What to use instead of Samba?

Craig White craigwhite at azapple.com
Tue Nov 22 06:38:18 MST 2005


On Tue, 2005-11-22 at 00:15 -0700, Victor Odhner wrote:
> Samba is now working for me.  Discussion below.
> 
> I'm still interested in some of the alternatives that were mentioned in this
> interesting thread -- especially for use at work.  They were:
> 
>    pscp for Windows    - Dan Lund suggested this
> 
>    NFS on the linux machine and SFU on the windows box to mount the NFS 
> share.
>       http://www.microsoft.com/windowsserversystem/sfu/default.mspx
>       - Austin Godber
> 
>   WebDAV over HTTPS.
>   Use Apache and mod_dav (and maybe mod_davfs).
>       - Jeremy C. Reed:
>           Since I am not running Apache, I'll pass on this one.
>           However, I might find a use for it at work.
> 
> I have the Windows firewall turned off.  But questioning that led
> me to this:
> 
> < CONCLUSION >
>   My problem was ZoneAlarm:  I had not added the Linux box to
>   my trusted zone.  It was quietly blocking me, I guess, although it
>   did show me the Linux box.
> < CONCLUSION />
> 
> But what I don't understand is:  When I fat-fingered the address,
> leaving out the first digit, ZoneAlarm got all excited about my trying
> to access 91.168.1.1.  Why didn't it alert me when it was blocking
> 192.168.1.1?  Maybe because it "just knows" that is a local address;
> but it would have been nice to know . . .
> 
> Craig, this was useful:
>   testparm -s > /tmp/samba.conf.txt
>   or the verbose (all settings)
>   testparm -sv > /tmp/samba.conf.txt
> For one thing, it stripped off all the comments that make it hard to
> get an overview.  Everything looked good except for the idmap
> stuff which I deleted, but I doubt that had any effect:
>         dns proxy = No
>         idmap uid = 16777216-33554431
>         idmap gid = 16777216-33554431
>     ... or are the idmap entries a no-op with dns proxy turned off?
> 
> JD Austin wrote:
>   Be sure the windows machine isn't blocking that stuff on its
>   firewall.
>     control panel -> network connections -> right click network interface ->
>       properties->advanced-> settings-> exceptions;
>          check file and printer sharing.
>   Well, as I said above I had the Windows firewall turned off.  But
>   this led me to take one more look at ZoneAlarm, and that's what
>   nailed my problem.
> 
> J.D. again:
>   The other thing that seems to help is to reference them by IP, i.e.:
>     \\192.168.1.1\shared
>   Often when \\DOMAIN\share doesn't work \\ipaddress\share does.
>      VO:  Both of these work now.  Neither did before.
> 
> Regarding iptables:  yes, I had given this a heap of attention.  I have
> ssh enabled but not always running.  For the Samba ports, I entered
> the following in the "Security Level Configuration" dialog's
> "Other ports" section:
>       137:udp, 138:udp, 139:tcp, 445:tcp
> My router connected to Cox sends these to bad IPs on the
> 192.168.2.* subnet.
> 
> Alex Dean wrote:
>    If you want 'easy Samba', why not try SWAT?
>       Since I'm not running any web server, this is not convenient.
>       Or does SWAT provide its own http service?
> 
> Donn Shumway offered a checklist:
>   1) What version(s) of Windows are you using?       [XP Pro SP2]
>   2) Are you trying to setup a Primary Domain Controller?
>          [Tried briefly]
>   3) Or, are you using simple Workgroups?
>          [Yes, that's where I am now] Specifically, I don't want
>           to entangle the Windows box with the Linux box so
>           that password management is not under full local control.
>   4) Do you have File and Printer sharing enabled on the
>           Windows PC's?  [Yes]
>   5) Is NetBEUI installed on the Windows PC's     [Yes]
>   6) Do you have a WINS server defined for your internal
>           network?  [Yes]  (I base that on this line in smb.conf:
>           name resolve order = wins lmhosts bcast)
>   7) Are you using encrypted passwords on your Windows PC's?
>         (this is the default)  [Yes]
>   8) Have you setup smb passwords on the Samba server to
>         match your PC user's passwords? [Yes]
>   9) lastly, how are you trying to connect to the share that
>        results in the 'path is not found' message?
>           This happened whenever I clicked on the icon for the
>             Linux box, or tried to get any information about that
>             system.
> 
> Someone allowed as how there was no need for iptables if your
> box does not face the Internet.  I'm behind a router that should
> block everything, but I still want iptables and ZoneAlarm in place.
> The security guys always say that the secret to good security
> setups is multiple lines of defense, and denying all that's not
> allowed.
> 
> Thanks again to everybody for all the support!
> 
-----
Glad you solved the issue, and yeah, firewalls can be a bitch.

You have listed too many issues to answer with any depth here but
consider...

Benefits of using 'samba domain'
http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html

idmap is really only a benefit to winbindd (samba member server to a
different domain controller which provides user/group enumeration from
that controller)

With a network protected by a router, running iptables (firewall) on a
Linux system that permits open access to the common services (i.e. 22,
25, 80, 137-139, 443) probably isn't much better than no firewall on
that system at all. Your best efforts are probably best spent at keeping
this router up-to-date with latest updates.

As for the 'testparm' things I discussed for samba, it's really useful
for posting configuration to lists. Some people do their editing of
smb.conf in a separate file and pipe the output of testparm -sv to the
actual smb.conf that samba uses. One thing is sure: with testparm -sv,
ALL of the defaults are output, so there is no confusion about the
settings.

Craig
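
The separate-file workflow described above, as an added example that is not part of the original message: it validates a hand-edited master file with testparm and replaces the live smb.conf only if testparm accepts it. The function name and both file paths are assumptions; it uses `testparm -s`, and `-sv` can be substituted to write out every default.

```shell
#!/bin/sh
# Added example (not from the thread). Paths below are assumptions.

# install_smb_conf MASTER LIVE
#   MASTER: hand-edited file with comments (e.g. /etc/samba/smb.conf.master)
#   LIVE:   file smbd actually reads       (e.g. /etc/samba/smb.conf)
# Returns 0 and replaces LIVE on success; returns 1 and leaves LIVE
# untouched if testparm rejects MASTER or produces no output.
install_smb_conf() {
    master=$1
    live=$2
    [ -r "$master" ] || { echo "cannot read $master" >&2; return 1; }

    # Create the temp file next to LIVE so the final mv is a rename on
    # the same filesystem rather than a copy.
    tmp=$(mktemp "${live}.XXXXXX") || return 1

    # testparm exits non-zero when it cannot load the file. Redirecting
    # straight into LIVE would truncate it before that check ever runs,
    # so the output goes to the temp file first.
    if ! testparm -s "$master" > "$tmp"; then
        echo "testparm rejected $master; $live left unchanged" >&2
        rm -f "$tmp"
        return 1
    fi
    if [ ! -s "$tmp" ]; then
        echo "testparm produced no output; $live left unchanged" >&2
        rm -f "$tmp"
        return 1
    fi

    # Keep the previous config for rollback, then swap in the new one.
    if [ -f "$live" ]; then
        cp -p "$live" "${live}.bak"
    fi
    chmod 644 "$tmp"    # mktemp creates the file with mode 600
    mv "$tmp" "$live"
}
```

Run it as root, for example `install_smb_conf /etc/samba/smb.conf.master /etc/samba/smb.conf`, then reload Samba so the new settings take effect.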

