Results 1 to 10 of 10

Thread: Task: allow only one ip address to see your share via samba

  1. #1
    almost retired the-mk's Avatar
    Join Date
    Jan 2003
    Location
    KI/OOE/Austria
    Posts
    1,921
    Blog Entries
    6

    Task: allow only one ip address to see your share via samba

    Problem:
    - computer a and computer b are on the same network
    - computer a has Windows XP running, computer b some kind of linux (in my case mandriva)
    - network is XDSL-modem with 4 ports
    - both computers can be seen in internet
    - computer b shall only provide computer a with an samba "windows" share, for all the other computers in the internet it is not allowed to see this share!!
    Code:
                  Internet
                      ^
                      |
                      v
      XDSL-Router/Switch/Gateway
           ^                ^
           |                |
           v                v
    computer a        computer b
    Is it possible with just configuring samba or do I need to do something with iptables, etc... too? Can it be done with standard mandrake firewall?

    It is not possible to put them behind SOHO-routers like Linksys or Netgear and portforward the necessary ports, because some ports (i.e. http) are needed by both computers)

    Advice is appreciated!

    Thanks!
    the-mk

  2. #2
    Dungeon Master alpha's Avatar
    Join Date
    Mar 2002
    Location
    Norfolk, UK
    Posts
    1,700
    According to the example smb.conf you can do this:

    # This option is important for security. It allows you to restrict
    # connections to machines which are on your local network. The
    # following example restricts access to two C class networks and
    # the "loopback" interface. For more examples of the syntax see
    # the smb.conf man page
    hosts allow = 192.168.0. 127.
    If I'm understanding what you want to do, this should do it for you. The option is well documented in the smb.conf man page, it is quite flexible.

  3. #3
    Administrator Bok's Avatar
    Join Date
    Oct 2003
    Location
    Wake Forest, North Carolina, United States
    Posts
    22,163
    Blog Entries
    13
    What are the ip addresses of the two machines?

    If they are private ip addresses and the router has the public ip address then it shouldn't matter anyway..

    Bok

  4. #4
    almost retired the-mk's Avatar
    Join Date
    Jan 2003
    Location
    KI/OOE/Austria
    Posts
    1,921
    Blog Entries
    6
    Alpha,

    this "hosts allow" parameter looks good to me, I need to test that next time when I'm on this computer!

    Bok,

    those two machines do have official IP-addresses! If they would be behind a SOHO router I would not be concerned about security

    Thanks!
    the-mk

  5. #5
    almost retired the-mk's Avatar
    Join Date
    Jan 2003
    Location
    KI/OOE/Austria
    Posts
    1,921
    Blog Entries
    6
    Found some time to test that: hosts allow is working great!
    Thanks!
    the-mk

  6. #6
    Administrator Bok's Avatar
    Join Date
    Oct 2003
    Location
    Wake Forest, North Carolina, United States
    Posts
    22,163
    Blog Entries
    13
    Is there any reason not to have the router as the only public ip address?

    It's a much safer way to have the network.

    Bok

  7. #7
    almost retired the-mk's Avatar
    Join Date
    Jan 2003
    Location
    KI/OOE/Austria
    Posts
    1,921
    Blog Entries
    6
    My problem is that this device is coming from my ISP and I can not configure it.
    the-mk

  8. #8
    Administrator Bok's Avatar
    Join Date
    Oct 2003
    Location
    Wake Forest, North Carolina, United States
    Posts
    22,163
    Blog Entries
    13
    You could put another router in between that one and your PC's..

    Bok

  9. #9
    almost retired the-mk's Avatar
    Join Date
    Jan 2003
    Location
    KI/OOE/Austria
    Posts
    1,921
    Blog Entries
    6

    Question

    Thanks Bok, I'll consider that...

    Another SAMBA question: who of you has running a configuration, where user have to authenticate before seeing a share? Could you share your entries of smb.conf and other configuration files?

    current /etc/samba/smb.conf:
    [global]
    workgroup = Workgroup
    netbios name = myserver
    server string = Samba Server %v

    log file = /var/log/samba/log.%m
    max log size = 50

    hosts allow = 127.0.0.1 , xxx.xxx.xxx.xxx , yyy.yyy.yyy.yyy , zzz.zzz.zzz.zzzz

    security = user
    encrypt passwords = yes
    username map = /etc/samba/smbusers
    guest account = nobody
    map to guest = bad user

    socket options = SO_KEEP_ALIVE IPTOS_LOWDELAY TCP_NODELAY
    dns proxy = no

    [test$]
    path = /tmp
    writable = yes
    public = yes
    That configuration is asking some workstations to authenticate when accessing \\myserver\test$, some workstations can't access them (one is Win XP german in workgroup "Arbeitsgruppe" in WAN [xxx], one is Win XP english in workgroup "Workgroup" in LAN [yyy], one is Win XP english in domain in WAN [zzz]; currently only the german one can access)

    Is it possible to make a user that does not exist in operating system (/etc/passwd) accessing a samba share?

    If not, what kind of password is used when accessing samba? There is another file /etc/samba/smbpasswd, which is currently empty on my linux box...

    If I do "smbpasswd" with a user, which is entered in /etc/samba/smbusers, it tells me that I can't do it, because such a user does not exist.

    Current samba version used is 3.0.20 coming with mandriva linux.

    Do you have ideas how to do this or why two workstations can't access "test$" share, while one can do it?

    Is it possible to allow only one user to access this "test$" share?

    Help is appreciated! Thanks!

    the-mk

  10. #10
    almost retired the-mk's Avatar
    Join Date
    Jan 2003
    Location
    KI/OOE/Austria
    Posts
    1,921
    Blog Entries
    6
    I found a nice link on http://www.oreilly.de/german/freebooks/samba2ger/ (content is in german language) where I could iron all issues out with samba server

    If you know the options of samba, it is a great tool! But it took some time until I found this great online book, which showed me this options

    It's just a little bad sad, that the examples are for samba 2.x while I use samba 3x.
    the-mk

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •