samba/linux domina name login server

I have 2 win98 boxes and 1 linux box.  I'm running a cable modem out of the linux box and running IPMASQ and IPCHAINS to let my win98 boxes surf the web.  What i want to do next is setup SAMBA - i would also really like my linux box to authenticate my win98 users.  how can i set this up ??
Who is Participating?
jlevieConnect With a Mentor Commented:
Did I mention that you have to create SMB passwords for each user, no like a dummy I didn't. Each linux user has to have an SMB encrypted password, and you do that with "smbpasswd -a user". the first time you may get some warning as /etc/smbpasswd may not exist.

This looks wrong:

    interfaces =,

The Linux box does have two nic's but only one on the net. If the IP on the inside NIC on the linux box is the line should read:

    interfaces =
When you set up Samba, you'll want to enable "Encrypted Passwords", just to be able to have the Win clients be able to access shares. You'll also need to configure the win98 boxes for their "Primary Network Logon" to be "Client for Microsoft Networks". I think you'll find that life will be a lot simpler if the win98 usernames are the same as the Linux username and follow standard unix conventions (8 chars or less, all lowercase). Each win98 user needs a local Linux account also. So, I guess that in a manner of speaking that you get the authentication "for free"

I should remember what Linux you use as many times as we've corresponded here, but I don't. If you have linuxconf, that is the easiest way to achieve the intial setup, once you've got Samba installed. You can manage the Samba installation via direct edits of the smb.conf file (that's what I do) and also with swat.

If you need more info as to exactly how to set up Samab, or what options to start with, I'll be glad to assist.

ttrogdenAuthor Commented:
i'm running red hat 6.1 - this is still not working - i changed the win98 machine to use Client for Microsoft networks and looked around the linuxconf and i couldn't see where i messed up or was missing anything - here is a copy of my smb.conf file as an FYI - did i miss something in here

# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not many any basic syntactic errors.
#======================= Global Settings =====================================

# workgroup = NT-Domain-Name or Workgroup-Name
    workgroup = linux

# server string is the equivalent of the NT Description field
    server string = Samba Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
    hosts allow = 10. 127.

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
    printcap name = /etc/printcap
    load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
;   printing = bsd

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
    log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
    max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
    security = user
# Use password server option only with security = server
;   password server = <NT-Server-Name>

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
;  password level = 8
;  username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
    encrypt passwords = yes
    smb passwd file = /etc/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux sytsem password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
;  username map = /etc/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
    interfaces =,

# Configure remote browse list synchronisation here
#  request announcement to, or browse list sync from:
#      a specific host or from / to a whole subnet (see below)
;   remote browse sync =
# Cause this host to announce itself to local subnets here
;   remote announce =

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;   preferred master = yes

# Use only if you have an NT server on your network that has been
# configured at install time to be a primary domain controller.
;   domain controller = <NT-Domain-Controller-SMBName>

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
    domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U

# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependant. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
; name resolve order = wins lmhosts bcast

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#      Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one      WINS Server on the network. The default is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
    dns proxy = no
    netbios name = linux
    map to guest = never
    password level = 0
    null passwords = no
    os level = 0
    preferred master = no
    domain master = no
    wins support = no
    dead time = 0
    debug level = 0

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
;  preserve case = no
;  short preserve case = no
# Default case is normally upper case for all DOS files
;  default case = lower
# Be very careful with case sensitivity - it can break things!
;  case sensitive = no

#============================ Share Definitions ==============================
    comment = Home Directories
    browseable = yes
    writable = yes
    public = yes
    only user = no

    comment = root
    path = /root
    guest ok = yes
    share modes = yes
    browsable = yes
    writeable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
;   comment = Network Logon Service
;   path = /home/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;    path = /home/profiles
;    browseable = no
;    guest ok = yes

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
    comment = All Printers
    path = /var/spool/samba
    browseable = no
# Set public = yes to allow user 'guest account' to print
    guest ok = no
    writable = no
    printable = yes
The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

ttrogdenAuthor Commented:
well eth1 - is - so are you saying i should change the interface to reflect that ip
ttrogdenAuthor Commented:
ok - i made the changes and it's wokring great - thanks again for the help - on a side note - I want to button down my firewall on my linux box - could you show me what ports I should shutdown and how to shut them down - if you feel i should open up another questions just ask - it's just that i'm running out of points - it seems i'm giving them all to you :)
Sure I'll try to help. Which side of the firewall do you want to tighten up? The outside ought to be easy as the default config for ipchains typically just blocks all inbounds and you have to port-forward specific things. The inside requires knowing more about what services you want to have available.
ttrogdenAuthor Commented:
ok - i found this file on the internet and am using it it's called rc.firewall and i put the call for it in the rc.local  It seems to work - but i was wondering if it's safe ??  

# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels using IPCHAINS
# Load all required IP MASQ modules
#   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ modules
#          are shown below but are commented out from loading.

# Needed to initially load modules
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
#       RealAudio WILL function but in TCP mode.  This can cause a reduction
#       in sound quality
#/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default.  This modules is
#   for for multiple users behind the Linux MASQ server.  If you are going to play
#   Quake I, II, and III, use the second example.
#   NOTE:  If you get ERRORs loading the QUAKE module, you are running an old
#   -----  kernel that has bugs in it.  Please upgrade to the newest kernel.
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#/sbin/modprobe ip_masq_vdolive

#CRITICAL:  Enable IP forwarding since it is disabled by default since
#           Redhat Users:  you may try changing the options in /etc/sysconfig/network from:
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following
#       option.  This enables dynamic-ip address hacking in IP MASQ, making the life
#       with Diald and similar programs much easier.
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# MASQ timeouts
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
#  160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
/sbin/ipchains -M -S 7200 10 160

# DHCP:  For people who receive their external IP address from either DHCP or BOOTP
#        such as ADSL or Cablemodem users, it is necessary to use the following
#        before the deny command.  The "bootp_client_net_if_name" should be replaced
#        the name of the link that the DHCP/BOOTP server will put an address on to?
#        This will be something like "eth0", "eth1", etc.
#        This example is currently commented out.
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp

# Enable simple IP forwarding and Masquerading
#  NOTE:  The following is an example for an internal LAN address in the 192.168.0.x
#         network with a or a "24" bit subnet mask.
#         Please change this network number and subnet mask to match your internal LAN setup
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s -j MASQ
That looks quite safe to me. There aren't an port-forwarders to inside machines (well except bootps/bootpc to get DHCP to work). The only traffic that will allowed to travers the firewall from the Internet is that which a part of something inititated by an inside syste, and you have to allow that. Yep, pretty safe.
ttrogdenAuthor Commented:
thanks again jlevie - i'm sure we will talk again !!

You are most welcome... Catch you later...
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.