[Samba] msdfs proxy question

Daniel Müller mueller at tropenklinik.de
Mon Feb 4 02:07:37 MST 2013

So if you have done your OpenVPN config on a per-client basis, you can restrict in this config the things
users can do. E.g.: Client 1 can only see a specific host. Client 2 has full access to the file server and the net behind it. Group one is distributed with Client 1. Group two is distributed with Client 2.
The second part is with Samba. Only the IP range that is distributed with Client 2 can log on and work with files.
Then set the Samba groups according to your needs and you are up and running.

Example OpenVPN config with logon to a Samba 3 server:

# --- server side ---
local your.server.i.p
port 1194
proto udp
dev tun
# assumed: the posting omits the 'server' line, but without it (mode server)
# the push options below do nothing; the pool address is an example value
server 10.8.0.0 255.255.255.0
#your keys
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
# 1024-bit DH parameters are weak; generate at least 2048 bits for new setups
dh keys/dh1024.pem
#your clients config directory (one file per certificate common name)
client-config-dir ccd
push "dhcp-option DNS here.your.dns.server"
# openvpn hands out the WINS server, so NetBIOS name resolution works over the tunnel
push "dhcp-option WINS here.your.wins.server"
push "dhcp-option DOMAIN your.domain"
##your routes (network and netmask per line)
push "route"
push "route"
push "route"
push "route"
max-clients 20
keepalive 10 120
status server-tcp.log
verb 3
#auth against samba/openldap on connect through openvpn client
# via-env hands the password to the script in its environment, which
# openvpn only permits with script-security 3
script-security 3
auth-user-pass-verify   /etc/openvpn/ccd/login.sh via-env

# --- client side (Windows) ---
# assumed: 'client' (tls-client + pull) is needed so the pushed dns/wins/route
# options are applied; the posting omits it
client
dev tun
proto udp
port 1194
remote your.remote.loginserver 1194
resolv-retry infinite
##Where are your certs?
ca C:\\openvpn\\config\\ca.crt
cert C:\\openvpn\\config\\client1.crt
key C:\\openvpn\\config\\client1.key
# only accept a peer certificate marked as a server (nsCertType); newer
# releases use 'remote-cert-tls server' instead
ns-cert-type server
verb 3
##prompt for samba/openldap user--pass
auth-user-pass
##you need these two entries for windows to log on
route-method exe
route-delay 2
# directives in a config file carry no leading --
explicit-exit-notify 2
##Below if you need a script, the name needs to be client_up.bat or client_down.bat
##(running it also needs script-security 2 on the client)
##up C:\\openvpn\\config\\client_up.bat

Login.sh (so you can be certain that only a user authenticated to Samba sees the files):
#!/bin/sh
##login script openvpn 071209 dm
##check whether username/password is empty or anonymous
if [ "$username" = "anonymous" ] || [ "$username" = "Anonymous" ] || [ -z "$username" ] || [ -z "$password" ]; then
    exit 1
fi
##plain account names only, so the username cannot rewrite the bind DN below
case "$username" in *[!A-Za-z0-9._-]*) exit 1 ;; esac
##LDAP host; the posted script never sets this variable (assumed value)
LDAP=${LDAP:-ldap.your.domain}
###test bind (-w puts the password on the command line, visible in ps;
###ldapwhoami -y reads it from a file instead)
ldapwhoami -x -h "$LDAP" -D "uid=$username,ou=users,dc=your,dc=domain" -w "$password"
if [ "$?" = "0" ]; then
    exit 0
fi
exit 1

In your smb.conf:
hosts allow =

EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de

-----Original Message-----
From: Michael Wilke [mailto:m at 1982.cc] 
Sent: Monday, 4 February 2013 09:07
To: samba at lists.samba.org
Cc: mueller at tropenklinik.de
Subject: Re: AW: [Samba] msdfs proxy question

Hi Daniel,

that is exactly the problem, the samba server has an OpenVPN server, but the VPN user group includes people who are not directly working for the company so they shouldn't have access to the internal network.

So even if I could set up the samba box as gw and limit the access to the file server by firewall rules, I'm not sure I can restrict the access to the file server itself and they could see way more than what they should. 

Is there any other possibility to do that? 

On Mon, 2013-02-04 at 08:33 +0100, Daniel Müller wrote:
> If you have no route to the network nothing will work.
> Samba is not a Gateway nor does it VPN connections or something like that.
> If your second network is a external one you will be better in the 
> first with openvpn And set your routes to your needs.
> If your second network is internal you need to set up a gateway that 
> can be reached from both Networks.
> Good Luck
> Daniel
> -----------------------------------------------
> EDV Daniel Müller
> Leitung EDV
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
> -----Original Message-----
> From: samba-bounces at lists.samba.org 
> [mailto:samba-bounces at lists.samba.org] On behalf of Michael Wilke
> Sent: Monday, 4 February 2013 08:05
> To: samba at lists.samba.org
> Subject: [Samba] msdfs proxy question
> Hi List,
> I am struggling a little bit with the msdfs proxy parameter.
> I want the samba server as a kind of a bridge between two networks, 
> that the samba server only shares some of the shares provided by our 
> file server to a second network.
> I don't want the samba srv to be a gw or give the clients a route to 
> the internal network, because it is a total different user group.
> I first tried to do so with an msdfs root directory and symlinks but 
> for sure it didn't work, because the clients don't have a route to the 
> source server.
> But msdfs proxy doesn't work either:
> smb.conf:
> -------
> [software-new]
>         msdfs root = yes
>         msdfs proxy= \gunter\software
> -------
> When I try to access the share from a computer in the sec. network the 
> log
> shows:
> -------
> Client requested device type [?????] for share [SOFTWARE-NEW] refusing 
> connection to dfs proxy share 'software-new' (pointing to
> \gunter\software)
> error packet at smbd/reply.c(803) cmd=117 (SMBtconX) 
> -------
> The server is accessible from the samba box and smbclient connects fine:
> root at samba:~# smbclient -L '\\gunter' -U 'DOMAIN\micha'
> WARNING: The "idmap uid" option is deprecated
> WARNING: The "idmap gid" option is deprecated
> Enter DOMAIN\micha's password:
> Domain=[DOMAIN] OS=[Windows Server 2003 R2 3790 Service Pack 2] 
> Server=[Windows Server 2003 R2 5.2]
> 	Sharename       Type      Comment
> 	---------       ----      -------
> 	...
> 	software        Disk      Software
> 	...
> If I access the msdfs share from the sec. network ( with an 
> IP in the first network ( then the connection redirects me 
> to the gunter server and everything works, but I need a "proxy" not a 
> standard msdfs redirect.
> Any advice appreciated
> Michael
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Michael Wilke
HoD Advisor IT and General Service Department
NIMR - Mbeya Medical Research Center (MMRC)
P.O. Box 2410 Mbeya - Tanzania
Mobile: +255 684 700 979 (Airtel TZ)
E-Mail: mw at nimr-mmrc.org
Internet: http://www.nimr-mmrc.org/ 
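Daniel's scheme from the top of the thread (per-client ccd entries, a pushed route limited to one host, Samba hosts allow by IP range) written out as one worked example. This is added code, not from the original posts or from the OpenVPN or Samba projects; every address, name and path in it is an assumption: a 10.8.0.0/24 VPN pool with topology subnet, split into a full-access lower half (10.8.0.0/25) and a restricted upper half (10.8.0.128/25), an internal LAN 192.168.10.0/24, a file server at 192.168.10.5, the tun0 interface and the share names. It goes one step beyond the posts: a pushed route is only a hint the client may ignore, so the script also emits the FORWARD rules on the VPN box that actually enforce the split, and it refuses to write a ccd file for an address that lies in the wrong pool, since that would silently change the client's rights on both the firewall and the Samba side.

```sh
#!/bin/sh
# Added example, not code from the original posts or from the OpenVPN/Samba
# projects. Every address below is an assumption for illustration:
#   VPN pool            10.8.0.0/24    (server 10.8.0.0 255.255.255.0, topology subnet)
#   full-access clients 10.8.0.0/25    (lower half: whole internal LAN reachable)
#   restricted clients  10.8.0.128/25  (upper half: SMB to the file server only)
#   internal LAN        192.168.10.0/24, file server 192.168.10.5
VPN_NET=10.8.0.0;      VPN_MASK=255.255.255.0
FULL_NET=10.8.0.0;     FULL_MASK=255.255.255.128
RESTR_NET=10.8.0.128;  RESTR_MASK=255.255.255.128
LAN_NET=192.168.10.0;  LAN_MASK=255.255.255.0
FILESERVER=192.168.10.5

# dotted quad -> integer, so pool membership can be checked before a ccd file
# is written (a client pinned into the wrong half silently changes its rights)
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET MASK: succeeds when ADDR lies inside NET/MASK
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq "$(ip2int "$2")" ]
}

# ccd/<certificate CN> for a restricted client: pin its address, drop the
# server's global push list with push-reset (so it never learns the LAN
# routes) and push only a host route to the file server.
ccd_restricted() {
    in_subnet "$1" "$RESTR_NET" "$RESTR_MASK" || { echo "$1: not in restricted pool" >&2; return 1; }
    printf 'ifconfig-push %s %s\npush-reset\npush "route %s 255.255.255.255"\n' \
        "$1" "$VPN_MASK" "$FILESERVER"
}

# ccd for a full-access client: pinned address, inherits the server's pushes
ccd_full() {
    in_subnet "$1" "$FULL_NET" "$FULL_MASK" || { echo "$1: not in full-access pool" >&2; return 1; }
    printf 'ifconfig-push %s %s\n' "$1" "$VPN_MASK"
}

# Pushed routes are only hints; a client can add its own. The FORWARD chain on
# the OpenVPN box is the real boundary: the restricted pool gets SMB/NetBIOS
# session to the file server and nothing else in the LAN.
firewall_rules() {
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -i tun0 -s %s/25 -d %s -p tcp -m multiport --dports 139,445 -j ACCEPT\n' \
        "$RESTR_NET" "$FILESERVER"
    printf 'iptables -A FORWARD -i tun0 -s %s/25 -d %s/24 -j DROP\n' "$RESTR_NET" "$LAN_NET"
    printf 'iptables -A FORWARD -i tun0 -s %s/25 -d %s/24 -j ACCEPT\n' "$FULL_NET" "$LAN_NET"
}

# smb.conf on the file server. The [global] hosts allow gates the whole
# session; a share-level hosts allow can only narrow it further, so internal
# shares list just the LAN and the full-access pool.
smb_conf() {
    cat <<EOF
[global]
    hosts allow = $LAN_NET/$LAN_MASK $VPN_NET/$VPN_MASK
    hosts deny = ALL
[software]
    path = /srv/software
    read only = yes
[finance]
    path = /srv/finance
    hosts allow = $LAN_NET/$LAN_MASK $FULL_NET/$FULL_MASK
EOF
}

# Demo: one ccd file per group, then the enforcement on both sides
ccd_restricted 10.8.0.130
ccd_full 10.8.0.20
firewall_rules
smb_conf
```

Run it as-is to see the fragments; in practice redirect `ccd_restricted`/`ccd_full` output into `ccd/<common name>` for each client certificate, apply the iptables lines on the VPN box, and merge the smb.conf stanzas on the file server. The two halves of the pool are what tie the three pieces together: the firewall and the share-level hosts allow both key on the same netmask, so a client's certificate CN decides its group exactly once, in its ccd file.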
