't want to see NETBIOS Broadcasts inside the
Linux world, I don't want to see this server in any network
neighborhood, and the system acting as the Samba server for the backup
should have as few open ports as possible. Of course, the share should
be read only and as secure as possible.
The following configuration for Samba 3.4.0 from Debian unstable seems
to do what is intended (and only needs port tcp/445):
[global]
workgroup = linuxworld
server string = %h server
dns proxy = no
name resolve order = lmhosts host wins bcast
interfaces = 192.168.8.26
bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = no
pam password change = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
access based share enum = yes
allow trusted domains = no
disable netbios = yes
load printers = no
local master = no
lock directory = /var/run/samba/locks
pid directory = /var/run/samba
max smbd processes = 10
min protocol = NT1
name resolve order = host
preferred master = no
server schannel = yes
smb ports = 445
#======================= Share Definitions =======================
[amanda]
comment = amanda backup
writeable = no
read only = yes
locking = no
path = /mnt/backup/srv/amanda
public = no
guest ok = no
browseable = no
hosts allow = 192.168.8.23
max connections = 5
valid users = amanda
Is this "secure enough" or is there potential for improvement? Which
files do I need to copy to /mnt/backup/srv/amanda to run the smbd
chrooted? Does it make sense to chroot the smbd in this environment?
Is this configuration going to work with Samba 3.0 (Debian etch)
and/or Samba 3.2 (Debian lenny) as well?
Any hints will be appreciated.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
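
Added example, not part of the original post: a small Python lint that checks an smb.conf like the one posted against the goals stated in the message (tcp/445 only, no NetBIOS, bound interface, read-only non-guest hidden share restricted by host and user) and reports parameters assigned more than once with different values. The function name `audit`, the policy tables and the trimmed sample are assumptions made for this illustration.

```python
import re

# Synonyms per smb.conf(5): alias -> (canonical name, boolean sense inverted)
ALIASES = {"writeable": ("read only", True), "writable": ("read only", True),
           "public": ("guest ok", False), "browsable": ("browseable", False)}
BOOL = {"yes": True, "true": True, "no": False, "false": False}
# Assumed policy, derived from the goals stated in the post; values must be explicit.
GLOBAL_WANT = {"smb ports": "445", "disable netbios": True, "bind interfaces only": True}
SHARE_WANT = {"read only": True, "guest ok": False, "browseable": False}
SHARE_NEEDS = ("hosts allow", "valid users")
# Constructed sample: security-relevant lines trimmed from the posted smb.conf.
SAMPLE = """[global]
name resolve order = lmhosts host wins bcast
bind interfaces only = yes
disable netbios = yes
name resolve order = host
smb ports = 445
[amanda]
writeable = no
read only = yes
guest ok = no
browseable = no
hosts allow = 192.168.8.23
valid users = amanda
"""

def audit(text):
    """Return findings: conflicting re-assignments, then unmet policy values."""
    conf, findings, sec = {"global": {}}, [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            name = m.group(1).strip().lower()
            sec = conf.setdefault(name, {})
        elif sec is not None and "=" in line and line[0] not in "#;":
            key, val = (p.strip() for p in line.split("=", 1))
            key = " ".join(key.lower().split())  # normalise case and repeated spaces
            key, inverted = ALIASES.get(key, (key, False))
            val = BOOL.get(val.lower(), val)
            val = (not val) if inverted and isinstance(val, bool) else val
            if sec.get(key, val) != val:  # assumed: the later assignment takes effect
                findings.append(f"[{name}] {key}: {sec[key]!r} overridden by {val!r}")
            sec[key] = val
    for name, sec in conf.items():
        want, needs = (GLOBAL_WANT, ()) if name == "global" else (SHARE_WANT, SHARE_NEEDS)
        findings += [f"[{name}] {k} is {sec.get(k)!r}, want {v!r}"
                     for k, v in want.items() if sec.get(k) != v]
        findings += [f"[{name}] {k} is not set" for k in needs if not sec.get(k)]
    return findings
```

On the sample, the only finding is the second `name resolve order` line overriding the first; `writeable = no` and `read only = yes` are treated as the same setting and do not conflict.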