
SAMBA share on asuswrt v380.59 doesn't let me access folders in the share

GJW

I've used the smb.conf.add option to add another share to "/" and I'm using the admin account to connect to the share from my Win10 machine. Windows does allow me to get to the top level of the asus router, but when I try to go into one of the folders, Windows tells me I can't access any of the folders because I don't have the right permissions. The "/" path and all the folders at that path are owned by the admin account.

Does anyone have any advice? Note that earlier versions of asuswrt worked fine with this exact setup.
 
I don't know if this counts as hijacking the thread or just confirming the issue you're having, but I've been having an issue with accessing Samba shares on hosts in the LAN using various flavors of Linux (CentOS, ArchLinux, Debian), while I've been able to access the folders just fine on Windows machines. I can get as far as viewing the folders shared by the Asus router, but once I try to actually access the contents of the shared folders, I get blocked out. I can run "smbclient -L ASUS %U" just fine as shown below:
Code:
[root@linsanity include]# smbclient -L asus -U%
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.25]

   Sharename  Type  Comment
   ---------  ----  -------
   entware-ng.arm  Disk  sda2's entware-ng.arm in Corsair Voyager 3.0
   Media  Disk  sdc2's media in Verbatim STORE N GO
   lib  Disk  sdc2's lib in Verbatim STORE N GO
   sbin  Disk  sdc2's sbin in Verbatim STORE N GO
   root  Disk  sdc2's root in Verbatim STORE N GO
   srv  Disk  sdc2's srv in Verbatim STORE N GO
   proc  Disk  sdc2's proc in Verbatim STORE N GO
   dev  Disk  sdc2's dev in Verbatim STORE N GO
   usr  Disk  sdc2's usr in Verbatim STORE N GO
   mnt  Disk  sdc2's mnt in Verbatim STORE N GO
   bin  Disk  sdc2's bin in Verbatim STORE N GO
   etc  Disk  sdc2's etc in Verbatim STORE N GO
   tmp  Disk  sdc2's tmp in Verbatim STORE N GO
   sys  Disk  sdc2's sys in Verbatim STORE N GO
   var  Disk  sdc2's var in Verbatim STORE N GO
   run  Disk  sdc2's run in Verbatim STORE N GO
   selinux  Disk  sdc2's selinux in Verbatim STORE N GO
   opt  Disk  sdc2's opt in Verbatim STORE N GO
   boot.bak  Disk  sdc2's boot.bak in Verbatim STORE N GO
   home  Disk  sdc2's home in Verbatim STORE N GO
   IPC$  IPC  IPC Service (ASUS)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.25]

   Server  Comment
   ---------  -------
   AAAA   
   BBBB   
   CCCC   
   ASUS  ASUS

   Workgroup  Master
   ---------  -------
   WORKGROUP  ASUS


But, when I tried to run "smbclient -L ASUS" from each of the Linux machines per the advice here, I got this message:

Code:
Server does not support EXTENDED_SECURITY  but 'client use spnego = yes and 'client ntlmv2 auth = yes' session setup failed: NT_STATUS_ACCESS_DENIED

I had tried moving up the line "client use spnego = no" in the ASUS's /etc/smb.conf (via /jffs/config/smb.conf) as suggested here to no avail. That is, the changes to smb.conf stick between boots, but I still can't access the router's shared folders from the few Linux-based hosts on my LAN.

I've definitely exhausted all the options and permutations of the following methods my feeble mind could think of:
-when authenticating to access the shared files, keep the domain name as the default "WORKGROUP"
-when authenticating to access the shared files, clear the domain name field
-log in anonymously
-repeat the above steps except toggling the allow guest login from the web ui

Any help would be much appreciated on either GJW's issue or mine as I imagine they're in a way related or hoping that they are.
 
Works for me.

Code:
merlin@mint-dev ~ $ smbclient \\\\stargate88\\Share
Enter merlin's password: 
Domain=[HOMEREALM] OS=[Unix] Server=[Samba 3.6.25]
smb: \> ls
  .                                   D        0  Sun Mar  6 10:16:15 2016
  ..                                  D        0  Fri Jul 31 20:00:27 2015
  wrtbwmon.zip                              3180  Fri Apr  6 14:10:12 2012
  Test                                D        0  Sun Feb 14 23:04:23 2016
  telnet                                  457204  Sun Jul 20 14:14:00 2014
  cfe.bin                                 262144  Thu Sep 27 00:07:40 2012
  wl.txt                              A    45803  Mon Dec 30 19:24:01 2013
  Nothingness Theory-The Maze.mp3         7504231  Sat Apr 27 00:54:23 2013
  rt87u-us-cfe.bin                        524288  Sun Jul 20 14:03:41 2014
  mtd-write2                              807220  Wed Apr  1 10:00:44 2015
  .minidlna                          DH        0  Sun Feb 14 23:16:21 2016
  Rush                                D        0  Mon Jun 22 23:35:07 2015
  ac56                                D        0  Mon Jun 22 23:34:50 2015
  wan-start                                   84  Mon Dec  3 17:11:29 2012
  Main_WStatus_Content.asp2                 7283  Thu Feb 19 21:44:32 2015
  snortrules-snapshot-2975.tar.gz        34152552  Mon Sep 28 23:19:06 2015
  header.png                          A     5354  Wed Oct 22 01:43:37 2014
  banner-small-2.png                  A     7310  Wed Oct 22 02:10:13 2014
  header2.png                         A     5195  Wed Oct 22 01:21:57 2014
  merlin-banner2.png                  A     7375  Thu Oct 23 00:25:37 2014
  DnsFiltering.png                    A     9282  Fri Jan  2 14:08:39 2015

        60537 blocks of size 65536. 24929 blocks available
smb: \>

Make sure you properly configured user access on your router for the desired share, and that you are providing a valid user with smbclient.
 
Thanks so much for the response. I've been on it attacking this thing from newly discovered angles and learning (well, maybe more like reading up on more than actual learning) way more about Samba than I wanted to in the process. Having used file sharing in the past strictly within a Windows based network, introducing Linux to it and myself to Linux has seriously complicated LAN file-sharing as I know it.

Having read up about samba and working with its tools, I realized that I may need to understand the smb.conf file a bit more instead of letting the firmware generate one on my behalf. The smb.conf that I have is as follows:

Code:
[global]
client use spnego = no
workgroup = WORKGROUP
netbios name = ASUS
server string = ASUS
unix charset = UTF8
display charset = UTF8
log file = /var/log.samba
log level = 0
max log size = 5
security = USER
guest ok = no
map to guest = Bad User
encrypt passwords = yes
pam password change = no
null passwords = yes
max protocol = NT1
passdb backend = smbpasswd
smb encrypt = disabled
smb passwd file = /etc/samba/smbpasswd
force directory mode = 0777
force create mode = 0777
max connections = 5
obey pam restrictions = no
use spnego = no
disable spoolss = yes
host msdfs = no
strict allocate = No
bind interfaces only = yes
interfaces = br0 192.168.1.1/255.255.255.0
use sendfile = yes
wins support = yes
os level = 255
domain master = yes
local master = yes
preferred master = yes
map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes
dos filemode = yes
oplocks = yes
level2 oplocks = yes
kernel oplocks = no
wide links = no


[boot]
comment = ESD-USB's boot in Corsair Voyager 3.0
path = /tmp/mnt/ESD-USB/boot
dos filetimes = yes
fake directory create times = yes
valid users = admin
invalid users =
read list = client1
write list = client1
[lib]
comment = sdc2's lib in Verbatim STORE N GO
path = /tmp/mnt/sdc2/lib
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[sbin]
comment = sdc2's sbin in Verbatim STORE N GO
path = /tmp/mnt/sdc2/sbin
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[root]
comment = sdc2's root in Verbatim STORE N GO
path = /tmp/mnt/sdc2/root
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[boot]
comment = sdc2's boot in Verbatim STORE N GO
path = /tmp/mnt/sdc2/boot
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[srv]
comment = sdc2's srv in Verbatim STORE N GO
path = /tmp/mnt/sdc2/srv
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[proc]
comment = sdc2's proc in Verbatim STORE N GO
path = /tmp/mnt/sdc2/proc
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[dev]
comment = sdc2's dev in Verbatim STORE N GO
path = /tmp/mnt/sdc2/dev
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[usr]
comment = sdc2's usr in Verbatim STORE N GO
path = /tmp/mnt/sdc2/usr
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[mnt]
comment = sdc2's mnt in Verbatim STORE N GO
path = /tmp/mnt/sdc2/mnt
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[bin]
comment = sdc2's bin in Verbatim STORE N GO
path = /tmp/mnt/sdc2/bin
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[media]
comment = sdc2's media in Verbatim STORE N GO
path = /tmp/mnt/sdc2/media
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[etc]
comment = sdc2's etc in Verbatim STORE N GO
path = /tmp/mnt/sdc2/etc
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[tmp]
comment = sdc2's tmp in Verbatim STORE N GO
path = /tmp/mnt/sdc2/tmp
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[sys]
comment = sdc2's sys in Verbatim STORE N GO
path = /tmp/mnt/sdc2/sys
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[var]
comment = sdc2's var in Verbatim STORE N GO
path = /tmp/mnt/sdc2/var
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[run]
comment = sdc2's run in Verbatim STORE N GO
path = /tmp/mnt/sdc2/run
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[selinux]
comment = sdc2's selinux in Verbatim STORE N GO
path = /tmp/mnt/sdc2/selinux
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[opt]
comment = sdc2's opt in Verbatim STORE N GO
path = /tmp/mnt/sdc2/opt
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[boot.bak]
comment = sdc2's boot.bak in Verbatim STORE N GO
path = /tmp/mnt/sdc2/boot.bak
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
[home]
comment = sdc2's home in Verbatim STORE N GO
path = /tmp/mnt/sdc2/home
dos filetimes = yes
fake directory create times = yes
valid users = client1
invalid users =
read list = client1
write list = client1
 
and the command "testparm", which I installed upon discovering its existence and availability via optware, generated this:

Code:
Load smb config files from /opt/etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "null passwords" option is deprecated
WARNING: The "use spnego" option is deprecated
Processing section "[entware-ng.arm]"
Processing section "[Media]"
Processing section "[lib]"
Processing section "[sbin]"
Processing section "[root]"
Processing section "[boot]"
Processing section "[srv]"
Processing section "[proc]"
Processing section "[dev]"
Processing section "[usr]"
Processing section "[mnt]"
Processing section "[bin]"
Processing section "[media]"
Processing section "[etc]"
Processing section "[tmp]"
Processing section "[sys]"
Processing section "[var]"
Processing section "[run]"
Processing section "[selinux]"
Processing section "[opt]"
Processing section "[boot.bak]"
Processing section "[home]"
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
  unix charset = UTF8
  display charset = UTF8
  server string = ASUS
  interfaces = br0, 192.168.1.1/255.255.255.0
  bind interfaces only = Yes
  map to guest = Bad User
  null passwords = Yes
  smb passwd file = /etc/samba/smbpasswd
  passdb backend = smbpasswd
  log file = /var/log.samba
  max log size = 5
  use spnego = No
  client use spnego = No
  disable spoolss = Yes
  os level = 255
  preferred master = Yes
  domain master = Yes
  wins support = Yes
  kernel oplocks = No
  host msdfs = No
  idmap config * : backend = tdb
  force create mode = 0777
  force directory mode = 0777
  smb encrypt = No
  max connections = 5
  use sendfile = Yes
  map archive = No
  map readonly = no
  store dos attributes = Yes
  dos filemode = Yes

[boot]
  comment = sdc2's boot in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/boot
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[Media]
  comment = sdc2's media in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/media
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[lib]
  comment = sdc2's lib in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/lib
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[sbin]
  comment = sdc2's sbin in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/sbin
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[root]
  comment = sdc2's root in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/root
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[srv]
  comment = sdc2's srv in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/srv
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[proc]
  comment = sdc2's proc in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/proc
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[dev]
  comment = sdc2's dev in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/dev
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[usr]
  comment = sdc2's usr in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/usr
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[mnt]
  comment = sdc2's mnt in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/mnt
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[bin]
  comment = sdc2's bin in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/bin
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[etc]
  comment = sdc2's etc in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/etc
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[tmp]
  comment = sdc2's tmp in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/tmp
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[sys]
  comment = sdc2's sys in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/sys
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[var]
  comment = sdc2's var in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/var
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[run]
  comment = sdc2's run in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/run
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[selinux]
  comment = sdc2's selinux in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/selinux
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[opt]
  comment = sdc2's opt in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/opt
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[boot.bak]
  comment = sdc2's boot.bak in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/boot.bak
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

[home]
  comment = sdc2's home in Verbatim STORE N GO
  path = /tmp/mnt/sdc2/home
  valid users = client1
  read list = client1
  write list = client1
  fake directory create times = Yes

And this is a sample of the "testparm" output for one of the Linux clients/workstations running Samba 4.4:

Code:
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[tmp]"
Global parameter unix charset found in service section!
Unknown parameter encountered: "display charset"
Ignoring unknown parameter "display charset"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
  netbios name = XUNIL
  server string = Samba Server Version %v
  local master = No
  log file = /var/log/samba/log.%m
  max log size = 50
  name resolve order = wins lmhosts hosts bcast
  security = USER
  wins proxy = Yes
  wins support = Yes
  idmap config * : backend = tdb
  cups options = raw
  hosts allow = 127. 192.168.2.


[homes]
  comment = Home Directories
  browseable = No
  read only = No

[printers]
  comment = All Printers
  path = /var/spool/samba
  browseable = No
  printable = Yes

[tmp]
  comment = Temporary file space
  path = /tmp
  guest ok = Yes
  read only = No

Please note that I added the "client use spnego = no" parameter in response to the closest thing to a lead I had from all this and also by following the advice I found from searching for "spnego samba linux" (which I thought would capture the scope of results I would need). The testparm showed that this is indeed deprecated and the removal of the parameter only showed the same except for the warning of spnego... being deprecated.

Also, since having installed the samba ipkg, I also tried out the included "smbclient" from the router to the Linux clients and found that the hate is mutual between the two:

Code:
admin@ASUS:/tmp/home/root# smbclient \\\\XUNIL\\tmp -U client1
WARNING: The "null passwords" option is deprecated
WARNING: The "use spnego" option is deprecated
Enter client1's password:
session setup failed: NT_STATUS_INVALID_PARAMETER

vs. what I get when trying to use smbclient between two of the Linux clients:

Code:
admin@XUNILL:/etc/httpd $ smbclient -U client1 \\\\XUNIL\\tmp
Enter client1's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.4.4]
smb: \>

My purpose of this was to generate as many searchable error messages for debugging. This most recent test happened just an hour ago, so I'll probably be searching for threads related to "samba NT_STATUS_INVALID_PARAMETER" as my next leg of research.
 
TL;DR:
Objective: let my Linux clients/workstations/hosts be able to see more than the "top-level" of my router's share in the same way that my Windows 7/8/10 are capable of doing so.

New angles that I found and tested but failed:
1. I installed the Samba 3.6 ipkg via optware and copied the smb.conf
2. Tested the permutations described in the first series of tests ran with the router's version of Samba (or rather, SMB and NMB since my small network doesn't make use of an Active Directory which would involve the full version of Samba?)

The Linux workstations can browse and share between the Windows workstations; they all belong to the same "workgroup" as configured and the Windows clients can browse through the router to their heart's content.

No love exists between the Linux clients and the router, though.

I'd be grateful for any help by way of an smb.conf for both the server and client. Or more specifically, I'd appreciate an smb.conf from someone who HAS been able to get their Asus router and Linux clients to share nicely.

The degree to which I didn't know anything about Samba was revealed in the last week as I was struggling with just getting the Linux shares going, which I just learned between last Wednesday and yesterday -- it ultimately was resolved by copying the smb.conf file from one of the Linux clients to the other ones. As edifying as it may be, I feel as a layperson, I paid my dues to get something as simple (or as demonstrated, not so simple) working, which I circumvented by not using my router for file sharing.

I'm still keen to know but keen to spend my time in a less random but focused manner. That is, I'm not super interested in going through the "faulty" and "working" copies of the clients' smb.conf line by line to find the typo or whatever it was that made one work vs the other. As of now, I'm thinking that it's not simply hardware specific but scenario based.

Anyway, I put these thoughts up here so that hopefully someone with a similar setup and similar frustrations can pick up from where I left off or where a vet can just end the guesswork with a "you dummy, the solution was [blank] this whole time." Thanks again and again, Merlin, as hitting the learning curve this hard only touches on the caliber of know-how one needs to fork an entire firmware build and while I appreciated your work before, my appreciation has grown in orders of magnitude after this ordeal!


Main reference used: https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
 
ok....immediately upon hitting reply, I found the problem in my smb.conf on the server side to be "use spnego = no", leaving intact "client use spnego = no" and doing so got me this:

Code:
Enter admin's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.24]

So yeah, just as much as luck has gotten me into this mess (I don't remember typing in the offending code), it's gotten me out! Hopefully, if this bad smb.conf is making its rounds a search for "use spnego samba" will lead folks here. Seriously, I do not know where I got that smb.conf from as I, to this day, don't know what that line means and does.
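
The settings this thread turned up can be checked for mechanically. The following is an added example, not part of the original post and not code from asuswrt or Samba: a small Python lint that flags a server-side `use spnego = no`, the options testparm reported as deprecated, and share sections defined twice (the posted smb.conf has two `[boot]` sections, and the testparm dump shows only the second one's path). `SAMPLE` is a constructed excerpt of the posted smb.conf, and the finding codes are made-up labels.

```python
import re

# Options that testparm reported as deprecated in the output quoted in the thread.
DEPRECATED = {"usespnego", "nullpasswords"}
FALSE_VALUES = {"no", "false", "0"}

# Constructed excerpt of the smb.conf posted in the thread (not the full file).
SAMPLE = """\
[global]
client use spnego = no
workgroup = WORKGROUP
security = USER
null passwords = yes
use spnego = no

[boot]
path = /tmp/mnt/ESD-USB/boot
valid users = admin

[lib]
path = /tmp/mnt/sdc2/lib
valid users = client1

[boot]
path = /tmp/mnt/sdc2/boot
valid users = client1
"""


def norm_key(name):
    """Samba matches parameter names ignoring case and whitespace."""
    return "".join(name.lower().split())


def parse(text):
    """Return (sections, duplicates).

    sections maps a lower-cased section name to its (lineno, key, value)
    entries in file order; duplicates lists (lineno, name) for each header
    that repeats an earlier one.
    """
    sections, duplicates, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            if current in sections:
                duplicates.append((lineno, current))
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((lineno, key.strip(), value.strip()))
    return sections, duplicates


def lint(text):
    """Return sorted (lineno, code, detail) findings for an smb.conf text."""
    sections, duplicates = parse(text)
    findings = []
    for lineno, key, value in sections.get("global", []):
        if norm_key(key) in DEPRECATED:
            findings.append((lineno, "DEPRECATED", key))
        # Only the server-side option is flagged; "client use spnego" was
        # left in place in the configuration that ended up working.
        if norm_key(key) == "usespnego" and value.lower() in FALSE_VALUES:
            findings.append((lineno, "SPNEGO_OFF",
                             "server-side SPNEGO disabled in [global]"))
    for lineno, name in duplicates:
        paths = [v for _, k, v in sections[name] if norm_key(k) == "path"]
        findings.append((lineno, "DUPLICATE_SECTION",
                         f"[{name}] paths: {', '.join(paths)}"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, code, detail in lint(SAMPLE):
        print(f"line {lineno}: {code}: {detail}")
```
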
 
You might want to review the Samba config file - also do a testparm -s on the shell...

Might also consider the two command lines below

nmblookup -A <serverip>

and

smbclient -U <smbuser> -L \\<samba server name>

These go a long way to sorting out what's going on with that server...
 
I'd appreciate an smb.conf from someone who HAS been able to get their Asus router and Linux clients to share nicely.

You'll need to create or change the user/groups...

Code:
$ cat /etc/samba/smb.conf

[global]

# uncomment the line below for better performance on some platforms
# on gigabit ethernet, with an untuned kernel we're seeing about 115MB/Sec on large files
# socket options = TCP_NODELAY
workgroup = WORKGROUP
netbios name = SERVERNAME
security = user
hosts allow = 192.168.1.0/24
restrict anonymous = 2

[share]
comment = Home File Server
path = /sharepoint
force user = fileserver901
force group = fileserver901
read only = no
browsable = yes
create mask = 0755
 
And we use samba to manage/create samba user accounts...

smbpasswd -a <sambauser>

and follow the prompts to set the smbpasswd

should work with just about any version of samba
 
sfx2000: thanks. I will note all of that for managing my samba. I have a tendency to stick with boilerplate templates and only get into troubleshooting once a seemingly minor adjustment completely breaks my setup and then sends me off into becoming an "expert-lite" in the subject.

Thanks also for filtering out the signal from noise. These kind of troubleshooting tips prove more invaluable for casual users like myself who are used to things working out of the box than reading the commented out notes in the conf. I'm sure I'll capably learn which parameters and directives in a configuration I can and can't do without in detail, but your streamlined smb.conf definitely lets me know that I don't need half the stuff I put up.

Plus the security advice you gave is also up my alley since I personally am interested in that since I've read that smb over LAN might be OK, but it being an unencrypted protocol can be disastrous in the wild wild WAN. And I'm not sure if I will open myself up to these vulnerabilities in a material way if I decide to setup an OpenVPN and preserve the smb stuff to be tunneled between the public and private clients, but hopefully the practices that you described above with the presumably security-based features in OpenVPN will suffice in keeping a tight seal between hq and the client on the road.
 
Plus the security advice you gave is also up my alley since I personally am interested in that since I've read that smb over LAN might be OK, but it being an unencrypted protocol can be disastrous in the wild wild WAN.

We limit the scope to the LAN, and we enforce a smbuser/smbpasswd...

The downside is that all files are owned by the same user - so any smbuser allowed can access all files on that share.

With WAN/VPN, I don't worry about the WAN, as we limit the Samba scope to the LAN users - but one should never, ever share SMB ports over the WAN in any event...

If your VPN is set up right, you'll have access to the shares... but you'll need to login to the VPN first, which is another security layer on top of what we've already done.
 
