Samba Help Needed
Dear Lazyweb, sorry to bother you again, but I have tried to get this question answered on IRC, on Usenet and on the Samba Mailing List, and was not able to get an answer (not even a remotely clueless one) there. Can you help?
I currently have an "interesting" task to accomplish: An IT environment with about 90 % Windows and 10 % Linux machines would like to unify backup. Currently, the Windows world backs itself up to tape using Backup Exec; the Linux world has Amanda backing up to a big disk RAID.
This RAID is acting up and is scheduled to disappear. The current plan is to back up the Linux world with Amanda to a Samba share which is then backed up to tape by the Backup Exec installation running in the Windows world.
The Linux systems are in a different network, and the firewall people would like to keep the ports open between the two networks to the bare minimum. I don't want to see NetBIOS broadcasts inside the Linux world, I don't want to see this server in any network neighborhood, and the system acting as the Samba server for the backup should have as few open ports as possible. Of course, the share should be read-only and be as secure as possible.
The following configuration for Samba 3.4.0 from Debian unstable seems to do what is intended (and only needs port tcp/445):
    [global]
       workgroup = linuxworld
       server string = %h server
       dns proxy = no
       name resolve order = lmhosts host wins bcast
       interfaces = 192.168.8.26
       bind interfaces only = yes
       log file = /var/log/samba/log.%m
       max log size = 1000
       syslog = 0
       panic action = /usr/share/samba/panic-action %d
       security = user
       encrypt passwords = true
       passdb backend = tdbsam
       obey pam restrictions = yes
       unix password sync = no
       pam password change = no
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
       access based share enum = yes
       allow trusted domains = no
       disable netbios = yes
       load printers = no
       local master = no
       lock directory = /var/run/samba/locks
       pid directory = /var/run/samba
       max smbd processes = 10
       min protocol = NT1
       name resolve order = host
       preferred master = no
       server schannel = yes
       smb ports = 445

    #======================= Share Definitions =======================

    [amanda]
       comment = amanda backup
       writeable = no
       read only = yes
       locking = no
       path = /mnt/backup/srv/amanda
       public = no
       guest ok = no
       browseable = no
       hosts allow = 192.168.8.23
       max connections = 5
       valid users = amanda

Is this "secure enough" or is there potential for improvement? Which files do I need to copy to /mnt/backup/srv/amanda to run the smbd chrooted? Does it make sense to chroot the smbd in this environment?
Is this configuration going to work with Samba 3.0 (Debian etch) and/or Samba 3.2 (Debian lenny) as well?
Any hints will be appreciated.
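An added example, not part of the original post: a small audit of an smb.conf against the goals stated above (tcp/445 only, no NetBIOS, a read-only share without guest access, restricted to one client). The function names `parse` and `audit` are hypothetical, and the sample is a constructed excerpt of the posted configuration. It also reports parameters that are set twice, directly or through a synonym such as `writeable`/`read only`.

```python
# Constructed sample: an excerpt of the smb.conf quoted in the post.
SAMPLE = """[global]
name resolve order = lmhosts host wins bcast
disable netbios = yes
name resolve order = host
smb ports = 445
[amanda]
writeable = no
read only = yes
guest ok = no
hosts allow = 192.168.8.23
"""

# Two of smb.conf's synonyms (a subset), folded onto one name; True = inverted meaning.
SYNONYMS = {"writeable": ("readonly", True), "public": ("guestok", False)}
TRUE = ("yes", "true", "1")
def norm(name):
    return "".join(name.lower().split())  # names ignore case and all whitespace

def parse(text):
    """Return ({section: {param: value}}, [(section, param as written)] for repeats)."""
    conf, dups, sec = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sec = norm(line[1:-1])
            conf.setdefault(sec, {})
        elif sec and "=" in line and line[0] not in "#;":
            raw, val = (p.strip() for p in line.split("=", 1))
            key, inverted = SYNONYMS.get(norm(raw), (norm(raw), False))
            val = ("no" if val.lower() in TRUE else "yes") if inverted else val
            if key in conf[sec]:
                dups.append((sec, raw))
            conf[sec][key] = val  # the last assignment wins
    return conf, dups

def audit(text, share):
    """List deviations from the post's goals: tcp/445 only, no NetBIOS, locked-down share."""
    conf, dups = parse(text)
    g = conf.get("global", {})
    s = {**g, **conf.get(norm(share), {})}  # share settings fall back to [global]
    checks = [  # (passes, finding); fallbacks are Samba's defaults
        (g.get("smbports", "445 139").split() == ["445"], "smb ports is not limited to 445"),
        (g.get("disablenetbios", "no").lower() in TRUE, "NetBIOS is not disabled"),
        (s.get("readonly", "yes").lower() in TRUE, f"[{share}] is writable"),
        (s.get("guestok", "no").lower() not in TRUE, f"[{share}] allows guest access"),
        ("hostsallow" in s, f"[{share}] has no hosts allow list"),
    ]
    notes = [f"[{sec}] '{raw}' repeats an earlier setting or synonym; the last value wins" for sec, raw in dups]
    return notes + [finding for ok, finding in checks if not ok]
```

On the sample, `audit(SAMPLE, "amanda")` returns only the two repeat notes (`name resolve order` and `read only`); a real run would read the file smbd actually loads.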
Comments
Anonymous on :
rsync over SSH seems like a better solution for the Linux boxes, if you just want to get data onto a Windows system. Both SSH and rsync run on Windows. This would only require port 22.
Marc 'Zugschlus' Haber on :
This is how we currently do it. We want to get away from wasting disk space in the windows world, so the backup software should directly get the data from the Linux box. And the Windows backup software can do cifs, cifs and cifs.
Andreas Marschke on :
I would recommend Bacula; we used it on our last backup job when we needed to back up a server remotely. I don't know about the backup capabilities of Windows, but we made that possible by a timed boot that would boot up into a Linux and send a backup request remotely to the server. It's still in use. It works perfectly and can be done overnight.
Marc 'Zugschlus' Haber on :
You are misunderstanding. We are not looking for new backup software for Windows; I am looking for a way to have the Linux world backed up by the existing Windows installation, which is not to be changed and on which the Windows admins do not plan to install any new software, scripts or other mechanisms.
flawed on :
Sorry for missing the topic, but I believe there is a BackupExec client for Linux. What is the reason for not wanting to use this approach?
Marc 'Zugschlus' Haber on :
The system in question is security relevant; I'd rather not spoil it with commercial closed-source software which has to be bought. What the heck is so flawed with the Samba approach?
Lennie on :
Before anyone would help you, the first question they would need to ask is: what version of Windows is it that is doing the backup?
Will it work on older versions of Debian? Well, no: "access based share enum" is only supported since Samba 3.4.
And maybe it's just me, but maybe you should just use:
name resolve order = host
Do you really need anything more?
But hey, what do I know, I've not done a smb.conf in ages.
Marc 'Zugschlus' Haber on :
Currently, W2k3, with the option of being W2k8 "real soon now".
I see. That would have to be removed on the older versions then.
No idea, I'll try it.
Thanks, I really appreciate that.
Wouter Verhelst on :
You are aware that you can mount SMB shares by IP address, right...?
Marc 'Zugschlus' Haber on :
Yes, I am. The configuration listed above works fine with IP address and host name (the host has a proper DNS entry). And I won't use the IP address since I am the one who usually lectures that IP addresses are not to be used anywhere besides access lists and the DNS.
Hans Bonfigt on :
Did you already consider pushing your Linux backups to the Windows machine with 'smbtar'?
Marc 'Zugschlus' Haber on :
Am I talking in Chinese or what?? It is not repeat not desired to push the data to the Windows world as this would need disk storage in the Windows world. If the backup software pulls the data from the Linux world, the data goes straight to tape, thus no disk space needed in the Windows world.
Hans Bonfigt on :
"We want to get away from wasting disk space in the windows world"
Sorry, I overread this hint. There are lots of opportunities to stop wasting disk space in the windows world, though.
Marc 'Zugschlus' Haber on :
That depends on your point of view. The windows world considers the Linux backups waste of disk space. They, of course, do not consider their own data dumps wasted.