

Disable NetBIOS over TCP/IP using SAMBA

Posted on 2004-04-03
Medium Priority
Last Modified: 2006-11-17
We are a small school trying to save money. We currently use a “proprietary” application for student learning. This application needs a “server” as plain storage. The application actually runs on the workstations; the server is more or less just a repository. The start of the problem is this application requires read, write, and access for users when they connect to the server share. With kids this is dangerous if they can “see the folder by browsing”. We successfully locked down their Windows 2000 Workstations with local policy. We discovered the students could see the network share by using Microsoft Word to browse to the network share. We solved this problem by disabling NetBIOS over TCP/IP on each of the students’ workstations. As administrator we set each workstation’s path for the share as \\\share . The application could reach the server share and access files, and the application works perfectly.

Our Goal
Our school can save a great deal of money by not having to pay for Microsoft client access licenses if we can move to a Red Hat Linux server. We can use this money for more beneficial educational packages. But, at the same time if students can browse to this server share, they could delete important files that would disrupt education. This would cost us more money.

Current Configuration
I have set up a Red Hat 9 server with DHCP, DNS, and SAMBA. From a Windows 2000 client workstation everything is transparent. The application works flawlessly. The only difference we see is performance. The Red Hat server appears much faster than the Microsoft server. From a Workstation I can run nslookup for each workstation and receive an answer. I can ping every computer by name or IP. The DHCP service on the Red Hat server appears to be working properly. When I issue an ipconfig /all command from a client, it is receiving the proper IP for the SAMBA WINS and DNS. I even did some over-kill by listing the server name and IP address in both the client’s HOSTS and LMHOSTS files. In the client network TCP/IP properties I enabled LMHOST Lookup.

The Problem
I think I know the answer, but I am praying for a work-around. When I disable NetBIOS over TCP/IP on the workstations the network share fails. (Still using \\\share) Besides performing name resolution, NetBIOS is also providing the network communication protocol for SAMBA. Is this correct? SAMBA is dependent on NetBIOS to communicate with Windows server message block? Whereas Windows 2000 computers can use native TCP/IP and can use DNS for name resolution and still communicate with TCP/IP for SMB? The only place users can browse the network from is Microsoft Word. We have locked everything down with Microsoft Windows local group policy. I can find no reference in Windows local policy to prevent users from browsing the network. There might be a “Domain Policy”, but of course this requires a Windows 2000 Domain Controller, and that would put us back to square one. This is really important to us, because we could purchase some advanced math applications for the students that we would save by going to Linux.

Is there a possibility that SAMBA is not configured properly, even though it works with NetBIOS enabled? Is it possible that the WINS server function is not working properly on the Linux server? Is there another way for the Linux server to provide a network share to Microsoft Windows 2000 computers without using NetBIOS? Is there a local group policy in Windows 2000 that I am missing that prevents browsing of the network? Any direction you could provide would be helpful, even if you confirm that what we are trying to do can’t be done.

Thanks so much,

Christy Jo
Question by:christyjo

Accepted Solution

Alf666 earned 2000 total points
ID: 10748741

This works the other way round. The original protocol for Windows was NetBEUI. Now they use Netbios over TCP/IP. Not TCP/IP natively.
Samba knows Netbios over TCP/IP, but no NetBEUI. So, when you disable it, it does not work anymore.

What you can do, though, is forbid the browsing of these folders in your smb.conf:

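        # [appshare] and path are placeholders: use your own share name and directory
        [appshare]
        path = /srv/appshare
        comment = My app folder
        # hide the share from browse lists; this is not access control
        browseable = no
        read only = no
        create mode = 0755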

BTW, samba 3.0 can act as a domain controller and, thus, enable policies.


Expert Comment

ID: 10748987
You could also set user authentication on that share (through samba) and thus only make it accessible for teachers.

The domain-controller option within samba is a good suggestion since it also enables you to centralize your user management, but it might be overkill; it depends a bit on your network size (the larger it is, the more reason to do it).

Only forbidding browsing isn't a good idea as people could guess the name of a file and still alter/delete it, start writing files to this share until it runs out of space, ...
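
The difference between hiding a share and restricting it, as discussed in the answer and the comment above, can be checked mechanically. The following is an added example, not code from the thread or from the Samba project: a small Python audit that flags writable shares whose only protection is `browseable = no`. The share names, path and the `@teachers` group are constructed placeholders, and the check looks only at `valid users` in smb.conf (filesystem permissions and parameters such as `write list` or `hosts allow` are not evaluated).

```python
# Constructed smb.conf sample; share names, path and group are placeholders.
SAMPLE = """\
[appshare]
    path = /srv/appshare
    browseable = no
    read only = no
    create mode = 0755

[appshare-locked]
    path = /srv/appshare
    browseable = no
    read only = no
    valid users = @teachers
"""

def parse_smb_conf(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and spaces in names: "read only" == "readonly".
            current["".join(key.lower().split())] = value.strip()
    return sections

def truthy(value):
    return value.strip().lower() in ("yes", "true", "on", "1")

def is_writable(p):
    for synonym in ("writeable", "writable", "writeok"):
        if synonym in p:
            return truthy(p[synonym])
    return not truthy(p.get("readonly", "yes"))  # shares default to read only

def audit(text):
    conf = parse_smb_conf(text)
    findings = {}
    for name, params in conf.items():
        if name in ("global", "printers"):
            continue
        p = {**conf.get("global", {}), **params}  # share settings override [global]
        hidden = not truthy(p.get("browseable", p.get("browsable", "yes")))
        open_write = is_writable(p) and not p.get("validusers")
        findings[name] = ["hidden-only" if hidden else "open-write"] if open_write else []
    return findings
```

`audit(SAMPLE)` reports `hidden-only` for the first share, which any user who can log in and knows the name can still write to, and nothing for the second, where `valid users` limits access to one group.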

Author Comment

ID: 10750182
Thanks to both of you. I like the option of making the folder not being able to browse! To roeleboel: You make some excellent points. You are right about them guessing a path, but we have disabled Explorer, Internet Explorer, and the run command. The students were trying to use the browse feature in Microsoft Word, under file open. Note to Alf666. Windows 2000 and above does enable NetBIOS over TCP/IP, but if you switch to Native mode... no Windows 9X machines on the network, then Active Directory uses just DNS for name resolution. Of course Active Directory has to be running, and this of course means a Domain Controller... ugh! You might have saved us some money. I thank you. The students will benefit.
Christy Jo

Expert Comment

ID: 10750506
Just remember to keep an eye out for students using macros within office, as these can bypass all the lockouts you've described above.
I don't know what kind of students you have, but when I was in high school it was a 'little hobby' of us to circumvent lockouts in as many ways as possible :-)
