mjsb@sdf.lonestar.org
2004-May-04 14:30 UTC
[Samba] How to tunnel Samba via ssh from Windows XP without having to disable local NetBIOS
The most recent discussions I could find on the internet about how to tunnel Samba over ssh were on this list (http://lists.samba.org/archive/samba/2004-February/), but no complete answers were given. Here is a near complete answer, which works, pulled together from various sources on the web (which are referenced). Remaining questions are at the end. It is kind of PuTTY-centric, but as far as I know it should work with any ssh client.

If you use PuTTY to tunnel local port '139' to remote port 'servername:139', you will not immediately be able to use the remote machine's Samba services. Why not? Because local port 139 is already bound by the NetBIOS services on your local machine.

One way to fix this is to do the above tunnel, then do 'net stop server' from the command prompt on your local machine (http://www.derkeiler.com/Newsgroups/comp.security.ssh/2003-09/0242.html). You will no longer be able to map any drives etc. on your local machine, but you will be able to map drives on the remote machine, e.g. using:

    net use h: \\127.0.0.1\username /user:username /persistent:no

Is there a way to keep the local NetBIOS services running, and still be able to map drives on the remote machine? Yes.

Install a Microsoft Loopback Adapter (http://research.lumeta.com/ches/cheap/tunnelsolution.html ; http://lists.isb.sdnpk.org/pipermail/comp-list/2003-February/001853.html). You can install as many of these adapters as you like (e.g. for multiple Samba connections to different machines). You can rename the network connection on this adapter from "Local Area Connection n" to something more sensible like "Microsoft Loopback Adapter n" in "Control Panel / Network Connections". You can uninstall these adapters via "My Computer / Properties / Hardware / Device Manager".

In the properties pages for the new loopback adapter, disable (don't uninstall) "Client for Microsoft Networks", "File and Printer Sharing for Microsoft Networks" and anything else except "Internet Protocol (TCP/IP)".

In the properties dialog for "Internet Protocol (TCP/IP)" for the adapter, check "Use the following IP address:" and then give the adapter a fixed IP address (not in the 127.*.*.* range, it will not accept it). http://research.lumeta.com/ches/cheap/tunnelsolution.html suggests using 222.222.222.222, which works and is unused.

You can now tunnel local port '222.222.222.222:139' to remote port 'servername:139' (PuTTY accepts this, even though the size of the dialog box for the local port looks like it might not), and you can immediately map remote Samba drives, e.g. using:

    net use h: \\222.222.222.222\username /user:username /persistent:no

But Samba printers still won't work at this point - you have to take another step. Edit (or create) C:\WINDOWS\system32\drivers\etc\lmhosts and add the following line:

    222.222.222.222 samba

If you want to use more than one Samba service, you have to give each one a different IP address and a different 'lmhosts' name.

Now you can map drives using:

    net use h: \\samba\username /user:username /persistent:no

and you can also successfully install printer drivers for remote Samba printers. Go to "Printers and Faxes / Add a printer / Network printer / Connect to named printer" and enter the printer name as \\samba\printername (anything else you need to know at this point, like which printer driver to use, depends on your local setup; note that \\222.222.222.222\printername does not work here, which is why the lmhosts name is needed).

If you use this set-up a lot, you may also want to know the right way to set up PuTTY to authenticate with an SHA key. It is given here http://codeworks.gnomedia.com/westhost/ssh.php , but, as recommended in the PuTTY docs, do not omit a pass phrase on your private key file. Once everything is set up, you can load the PuTTY private key into 'Pageant' (the PuTTY key manager) just once by double clicking on it. From then on, while Pageant is running, you can get PuTTY to connect with no further user interaction (e.g. 'putty -load "Saved session name"') as long as you have set up an 'Auto-login username' in the saved session.

------------------------------------------

Remaining questions:

1. Why do I have to install a loopback adapter, rather than just forwarding a port like 127.0.0.5:79 (which works fine for the much simpler 'finger' service)?

2. Why do I have to provide an 'lmhosts' entry for printers to work, but not for mapped drives?

3. On many networks the above works exactly as advertised, BUT... it does not work on all the networks I have tried. On some networks I can establish a perfectly good SSH connection; my PuTTY event log says that port 139 is forwarded correctly; 'telnet samba 139' clears the screen, which is a good sign that the connection is working; but all the same the 'net use ...' command gives "System error 53 has occurred.\n\nThe network path was not found.\n". How can a network allow the SSH connection but stop the tunnelled Samba port from working?

4. After entering the lmhosts name, do not change the PuTTY setup to map 'samba:139' to 'servername:139' (instead of '222.222.222.222:139' to 'servername:139'), it does not work. Why not?

5. I have not checked whether 222.222.222.222 really is a sensible TCP/IP port to use. Is it?

Any answers to any of the above (especially any idea about what's going on when this set-up doesn't work) gratefully appreciated.
Mike Beaton
2004-May-06 23:00 UTC
[Samba] Re: How to tunnel Samba via ssh from Windows XP without having to disable local NetBIOS
I have downloaded smbclient for Win32 from http://www.leenux.org.uk/lpackham/smbclient/ and I have found that

    smbclient //samba/username -U username

*works perfectly well* even at the same time, on the same network card (only wireless card and loopback adapter enabled), that

    net use h: \\samba\mjsb20 /user:mjsb20 /persistent:no

does not work at all (with 'System error 53').

So the answer to the main question about my own tunneling solution, 'what's wrong with it?', seems to be 'nothing'. Instead there is something wrong with the network setup on one of my two network cards (the wireless one) - I always get the above weird situation when connected on one card, never on the other, even though this card works fine for *everything* else.

Has anybody got any ideas? I can't find any noticeable differences between the setup of the two cards at all. (The QoS and Interface Metric settings on the cards were different, but now they're not, & no change in the problem.)

Help!
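Added example, not part of the original posts: the 'telnet samba 139' check in question 3 only shows that something accepted the TCP connection, so this probe sends a NetBIOS Session Request (RFC 1001/1002) to the tunnel endpoint and reports whether an SMB server at the far end actually answers. The calling name TUNNELTEST is made up, and the probe assumes the server accepts the generic called name *SMBSERVER; the default address is the 222.222.222.222 loopback adapter from the first post.

```python
import socket
import struct

# RFC 1002 negative session response error codes.
NEG_CODES = {
    0x80: "not listening on called name",
    0x81: "not listening for calling name",
    0x82: "called name not present",
    0x83: "insufficient resources",
    0x8F: "unspecified error",
}

def encode_name(name, suffix):
    """RFC 1001 first-level encoding: pad to 15 chars, append the suffix byte,
    then split each byte into two nibbles offset from 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + enc + b"\x00"

def session_request(called="*SMBSERVER", calling="TUNNELTEST"):
    """Build a NetBIOS Session Request (type 0x81) for the file-server name."""
    body = encode_name(called, 0x20) + encode_name(calling, 0x00)
    return struct.pack(">BBH", 0x81, 0, len(body)) + body

def parse_response(data):
    """Classify the 4-byte session header (plus error byte) sent back."""
    if len(data) < 4:
        return "no NetBIOS reply (TCP connected, but nothing answered)"
    if data[0] == 0x82:
        return "positive session response"
    if data[0] == 0x83 and len(data) >= 5:
        return "negative session response: " + NEG_CODES.get(data[4], hex(data[4]))
    return "unexpected packet type " + hex(data[0])

def probe(host="222.222.222.222", port=139, timeout=5.0):
    """Send the request through the tunnel endpoint and report the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(session_request())
        try:
            data = s.recv(5)
        except socket.timeout:
            data = b""  # connected, but the far end stayed silent
        return parse_response(data)

if __name__ == "__main__":
    print(probe())
```

A positive session response means the forwarded port reaches a working NetBIOS session service, which points any remaining 'System error 53' at the Windows client side rather than at the tunnel.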