[TriLUG] Different Samba configurations on different network interfaces
Jon Carnes
jonc at nc.rr.com
Mon Oct 13 20:33:56 EDT 2003
On Mon, 2003-10-13 at 17:20, John Beimler wrote:
> I have a file server that sits between the corporate network, and my
> lab. I want the lab side to be very permissive, but only limited access
> to the files from the public network.
>
> I've read up on Samba, and can't quite figure out how to run two
> different samba servers on two different interfaces, both with very
> different configurations.
>
> I know about the "interfaces", "bind interfaces only" options but I was
> wondering if a single samba configuration could serve up the two
> different configurations.
>
> Any tips, or suggestions - even on how to run two smbd's would be
> appreciated.
>
>
> Peace.
>
> john

The interfaces command is really an all-or-nothing kind of thing. Most
admins set up differing access by username authentication rather than by
machine IP.

You can use the "hosts allow" (or "allow hosts") command inside various
shares to limit the access to only the machines inside your lab.

Note that you can use the client machine's IP for some interesting
things. Samba even has a variable that expands to it:

    %I    The IP address of the client machine.

You can use this and the "config file" parameter in Samba to specify a
different Samba config file for each machine based on its IP. If the
IP-based config file does not exist, then it falls back to using the
default.

So you could create two configurations, one that is restricted and one
that is wide-open... then set up links named after the local machine IP
addresses that point to the wide-open configuration.

See the man page for smb.conf for more details.

I haven't tried to run two versions of Samba on the same machine, but I
think that will not work, as NMBD will always bind to 0.0.0.0 even when
the interfaces command is used. Here is a section from one of the Samba
Docs:

    For name service it causes nmbd to bind to ports 137 and 138 on
    the interfaces listed in the interfaces parameter. nmbd also
    binds to the "all addresses" interface (0.0.0.0) on ports 137
    and 138 for the purposes of reading broadcast messages. If this
    option is not set then nmbd will service name requests on all of
    these sockets. If "bind interfaces only" is set then nmbd will
    check the source address of any packets coming in on the
    broadcast sockets and discard any that don’t match the broadcast
    addresses of the interfaces in the interfaces parameter list.

If you read the man page for smb.conf you'll find a lot of interesting
things. With some creativity you can get what you want! Good luck.

Jon Carnes
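
Added example, not part of the original post: one way to lay out the "config file" plus %I approach from the reply above, with "hosts allow" as a second check inside the permissive file. The lab subnet 192.168.50.0/24, the two client addresses, the workgroup name, the share name, the @staff group and the paths are assumptions made for illustration.

```ini
# ---- /etc/samba/smb.conf : default, restrictive file every client starts from ----
[global]
   workgroup = LAB
   security = user
   # Per-client override: %I expands to the client's IP address.
   # If /etc/samba/smb.conf.<ip> exists, Samba reloads its parameters
   # from that file; if it does not exist, this file stays in effect.
   config file = /etc/samba/smb.conf.%I

[files]
   path = /srv/files
   read only = yes
   valid users = @staff

# ---- /etc/samba/smb.conf.lab : permissive file for lab machines ----
# Written as a full configuration, since Samba reloads its parameters
# from this file when a matching per-IP link exists.
[global]
   workgroup = LAB
   security = user
   # Second check inside the permissive file: only the lab subnet
   # (and localhost) may connect, even if a link is created by mistake.
   hosts allow = 192.168.50. 127.

[files]
   path = /srv/files
   read only = no

# ---- one symlink per lab client, named after its IP (run as root) ----
#   ln -s smb.conf.lab /etc/samba/smb.conf.192.168.50.11
#   ln -s smb.conf.lab /etc/samba/smb.conf.192.168.50.12
#
# Syntax-check each file before restarting smbd:
#   testparm -s /etc/samba/smb.conf
#   testparm -s /etc/samba/smb.conf.lab
```

Clients on the corporate side have no matching smb.conf.<ip> file, so they stay on the restrictive default.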