Samba server cannot be access across the internet
Your ISP, particularly if it's a residential ISP, may be blocking the ports. This is to protect against many exploits that are out there that infect actual Windows systems, typically older Windows operating systems such as Windows 98, etc. Comcast does this.
You also really do not want to send SMB traffic unencrypted through an untrusted network such as the Internet, especially if you have older Windows systems that only support weak NTLM authentication.
Samba works great over a routed or bridged OpenVPN setup - and will be a lot more secure.
Use SSH/WinSCP as an easier-to-setup alternative.
Related videos on Youtube
![John](https://i.stack.imgur.com/weTJG.jpg?s=256&g=1)
John
Updated on September 18, 2022Comments
-
John almost 2 years
I have a computer at my house running Ubuntu Server 12.04 that is mapped to an external ip address. The server is running a Samba server with one share. Here is the configuration file:
... #======================= Global Settings ======================= [global] ## Browsing/Identification ### # Change this to the workgroup/NT-domain name your Samba server will part of workgroup = UBUNTUSERVER # server string is the equivalent of the NT Description field server string = %h server (Samba, Ubuntu) # Windows Internet Name Serving Support Section: # WINS Support - Tells the NMBD component of Samba to enable its WINS Server # wins support = no # WINS Server - Tells the NMBD components of Samba to be a WINS Client # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both ; wins server = w.x.y.z # This will prevent nmbd to search for NetBIOS names through DNS. dns proxy = no # What naming service and in what order should we use to resolve host names # to IP addresses ; name resolve order = lmhosts host wins bcast ... #### Debugging/Accounting #### # This tells Samba to use a separate log file for each machine # that connects log file = /var/log/samba/log.%m # Cap the size of the individual log files (in KiB). max log size = 1000 # If you want Samba to only log through syslog then set the following # parameter to 'yes'. # syslog only = no # We want Samba to log a minimum amount of information to syslog. Everything # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log # through syslog you should set the following parameter to something higher. syslog = 0 # Do something sensible when Samba crashes: mail the admin a backtrace panic action = /usr/share/samba/panic-action %d ####### Authentication ####### # "security = user" is always a good idea. This will require a Unix account # in this server for every user accessing the server. See # /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html # in the samba-doc package for details. # security = user # You may wish to use password encryption. See the section on # 'encrypt passwords' in the smb.conf(5) manpage before enabling. encrypt passwords = true # If you are using encrypted passwords, Samba will need to know what # password database type you are using. passdb backend = tdbsam obey pam restrictions = yes # This boolean parameter controls whether Samba attempts to sync the Unix # password with the SMB password when the encrypted SMB password in the # passdb is changed. unix password sync = yes # For Unix password sync to work on a Debian GNU/Linux system, the following # parameters must be set (thanks to Ian Kahan <<[email protected]> for # sending the correct chat script for the passwd program in Debian Sarge). passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . # This boolean controls whether PAM will be used for password changes # when requested by an SMB client instead of the program listed in # 'passwd program'. The default is 'no'. pam password change = yes # This option controls how unsuccessful authentication attempts are mapped # to anonymous connections map to guest = bad user ... [share] comment = John Share path=/data/share read only = no browseable = yes guest ok = no
As you can see I have my own custom share called 'share' at the bottom of the configuration file. My server has an internal ip address of
192.168.1.157
and is mapped to an external ip adress of66.73.*.*
I can connect to my samba share when I am on my local network via:
smb://[email protected]/share
but when I try:
smb://[email protected].**.**/share
I get an error:
Could not display "smb://[email protected].**.**/share/" Error: Failed to mount Windows share Please select another viewer and try again
I have enabled DMZplus mode on my router for the external ip address. It should allow all traffic to flow to the external ip address:
Allow all applications (DMZplus mode) - Set the selected computer in DMZplus mode. All inbound traffic, except traffic which has been specifically assigned to another computer using the "Allow individual applications" feature, will automatically be directed to this computer. The DMZplus-enabled computer is less secure because all unassigned firewall ports are opened for that computer.
Note: On LAN devices which have a Private IP address, once DMZplus mode is selected and you click save, the system will issue a new IP address to the selected computer. The computer must be set to DHCP mode to receive the new IP address from the system, and you must reboot the computer. If you are changing DMZplus mode from one computer to another computer, you must reboot both computers.
Now when I do a port scan on my external ip
(66.73.**.**)
I get this:Starting Nmap 5.21 ( http://nmap.org ) at 2014-01-15 18:00 CST Nmap scan report for ********************** (66.73.**.**) Host is up (0.094s latency). Not shown: 996 closed ports PORT STATE SERVICE 22/tcp open ssh 135/tcp filtered msrpc 139/tcp filtered netbios-ssn 445/tcp filtered microsoft-ds
As you can see, the ports for samba are open from outside the firewall. I tried to connect to it again using the samba client on my Ubuntu 12.04 and it still is giving me the same error.
The firewall at the router level should not be stopping any traffic. The firewall on my ubuntu server is also disabled:
john@john-server:~$ sudo ufw status [sudo] password for john: Status: inactive john@john-server:~$
The traceroute and ping are also normal:
john@john-ubuntu:~$ traceroute 66.73.**.** traceroute to 66.73.**.** (66.73.**.**), 30 hops max, 60 byte packets 1 homeportal (192.168.1.254) 5.974 ms 5.967 ms 5.967 ms 2 *************************************** (66.73.**.*) 74.207 ms 74.602 ms 79.749 ms 3 *************************************** (66.73.**.**) 86.636 ms 87.632 ms 87.639 ms PING 66.73.**.** (66.73.**.**) 56(84) bytes of data. 64 bytes from 66.73.**.**: icmp_req=1 ttl=63 time=71.0 ms 64 bytes from 66.73.**.**: icmp_req=2 ttl=63 time=171 ms 64 bytes from 66.73.**.**: icmp_req=3 ttl=63 time=140 ms ^C --- 66.73.**.** ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 71.006/127.456/171.293/41.903 ms
I have an AT&T router:
Model: 4111N-031
Does anyone know where my connection is getting screwed up?
-
John over 10 years@Lawrence port scan was from an internal source, but was directed at the external ip address
-
John over 10 years@JasonIlicic I cleared all of the log files in
/var/log/samba
and then restarted the server. Then I tried to connect to the samba server and there was no record of it in the log files.
-