# Networking between Linux & windoze through a Linksys router.

## dalek

Here is the deal.  A while back I emerged samba so I could let my fiance store data on my computer, that way when windoze dies she doesn't lose anything and I don't have to move drives around.  Anyway, I have it started and have tried to get it working but I think I am running into problems on the windoze side or with the Linksys router one.  Here's the info:

Linksys router:  WRT54G connected to a cable modem

One Gentoo box in sig below that is connected to port 2

One Windoze XP box   that is connected to port 1

All is connected through ethernet cables, no wireless stuff.

Linksys is a default setup except that I did have to change the IP so it would see the cable modem.  All this uses DHCP too.  This is my Samba conf for what is shared:

```
[DATA]
path = /mnt/data/
hide files = Donna-windoze/
veto files = Donna-windoze/
veto oplock files = Donna-windoze/
case sensitive = no
msdfs proxy = no
hide unreadable = yes

[DOCUMENTS]
path = /home/dale/Desktop/Documents/
case sensitive = no
msdfs proxy = no
hosts allow = 192.168.100.*
hide files = DonnaIM/DonnaIM2/DonnaIM3/
```

Let me know if you need the whoooole thing.    :Shocked:    Can someone help walk me through this?  I think the Linux side is working.  It's the other that has me puzzled.  I'm not real big on windoze networking stuff, in case you can't tell.

Thanks for the help.

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## MEW

In what way does it not work?

Yes, please post the whole thing. (Better would be to upload it elsewhere and link it, if you can.)

----------

## dalek

It appears it is working from here, the Linux box, but windoze can't see anything.  I feel like the router is not letting her computer 'see' mine for some reason.  I know less about the router than windoze so I'm in a mess.

I don't have any way to host the file so here it goes:

```
# This is the main Samba configuration file. You should read the

# smb.conf(5) manual page in order to understand the options listed

# here. Samba has a huge number of configurable options (perhaps too

# many!) most of which are not shown in this example

#

# Any line which starts with a ; (semi-colon) or a # (hash)

# is a comment and is ignored. In this example we will use a #

# for commentry and a ; for parts of the config file that you

# may wish to enable

#

# NOTE: Whenever you modify this file you should run the command "testparm"

# to check that you have not made any basic syntactic errors.

#

#======================= Global Settings =====================================

[global]

# 1. Server Naming Options:

# workgroup = NT-Domain-Name or Workgroup-Name

workgroup = WORKGROUP

# netbios name is the name you will see in "Network Neighbourhood",

# but defaults to your hostname

;  netbios name = <name_of_this_server>

# server string is the equivalent of the NT Description field

server string = Samba Server %v

# Message command is run by samba when a "popup" message is sent to it.

# The example below is for use with LinPopUp:

; message command = /usr/bin/linpopup "%f" "%m" %s; rm %s

# 2. Printing Options:

# CHANGES TO ENABLE PRINTING ON ALL CUPS PRINTERS IN THE NETWORK

# if you want to automatically load your printer list rather

# than setting them up individually then you'll need this

printcap name = cups

# It should not be necessary to spell out the print system type unless

# yours is non-standard. Currently supported print systems include:

# bsd, sysv, plp, lprng, aix, hpux, qnx, cups

printing = cups

# Samba 3.x supports the Windows NT-style point-and-print feature. To

# use this, you need to be able to upload print drivers to the samba

# server. The printer admins (or root) may install drivers onto samba.

# Note that this feature uses the print$ share, so you will need to

# enable it below.

# printer admin = @<group> <user>

printer admin = @adm

# This should work well for winbind:

;   printer admin = @"Domain Admins"

# 3. Logging Options:

# this tells Samba to use a separate log file for each machine

# that connects

log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).

max log size = 50

# Set the log (verbosity) level (0 <= log level <= 10)

; log level = 3

# 4. Security and Domain Membership Options:

# This option is important for security. It allows you to restrict

# connections to machines which are on your local network. The

# following example restricts access to two C class networks and

# the "loopback" interface. For more examples of the syntax see

# the smb.conf man page. Do not enable this if (tcp/ip) name resolution does

# not work for all the hosts in your network.

;   hosts allow = 192.168.100. 192.168.2. 127.

# Uncomment this if you want a guest account, you must add this to /etc/passwd

# otherwise the user "nobody" is used

;  guest account = pcguest

# Allow users to map to guest:

map to guest = Bad User

# Security mode. Most people will want user level security. See

# security_level.txt for details.

security = share

# Use password server option only with security = server or security = domain

# When using security = domain, you should use password server = *

;   password server = <NT-Server-Name>

;   password server = *

# Password Level allows matching of _n_ characters of the password for

# all combinations of upper and lower case.

;  password level = 8

;  username level = 8

# You may wish to use password encryption. Please read

# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.

# Do not enable this option unless you have read those documents

# Encrypted passwords are required for any use of samba in a Windows NT domain

# The smbpasswd file is only required by a server doing authentication, thus

# members of a domain do not need one.

encrypt passwords = yes

# The following are needed to allow password changing from Windows to

# also update the Linux system password.

# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.

# NOTE2: You do NOT need these to allow workstations to change only

#        the encrypted SMB passwords. They allow the Unix password

#        to be kept in sync with the SMB password.

;  unix password sync = Yes

# You either need to setup a passwd program and passwd chat, or

# enable pam password change

;  pam password change = yes

;  passwd program = /usr/bin/passwd %u

;  passwd chat = *New*UNIX*password* %n\n *Re*ype*new*UNIX*password* %n\n ;*passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names

;  username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration

# on a per machine basis. The %m gets replaced with the netbios name

# of the machine that is connecting

;   include = /etc/samba/smb.conf.%m

# Options for using winbind. Winbind allows you to do all account and

# authentication from a Windows or samba domain controller, creating

# accounts on the fly, and maintaining a mapping of Windows RIDs to unix uid's

# and gid's. idmap uid and idmap gid are the only required parameters.

#

# winbind separator is the character a user must use between their domain

# name and username, defaults to "\"

;  winbind separator = +

#

# winbind use default domain allows you to have winbind return usernames

# in the form user instead of DOMAIN+user for the domain listed in the

# workgroup parameter.

;  winbind use default domain = yes

#

# template homedir determines the home directory for winbind users, with

# %D expanding to their domain name and %U expanding to their username:

;  template homedir = /home/%D/%U

# When using winbind, you may want to have samba create home directories

# on the fly for authenticated users. Ensure that /etc/pam.d/samba is

# using 'service=system-auth-winbind' in pam_stack modules, and then

# enable obedience of pam restrictions below:

;  obey pam restrictions = yes

#

# template shell determines the shell users authenticated by winbind get

;  template shell = /bin/bash

# 5. Browser Control and Networking Options:

# Most people will find that this option gives better performance.

# See speed.txt and the manual pages for details

socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192 

# Configure Samba to use multiple interfaces

# If you have multiple network interfaces then you must list them

# here. See the man page for details.

;   interfaces = 192.168.12.2/24 192.168.13.2/24

# Configure remote browse list synchronisation here

#  request announcement to, or browse list sync from:

#       a specific host or from / to a whole subnet (see below)

;   remote browse sync = 192.168.3.25 192.168.5.255

# Cause this host to announce itself to local subnets here

;   remote announce = 192.168.1.255 192.168.2.44

# set local master to no if you don't want Samba to become a master

# browser on your network. Otherwise the normal election rules apply

;   local master = no

# OS Level determines the precedence of this server in master browser

# elections. The default value should be reasonable

;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This

# allows Samba to collate browse lists between subnets. Don't use this

# if you already have a Windows NT domain controller doing this job

;   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup

# and gives it a slightly higher chance of winning the election

;   preferred master = yes

# 6. Domain Control Options:

# Enable this if you want Samba to be a domain logon server for

# Windows95 workstations or Primary Domain Controller for WinNT and Win2k

;   domain logons = yes

# if you enable domain logons then you may want a per-machine or

# per user logon script

# run a specific logon batch file per workstation (machine)

;   logon script = %m.bat

# run a specific logon batch file per username

;   logon script = %U.bat

# Where to store roaming profiles for WinNT and Win2k

#        %L substitutes for this servers netbios name, %U is username

#        You must uncomment the [Profiles] share below

;   logon path = \\%L\Profiles\%U

# Where to store roaming profiles for Win9x. Be careful with this as it also

# impacts where Win2k finds it's /HOME share

; logon home = \\%L\%U\.profile

# The add user script is used by a domain member to add local user accounts

# that have been authenticated by the domain controller, or when adding

# users via the Windows NT Tools (ie User Manager for Domains).

# Scripts for file (passwd, smbpasswd) backend:

; add user script = /usr/sbin/useradd -s /bin/false '%u'

; delete user script = /usr/sbin/userdel '%s'

; add user to group script = /usr/bin/gpasswd -a '%u' '%g'

; delete user from group script = /usr/bin/gpasswd -d '%u' '%g'

; set primary group script = /usr/sbin/usermod -g '%g' '%u'

; add group script = /usr/sbin/groupadd %g && getent group '%g'|awk -F: '{print $3}'

; delete group script = /usr/sbin/groupdel '%g'

# Scripts for LDAP backend (assumes nss_ldap is in use on the domain controller.

# Needs IDEALX scripts, and configuration in smbldap_conf.pm.

# This assumes you've installed the IDEALX scripts into /usr/share/samba/scripts...

; add user script = /usr/share/samba/scripts/smbldap-useradd.pl '%u'

; delete user script = /usr/share/samba/scripts/smbldap-userdel.pl '%u'

; add user to group script = /usr/share/samba/scripts/smbldap-groupmod.pl -m '%u' '%g'

; delete user from group script = /usr/share/samba/scripts/smbldap-groupmod.pl -x '%u' '%g'

; set primary group script = /usr/share/samba/scripts/smbldap-usermod.pl -g '%g' '%u'

; add group script = /usr/share/samba/scripts/smbldap-groupadd.pl '%g' && /usr/share/samba/scripts/smbldap-groupshow.pl %g|awk '/^gidNumber:/ {print $2}'

; delete group script = /usr/share/samba/scripts/smbldap-userdel.pl '%g'

# The add machine script is use by a samba server configured as a domain

# controller to add local machine accounts when adding machines to the domain.

# The script must work from the command line when replacing the macros,

# or the operation will fail. Check that groups exist if forcing a group.

# Script for domain controller for adding machines:

; add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M '%u'

# Script for domain controller with LDAP backend for adding machines (You need

# the IDEALX scripts, and to configure the smbldap_conf.pm first):

; add machine script = /usr/share/samba/scripts/smbldap-useradd.pl -w -d /dev/null -g machines -c 'Machine Account' -s /bin/false '%u'

# Domain groups:

# Domain groups are now configured by using the 'net groupmap' tool

# Samba Password Database configuration:

# Samba now has runtime-configurable password database backends. Multiple

# passdb backends may be used, but users will only be added to the first one

# Default:

; passdb backend = smbpasswd guest

# TDB backen with fallback to smbpasswd and guest

; passdb backend = tdbsam smbpasswd guest

# LDAP with fallback to smbpasswd guest

# Enable SSL by using an ldaps url, or enable tls with 'ldap ssl' below.

; passdb backend = ldapsam:ldaps://ldap.mydomain.com smbpasswd guest

# Use the samba2 LDAP schema:

; passdb backend = ldapsam_compat:ldaps://ldap.mydomain.com smbpasswd guest

# idmap uid account range:

# This is a range of unix user-id's that samba will map non-unix RIDs to,

# such as when using Winbind

; idmap uid = 10000-20000

; idmap gid = 10000-20000

# LDAP configuration for Domain Controlling:

# The account (dn) that samba uses to access the LDAP server

# This account needs to have write access to the LDAP tree

# You will need to give samba the password for this dn, by

# running 'smbpasswd -w mypassword'

; ldap admin dn = cn=root,dc=mydomain,dc=com

; ldap ssl = start_tls

# start_tls should run on 389, but samba defaults incorrectly to 636

; ldap port = 389

; ldap suffix = dc=mydomain,dc=com

; ldap server = ldap.mydomain.com

# Seperate suffixes are available for machines, users, groups, and idmap, if

# ldap suffix appears first, it is appended to the specific suffix.

# Example for a unix-ish directory layout:

; ldap machine suffix = ou=Hosts

; ldap user suffix = ou=People

; ldap group suffix = ou=Group

; ldap idmap suffix = ou=Idmap

# Example for AD-ish layout:

; ldap machine suffix = cn=Computers

; ldap user suffix = cn=Users

; ldap group suffix = cn=Groups

; ldap idmap suffix = cn=Idmap

# 7. Name Resolution Options:

# All NetBIOS names must be resolved to IP Addresses

# 'Name Resolve Order' allows the named resolution mechanism to be specified

# the default order is "host lmhosts wins bcast". "host" means use the unix

# system gethostbyname() function call that will use either /etc/hosts OR

# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf

# and the /etc/resolv.conf file. "host" therefore is system configuration

# dependant. This parameter is most often of use to prevent DNS lookups

# in order to resolve NetBIOS names to IP Addresses. Use with care!

# The example below excludes use of name resolution for machines that are NOT

# on the local network segment

# - OR - are not deliberately to be known via lmhosts or via WINS.

; name resolve order = wins lmhosts bcast

# Windows Internet Name Serving Support Section:

# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server

;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client

#       Note: Samba can be either a WINS Server, or a WINS Client, but NOT both

;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on

# behalf of a non WINS capable client, for this to work there must be

# at least one  WINS Server on the network. The default is NO.

;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names

# via DNS nslookups. The built-in default for versions 1.9.17 is yes,

# this has been changed in version 1.9.18 to no.

dns proxy = no

restrict anonymous = no

guest ok = yes

domain master = no

preferred master = no

max protocol = NT

ldap ssl = No

server signing = Auto

# 8. File Naming Options:

# Case Preservation can be handy - system default is _no_

# NOTE: These can be set on a per share basis

;  preserve case = no

;  short preserve case = no

# Default case is normally upper case for all DOS files

;  default case = lower

# Be very careful with case sensitivity - it can break things!

;  case sensitive = no

# Enabling internationalization:

# you can match a Windows code page with a UNIX character set.

# Windows: 437 (US), 737 (GREEK), 850 (Latin1 - Western European),

# 852 (Czech), 861 (???), 932 (Japanese),

# 936 (Simplified Chin.), 949 (Korean Hangul),

# 950 (Trad. Chin.).

# More detail about code page is in

# "http://www.microsoft.com/globaldev/reference/oslocversion.mspx"

# UNIX: ISO8859-1 (Western European), ISO8859-2 (Eastern Eu.),

# ISO8859-5 (Russian Cyrillic), KOI8-R (Alt-Russ. Cyril.)

# This is an example for french users:

;   dos charset = 850

;   unix charset = ISO8859-1

#============================ Share Definitions ==============================

[homes]

comment = Home Directories

browseable = no

read only = no

# You can enable VFS recycle bin on a per share basis:

# Uncomment the next 2 lines (make sure you create a

# .recycle folder in the base of the share and ensure

# all users will have write access to it. See

# examples/VFS/recycle/REAME in the samba docs for details

;   vfs object = /usr/lib/samba/vfs/recycle.so

# Un-comment the following and create the netlogon directory for Domain Logons

; [netlogon]

;   comment = Network Logon Service

;   path = /var/lib/samba/netlogon

;   guest ok = yes

;   writable = no

# Un-comment the following to provide a specific roving profile share

# the default is to use the user's home directory

;[Profiles]

;    path = /var/lib/samba/profiles

;    browseable = no

;    guest ok = yes

# This script can be enabled to create profile directories on the fly

# You may want to turn off guest acces if you enable this, as it

# hasn't been thoroughly tested.

;root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; ;                then mkdir -pm700 $PROFILE; chown %u:%g $PROFILE;fi

# NOTE: If you have a CUPS print system there is no need to

# specifically define each individual printer.

# You must configure the samba printers with the appropriate Windows

# drivers on your Windows clients. On the Samba server no filtering is

# done. If you wish that the server provides the driver and the clients

# send PostScript ("Generic PostScript Printer" under Windows), you have

# to swap the 'print command' line below with the commented one.

[printers]

comment = All Printers

path = /var/spool/samba

browseable = no

# to allow user 'guest account' to print.

guest ok = yes

printable = yes

create mask = 0700

# =====================================

# print command: see above for details.

# =====================================

print command = lpr-cups -P %p -o raw %s -r   # using client side printer drivers.

printer name = HP-Deskjet-3820

;   print command = lpr-cups -P %p %s # using cups own drivers (use generic PostScript on clients).

# The following two commands are the samba defaults for printing=cups

# change them only if you need different options:

;   lpq command = lpq -P %p

;   lprm command = cancel %p-%j

# This share is used for Windows NT-style point-and-print support.

# To be able to install drivers, you need to be either root, or listed

# in the printer admin parameter above. Note that you also need write access

# to the directory and share definition to be able to upload the drivers.

# For more information on this, please see the Printing Support Section of

# /usr/share/doc/samba-<version>/Samba-HOWTO-Collection.pdf

[print$]

path = /var/lib/samba/printers

write list = @adm root

[DATA]

path = /mnt/data/

hide files = Donna-windoze/

veto files = Donna-windoze/

veto oplock files = Donna-windoze/

case sensitive = no

msdfs proxy = no

hide unreadable = yes

[DOCUMENTS]

path = /home/dale/Desktop/Documents/

case sensitive = no

msdfs proxy = no

hosts allow = 192.168.100.*

hide files = DonnaIM/DonnaIM2/DonnaIM3/

```

Sorry so huge.  I also tried setting this up through KDE.  When I add a user and then go back to see if it worked or not, the user was not added.  I'm not sure why.  Any ideas on that?  I did have to put in my root password to do that though.    :Embarassed: 

Thanks for the help.

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## Allochtoon

Is there a firewall running on her computer?

What does the samba log say when windows tries to access the share?

----------

## MEW

What workgroup is her WinXP box in? They have to be the same for Network Neighborhood to work, I think.

EDIT: Does it work if you try to go to \\yourcomputername on her computer (using Windows Explorer)?

----------

## Pizon

It would help a lot here if you could provide a synopsis of the error messages you receive on the Windows XP computer.  That being said, I would definitely make sure that both computers are using the same workgroup.  This isn't essential but it makes things easier.  The other thing I would try is using the Windows search utility to search for your (samba) computer.  I would search both by name and by ip address.

----------

## dalek

What you all are saying is some good points, problem is, I don't know how to do this in windoze.  I only use Linux and have never actually owned a copy of windoze, ever.  I don't get error messages in windoze but it doesn't see my system either.  

I have found a tutorial or two that tells how to set up samba and I did that.  It just doesn't say much if anything about the windoze part.  Between that and the router, I'm clueless.  I think the Linux end is ready.

How do I see what the workgroup is and how do I change it?  I did do the \\smoker once before but I don't remember it saying anything but it didn't find it.

Sorry I am so windoze ignorant.    :Embarassed:    This is a Linux forums though.

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## dalek

UPDATE!!!  If I go to the network neighborhood, it shows up as smoker.  It won't let me in or anything but it says it sees something out there.

I did change the workgroup name in my samba config file.  That seemed to help a lot.  

Any more ideas?  I need some.

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## jmbsvicetto

Hi.

In your windows box, open the command prompt and type the following

```
c:\...> net view \\smoker
c:\...> net view \\<smoker-ip-address>
c:\...> net use z: \\smoker\data
c:\...> net use y: \\<smoker-ip-address>\data
```

Do you get any error? Can you see any files under z: or y:?

By the way, have you tested on your Linux box with smbclient?

----------

## dalek

Here comes my cut n paste.

```
C:\>net view \\smoker
System error 53 has occurred.
The network path was not found.

C:\>net view \\192.168.100.3
System error 53 has occurred.
The network path was not found.

C:\>net use z:\\smoker\mnt\data\
System error 67 has occurred.
The network name cannot be found.

C:\>net use z:\\192.168.100.3\mnt\data\
System error 67 has occurred.
The network name cannot be found.

C:\>
```

But in the window under the network thing, it shows up as smoker.  When I click it says it is not there.  Weird.  Maybe I need to reboot my Linux box?    :Laughing:   :Laughing:    Yeah, right!!

Any ideas now?  This is too weird.  I set a lot of this up with the KDE GUI.  It appears that something is working on my end at least.

Thanks for the help.

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## MEW

Does anything show up in the samba logfiles when you try to double-click Smoker from Network Neighborhood?

You can set the workgroup name in WinXP by going to the System Properties control panel (Windows Key + Break; right-click My Computer, go to Properties; Or Start | Settings | Control Panel | System) and then the "Computer Name" tab (or something like that).

----------

## jmbsvicetto

The following means that you have network resolution problems

*dalek wrote:*

> ```
> C:\>net view \\smoker
> ...
> ```


I thought this should work, but I'm not sure anymore.

*dalek wrote:*

> ```
> C:\>net view \\192.168.100.3
> ...
> ```


Back to the basics. On your windows host do:

```
# ping smoker
# ping 192.168.100.3
```

Do you get any replies? Are you using any DNS or WINS server on your network? If so, did you remember to add smoker address to the servers?

If you can ping the linux host, can you do the following?

```
# telnet smoker 137
# telnet 192.168.100.3 137
```

Do you get any reply? If not, in your linux host, what is the output of the following?

```
# netstat -an | grep 137
```

----------

## dalek

Well, some of it anyway:

```
C:\Documents and Settings\Teresa>ping smoker
Ping request could not find host smoker. Please check the name and try again.

C:\Documents and Settings\Teresa>ping 192.168.100.3

Pinging 192.168.100.3 with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 192.168.100.3:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
^C
C:\Documents and Settings\Teresa>
```

I figured since those didn't work, the others wouldn't either.  Is it my Linux box that is blocking it or windoze?  At least it sees it is there.  

Thanks.

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## nobspangle

Do you have a firewall installed on your linux box?

How about on your windows box?

----------

## dalek

I don't recall installing a firewall on the Linux box.  She has McAfee on hers and I think the firewall is on.  I'm not sure about her settings though.  It is likely just default.  However, McAfee usually pops up and tells her when a program is trying to do something different.

Is there any way to tell what is what?  I don't see anything.  Here is my list of what is running when I boot:

```
root@smoker / # rc-update show
           alsasound |
              autofs |
            bootmisc | boot
             checkfs | boot
           checkroot | boot
               clock | boot
         consolefont | boot
         crypto-loop |
               cupsd |      default
                dbus |      default
                dhcp |
            dhcrelay |
          domainname |
              esound |
                famd |
             folding |
            gkrellmd |
                 gpm |
                hald |      default
             hddtemp |
              hdparm |
            hostname | boot
             hotplug |      default
     http-replicator |      default
           ip6tables |
            iptables |      default
               ivman |      default
             keymaps | boot
                lisa |
               local |      default nonetwork
          localmount | boot
             metalog |
             modules | boot
            net.eth0 |      default
            net.eth1 |
            net.eth2 |
              net.lo | boot
        net.ppp0.old |
            netmount |      default
                nscd |
          ntp-client |      default
                ntpd |      default
             numlock |      default
             nvclock |
       pg_autovacuum |
             portmap |
          postgresql |
             pwcheck |
             reslisa |
           rmnologin | boot
              rsyncd |      default
               samba |      default
           saslauthd |
              serial | boot
          serial.old |
               slapd |
              slurpd |
              smartd |      default
                sshd |
           syslog-ng |      default
                upsd |      default
              upsdrv |
              upsmon |
             urandom | boot
             usermin |
          vixie-cron |      default
                 xdm |      default
              xprint |
               zzfah |      default
root@smoker / #
```

Should I turn off her McAfee firewall and test this out for a bit?

I may be in and out for a bit.  She is sick and we just got back from the emergency room.  I'm playing nurse at the moment.  Thought I would mention that in case I don't reply for a good while or something.

Thanks for the help.

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## DawgG

(hey , i finally found that one user i always believed i'd never find: "i've never used windoze, only linux." grown up with a good os. GREAT!!)

ok,

on windoze:

1. turn off anything firewall-like on the windoze-box (3rd-party-products and the windoze-integrated one; i think there's some security-center or sth where u can turn it off)

2. (does she have xp prof or home version? because some opts might be different) somewhere among workplace->folder-options there is a way to turn OFF easy or simple file-sharing. turn it off.

3. in a command-prompt (cmd.exe) type `nbtstat -a <sambabox-netbios-name>` or `nbtstat -A <sambabox-ip-address>`. the result of this will tell you if they can "talk" to each other (exchange names etc.)

4. check the windoze-eventlog

on the sambabox:

1. add a user that has the same name as the windoze-user, give it permissions on the respective dirs/files: the paths in the share-defs in smb.conf (unless you want to go really deep into samba and set up username-mapping, windoze-domainfuck and the like)

2. i suggest you set up a VERY BASIC smb.conf-file (the samba-online-docs are a very great help here, copy&paste) and, for testing purposes, use the most liberal permissions on everything (local files/dirs and NO security-restrictions in smb.conf). use the samba-command `testparm (-v)` very often.

about 20 lines should do what you want.

i think the main problem is your smb.conf (the one you posted); it has a lot of errors.  e.g, the machine HAS to have a netbios-name (yours is commented out). don't confuse what has to be in certain sections. leave out the stuff you don't need or want.

3. if u use no dns-server it might help that both hosts'  hosts-files have the same entries (yes, windoze does have that file :wink: ).  the `ping <sambabox-netbiosname>` will not work until the sambabox is given the right name via smb.conf ( or it's the same in the host-files, which is kind of pointless here).

4. sometimes it has helped to play with the parameter `encrypt passwords = [yes|no]` in the smb.conf.

in the samba-online-docs there is an easy guide; look around here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/FastStart.html  it has helped me many many times and i'm certain you'll get your setup running in no time.

(and you might check if your router/firewall in between lets the relevant ports pass (135-139, maybe 445 i guess))

----------

## dalek

 *DawgG wrote:*   

> (hey , i finally found that one user i always believed i'd never find: "i've never used windoze, only linux." grown up with a good os. GREAT!!)

 

I don't use windoze, she does.  I'm mowing the grass so I will try this later when it starts to rain.  Thanks for the info.  Back later.

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## nobspangle

you have iptables in your default runlevel, you may want to check that out

----------

## dalek

If I stop iptables it will retain the settings won't it??  We are gone to the neurologist today.  I HOPE to be back later.  Wish us luck.    :Crying or Very sad: 

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## dalek

Sorry so long.  We have been having rounds with the Doctor.  They seem to want to make a career out of figuring out what is wrong.  Anyway, I stopped iptables and now it works fine.  I guess I need to figure out what to do to get it to allow connections with iptables running.

Thanks for the help and again sorry for the slowness of my testing.  Oh, webmin got installed too.  Very cool setup there.    :Embarassed:   :Laughing: 

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

Any ideas on the iptables thing??  I have to warn you, we have another Dr's appointment tomorrow for a MRI and a heart test thing.  They found out last week that she had a brain.    :Rolling Eyes:    Now they want to make sure she has a heart and a neck.    :Shocked: 

----------

## MEW

Could you post your iptables rules (`iptables -L`)?

----------

## dalek

Sure.  Here you go:

```
root@smoker / # iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

DROP       all  --  anywhere             anywhere            state INVALID,NEW

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

DROP       all  --  anywhere             anywhere            state INVALID,NEW

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

root@smoker / #       
```

I read the man page.    :Confused:   :Confused:   :Confused:    I guess I need to find time to read a wiki or something.  I need more explaining on that one.    :Embarassed:    I do get the http part though.  That's a webpage.   :Very Happy: 

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## MEW

It's your "DROP       all  --  anywhere             anywhere            state INVALID,NEW " rule, I think (in INPUT). I think that that will not allow any incoming connections to anything (except HTTP). 

Try this (allows traffic on tcp or udp from 192.168.0.0/24 to ports 138, 139, and 445, and puts the rules before what I think is the problem rule):

```
iptables -I INPUT 2 -p udp --dport 445 --source 192.168.0.0/24 -j ACCEPT

iptables -I INPUT 2 -p tcp --dport 445 --source 192.168.0.0/24 -j ACCEPT

iptables -I INPUT 2 -p udp --dport 138 --source 192.168.0.0/24 -j ACCEPT

iptables -I INPUT 2 -p tcp --dport 138 --source 192.168.0.0/24 -j ACCEPT

iptables -I INPUT 2 -p udp --dport 139 --source 192.168.0.0/24 -j ACCEPT

iptables -I INPUT 2 -p tcp --dport 139 --source 192.168.0.0/24 -j ACCEPT
```

----------

## dalek

I'll try that for sure.  I think the way the other was setup was taken from a script I found to share the net with other rigs that are connected to this one, well they were anyway.  I guess he made it allow what was needed then told it to drop everything else.  Secure I guess but too secure for what I am trying to do now.

I'll also try to "understand" what those mean when I type them in.  I need to anyway.  It took me a while on the route command too.    :Embarassed:   :Rolling Eyes: 

Thanks for the help.  

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## dalek

OK.  I tried that and I also tried changing the address to 192.168.100.0 but nothing but an error that I don't have access from the windoze machine.

Now I am trying to understand this but it is still a bit muddy.  This is what it says right now:

```
root@smoker / # iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

ACCEPT     tcp  --  192.168.100.0/24     anywhere            tcp dpt:netbios-ssn

ACCEPT     udp  --  192.168.100.0/24     anywhere            udp dpt:netbios-ssn

ACCEPT     tcp  --  192.168.100.0/24     anywhere            tcp dpt:netbios-dgm

ACCEPT     udp  --  192.168.100.0/24     anywhere            udp dpt:netbios-dgm

ACCEPT     tcp  --  192.168.100.0/24     anywhere            tcp dpt:microsoft-ds

ACCEPT     udp  --  192.168.100.0/24     anywhere            udp dpt:microsoft-ds

DROP       all  --  anywhere             anywhere            state INVALID,NEW

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

DROP       all  --  anywhere             anywhere            state INVALID,NEW

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

root@smoker / #        
```

This is awful, it actually says windows.  < Dale pukes >  This is eth0:

```
root@smoker / # ifconfig eth0

eth0      Link encap:Ethernet  HWaddr 00:01:53:81:00:E7

          inet addr:192.168.100.3  Bcast:192.168.100.127  Mask:255.255.255.128

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:1477522 errors:0 dropped:0 overruns:0 frame:0

          TX packets:1035748 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:1973023959 (1881.6 Mb)  TX bytes:115051647 (109.7 Mb)

          Interrupt:10 Base address:0xc000

root@smoker / #     
```

The highest IP the router uses is 192.168.100.4 if that helps.  I also learned that iptables -F gives you a fresh start when you screw up.    :Laughing: 

If you have any ideas, let me know.  I'll try to bang on it some more over here too.  I'll try not to screw up anything the -F won't fix.    :Shocked: 

Thanks.

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## MEW

I sniffed samba on my machine, and I see that it also uses port 137/udp ("netbios-ns"). 

```
iptables -I INPUT 2 -p tcp --dport 137 --source 192.168.100.0/24 -j ACCEPT

iptables -I INPUT 2 -p udp --dport 137 --source 192.168.100.0/24 -j ACCEPT
```

----------

## dalek

That worked like a charm.  For future reference:

```
root@smoker / # iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

ACCEPT     udp  --  192.168.100.0/24     anywhere            udp dpt:netbios-ns

ACCEPT     tcp  --  192.168.100.0/24     anywhere            tcp dpt:netbios-ns

ACCEPT     tcp  --  192.168.100.0/24     anywhere            tcp dpt:netbios-ssn

ACCEPT     udp  --  192.168.100.0/24     anywhere            udp dpt:netbios-ssn

ACCEPT     tcp  --  192.168.100.0/24     anywhere            tcp dpt:netbios-dgm

ACCEPT     udp  --  192.168.100.0/24     anywhere            udp dpt:netbios-dgm

ACCEPT     tcp  --  192.168.100.0/24     anywhere            tcp dpt:microsoft-ds

ACCEPT     udp  --  192.168.100.0/24     anywhere            udp dpt:microsoft-ds

DROP       all  --  anywhere             anywhere            state INVALID,NEW

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

DROP       all  --  anywhere             anywhere            state INVALID,NEW

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

root@smoker / # 
```

Hmmmm, to get all that, do this:

```
iptables -I INPUT 2 -p udp --dport 445 --source 192.168.100.0/24 -j ACCEPT

iptables -I INPUT 2 -p tcp --dport 445 --source 192.168.100.0/24 -j ACCEPT

iptables -I INPUT 2 -p udp --dport 138 --source 192.168.100.0/24 -j ACCEPT

iptables -I INPUT 2 -p tcp --dport 138 --source 192.168.100.0/24 -j ACCEPT

iptables -I INPUT 2 -p udp --dport 139 --source 192.168.100.0/24 -j ACCEPT

iptables -I INPUT 2 -p tcp --dport 139 --source 192.168.100.0/24 -j ACCEPT

iptables -I INPUT 2 -p tcp --dport 137 --source 192.168.100.0/24 -j ACCEPT

iptables -I INPUT 2 -p udp --dport 137 --source 192.168.100.0/24 -j ACCEPT
```

I have a couple questions now.  1 What exactly does all this mean?  2 Why is it that iptables -L takes so long to list?  My rig is in my sig and it took several minutes to get that list.  I have been reading this but it may be outdated:  http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html  I notice it talks about 2.2 and 2.4 kernels more than it does 2.6 kernels.  Is there something better and newer?

Thanks.  Now to go do my /etc/init.d/iptables save before I forget.    :Embarassed: 

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

Oh, I installed webmin.  Can I use it to config this?  I found a section that uses iptables and such.  Just curious.

----------

## MEW

1. The idea is that we want to allow incoming traffic to ports 137, 138, 139, and 445 on tcp and udp. To take the first line as an example:

"-I INPUT 2" means to Insert this rule into the INPUT table at position 2 (so it's ahead of the DROP all else rule, which had formerly occupied position 2). "-p udp" means that this rule only applies if the UDP protocol is in use. "--dport 445" means that this rule only applies if the destination port is 445. "--source 192.168.100.0/24" means that the rule only applies to traffic from the network 192.168.100.0/24 (which is any IP address whose first 24 bits match the first 24 of 192.168.100.0; that is, 192.168.100.0 - 192.168.100.255). "-j ACCEPT" means that the rule says that a packet that matches the criteria specified earlier should be ACCEPTed. (iptables rules work like "ACCEPT any packet whose protocol is udp, whose destination port is 445, and whose source matches 192.168.100.0/24", and it follows the first rule that it finds that matches the packet.)

2. It is probably spending most of that time trying to look up names for various things (networks, ports, etc.). I don't know why it takes that long on your machine, but you can make it faster by running "iptables -L --numeric" or "iptables -nL" so that it will just display the IP address, network address, or port number.

3. I have no experience with webmin and so can't help you with that.

----------
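The two points in the reply above, that `-I INPUT 2` puts each new rule ahead of the DROP rule and that the first matching rule decides, can be replayed offline against the three rule sets posted in this thread. This is an added example, not part of the thread: the one-line rule format, the `insert_rule` and `verdict` helpers, the string-prefix stand-in for the /24 match and the addresses 192.168.100.2 and 203.0.113.9 are assumptions made for illustration.

```sh
#!/bin/sh
# Toy model of one iptables chain (constructed format, one rule per line):
#   TARGET PROTO SRC-PREFIX DPORT STATES     "*" matches anything

# insert_rule RULES POS RULE: what "iptables -I INPUT POS ..." does to the list
insert_rule() {
    printf '%s\n' "$1" |
        awk -v pos="$2" -v r="$3" 'NR == pos { print r } { print }
                                   END { if (pos > NR) print r }'
}

# verdict RULES PROTO SRC DPORT STATE: first matching rule wins; if none
# matches, the chain policy applies (ACCEPT in the listings in this thread)
verdict() {
    printf '%s\n' "$1" | awk -v p="$2" -v s="$3" -v d="$4" -v st="$5" '
        ($2 == "*" || $2 == p) &&
        ($3 == "*" || index(s, $3) == 1) &&
        ($4 == "*" || $4 == d) &&
        ($5 == "*" || index("," $5 ",", "," st ",") > 0) {
            print $1, "rule", NR; found = 1; exit
        }
        END { if (!found) print "ACCEPT policy" }'
}

# The chain as first posted: allow http, drop every other new connection
before='ACCEPT tcp * 80 *
DROP * * * INVALID,NEW'
net=192.168.100.      # 192.168.100.0/24 written as a string prefix

# First fix: 445, 138, 139 (udp then tcp), each inserted at position 2
step1=$before
for port in 445 138 139; do
    for proto in udp tcp; do
        step1=$(insert_rule "$step1" 2 "ACCEPT $proto $net $port *")
    done
done
# Second fix: the missing name-service port 137
step2=$(insert_rule "$step1" 2 "ACCEPT tcp $net 137 *")
step2=$(insert_rule "$step2" 2 "ACCEPT udp $net 137 *")

pc=192.168.100.2      # assumed address of the XP box
echo "name query udp/137, original chain:  $(verdict "$before" udp $pc 137 NEW)"
echo "name query udp/137, after first fix: $(verdict "$step1" udp $pc 137 NEW)"
echo "name query udp/137, after 137 fix:   $(verdict "$step2" udp $pc 137 NEW)"
echo "tcp/445 from outside the LAN:        $(verdict "$step2" tcp 203.0.113.9 445 NEW)"
echo "reply to a connection we opened:     $(verdict "$step2" tcp 203.0.113.9 40000 ESTABLISHED)"
```

The last line shows why the `state INVALID,NEW` DROP rule does not break outgoing connections: reply packets are in state ESTABLISHED, match no rule, and fall through to the ACCEPT policy.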

## dalek

#1,  that I can understand pretty well.  If I tell it to put a rule to drop all packets in position number 1 then everything gets dropped and nothing gets through, correct?  I understand about ports too, just not what they are used for.  I think web browsing uses 80, email 25 and 110.   I know those I guess.

#2.  I was reading a guide and read about that.  It says it actually tries to look up a list of addresses until it gets a time out.  CPU and such really has nothing to do with that command.

#3.  It does have it and I'm not sure how to use it either.  Maybe I can learn something.

I still can't find a really good guide that I can understand though.  I get bits and pieces is all.  I got more out of your paragraph for #1 than I did out of 11 pages from what I was reading.    :Embarassed: 

Thanks for the help and answering questions.  I'm still secure, my Sweetie can back up her windoze box and I am happy.

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## dalek

Well, after some reading I have another question.  Let's say for example when her win XP machine was trying to access my machine it was "knocking" on a certain port.  Is there a log to find out what port it was trying to get into?  I use syslog-ng if that matters.  I was reading about it in the man page but I was wondering about the unsuccessful attempts on blocked ports.  That way if I do something new, I can tell something needs a port open.

Thanks again.  I'm learning something here.

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## robdd

Hi there Dale

One good way of seeing what is going on over the network is to use ethereal, which is a gui-based packet monitor. You should be able to 'emerge ethereal', then sit back and wait for a while. Once it's emerge'd OK you have to run it as root under X - just type 'ethereal' and it should start up. Then hit Start to start capturing packets. If you're impatient like me select the option to update the packet display in real time.

To see what is happening with the Windoze box you may have to turn off iptables (I've never used iptables myself). Ethereal by default will show all traffic, but you can apply a display filter to just show traffic to and from another IP address. Down the bottom left of the ethereal screen there's a filter box - just type in 'ip.addr == 192.168.1.111' - or whatever the IP of the Windoze box is. Then you can see exactly which ports the Windoze box is addressing. (<rant>In my experience Windoze boxes are unbelievably chatty - they're always broadcasting crap. Which makes me wonder why it takes sooooooooooo long when you try to display Network Neighbourhood stuff on Windoze. Even after all that talking the box *still* has to check the network *again* while you twiddle your thumbs</rant>).

BTW - here's a link to stuff on TCP ports: http://www.webopedia.com/quick_ref/portnumbers.asp It may help when you're trying to figure out what ports the Windoze box is addressing.

Good Luck

----------

## dalek

I have ethereal installed.  I didn't even think about it though.  I was just thinking I could check the log files every once in a while too, just in case.    :Wink:    You never know when someone may try to come in.

 :Very Happy:   :Very Happy:   :Very Happy:   :Very Happy: 

----------

## MEW

iptables packets are not logged by default, but you can make certain packets be logged. To log a packet, create a rule with the target set to "LOG" ("-j LOG") that matches it. You probably also want to specify some logging options, such as --log-prefix to have a description in the logfile. So, for example, `iptables -I INPUT 10 -m state --state NEW,INVALID -m limit --limit 3/minute -j LOG --log-prefix "Connection attempt stopped: "` adds a rule in position 10 (just before your DROP rule) that logs "-j LOG" any packets that try to create a new connection "--state NEW,INVALID" (you have to load the state module with "-m state" before you can use it). This rule will match a maximum average of 3 times per minute (with bursts up to 5 per minute (default)), so that your logs don't get filled. The log message will be prefixed with "Connection attempt stopped: " so that you can see why the packet is being logged; it will be logged with log level warning (by default). 

An example of what a logged packet would look like (from a similar rule on my machine):

```
Jun 11 09:45:31 lapdog Connection attempt stopped: IN=wlan0 OUT= MAC=00:0d:88:e8:db:28:00:20:78:1f:e0:1d:08:00 SRC=192.168.0.2 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58675 DF PROTO=TCP SPT=35255 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
```

EDIT: Note: Sending a packet to the LOG target does not do anything to the packet and iptables continues to try to match the next rule (so that in your case the packet would be logged, then the next rule would DROP it). 

EDIT2: The LOG rule has to come first, though, because the DROP rule would stop execution of the table, so that if the DROP rule was matched, the LOG rule wouldn't get looked at.

----------
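To answer the earlier question about which port a blocked machine was knocking on, the lines written by such a LOG rule can be summarised per source, protocol and destination port. This is an added example, not from the thread: the first sample line is the one quoted above, the other lines are constructed, and `summarize_blocked` and `sample_log` are hypothetical names.

```sh
#!/bin/sh
# PREFIX must be the same text that was given to --log-prefix in the LOG rule
PREFIX="Connection attempt stopped: "

# summarize_blocked: syslog lines on stdin -> "COUNT SRC PROTO/DPT", busiest first
summarize_blocked() {
    grep -F -- "$PREFIX" | awk '
        {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (dpt == "") dpt = "-"          # ICMP and similar carry no port
            if (src != "" && proto != "") seen[src " " proto "/" dpt]++
        }
        END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Sample input: line 1 is the logged packet quoted in the thread,
# lines 2-5 are constructed for this example
sample_log() {
cat <<'EOF'
Jun 11 09:45:31 lapdog Connection attempt stopped: IN=wlan0 OUT= MAC=00:0d:88:e8:db:28:00:20:78:1f:e0:1d:08:00 SRC=192.168.0.2 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58675 DF PROTO=TCP SPT=35255 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 11 09:46:02 smoker Connection attempt stopped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.100.2 DST=192.168.100.127 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4021 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 11 09:46:03 smoker Connection attempt stopped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.100.2 DST=192.168.100.127 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4022 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 11 09:46:05 smoker Connection attempt stopped: IN=eth0 OUT= MAC=00:01:53:81:00:e7:00:11:22:33:44:55:08:00 SRC=192.168.100.2 DST=192.168.100.3 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4030 DF PROTO=TCP SPT=1042 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 11 09:46:09 smoker syslog-ng[512]: constructed line unrelated to the firewall
EOF
}

sample_log | summarize_blocked
```

On a live system, feed the function the file your syslog daemon writes kernel messages to instead of `sample_log`. Because of the `--limit 3/minute` match the counts are a lower bound, not an exact tally.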

