Disable NetBIOS over TCP/IP using SAMBA
Posted on 2004-04-03
We are a small school trying to save money. We currently use a "proprietary” application for student learning. This application needs a “server” as a plain storage. The application actually runs on the workstations, the server is more or less just a repository. The start of the problem is this application requires read, write, and access for users when they connect to the server share. With kids this is dangerous if they can “see the folder by browsing”. We successfully locked down their Windows 2000 Workstations with local policy. We discovered the students could see the network share by using Microsoft Word to browse to the network share. We solved this problem by disabling NetBIOS over TCP/IP on each of the student’s workstations. As administrator we set each workstation’s path for the share as \\192.168.1.2\share . The application could reach the server share and access files, and the application works perfectly.
Our school can save a great deal of money by not having to pay for Microsoft client access licenses if we can move to a Red Hat Linux server. We can use this money for more beneficial educational packages. But, at the same time if students can browse to this server share, they could delete important files that would disrupt education. This would cost us more money.
I have set up a Red Hat 9 server with DHCP, DNS, and SAMBA. From a Windows 2000 client workstation everything is transparent. The application works flawlessly. The only difference we see is performance. The Red Hat server appears much faster than the Microsoft server. From a Workstation I can run nslookup for each workstation and receive an answer. I can ping every computer by name or IP. The DHCP service on the Red Hat server appears to be working properly. When I issue an ipconfig /all command form a client; it is receiving the proper IP for the SAMBA WINS and DNS. I even did some over-kill by listing the server name and IP address in both the clients HOSTS and LMHOSTS file. In the client network TCP/IP properties I enabled LMHOST Lookup.
I think I know the answer, but I am praying for a work-around. When I disable NetBIOS over TCP/IP on the workstations the network share fails. (Still using \\192.168.1.2\share) NetBIOS besides performing name resolution it also is providing the network communication protocol for SAMBA. Is this correct? SAMBA is dependent on NetBIOS to communicate with Windows server message block? Whereas Windows 2000 computers can use native TCP/IP and can use DNS for name resolution and still communicate with TCP/IP for smb? The only place users can browse the network from is Microsoft Word. We have locked everything down with Microsoft Windows local group policy. I can find no reference in Windows local policy to prevent users from browsing the network. There might be a “Domain Policy”, but of course this requires a Windows 2000 Domain Controller, and that would put us back to square one. This is really important to us, because we could purchase some advanced math applications for the students that we would save by going to Linux.
Is there a possibility that SAMBA is not configured properly, even though it works with NetBIOS enabled? Is it possible that the WINS server function is not working properly on the Linux server? Is there another way for the Linux server to provide a network share to Microsoft Windows 2000 computers without using NetBIOS? Is there a local group policy in Windows 2000 that I am missing that prevents browsing of the network? Any direction you could provide would be helpful, even if you confirm that what we are trying to do can’t be done.
Thanks so much,