How to set up Encrypted Samba to a Verio VPS
These are some notes for setting up a Samba shared folder on a Verio virtual private server. This is so that the folder can be mounted and accessed as a drive in Windows XP. The connection is encrypted by tunnelling traffic using the port-forwarding feature of SecureCRT SSH.
VPS Configuration
First, install samba on the VPS by running vinstall samba3 as root. Next, run smbpasswd -U USERNAME (as root) for the appropriate user. This user should be an existing, non-root user on the server. Enter a password for the user.
The default configuration file is placed in /etc/smb.conf, and this configuration file does not work. You can use the sample configuration file below to set up a temporary directory for testing.
Sample smb.conf
[global]
    security = share
    encrypt passwords = yes
    server string = Virtual Server
    workgroup = Virtual Workgroup
    guest account = nobody
    password level = 2
    socket options = TCP_NODELAY SO_KEEPALIVE
    share modes = yes
    locking = no
    strict locking = yes
    invalid users = Administrator

[tmp]
    comment = Temp
    path = /var/tmp
    browseable = yes
    guest ok = no
    read only = no
    create mask = 0777
    writeable = yes
    valid users = USERNAME
    # "public" is a synonym for "guest ok", so this later line overrides "guest ok = no" above
    public = yes
If all is good, run testparm, and look for any serious errors. Next, as root, run smbd -i -S to run the samba server interactively and send output to STDOUT. This is so you can watch the output for testing. You don't need to run nmbd, because SecureCRT port-forwarding cannot forward the UDP traffic used by it. nmbd is the NetBIOS daemon and it is only for name resolution. It is unnecessary here because we'll be connecting only to localhost, and do not need the server to broadcast its name and other information.
Windows XP Configuration
From your network adapter properties in "Control Panel"→"Network Connections", you have to uncheck the File and Printer Sharing for Microsoft Networks service to disable it. You must not uncheck Client for Microsoft Networks. You do not need to edit c:\windows\system32\drivers\etc\lmhosts.
File sharing must be disabled in order to use the SSH port forwarding. Type net stop server to stop associated services. Go to Control Panel→Administrative Tools→Services, and set "Computer Browser" and "Server" services to Manual startup. After this is done, local port 139 will become free for port forwarding to the remote server.
SecureCRT Configuration
By default, SecureCRT 4.x restricts which IP addresses can connect for port forwarding. The options are not available on the interface, and must be manually set by editing the SESSION.ini. The file will be named after your session name, and it will be in the sessions folder of the SecureCRT application data folder.
Look for the port forward filter line, and add an allow entry before the deny statement for your local, internal IP address. For more information, see the SecureCRT FAQ entry, How do I modify port-forwarding filters in SecureCRT?. The editing should be done while SecureCRT is not running. The end result will be something like this:
S:"Port Forward Filter"=allow,127.0.0.0/255.0.0.0,0 allow,192.168.0.102,0 deny,0.0.0.0/0.0.0.0,0
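The filter line above only does its job if the allow entry is reached before the catch-all deny. The following Python check is an added example, not part of the original notes or of SecureCRT. It assumes entries are evaluated in order with the first match winning and that an address matching no entry is refused, and it leaves the third field of each entry uninterpreted; the function names and the misordered sample line are constructed for illustration.

```python
import ipaddress

# Filter line as shown on this page, and a constructed misordered variant.
PAGE_LINE = 'S:"Port Forward Filter"=allow,127.0.0.0/255.0.0.0,0 allow,192.168.0.102,0 deny,0.0.0.0/0.0.0.0,0'
MISORDERED = 'S:"Port Forward Filter"=allow,127.0.0.0/255.0.0.0,0 deny,0.0.0.0/0.0.0.0,0 allow,192.168.0.102,0'

def parse_filter(line):
    """Return the ordered list of (action, network) rules from a filter line."""
    rules = []
    for entry in line.split("=", 1)[1].split():
        action, addr, _third = entry.split(",")  # third field is not interpreted here
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in {entry!r}")
        # "a.b.c.d/m.m.m.m" is address/netmask; a bare address is a single host.
        rules.append((action, ipaddress.ip_network(addr, strict=False)))
    return rules

def decide(rules, client_ip):
    """Return (action, rule index) for client_ip, assuming first match wins."""
    ip = ipaddress.ip_address(client_ip)
    for index, (action, net) in enumerate(rules):
        if ip in net:
            return action, index
    return "deny", None  # assumption: an address matching no entry is refused

def shadowed(rules):
    """Indexes of entries that can never match because an earlier entry covers them."""
    return [i for i, (_, net) in enumerate(rules)
            if any(net.subnet_of(prev) for _, prev in rules[:i])]

if __name__ == "__main__":
    for name, line in (("page", PAGE_LINE), ("misordered", MISORDERED)):
        rules = parse_filter(line)
        print(name, decide(rules, "192.168.0.102"), "unreachable entries:", shadowed(rules))
```

An entry reported by shadowed() never takes effect under the first-match assumption; the same check also shows when an allow entry is wider than the single workstation address intended.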
To set up the forwarding for Samba, open "Options"→"Session Options"→"Connection"→"Port Forwarding" and click Add. Enter the name as "samba", and the local port as "139". The remote port will automatically become "139" too. Return to your session and port forwarding should begin immediately (an error will be displayed if it cannot start). There is no need to forward the other SMB ports, 137 and 138, because the nmbd name resolution service cannot be forwarded and is not needed.
Testing the Connection
First, to rule out any major connection issues, try to ping your server. Open a cmd prompt and type ping x.x.x.x, using the IP address of your server.
Next, with SecureCRT closed, try to telnet to port 139 of your server by running telnet x.x.x.x 139. If it works, press Ctrl+] to go to a prompt, and then type quit to exit. If it does not work, you will see a connect failed message. Check what happens in your SecureCRT session, because smbd will probably stop running and show some messages. Now, with SecureCRT running and port-forwarding set up, telnet to port 139 of localhost, and you should see the connection taking place on the server.
Finally, to connect the share, run net use x: \\localhost\tmp /user:USERNAME. If all is well, you should have the X drive connected to your Verio VPS through a secure SSH tunnel.
Additional Work
- Tunneling Samba without disabling local file sharing is possible by adding a Loopback Adapter, as described in some articles elsewhere on the net.
- smbd and nmbd need to be set up to run as daemons on server startup.
- Starting SecureCRT and mapping the drive should be automated.
Disclaimer: This content is provided as-is. The information may be incorrect.