Setting up Samba on Red Hat 9.1 - also a ping problem

Status
Not open for further replies.

Donboy

IS-IT--Management
Aug 20, 2002
73
US
I'm attempting to set up Samba on my Linux box. I am a new user to Linux, so there is an enormous learning curve I'm trying to overcome. My expertise is really more with Windows.

I have tried installing Webmin on my Linux machine for configuring Samba, which looks to be a great app, but I still can't make Samba work. I will paste my smb.conf file below. Please let me know if anyone sees any obvious problems.

When I start Linux and then start Samba, I go to my Windows machines and I can see the name of my share under the MSHOME group, but when I double-click on it, I get the message "You may not have permission to use this network resource. Contact the administrator of this server to find out if you have the necessary permissions. The network path was not found." The permissions I have set for the folders in Linux are 777 on "home" and "SharedDocuments".

Also, I have 3 Windows computers on my LAN. I tried to ping the Linux box from 2 different Windows machines and they both timed out. On the Linux box, I tried to ping my Win2k machine and it worked. I tried to ping the WinXP box but it didn’t work.

Man, I'm confused. Please help! I have this feeling it has less to do with my smb.conf file and more to do with networking the machines together because of the ping problem.

[global]
log file = /var/log/samba/log.%m
server string = Data Server
workgroup = MSHOME

[Files]
comment = File Server
writeable = yes
public = yes
path = /home/SharedDocuments
 
First, have you created any samba users? Look at smbpasswd (hint - there are several posts in this forum, search for 'users').

Second, in the global section try adding:
encrypt passwords = yes
netbios name = whateveryouwant
; security can be share or user, depending on what you want
security = share

Third, you may be correct about the network problems, but how did you ping the linux box - by name or IP address? How did you ping the xp box - by name or IP address? A firewall would block a ping. Are you running any firewalls on these machines?
 
Yes, when I was using Webmin, I clicked on Convert Unix Users to Samba Users and it added a whole bunch of users to the list. I really only have one real user (myself). The rest of them are stuff like root, ldap, gdm, mysql and many others that are not actual usernames.

I just added the stuff you mentioned and restarted Samba using Webmin's "Restart Samba Servers" command, but only because I don't remember the command to restart it at the command line. Actually, now things have gotten worse. I can't even see the share in Windows anymore. I don't have any idea why, but I know the connection is good because I can access the internet from the Linux box (and all other machines) with no problems.

I did a ping at the command prompt in Windows by IP address of the Linux box. I've assigned it an IP address manually, while I'm letting the router assign the IPs of all other machines. The IP of the Linux box is 192.168.0.50. The WinXP machine is 192.168.0.100. The Win2k machine is 192.168.0.101.
 
Oops, I forgot to mention that I have been running Zonealarm on the Windows machines, but I have disabled that and it still doesn't work. Otherwise, the only firewalls I know of are within the router itself and whatever Red Hat has installed by default. Right now, I'm running a pretty clean install of Red Hat. When I was loading it I selected the option to install "everything" and haven't changed anything since then. This Samba ordeal is the first thing I've tried to do on the machine since installing Red Hat.
 
OK, one step at a time and use webmin:

Samba Users:
I assume that your linux username is one word, all lower case with some password. This has now been converted to a Samba user and password. Is your windows user name (on both windows machines) exactly the same - same one word name, all lower case and same password? If not, that's OK - go to webmin, samba, global configuration area, Authentication. In the username mapping section, click the 'listed below' option and add your unix/samba username and your full windows account name (with correct case). Save and restart Samba. BTW, you should probably remove root and all the others.

pinging Linux:
I'm not sure what firewall gets installed with RH, but that's most likely the problem. To confirm this using Webmin, go to the system tab, boot up and shutdown. Look for the firewall software, mark the checkbox and stop the selected service. Take note of the name - if this is the cause of the problem, you may want to post a question in the linux server forum forum54 as to how to allow the communications that you want to pass through.

Now see if you can ping and connect from the Windows computers.

pinging Windows:
Zone Alarm is the most likely culprit. Rather than disable it, look for a section to add trusted zones or something similar (it's been a while since I used ZA). Add your entire IP range, excluding the router (192.168.0.2 - 192.168.0.255). Even with ZA disabled (even uninstalled in some cases) the True Vector service can still be running. If you hunt hard enough on ZA's website, you will find something to this effect. Also don't forget to make sure XP's firewall is disabled.
 
The Windows username wasn't exactly right. On the Win2k machine, I've got it set to automatically login as "Administrator" so I mapped my unix username (donboy) to Administrator, so that should be good. On the WindowsXp machine (it's Windows XP home edition, if that matters) I've got my username set properly (donboy) and my password matches what I'm using on Unix.

Not sure how to go about removing all those bogus users like root and others, but I guess that's low priority for now.

I found 3 firewall-type programs listed under Webmin that may have been a problem. ip6tables, ipchains, and iptables. I clicked on the checkboxes for those 3 and clicked on "Stop Selected". There was a results page that says...

"Address family not supported by protocol. Perhaps iptables or your kernel needs to be upgraded. [FAILED]"

It says this same message a couple of times. Right after that, it says something like...

"Resetting built in chains to the default ACCEPT policy: [OK]"

If you think it's valuable, I'll have to get on the Linux machine and copy and paste the results here to post them.
When I return to shutdown actions, all 3 are still listed as "yes" meaning they will be started on reboot. After a reboot, they are still listed as Yes, so I think it must have failed to remove them.

Do you think I need to post this info in the forum you mentioned?

I went into Zonealarm and set the trusted site. I actually could only find a spot to enter one IP address, so I entered the IP of the Linux box. 192.168.0.50. Is that good? Or do I need to enter something else?

Thanks for all your help so far.
 
PS, I am now able to ping the Windows Xp machine from Linux, so maybe the ZA thing worked, but I cannot ping the Linux from Windows XP. I think I need to find a way to remove those firewall things we found. Any ideas how?
 
I can't help you with the firewalls on RH - I don't use either of them. I am surprised to see ipchains and iptables - I thought that iptables was used on newer distros and ipchains was used on older distros, but I could be wrong about that. Using the keyword search function in some of the linux forums turned up thread54-557125. There are many others - you may find your answer by searching, otherwise you'll have to ask. You'll probably want to keep the firewall running and open ports 137, 138, 139 & 445. - see
To remove the extra samba users go to webmin, servers, samba, edit samba users and passwords (just above convert unix users that you used to create them), click the user to get rid of and then delete.
 
I'd be wary of opening those ports. I've read all over the web that opening those ports (137-139) is a bad idea. Ultimately, my Linux box will become a webserver so exposing those ports to the internet would keep me up late at night worrying. Please correct me if my fears are unfounded.

I just looked at the link you provided and it seems like doing "host based protection" would be the best way. This would allow me to specify that only certain IP numbers would be allowed to connect to Samba. Please correct me if I'm wrong, but I think the correct thing to put would be hosts allow = 127.0.0.1 192.168.0.100/24. I'm not really sure about those last numbers I put. Can I allow a specific IP like that??? The article seemed to suggest that it was meant for allowing whole networks and not individual machines.

Also, the very next line is hosts deny = 0.0.0.0/0, which I assume to mean Samba will deny from the internet. True? If so, this seems to be adding a second layer of protection because not only are you telling Samba to deny from the internet but you're also saying to allow only these numbers.

If this is all correct, then I wonder if I would be wise to just deny from the internet and let that be all. All the machines on my LAN are located in my house and I have no security issues about anyone who lives in my home.

What do you think?
 
What you've seen about opening those ports is correct, but I'm sure what you've seen is in reference to making them open on the internet. You have to have them open to your LAN, otherwise windows TCP/IP networking will not work. BTW, they are open on your windows machines also.

In the global section of your smb.conf you can add the line:
hosts allow = 192.168.0. 127.
This will only allow computers on your network to access samba. I believe that the hosts deny line you mention will deny everything else (somewhat redundant, but won't hurt). I highly recommend adding the 'hosts allow' to your smb.conf. As a side note, I also recommend adding this to Webmin (Webmin configuration, IP access control).

The real question about what you want your personal firewalls to allow is: How is your network connected to the internet? If you have another firewall or NAT device such as a router, this will block the mentioned ports from the internet if it's set up properly. There are several places this can be tested such as and
 
Let me make sure I have this IP right.

hosts allow = 192.168.0.127

Is that correct??? I don't have a 127 assigned. Or did you mean...

hosts allow = 192.168.0. 127

Would that be a whitespace between the dot and 127?

And yes, I have a router that all these machines are linked to and the router is fed by cable modem.
 
Yes there is a space before 127 (and a period after). These are 2 different ranges of IP addresses:

192.168.0.anything
and
127.anything.anything.anything

127.0.0.1 is called the loopback address and it refers to itself.
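
The difference between "192.168.0. 127." and "192.168.0.127" discussed above, as an added example that is not part of the original posts: a simplified Python model of how hosts allow / hosts deny entries are matched, covering only the three entry forms that appear in this thread. The function names are hypothetical, the client 203.0.113.7 is a constructed outside address, and this is not Samba's own code.

```python
import ipaddress

# Constructed sample clients: loopback, the three LAN machines named in the
# thread, and one outside address from the TEST-NET-3 documentation range.
CLIENTS = ["127.0.0.1", "192.168.0.50", "192.168.0.100",
           "192.168.0.101", "203.0.113.7"]


def entry_matches(entry, client_ip):
    """Return True if one hosts allow/deny entry covers client_ip."""
    if entry.endswith("."):
        # Trailing dot: address prefix, "192.168.0." means 192.168.0.anything.
        return client_ip.startswith(entry)
    if "/" in entry:
        # network/prefix-length form such as 0.0.0.0/0.
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry)
    # No trailing dot and no slash: a single host address.
    return entry == client_ip


def access_allowed(client_ip, hosts_allow, hosts_deny):
    """Simplified model of how the two lists combine (not Samba's own code)."""
    in_allow = any(entry_matches(e, client_ip) for e in hosts_allow)
    in_deny = any(entry_matches(e, client_ip) for e in hosts_deny)
    if hosts_allow and not hosts_deny and client_ip != "127.0.0.1":
        # Only an allow list: anything it does not name is refused.
        return in_allow
    # Otherwise an allow match wins over a deny match, and 127.0.0.1 is
    # let in unless a deny entry covers it.
    return in_allow or not in_deny


def who_gets_in(hosts_allow, hosts_deny=""):
    """Evaluate smb.conf-style space-separated lists against CLIENTS."""
    allow, deny = hosts_allow.split(), hosts_deny.split()
    return [ip for ip in CLIENTS if access_allowed(ip, allow, deny)]


if __name__ == "__main__":
    for allow in ("192.168.0. 127.", "192.168.0.127"):
        print(f"hosts allow = {allow!r:20} -> {who_gets_in(allow)}")
```

With the space and trailing dots, all three LAN machines and loopback are admitted and the outside address is refused; written as the single address 192.168.0.127, none of the LAN machines match.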
 
Just as a followup, I wanted to let you know that I included those statements in my "Global" group in the smb.conf file and it didn't help. I've also posted to another forum about the firewall problem and so far I'm not getting anywhere.

If you have any final words of advice or insight, I'd be grateful. If not, that's ok too, and thank you very much for all your help with my problem.
 
Yes, unfortunately, you still won't get to the samba machine until the firewall has allowed those ports. If you use KDE or Gnome on the linux machine, there should be some sort of Control Center or something similar that will allow you to turn off the firewall, at least for testing.
 
I have found a way to turn off the firewall and gain access to the Linux Samba server. However, I don't want to leave the firewalls off, because it is hooked up to the internet and I don't want any outside people to gain access to the Linux machine.
How can I set it up so that the inside machines can get through the firewall, but outside ones cannot?

peace
david
 