Dear Lazyweb, sorry to bother you again, but I have tried to get this question answered on IRC, on Usenet and on the Samba Mailing List, and was not able to get an answer (not even a remotely clueless one) there. Can you help?
I currently have an "interesting" task to accomplish: An IT environment with about 90 % Windows and 10 % Linux machines would like to unify backup. Currently, the Windows world backs itself up to tape using Backup Exec; the Linux world has Amanda backing up to a big disk RAID.
This RAID is acting up and is scheduled to disappear. The current plan is to back up the Linux world with Amanda to a Samba share which is then backed up to tape by the Backup Exec installation running in the Windows world.
The Linux systems are in a diffent network, and the firewall people would like to keep the ports being open between the two networks to the bare minimum. I don't want to see NETBIOS Broadcasts inside the Linux world, I don't want to see this server in any network neighborhood, and the system acting as the Samba server for the backup should have as few open ports as possible. Of course, the share should be read only and to be as secure as possible.
The following configuration for Samba 3.4.0 from Debian unstable seems to do what is intended (and only needs port tcp/445):
Is this "secure enough" or is there potential for improvement? Which files do I need to copy to /mnt/backup/srv/amanda to run the smbd chrooted? Does it make sense to chroot the smbd in this environment?[global] workgroup = linuxworld server string = %h server dns proxy = no name resolve order = lmhosts host wins bcast interfaces = 192.168.8.26 bind interfaces only = yes log file = /var/log/samba/log.%m max log size = 1000 syslog = 0 panic action = /usr/share/samba/panic-action %d security = user encrypt passwords = true passdb backend = tdbsam obey pam restrictions = yes unix password sync = no pam password change = no socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 access based share enum = yes allow trusted domains = no disable netbios = yes load printers = no local master = no lock directory = /var/run/samba/locks pid directory = /var/run/samba max smbd processes = 10 min protocol = NT1 name resolve order = host preferred master = no server schannel = yes smb ports = 445 #======================= Share Definitions ======================= [amanda] comment = amanda backup writeable = no read only = yes locking = no path = /mnt/backup/srv/amanda public = no guest ok = no browseable = no hosts allow = 192.168.8.23 max connections = 5 valid users = amanda
Is this configuration going to work with Samba 3.0 (Debian etch) and/or Samba 3.2 (Debian lenny) as well?
Any hints will be appreciated.