Sunday, July 27, 2008
Accessing SMB shares under firewall
There are, generally speaking, five "standard" ways to make files on (Linux) server available to clients:
- Using FTP server;
- If sshd is running, files could be accessed with SFTP;
- If Web server is running, WebDAV could be used;
- Using NFS (see earlier port);
- Using SMB-shares.
In principle, last choice - using Samba shares - is supposed to be most "native" with respect to Windows clients; let's consider how difficult it is to use it practically...
For the following, we assume that SMB server is running on "SERVER" and we'll be using it to access file of local regular user "user".
1. Install and configure samba
# apt-get install samba smbclient
1.2. Modify config file.
Here we zero in on "minimalistic" approach, which only requires minimal changes to default config file (as distributed with Debian, anyway). It has one built-in share "homes" which provides access to each user's home directory (it is enabled by default, but in read-only mode)
1.2.1. Backup default config file:
cp /etc/samba/smb.conf /etc/samba/smb.conf.original
1.2.2. Modify global settings:
workgroup = <Enter some name>
interfaces = <enter some interfaces from /sbin/ifconfig, e.g. lo venet0:0>
printcap name = /dev/null (shut down all complaints in logs about printers)
encrypt passwords = yes (or else you won't connect from Windows NT and up)
security = user (this should be the default anyway)
smb passwd file = /etc/samba/smbpasswd (see below why/when this is necessary)
1.2.3. Modify setting for share.
If you are satisfied with read-only access to user's directory, there is nothing more to change. If you want read-write access, there are some settings to adjust:
writable = yes
create mask = 0644
directory mask = 0755
Note on "encrypt password": if encrypt password = false, you don't need "smb passwd file", system password file will be used. For some reason it did NOT work for me if "encrypt password = true". As suggested in , I did this:
cat /etc/passwd | mksmbpasswd > /etc/samba/smbpasswd
smbpasswd user (for each use who needs his home dir access via SMB)
1.2.4. Restart server:
1.2.5. Test installation (on the server as user)
If you can, test from another location which does not block outgoing ports 139, 445
smbclient //SERVER/homes -U user
2. Setup Windows computer
In principle, the following command
net use [<drive letter>:] \\SERVER\homes /user:user /persistent:no
should be able to mount corresponding share. However, for this to work it is necessary that client computer had direct access to server using ports 139 and/or 445. If server is to be used in local subnet, this is undoubtedly so and no more setup is required. However, if you are accessing server from the Internet, and your ISP is blocking these ports (like RCN), read on.
The idea is to try to mount SMB shares on SERVER as if they were available on localhost; intercept requests made on (local) ports 139 and 445 and somehow forward them to SERVER.
This however appears to be more difficult than it sounds. The problem is, Windows by default binds all adapters on port 445 :
> netstat -ano | grep 445
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
and the only way to make this port available for binding is to disable NetBios completely, which is rather pointless, since then you won't be able to amount anything at all (if, however, you want to play with this, refer to  and ).
Fortunately, however, usually Windows, after failing to mount using port 445, falls back to port 139, which apparently you can bind, albeit not on "standard" loopback adapter 127.0.0.1; (well, you can bind to it, but it won't work for whatever reason), thus necessity to create new loopback connection. This "fallback" logic is in no way guaranteed and moreover has reportedly been broken by a recent Vista patch; but at least on XP this seems to work, as long as you implement 2.1 and 2.2 below.
2.1. If you are using Windows XP, install this Windows patch .
2.2. For your existing Internet connection, enable option "EnableBIOS over TCP/IP" (in fact, it may be sufficient to do so for any Internet connection. Quoting from : "It also appears that if there are no valid interfaces with NetBIOS over tcp enabled, then windows will not attempt to use port 139")
2.4. It may or may not be necessary, but I also (a) disabled all "items" for new 10.0.0.1 loopback connection (except TCP/IP, see first screenshot above) ; (b) enabled LMHOSTS lookup; (c) disabled NetBIOS over TCP/IP (see second screenshot) ; (d) disabled "File and Printer Sharing for Microsoft Networks" for ALL connections;
2.5. Reboot and you are all set!
3. Setup port forwarding
This can be done in one of the two ways.
You can use of the many existing utilities for port forwarding. (It is more correct in fact to speak of reversed port forwarding, but people usually call it port forwarding all the same). In this case you need a (non-blocked) port to forward to, and your Samba server should be told to listen on this port.
Alternatively, you can use ssh port tunneling capability and tunnel port 139 through ssh. This requires more complicated setup and is more difficult to automate, but does not require any additional port to be used and has an additional benefit of securing your Samba traffic via ssh.
3.1. Using ssh tunneling.
3.1.1. With Cygwin (or similar CLI) ssh:
ssh -L 10.0.0.1:139:localhost:139 SERVER
3.1.2. Using PuTTY
3.2. Using port forwarding.
3.2.1. Add another option to smb.conf :
smb ports = 445 139 8445 8139
4. Using SMB shares
4.1. Under Windows
net use [<drive letter>:] \\10.0.0.1\homes /user:user /persistent:no
(Unless user if Windows user name and password matches, you'll be asked to enter server password at this point)
4.2. Under Linux
Make sure you have "smbfs" installed ("apt-get install smbfs") and issue this command as super-user:
mount -t smbfs -o username=user%<user password>,uid=<local username>,port=8139 //SERVER/homes <local mount point>
4.3. Using smbclient, any platform
For any platform which has utility "smbclient" or equivalent, and provided that you've configured SMB server to listen to port 8138, you can use this
smbclient //SERVER/homes -U user -p 8139
to access your files.
You can get MinGW-based smbclient.exe for Windows from here (it works fine except that you have to specify password in the command line); alternatively, you can build your own Cygwin-based version using one of the patched published here (you'll need to disable first test in Samba source file source/tests/summary.c)
I don't mean this in a bad way, of course! Ethical concerns aside... I just hope that as technology further advances, the possibility of transferring our brains onto a digital medium becomes a true reality. It's a fantasy that I dream about almost every day.
(Posted on Nintendo DS running [url=http://kwstar88.livejournal.com/491.html]R4 SDHC[/url] DS SurfV3)