VPN Plus Samba


VPN Plus Samba
Making My Home Computing
Environment Identical to My Work
Computing Environment
At the Office
I am running Windows 2000 (SP2).
My laptop is connected to the
departmental network.
I can access my network files from
Windows the same way that I access
my local files.
From Home
I am not connected to the departmental
network.
The only way to access my
departmental network files is via FTP.
How to make home like work
Create a Virtual Private Network (VPN)
so that I can tunnel from my house to
the department over my ISP (Adelphia,
via cable modem).
Set up the network so that Windows
users can access resources such as files
and printers on a Unix system via
Samba.
Setting up VPN
My local machine runs Windows 2000.
Windows 2000 has a built-in VPN client
that uses PPTP (Point-to-Point Tunneling
Protocol).
We needed a FreeBSD, Linux, or Solaris
server that supports PPTP.
We chose mpd, the multi-link PPP daemon
built on netgraph(4), which is available as
a FreeBSD port/package.
mpd
http://www.freebsd.org/cgi/url.cgi?ports/net/mpd/pkg-descr
contains the port description.
http://www.freebsd.org/cgi/pds.cgi?ports/net/mpd
contains the source.
ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-stable/All/mpd-3.7.tgz
contains the package.
mpd (continued)
mpd is capable of providing:
Multi-link PPP
PAP, CHAP, and MS-CHAP authentication
PPP compression and encryption
Point-to-Point Tunnelling Protocol (PPTP)
We implemented only what was
required for this project.
mpd Installation
Downloaded the latest package to /root.
gunzip'ed the package (left it in /root).
Untarred the package (into /root; we
cleaned up the mess when we were
finished).
Installed in the usual manner:
make install
Configuration
mpd Configuration
There are four configuration files:
mpd.conf
mpd.links
mpd.secret
mpd.script
All of these are in /usr/local/etc/mpd on
gw11. Log in as root to read them.
mpd.conf
This file defines what the bundles are,
what the links within those bundles are,
how the interface should be configured,
and various PPP parameters.
The file is /usr/local/etc/mpd/mpd.conf
on gw11.
telnet://gw11.cs.uofs.edu
mpd.links
Contains one link per simultaneous PPTP
connection.
Ours is set up to allow two users to
connect simultaneously.
mpd.secret
A plaintext list of usernames,
passwords, and IP addresses used to
authenticate connections to the VPN.
Because the passwords are stored
unencrypted, the file must be readable
by root only.
In other words, these credentials only
authenticate the PPTP tunnel; connecting
to the VPN does not log you in as a USER
on the network.
There are methods of making this more
secure.
mpd.secret (cont)
Here is the current file (username,
password, address/mask):
ryan "running" 134.198.161.227/28
sid  "walking" 134.198.161.223/28
When connecting to the VPN one of these
username/password combinations must be
used.
Both of them may be used simultaneously.
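To show how the three files fit together, here is an added illustrative set of mpd 3.x configuration files. It is not the gw11 configuration from the presentation: the bundle and link layout follows the structure of the mpd.conf.sample and mpd.links.sample files shipped with the port, but the interface names, the 192.0.2.x addresses, the DNS server, the usernames and the passwords are all placeholders chosen for this example. One bundle plus one link is needed per simultaneous client, which is why two of each appear. Because PPTP with MS-CHAP derives the MPPE session keys from the user's password, the tunnel is only as strong as the passwords in mpd.secret, so they should be long and random and the file kept root-readable only. Compare against the sample files for the mpd version actually installed before using any of it.

```conf
# /usr/local/etc/mpd/mpd.conf  (illustrative; all addresses are placeholders)
#
# "default" is the label mpd loads at startup. It loads one bundle per
# simultaneous PPTP client; each bundle needs a link of the same name
# in mpd.links.
default:
        load pptp1
        load pptp2

# One bundle per client. "set ipcp ranges <local> <peer>" gives the
# server end its tunnel address and the client the second one.
pptp1:
        new -i ng0 pptp1 pptp1
        set ipcp ranges 192.0.2.1/32 192.0.2.101/32
        load pptp_common

pptp2:
        new -i ng1 pptp2 pptp2
        set ipcp ranges 192.0.2.1/32 192.0.2.102/32
        load pptp_common

# Settings shared by every PPTP bundle.
pptp_common:
        set iface disable on-demand
        set iface enable proxy-arp        # answer ARP for the client's address on the LAN
        set iface idle 1800               # drop an idle tunnel after 30 minutes
        set bundle enable multilink
        set link yes acfcomp protocomp
        set link no pap                   # never accept PAP: the password would cross in clear
        set link enable chap              # require CHAP/MS-CHAP from the Windows client
        set link keep-alive 10 60
        set ipcp yes vjcomp
        set ipcp dns 192.0.2.53           # placeholder for the department's resolver
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e128              # offer only 128-bit MPPE; 40-bit (mpp-e40) is left out
        set ccp yes mpp-stateless

# /usr/local/etc/mpd/mpd.links  (one link per bundle above)
pptp1:
        set link type pptp
        set pptp self 192.0.2.254         # the gateway's own public address (placeholder)
        set pptp enable incoming
        set pptp disable originate

pptp2:
        set link type pptp
        set pptp self 192.0.2.254
        set pptp enable incoming
        set pptp disable originate

# /usr/local/etc/mpd/mpd.secret  (chmod 0600, owned by root)
# username  "password"        address (or range, with a mask) the client may take
alice       "Xk9#q2Lm7vRt"    192.0.2.101/32
bob         "4nPw!z8Qe3Hd"    192.0.2.102/32
```

The peer addresses handed out in mpd.conf must agree with the addresses listed in mpd.secret, and both must be routable on the departmental LAN (proxy-arp takes care of that for a single address on the gateway's own subnet). The Windows 2000 client must be set to require data encryption so that it refuses a tunnel on which MPPE was not negotiated.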
mpd.script
Since we use no dialup connections, this
script remains one of the mysteries of
the ages.
There is an mpd.script.sample with
1558 lines available in
/usr/local/etc/mpd on gw11 if you need
to use dialup scripts.
What is Samba
Samba is an open source software suite
that provides file and print services to
SMB (CIFS or NetBIOS) clients such as
Windows 95/98, Windows NT, or OS/2.
What is Samba (continued)
A Samba-enabled Unix (or other) machine can
provide the following services:
Share one or more filesystems
Share printers installed on both the server and its
clients
Assist clients with Network Neighborhood
browsing
Authenticate clients logging onto a Windows
domain
Provide or assist with WINS name server
resolution
What is Samba (continued)
Samba revolves around a pair of Unix
daemons: smbd and nmbd.
smbd - The daemon that provides file and printer
sharing on an SMB network and handles
authentication and authorization for SMB
clients.
nmbd - The daemon that looks after the
Windows Internet Name Service (WINS) and
assists with browsing.
Reasons to Use Samba
You don't want to pay for - or can't afford - a
full-fledged Windows NT server, yet you still
need the functionality that one provides.
You want to set up a common area for data
or user directories that will be available to
Windows and Unix clients.
You want to be able to share printers across
both Windows and Unix workstations.
You want to be able to access NT files from a
Unix server.
Simple Network Setup with
samba
Samba Installation
Samba can be installed in the usual ways (i.e.
from ports, as a package, or as an RPM).
Samba is also included in Red Hat Linux and
other Unix distributions.
Samba is supported on the following types of
machines: Unix, Linux, VMS, MVS, OS/2,
Stratus-VOS, Amiga, MPE/iX.
We chose to do a package installation on a
Red Hat 7.2 machine running NFS.
Samba Installation (cont.)
First we downloaded Samba from the Samba
homepage into root's home directory as
sambalatest.tar.gz.
Steps for a simple installation:
Unzip and untar the file.
cd into the package's directory.
Run make install with no configuration options.
Need more configuration options? Then read:
docs/textdocs/WHATSNEW.txt
docs/textdocs/UNIX_INSTALL.txt
Samba Installation Directories
/usr/local/samba - Main tree
/usr/local/samba/bin - Binaries
/usr/local/samba/lib - smb.conf, lmhosts,
configuration files, etc.
/usr/local/samba/man - Samba documentation
/usr/local/samba/private - Samba encrypted
password file
/usr/local/samba/swat - SWAT files
/usr/local/samba/var - Samba log files, lock
files, browse list info, shared memory files, process
ID files
Samba Configuration
The Samba configuration files live in the
/usr/local/samba/lib directory.
The main configuration file is
/usr/local/samba/lib/smb.conf.
This file can be edited with a text editor,
but it is much easier to use the Samba Web
Administration Tool (SWAT)!
You need to configure your system before
you can use SWAT.
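As an added example of what smb.conf ends up containing for a setup like this one, here is an illustrative configuration for a Samba 2.2 server built into /usr/local/samba, written for this page rather than taken from the lab4 machine. The workgroup, NetBIOS name, interface, share paths, Unix group and address prefixes are placeholders (the 134.198.161. prefix is assumed to be the range the VPN hands out); every option used is a standard Samba 2.2 smb.conf parameter.

```conf
# /usr/local/samba/lib/smb.conf  (illustrative; names and addresses are placeholders)
[global]
   workgroup = RESEARCH
   netbios name = LAB4
   server string = Samba on Red Hat 7.2

   # Only the departmental subnet and the VPN-assigned addresses may talk
   # to smbd at all; 127. keeps local tools such as smbclient working.
   hosts allow = 127. 134.198.161.
   hosts deny  = ALL
   interfaces = eth0 127.0.0.1
   bind interfaces only = yes

   # Per-user authentication against the encrypted password file in
   # /usr/local/samba/private; Windows 2000 sends encrypted passwords by
   # default, so plaintext-password mode would not even work with it.
   security = user
   encrypt passwords = yes
   smb passwd file = /usr/local/samba/private/smbpasswd

   log file = /usr/local/samba/var/log.%m
   max log size = 50

   # Let Windows clients find the shares in Network Neighborhood.
   local master = yes
   os level = 33
   wins support = yes

# Each Unix user's home directory, visible only to that user.
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S
   create mask = 0600
   directory mask = 0700

# A common area for Windows and Unix users in the same Unix group.
[shared]
   comment = Common area
   path = /export/shared
   writable = yes
   valid users = @research
   force group = research
   create mask = 0660
   directory mask = 0770

# Printers from /etc/printcap, exported to Windows clients.
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   printable = yes
   guest ok = no
```

Run /usr/local/samba/bin/testparm after editing to check the file for syntax errors and to see the effective value of every parameter, and add each Unix user to the encrypted password file with smbpasswd -a <user> before they try to connect; a user who exists in /etc/passwd but not in smbpasswd is refused. The hosts allow line must cover the addresses the VPN assigns, or home users will be able to reach the gateway but not the shares.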
Configuring Your Red-Hat
System for Swat
Create a file named swat in the /etc/xinetd.d
directory
This file should contain the following:
service swat
{
port = 901
socket_type = stream
wait = no
user = root
server = /usr/local/samba/bin/swat
log_on_failure += USERID
disable = no
}
Configuring Your Red-Hat
System for Swat (cont.)
Add the following line to the
/etc/services file:
swat    901/tcp    # SWAT
It is a good idea to limit the use of
SWAT to certain hosts. For example:
In /etc/hosts.deny:
swat: ALL
In /etc/hosts.allow:
swat: LOCAL, 134.198.168.128
Now You Are Ready To Use SWAT!
What is SWAT
Basically it is a visual front-end to the
smb.conf file.
Following from above:
SWAT is reached with a browser on port
901.
Any user may log into SWAT, but only root may
edit the config files.
SWAT uses plain HTTP basic authentication, so
the root password crosses the network in the
clear; this is why access should be limited to
trusted hosts as shown above.
Using SWAT



http://lab4.research.cs.uofs.edu:901
Administrator login example
User login example
Samba Resources
http://www.samba.org/
You can download the latest package from here.
http://www.oreilly.com/catalog/samba/chapter/book/
A free online version of the book "Using Samba".
Link to the SMB URL Internet-Draft:
ftp://ftp.isi.edu/in-notes/search.ietf.org/internetdrafts/draft-crhertel-smb-url-02.txt
Author - Chris Hertel
Chapter 26 of "Unix Administration
Handbook"
Long Range Goals
Put a router in my house to attach to
the Internet and allow my home
network to be a subnet of the
department’s network.
Add disk space to my router and make
my home network equivalent to the
research subnet with full access to the
department network.