Gentoo Forums
Question on SAMBA
KraziKid
Tux's lil' helper
Joined: 26 Dec 2002
Posts: 128

Posted: Sat Mar 22, 2003 2:29 am    Post subject: Question on SAMBA

My father wants me to set up a network for his office. He uses QuickBooks on Windows for their accounting/invoices/etc... The problem is, currently they share the file they have on disk, and when one is edited, the changes on the other copy aren't retained. They want me to set up a network drive that will hold the QuickBooks database. I have an idea to use SAMBA on a Gentoo system I am setting up for a firewall. What they need is something that is available from the internet so that my aunt (who does the accounting) can map the drive in the office to her home computer. What I want to find out is, can SAMBA do this? If so, can I make the connection encrypted? If anyone can give an example where this is implemented, that would be great. I will be making a cron job to backup the database every x minutes so that there is always a backup, but I want to know if I can make this a secure connection. If SAMBA can't do this, can someone recommend an app they use that can.
Kulfaangaren!
Apprentice
Joined: 11 Jan 2003
Posts: 176
Location: Borås, Sweden

Posted: Sat Mar 22, 2003 3:28 am    Post subject: Re: Question on SAMBA

Hi.

The files I think should be treated as very sensitive, are you really sure you wanna stick em on the firewall/inetgw ?

I prefer to keep this kind of sensitive material offline (read...on a comp without internet access).

Anyways...yes, Samba can bind to all interfaces of the firewall/inetgw and accept connections from your aunt....she would have to use a service name containing the IP address of your firewall/inetgw like \\192.168.1.1\QuickBooks.

Secure ? Well...if your aunt is using a computer with Win9X/ME then I think no. If she uses WinNT4/2K/XP then at least the authentication can be encrypted. :?

What I would do if I HAD to find a solution that worked kind of like this, is to make sure the Samba daemon does NOT bind to the outside interface of your firewall/inetgw and find an ssh distro for windows with which she could scp the files, that way it would even be encrypted during transfer.
You probably should automate the process for her which would of course mean that you would have to find an scp that could be scripted from a batch file ( cygwin and openssh ? Then you could even write the script in bourne shell or bash :lol: )
Don't forget to only allow her machine in through the firewall, iptables should be able to do MAC address matching which would uniquely identify her network interface no matter what dynamic IP her ISP is giving her.

Hope this helps.

// Fredrik
KraziKid
Tux's lil' helper
Joined: 26 Dec 2002
Posts: 128

Posted: Sat Mar 22, 2003 3:35 am    Post subject:

First of all, I should have mentioned she is running XP. Now, the problem with what you suggested about scp and cygwin is that she is not at all tech savvy. She wouldn't know the difference between a bash prompt, and a dos prompt. Now, I know that the authentication can be encrypted using 2k/XP encrypted passwords, but I want to keep the data secure as well. Are there any programs that would let me do this, but still allowing me to map the network drive for her? If not I will install an ssh client such as mindterm on their computer and teach them how to use the built in scp/sftp file transfers. But I want to do that as a last resort, for nothing simpler for her. Thanks for the help so far.

EDIT: Also, I was going to set up SAMBA to only allow her and my IP from the outside. I wouldn't bind it directly to eth0, but to XXX.YYY.ZZZ.WWW/255.255.248.0 (my ISP uses 255.255.248.0 netmask). This way at least that would work. Also, if you could provide a command for iptables that would do MAC authentication for the server that would help too. Also, can I set up SAMBA to use another port instead of 139?
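Added example, not part of the original posts: a shell check that an smb.conf keeps smbd off the outside interface and restricts client addresses, the two settings discussed in the posts above. `interfaces`, `bind interfaces only` and `hosts allow` are real smb.conf parameters; the interface names (eth0 outside, eth1 office LAN), paths and both sample configs are constructed assumptions.

```shell
#!/bin/sh
# Added example. eth0 = outside interface, eth1 = office LAN (assumed names).

# get_param FILE NAME: last value of NAME in [global]; names are case-insensitive.
get_param() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sec = tolower($0)
                        sub(/^[ \t]*\[[ \t]*/, "", sec); sub(/[ \t]*\].*$/, "", sec); next }
        sec == "global" && index($0, "=") {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/[ \t]+/, " ", name)
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) found = val
        }
        END { print found }' "$1"
}

# audit_smb_conf FILE EXT_IF: prints one FAIL line per finding, returns 1 if any.
audit_smb_conf() {
    conf=$1 ext_if=$2 bad=0
    case "$(get_param "$conf" 'bind interfaces only' | tr 'A-Z' 'a-z')" in
        yes|true|1) ;;
        *) echo "FAIL: 'bind interfaces only' is not enabled"; bad=1 ;;
    esac
    ifaces=$(get_param "$conf" 'interfaces')
    case " $ifaces " in
        "  ") echo "FAIL: no 'interfaces' list is set"; bad=1 ;;
        *" $ext_if "*) echo "FAIL: outside interface $ext_if is in 'interfaces'"; bad=1 ;;
    esac
    [ -n "$(get_param "$conf" 'hosts allow')" ] ||
        { echo "FAIL: no 'hosts allow' restriction"; bad=1; }
    return $bad
}

# Constructed sample configs: one exposed to the outside, one LAN-only.
write_samples() {
    printf '%s\n' '[global]' '   interfaces = eth0 eth1' \
        '[QuickBooks]' '   path = /srv/quickbooks' > "$1/exposed.conf"
    printf '%s\n' '[global]' '   interfaces = eth1 lo' \
        '   Bind Interfaces Only = yes' '   hosts allow = 192.168.1. 127.' \
        '[QuickBooks]' '   path = /srv/quickbooks' > "$1/internal.conf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
audit_smb_conf "$tmp/exposed.conf" eth0 || echo "exposed.conf: findings above"
audit_smb_conf "$tmp/internal.conf" eth0 && echo "internal.conf: ok"
```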
Kap
n00b
Joined: 29 Aug 2002
Posts: 23
Location: Lima, Peru

Posted: Sat Mar 22, 2003 4:13 am    Post subject: iptables won't get the MAC address

Remember the containment order:
an Ethernet frame can carry (among other things) an IP packet
an IP packet can carry (among other things) a TCP connection
a TCP connection can carry (among other things) a Samba session

on the internet you send IP packets, nothing more

so, even if your aunt's computer is using Ethernet for her connection (with cablemodem or ADSL or whatever), those Ethernet frames (with her MAC address) will be discarded by her ISP, and only the IP packets inside them will get routed.

the MAC address the server/firewall gets in the end would be from the router; not from the originating PC. (since the router encapsulates the incoming IP packets in brand new Ethernet frames to put them in the LAN)

--
Kz
Kulfaangaren!
Apprentice
Joined: 11 Jan 2003
Posts: 176
Location: Borås, Sweden

Posted: Sat Mar 22, 2003 4:56 am    Post subject: Re: Question on SAMBA

Hello again.

I guessed she was not so "tech savvy" as you put it, that is why I wrote about writing a script to do it for her, automate things...that would let her click an icon and type a password, even my mom can do that 8) She will not have to know how it works...just that it does when she clicks the icon. A bash shell script would also let you do some tests on whether the transfer was successful etc. which could be nice...if it failed, popup a winpopup with the reason or at least that it didn't work ?

To my knowledge Samba does not contain a way to encrypt the whole transaction...I still think scp is your best bet.

Reading Kap's post above kinda rules out MAC address matching to verify that it is her/your computer...darn...I have some serious black holes in my networking knowledge. :(

Another thing to worry about...how are you going to make sure that your father is not editing the file at the same time that your aunt is downloading it...could end up very messy with corrupt db files as a result. *shudder* Horrible thought! Same problem with your backup copying you mentioned.

Hmmm...solvable with a perl script and lsof ? Make sure the file is closed before you try to copy it ?

// Fredrik
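Added example, not part of the original post: one way to do the "make sure the file is closed before you copy it" check for the cron backup, written in shell rather than perl and scanning /proc instead of calling lsof. It assumes a Linux server with GNU or busybox `readlink` and `stat`, run as root so that smbd's open files are visible; the function names are hypothetical.

```shell
#!/bin/sh
# Added example for a Linux Samba server; run as root from cron.

# is_open FILE: 0 if any process visible in /proc holds FILE open, 1 if none.
is_open() {
    target=$(readlink -f -- "$1") || return 2
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink -- "$fd" 2>/dev/null)" = "$target" ] && return 0
    done
    return 1
}

# stamp FILE: "size mtime", used to detect a write that happened during the copy.
stamp() { stat -c '%s %Y' -- "$1"; }

# backup_if_idle SRC DESTDIR: prints the backup path and returns 0 when copied,
# returns 1 when skipped (file busy or changed mid-copy), 2 on error.
backup_if_idle() {
    src=$1
    dest=$2/$(basename -- "$1").$(date +%Y%m%d-%H%M%S)
    is_open "$src" && return 1
    before=$(stamp "$src") || return 2
    cp -p -- "$src" "$dest.part" || { rm -f -- "$dest.part"; return 2; }
    # The check and the copy are not atomic, so verify again before keeping it.
    if is_open "$src" || [ "$(stamp "$src")" != "$before" ]; then
        rm -f -- "$dest.part"
        return 1
    fi
    mv -- "$dest.part" "$dest" && echo "$dest"
}

# Cron entry point: backup.sh SRC DESTDIR
if [ $# -eq 2 ]; then
    backup_if_idle "$1" "$2"
fi
```

A skipped run (exit status 1) simply waits for the next cron interval, so a backup is only ever kept from a moment when nobody had the file open.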
The Shadow Surfer
Tux's lil' helper
Joined: 08 Jun 2002
Posts: 102
Location: Denmark

Posted: Sat Mar 22, 2003 11:01 am    Post subject:

http://hr.uoregon.edu/davidrl/samba/samba-security.html#ssh
This tells how to set up "Tunneling SMB through SSH"

This way you can do a secure mounting of your data on a remote Windows PC