Samba – Can’t access samba share over VPN

network-sharesambavpn

Samba share is on Ubuntu 8.04
Samba config is below:

# Name mangling options
;   preserve case = yes
;   short preserve case = yes


# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
# for details
# You may want to add the following on a Linux system:
#         SO_RCVBUF=8192 SO_SNDBUF=8192
   socket options = TCP_NODELAY


#======================= Share Definitions =======================

[public]
        comment = Public Directory
        path = /home/public
        # inherit permissions = no
        # public = yes
        read only = no
        # writeable = yes
        # force create mode = 0775
        # force directory mode = 6775
        # force user = nobody
        # force group = users
        guest ok = yes
        guest only = yes

Out put from samba error log when I try to connect to the share over vpn:

[2011/04/07 15:01:23, 0] lib/access.c:check_access(327)
  Denied connection from  (10.0.1.2)
[2011/04/07 15:01:23, 1] smbd/process.c:process_smb(1062)
  Connection denied from 10.0.1.2
[2011/04/07 15:01:23, 0] lib/access.c:check_access(327)
  Denied connection from  (10.0.1.2)
[2011/04/07 15:01:23, 1] smbd/process.c:process_smb(1062)
  Connection denied from 10.0.1.2
[2011/04/07 15:01:31, 0] lib/access.c:check_access(327)
  Denied connection from  (10.0.1.2)
[2011/04/07 15:01:31, 1] smbd/process.c:process_smb(1062)
  Connection denied from 10.0.1.2

I'm trying to access this share on Windows 7.
If anyone request any other information I'll post here:
When connecting via VPN my ip will be 10.0.1.x
On site it would be 10.0.0.x
IPTABLES -L shows no rules set up

Best Answer

The error log is pretty clear :

Connection denied from 10.0.1.2
Denied connection from  (10.0.1.2)

I guess the VPN clients are not in the same subnet as the lan, and there is some kind of ACL on the samba server to deny request from clients that are not on your lan.

Edit:

looking at your other question regarding this issue, your lan appears to be in 10.0.0.0/24. The client is in 10.0.1.2(/24 ?). The network acl issue make sense.

Edit2:

This should be Samba access-lists, not iptables. If iptables were blocking, the packets would have been dropped and nothing appeared in the logs.

Edit3:

Try to add the following in your smb.conf :

hosts allow = 10.0.0.0/255.255.254.0

and reload samba. This should allow networks 10.0.0.0/24 and 10.0.1.0/24 to access the shares.

Related Solutions

Linux – Problem connecting to a Samba server with share mode security

I think that you need to re-examine whether share-mode security is what you actually need for this problem. Share mode security means that a password is used to authenticate to a share, not a username/password combination.

If you want to allow multiple users (logging in as themselves) access to modify the files then you need to use user level security.

If you want to allow anybody that knows the magic password to see the share, then share mode security is right for you.

See the Samba Documentation for more information on share level security.

Samba Permissions – I’m going to throw it!

This might help. I do something similar, but only one share is open to the group's users. Other shares are read-only except for a single maintainer user. The [global] section of my smb.conf is almost identical to yours, except I don't use the force create/directory mode directives (in my case, they'd interfere with the other shares).

Here's the share definition:

[shared stuff]
        comment = blah, blah, etc
        path = /path/to/share
        write list = @sambagroup
        force group = +sambagroup
        read only = yes
        directory mask = 0775
        create mask = 0664
        guest ok = yes
        invalid users = root
        case sensitive = True
        default case = lower
        preserve case = yes
        short preserve case = yes

The important stuff here are these:

read only = yes -- by default, read only.
guest ok = yes -- guests can browse.
write list = @sambagroup -- Authenticated members of sambagroup can write.
force group = +sambagroup -- The + means that the force only applies to existing members of sambagroup. They're already the only ones who can write. I think, without the +, guest is given sambagroup credentials, which is not wanted (particularly with the write list directive above).
directory mask = 0775
create mask = 0664

These do exactly what you want yours to do: "drwxrwxr-x" on directories, "rwxrwxr-x" on files, and newly created files are owned by the user and sambagroup. The maintainers of the other shares get the same permissions as everyone else when working in shared stuff, and permissions & groups are normal when they work in the other shares.

My smb.conf has been working with only minor tweaks through several different versions of Samba, and currently is used with Samba 3.2.5. I never had it running on Ubuntu 8.04, but it ran on Ubuntu 7.04 for a long time before getting migrated to a recent Debian Lenny install.

Best Answer

Related Solutions

Linux – Problem connecting to a Samba server with share mode security

Samba Permissions – I’m going to throw it!

Related Topic