
Disable NetBIOS over TCP/IP using SAMBA

We are a small school trying to save money. We currently use a "proprietary" application for student learning. This application needs a "server" as plain storage. The application actually runs on the workstations; the server is more or less just a repository. The start of the problem is that this application requires read, write, and access for users when they connect to the server share. With kids this is dangerous if they can "see the folder by browsing". We successfully locked down their Windows 2000 workstations with local policy. We discovered the students could see the network share by using Microsoft Word to browse to the network share. We solved this problem by disabling NetBIOS over TCP/IP on each of the students' workstations. As administrator we set each workstation's path for the share as \\\share . The application could reach the server share and access files, and the application works perfectly.

Our Goal
Our school can save a great deal of money by not having to pay for Microsoft client access licenses if we can move to a Red Hat Linux server. We can use this money for more beneficial educational packages. But, at the same time if students can browse to this server share, they could delete important files that would disrupt education. This would cost us more money.

Current Configuration
I have set up a Red Hat 9 server with DHCP, DNS, and SAMBA. From a Windows 2000 client workstation everything is transparent. The application works flawlessly. The only difference we see is performance. The Red Hat server appears much faster than the Microsoft server. From a workstation I can run nslookup for each workstation and receive an answer. I can ping every computer by name or IP. The DHCP service on the Red Hat server appears to be working properly. When I issue an ipconfig /all command from a client, it is receiving the proper IP for the SAMBA WINS and DNS. I even did some overkill by listing the server name and IP address in both the client's HOSTS and LMHOSTS files. In the client network TCP/IP properties I enabled LMHOST Lookup.

The Problem
I think I know the answer, but I am praying for a work-around. When I disable NetBIOS over TCP/IP on the workstations the network share fails (still using \\\share). Besides performing name resolution, NetBIOS is also providing the network communication protocol for SAMBA. Is this correct? SAMBA is dependent on NetBIOS to communicate with Windows server message block? Whereas Windows 2000 computers can use native TCP/IP and can use DNS for name resolution and still communicate with TCP/IP for SMB? The only place users can browse the network from is Microsoft Word. We have locked everything down with Microsoft Windows local group policy. I can find no reference in Windows local policy to prevent users from browsing the network. There might be a "Domain Policy", but of course this requires a Windows 2000 Domain Controller, and that would put us back to square one. This is really important to us, because we could purchase some advanced math applications for the students that we would save by going to Linux.

Is there a possibility that SAMBA is not configured properly, even though it works with NetBIOS enabled? Is it possible that the WINS server function is not working properly on the Linux server? Is there another way for the Linux server to provide a network share to Microsoft Windows 2000 computers without using NetBIOS? Is there a local group policy in Windows 2000 that I am missing that prevents browsing of the network? Any direction you could provide would be helpful, even if you confirm that what we are trying to do can’t be done.

Thanks so much,

Christy Jo

This works the other way round. The original protocol for Windows was NetBEUI. Now they use Netbios over TCP/IP. Not TCP/IP natively.
Samba knows Netbios over TCP/IP, but no NetBEUI. So, when you disable it, it does not work anymore.

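What you can do, though, is forbid the browsing of these folders in your smb.conf:

        # placeholder section name: use your own share's name here
        [share]
        comment = My app folder
        # keep the share out of network browse lists
        browseable = no
        read only = no
        create mode = 0755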

BTW, samba 3.0 can act as a domain controller and, thus, enable policies.

You could also set user authentication on that share (through samba) and thus only make it accessible for teachers.

The domain-controller option within samba is a good suggestion since it also enables you to centralize your user management, but it might be overkill; it depends a bit on your network size (the larger it is, the more reason to do it).

Only forbidding browsing isn't a good idea as people could guess the name of a file and still alter/delete it, start writing files to this share until it runs out of space, ...
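An added example, not part of the original thread: a small audit script for the point made in the comment above, flagging writable shares that are hidden with `browseable = no` but have no `valid users` restriction. The share names, path and `@teachers` group in the sample are constructed assumptions.

```python
import re

# Constructed sample config: share names, path and group are hypothetical.
SAMPLE = """
[app_hidden_only]
    path = /srv/app
    browseable = no
    read only = no

[app_restricted]
    path = /srv/app
    browseable = no
    read only = no
    valid users = @teachers
"""

TRUE = {"yes", "true", "1"}
# Samba parameter synonyms, normalised to one spelling.
SYNONYMS = {"browsable": "browseable", "writeable": "writable",
            "write ok": "writable", "public": "guest ok"}

def parse_smb_conf(text):
    # Returns {section: {param: value}} with names lower-cased.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections

def audit(text):
    # Lists writable shares with no access restriction, hidden or not.
    findings = []
    for name, p in parse_smb_conf(text).items():
        if name in ("global", "homes", "printers"):
            continue
        # "writable = yes" is the inverse of "read only = yes" (Samba default).
        writable = (p["writable"].lower() in TRUE if "writable" in p
                    else p.get("read only", "yes").lower() not in TRUE)
        hidden = p.get("browseable", "yes").lower() not in TRUE
        guest = p.get("guest ok", "no").lower() in TRUE
        if writable and (guest or not p.get("valid users")):
            reason = "guest ok" if guest else "no valid users list"
            findings.append((name, hidden, reason))
    return findings
```

Each finding is a `(share, hidden, reason)` tuple; a share reported with `hidden` set to `True` is one that depends only on not being listed.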
christyjo (Author) commented:
Thanks to both of you. I like the option of making the folder not browsable! To roeleboel: You make some excellent points. You are right about them guessing a path, but we have disabled Explorer, Internet Explorer, and the run command. The students were trying to use the browse feature in Microsoft Word, under File > Open. Note to Alf666: Windows 2000 and above does enable NetBIOS over TCP/IP, but if you switch to Native mode... no Windows 9X machines on the network, then Active Directory uses just DNS for name resolution. Of course Active Directory has to be running, and this of course means a Domain Controller... ugh! You might have saved us some money. I thank you. The students will benefit.
Christy Jo
Just remember to keep an eye out for students using macros within Office, as these can bypass all the lockouts you've described above.
I don't know what kind of students you have, but when I was in high school it was a 'little hobby' of us to circumvent lockouts in as many ways as possible :-)