SMB gateway for retro file sharing

Discussion in 'Retro & Arcade' started by elvis, Apr 24, 2020.

  1. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,996
    Location:
    Brisbane


    Security alert! The following guides are dangerous - allowing old and outdated protocols on your home network is dangerous. Caveat, buyer beware, here be dragons, Danger, Will Robinson!

    Moving on...

    Just jotting some notes down here. I build these fairly often for legacy business systems, but they're becoming more and more useful for home users with retro needs. I might do others with FTP and AFP (Apple File Protocol / "AppleTalk") if people want them. These guides can be extended to any remote system (mount Google Drive or DropBox on your Windows98 machine if you like).

    [edit] This post is for SMB.
    HTTP sharing in post 11

    SMB is the "Server Message Block" protocol, and the way most Windows systems share files over a network by default. Also sometimes called CIFS (Common Internet File System). Contrary to popular belief, it didn't start life on Microsoft products (there's a long convoluted history between IBM and their OS/2 product, Sun Microsystems, 3Com and Microsoft). More here if you care:
    https://en.wikipedia.org/wiki/LAN_Manager
    https://en.wikipedia.org/wiki/Server_Message_Block

    Anyways, the protocol has evolved extensively over the years, and the SMB we use today in Windows sharing (i.e.: where you browse to \\server\share or search your network for file sharing servers via the GUI) is very different to earlier versions of the protocol.

    The biggest difference today is that "SMB1" is considered utterly broken and A BIG SECURITY RISK. I emphasise this because the instructions below are potentially dangerous, and like all retro computing you should be taking care to isolate network connectivity to old computers, as they are likely vulnerable to all sorts of Internet nasties, and could infect your other systems if you are not careful.

    So, with the safety warning out of the way, SMB1 is deprecated by most new systems - it won't work on recent builds of Windows 10, macOS, ZFS, or a variety of cheap vendor NAS solutions like QNAP, Synology, etc. But this can be tricky if you've got an old system you want to share files with. For example, a Windows 98SE machine, or something like OpenPS2Loader running on a PlayStation 2 with ISO loading over SMB1.

    Thankfully, "Samba" exists. It's an open source SMB server, and allows you to choose legacy protocols if you wish (understanding that these are risky, so they're disabled by default, but you can always re-enable them).

    I won't go into the basics of installing Linux here - I'll leave that to the reader. But what I'm doing here will work in a VM (that's how I've done it to demonstrate), as well as devices like a Raspberry Pi. Linux install guides are everywhere, and we have a dedicated forum on OCAU you can check out to get started. But this assumes you've got a default Linux install somewhere, and can log in and get root/sudo (admin) access.

    I'm testing in Ubuntu 20.04 LTS. But you can use any distro you like. I'll try to point out where commands might differ.

    So first up, here's my Win98SE VM. Lives inside VirtualBox, and has the standard IP stack installed, with an IP address handed to it by DHCP. When attempting to reach my file server on \\192.168.3.254 , the machine fails, as the file server will only respond to SMB2 or higher protocol requests:

    win98_smb_fail.png

    So, I've done a default install of Ubuntu 20.04 LTS in a VM. From there, I install two packages - "cifs-utils" which lets me mount a modern SMB2+ share, and "samba" which is the server that will allow me to re-share that mount with an older system.

    So as root I run:

    Code:
    apt-get install -y cifs-utils samba

    If you're using something like CentOS, you'd need to "yum install" these instead. But that's out of scope for this guide. "apt-get" works on Ubuntu, Mint, Debian and Raspbian distros.

    Once installed, I create a directory for my gateway to mount my actual server. I have a particular share set up there named "os". It's read-only, has no auth on it, and has all my OS drivers, service packs and whatnot in it.

    I create a directory to mount it into, and mount it up (note the slashes are opposite to Windows notation):

    Code:
    mkdir /mnt/cifs
    mount.cifs //192.168.3.254/os /mnt/cifs
    
    You can pass options to the "mount.cifs" command to send usernames and passwords across if you like. Something like:

    Code:
    mount.cifs -o username=foo,password=bar //server/share /mnt/dir
    
    I'll let the reader experiment with that. However, I can verify the mount is working:
    Code:
    cd /mnt/cifs
    ls -lah
    
    With output:
    Code:
    total 0
    drwxr-xr-x 2 root root 0 Apr 16 14:48 .
    drwxr-xr-x 1 root root 8 Apr 24 10:49 ..
    drwxr-xr-x 2 root root 0 Apr  9 15:59 arch
    drwxr-xr-x 2 root root 0 Mar  7 18:58 colour
    drwxr-xr-x 2 root root 0 Nov 22 15:01 dos
    drwxr-xr-x 2 root root 0 Dec 23 14:14 firmware
    drwxr-xr-x 2 root root 0 Dec  2 12:53 gparted
    drwxr-xr-x 2 root root 0 Jul 26  2019 groovyarcade
    drwxr-xr-x 2 root root 0 Apr 17 21:45 mac
    drwxr-xr-x 2 root root 0 Apr 11 18:40 raspberrypi
    drwxr-xr-x 2 root root 0 Jan 24 13:50 retropie
    drwxr-xr-x 2 root root 0 Nov 26 15:15 sles
    drwxr-xr-x 2 root root 0 Apr 23 23:23 .snapshots
    drwxr-xr-x 2 root root 0 Mar 30 08:27 ubuntu
    drwxr-xr-x 2 root root 0 Apr 24 09:58 windows
    
    Great, all the folders from my server that I'd expect, mount on my gateway box.

    Now, let's re-export them via an older Samba protocol.

    First, edit /etc/samba/smb.conf on the gateway box, and add in under the section titled "[global]" the config:

    Code:
    [global]
    min protocol = CORE
    
    From the Samba man page, the protocols on offer are:
    Code:
               Possible values are :
                      o   CORE: Earliest version. No concept of user names.
                      o   COREPLUS: Slight improvements on CORE for efficiency.
                      o   LANMAN1: First modern version of the protocol. Long filename support.
                      o   LANMAN2: Updates to Lanman1 protocol.
                      o   NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.
                      o   SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available.
                                 o   SMB2_02: The earliest SMB2 version.
                                 o   SMB2_10: Windows 7 SMB2 version.
                                 o   SMB2_22: Early Windows 8 SMB2 version.
                                 o   SMB2_24: Windows 8 beta SMB2 version.
                          By default SMB2 selects the SMB2_10 variant.
                      o   SMB3: The same as SMB2. Used by Windows 8. SMB3 has sub protocols available.
                                 o   SMB3_00: Windows 8 SMB3 version. (mostly the same as SMB2_24)
                                 o   SMB3_02: Windows 8.1 SMB3 version.
                                 o   SMB3_10: early Windows 10 technical preview SMB3 version.
                                 o   SMB3_11: Windows 10 technical preview SMB3 version (maybe final).
                          By default SMB3 selects the SMB3_11 variant.
    
    So we're going waaaay back in time to the very first one ever as our minimum accepted. Samba-Server will adjust to whatever a client asks for (so if it asks for more/newer, it'll get it). But all we're doing here is setting the oldest method it will allow. Again, a reminder that this is terribly insecure, so apply usual retro computing cautions.

    Now, at the very bottom of the /etc/samba/smb.conf file, we add in the following share definition:

    Code:
    [remap]
      comment = remap
      path = /mnt/cifs
      read only = yes
      guest ok = yes
      browseable = yes
    
    You can call it anything you like. I've called mine "remap" here. It's set to no password needed with the "guest ok" command, and read-only. I'll leave read/write options to the reader to play with.

    Now simply enable and restart both NMB (Name Message Block - useful for NetBIOS lookups, although we're avoiding that and using IP here) and SMB (Server Message Block, the actual server):

    Code:
    systemctl enable nmbd
    systemctl enable smbd
    systemctl restart nmbd
    systemctl restart smbd
    
    Verify it's running with "systemctl status smbd" if you like.

    Find the machine's IP address with "ip a". Mine is 192.168.3.162:
    Code:
    # ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 08:00:27:75:c9:f0 brd ff:ff:ff:ff:ff:ff
        inet 192.168.3.162/24 brd 192.168.3.255 scope global dynamic enp0s3
           valid_lft 2732sec preferred_lft 2732sec
        inet6 fe80::a00:27ff:fe75:c9f0/64 scope link
           valid_lft forever preferred_lft forever
    
    Back on the Windows98 box, let's hit the IP of this new server we created:

    win98_smb_works1.png

    win98_smb_works2.png

    win98_smb_works3.png

    We're off and running!

    For extra fun, you can check the status on the Linux box of who's connecting in using what protocols. I can see my Win98 box using the "NT1" version of the protocol:

    Code:
    root@samba-gw:~# smbstatus -vv
    using configfile = /etc/samba/smb.conf
    Samba version 4.11.6-Ubuntu
    PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
    ----------------------------------------------------------------------------------------------------------------------------------------
    2833    nobody       nogroup      win98 (ipv4:192.168.3.146:1052)           NT1               -                    -
    Service      pid     Machine       Connected at                     Encryption   Signing
    ---------------------------------------------------------------------------------------------
    remap        2833    win98         Fri Apr 24 11:42:42 2020 AEST    -            -
    IPC$         2833    win98         Fri Apr 24 10:52:15 2020 AEST    -            -
    No locked files
    
    And again on my actual Linux server/NAS, where we can see the gateway connecting using a much more modern SMB version 3.11 protocol (the latest version that ships with both Samba and Windows 10 / Server 2016 / Server 2019):
    Code:
    root@server:~# smbstatus -vv
    using configfile = /etc/samba/smb.conf
    Samba version 4.7.6-Ubuntu
    PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
    ----------------------------------------------------------------------------------------------------------------------------------------
    28269   nobody       nogroup      192.168.3.162 (ipv4:192.168.3.162:39736)  SMB3_11           -                    -
    Service      pid     Machine       Connected at                     Encryption   Signing
    ---------------------------------------------------------------------------------------------
    IPC$         28269   192.168.3.162 Fri Apr 24 10:49:30 2020 AEST    -            -
    os           28269   192.168.3.162 Fri Apr 24 10:49:30 2020 AEST    -            -
    No locked files
    
    So that's the SUPER basics version. From here all sorts of options for you to try (and if people have questions, I can demo more stuff).

    You can mount other things - Google Drive, Dropbox, S3 buckets, BackBlaze backups, etc

    You can share via other protocols - FTP, HTTP, AppleTalk/AFP (Apple Filing Protocol), SFTP, etc.

    [edit]
    HTTP sharing in post 11

    You can try various combinations of read/write permissions (Danger, Will Robinson!).

    And all of these can live concurrently on the same box. No need to set up new instances - they can all co-exist. And again, these can be hosted on a VM or even a Raspberry Pi, as the resources required are extremely low.

    Hope it helps someone out there in retro land.
     
    Last edited: Apr 25, 2020
    bester, Vanne, kbekus and 12 others like this.
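
Added example (not part of elvis's post or the thread): a POSIX shell check that reads `smbstatus` session rows in the layout shown above and reports every client that negotiated a pre-SMB2 dialect, marking those outside an allowlist of known retro machines. The function names, the allowlist argument and the two extra sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report SMB sessions that negotiated a pre-SMB2 dialect.
# Live use on the gateway (as root): smbstatus | legacy_sessions "192.168.3.146"

# Constructed sample in the session-table layout shown in the post; only the
# win98 row comes from the post, the ps2 and laptop rows are made up.
sample_smbstatus() {
cat <<'EOF'
Samba version 4.11.6-Ubuntu
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
2833    nobody       nogroup      win98 (ipv4:192.168.3.146:1052)           NT1               -                    -
2901    nobody       nogroup      ps2 (ipv4:192.168.3.150:49152)            NT1               -                    -
2950    nobody       nogroup      laptop (ipv4:192.168.3.20:51234)          SMB3_11           -                    -
Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
remap        2833    win98         Fri Apr 24 11:42:42 2020 AEST    -            -
No locked files
EOF
}

# legacy_sessions "IP IP ..."  (hypothetical helper)
# Reads smbstatus output on stdin and prints one line per legacy session:
#   EXPECTED|UNEXPECTED <client-ip> <dialect> <smbd-pid>
legacy_sessions() {
  awk -v allow="$1" '
    BEGIN {
      n = split(allow, a, " ")
      for (i = 1; i <= n; i++) ok[a[i]] = 1
      # Dialects older than SMB2, as named in the man page excerpt in the post
      split("CORE COREPLUS LANMAN1 LANMAN2 NT1", d, " ")
      for (i in d) legacy[d[i]] = 1
    }
    # Session rows start with a numeric PID and carry "(ipv4:ADDR:PORT)";
    # the Service table rows start with a share name and are skipped.
    $1 ~ /^[0-9]+$/ && match($0, /\(ipv[46]:[^)]+\)/) {
      addr = substr($0, RSTART + 6, RLENGTH - 7)  # drop "(ipvN:" and ")"
      sub(/:[0-9]+$/, "", addr)                   # drop the source port
      split(substr($0, RSTART + RLENGTH), f, " ") # f[1] = Protocol Version
      if (f[1] in legacy)
        printf "%s %s %s %s\n", ((addr in ok) ? "EXPECTED" : "UNEXPECTED"), addr, f[1], $1
    }'
}

# Succeeds only when every legacy session comes from an allowlisted address,
# so it can gate a cron alert or a monitoring check.
no_unexpected_legacy() {
  ! legacy_sessions "$1" | grep -q '^UNEXPECTED'
}

# Demo on the constructed sample, allowing only the Win98 box from the post.
sample_smbstatus | legacy_sessions "192.168.3.146"
```
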
  2. HyRax1

    HyRax1 ¡Viva la Resolutión!

    Joined:
    Jun 28, 2001
    Messages:
    7,935
    Location:
    At a desk
    Nice work!
     
    Vanne, baronbaldric and elvis like this.
  3. daehenoc

    daehenoc Member

    Joined:
    Nov 4, 2005
    Messages:
    2,801
    Location:
    Mt Gravatt E, BNE, QLD
    Very nice, thanks elvis!
     
    Vanne and elvis like this.
  4. bolex17

    bolex17 Member

    Joined:
    Feb 11, 2004
    Messages:
    1,244
    Location:
    Adelaide, 5010
    Nice elvis! I need to set up something so my old iMac G3 can access SMB shares. Will have a play around with it.
     
    elvis likes this.
  5. OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,996
    Location:
    Brisbane
    With older Macs, you can also use "Netatalk":
    http://netatalk.sourceforge.net/

    It will let you mount an AppleTalk afp:// style address, and you can do similar re-export tricks like I did in this guide.

    Ubuntu 20.04 LTS has a nice recent version in its default repos:
    Code:
    root@samba-gw:~# apt-cache show netatalk | grep ^Vers
    Version: 3.1.12~ds-4
    
    There's no real benefit to SMB over AFP (or vice versa) in older Mac OS X builds. But if you're going back to OS9 and earlier, there's no SMB option at all, but if you can get TCP/IP working, AFP will work very nicely.

    If you need help, let me know. I have an old G5 iMac running 10.5 Leopard gathering dust in my basement that I can fire up and write up a howto if you get stuck.
     
    Last edited: Apr 24, 2020
    Rass likes this.
  6. Pierre32

    Pierre32 Member

    Joined:
    Oct 13, 2019
    Messages:
    1,096
    Location:
    Sydney
    Excellent stuff, thanks elvis :thumbup: Hope to put this to use some day.
     
    elvis likes this.
  7. jimbogimp

    jimbogimp Member

    Joined:
    Apr 30, 2002
    Messages:
    957
    Location:
    funny comment
    Onya Elvis for providing the sweet sweet info pool!
     
    elvis likes this.
  8. Hater

    Hater Member

    Joined:
    Nov 19, 2012
    Messages:
    5,474
    Location:
    Canberra
    My NAS is so old it still supports SMBv1.

    I wonder if I'm secretly sitting on a retro sharing goldmine :leet:
     
  9. nic55

    nic55 Member

    Joined:
    Dec 29, 2005
    Messages:
    150
    The security issues are real and it's a good idea to separate this away from your main machine, you can also just enable SMB1 in Windows 10 if that's all you've got. It can be installed under windows features.
     
    baronbaldric and elvis like this.
  10. OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,996
    Location:
    Brisbane
    It's a bit outside of the scope of this guide, but to help people out, the Ubuntu built in "Uncomplicated FireWall" tool "ufw" can help.

    On Raspbian, you can install ufw with "sudo apt-get install -y ufw"

    Some doco here:
    https://help.ubuntu.com/community/UFW

    For example, running as root (or prefix every command with "sudo" if not root):

    Code:
    ufw allow 22/tcp
    ufw allow from 192.168.3.146
    ufw enable
    
    From top to bottom:

    "ufw allow 22/tcp" - allow all access from any IP on port 22 via the TCP protocol (the SSH default). This ensures I've always got SSH command line access
    "ufw allow from 192.168.3.146" - allow all IP traffic (all protocols and all ports) inbound from the host 192.168.3.146. In my example above, that's my Windows98SE box.
    "ufw enable" - turn on the firewall (the dangerous part - don't lock yourself out!)

    By default outbound traffic is always allowed, so the connections from your Samba gateway to your real NAS or computer are allowed. Inbound, this blocks everything but SSH (for remote admin) and one specific IP for everything.

    At any time, you can see what's going on with "ufw status" or "ufw status verbose".

    There are heftier ways to achieve this (VLANs, NATs, routing and subnetting, multiple interfaces with dedicated cables, etc). Plenty of ways to skin that cat.

    Also as I mentioned at the bottom of the document, consider other options - sharing the file via HTTP with a service like lighttpd means you can browse files in a web browser (even IE5/6) and download them to your Win98 box that way. Considerably more secure than SMB1. I might do a follow up guide on that one later.
     
    Vanne, baronbaldric and Rass like this.
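
Added example (not from the thread): the post's `ufw allow from 192.168.3.146` admits the retro client on every port, so this shell helper prints port-scoped equivalents for only the services the gateway offers. The function names and service labels are hypothetical; ports 139/445 (SMB), 137/138 (NetBIOS name and datagram services) and 80 (the HTTP share mentioned above) are the standard assignments.

```shell
#!/bin/sh
# Added example: print port-scoped ufw rules for the retro gateway.
# Nothing is applied; review the output, then run the lines as root.

# Accept only a dotted-quad IPv4 address with octets 0-255, so nothing else
# can end up inside a generated command line.
valid_ipv4() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  echo "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1 }'
}

# gateway_rules CLIENT_IP "SERVICES" [ADMIN_IP]   (hypothetical helper)
#   SERVICES: space-separated list of smb, netbios-names, http
#   ADMIN_IP: if given, SSH is limited to that host instead of any source
gateway_rules() {
  client=$1 services=$2 admin=${3:-}
  valid_ipv4 "$client" || { echo "bad client address" >&2; return 1; }
  rules="ufw default deny incoming
ufw default allow outgoing"
  if [ -n "$admin" ]; then
    valid_ipv4 "$admin" || { echo "bad admin address" >&2; return 1; }
    rules="$rules
ufw allow proto tcp from $admin to any port 22"
  else
    rules="$rules
ufw allow 22/tcp"
  fi
  for s in $services; do
    case "$s" in
      smb)           r="proto tcp from $client to any port 139,445" ;;
      # Only needed when the client browses by NetBIOS name rather than IP
      netbios-names) r="proto udp from $client to any port 137,138" ;;
      http)          r="proto tcp from $client to any port 80" ;;
      *) echo "unknown service: $s" >&2; return 1 ;;
    esac
    rules="$rules
ufw allow $r"
  done
  # Everything validated: emit the full rule set, ending with the enable step
  printf '%s\nufw enable\n' "$rules"
}

# Demo with the Win98 address from the post, SMB only.
gateway_rules 192.168.3.146 "smb"
```
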
  11. OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,996
    Location:
    Brisbane
    OK, super quick mini howto. This time HTTP sharing of the same mount point from the first post.

    On your gateway box, run the following as root/sudo to install the lighttpd HTTP server. I much prefer this to Apache, as it's far lighter on system requirements.

    Code:
    apt-get install -y lighttpd

    Now we need to change the "document root" (the default landing page of the http server) and enable directory listings to allow the web server to show files inside a directory.

    First, edit /etc/lighttpd/lighttpd.conf and change the document root directive. The old line will look like this:
    Code:
    server.document-root = "/var/www/html"

    Change it to be our mount point from the first post:
    Code:
    server.document-root = "/mnt/cifs"

    Save and exit.

    Next, enable directory listings by running as root/sudo:
    Code:
    lighttpd-enable-mod dir-listing

    You'll get a message saying it was done, and you'll need to reload the service. Let's enable it and restart it:

    Code:
    systemctl enable lighttpd
    systemctl restart lighttpd
    
    Again, check with "systemctl status lighttpd" if you like. Now head to our Windows 98 box and test:

    win98_http_1.png

    win98_http_2.png

    #winning
     
    Last edited: Apr 24, 2020
  12. Rass

    Rass Member

    Joined:
    Jun 27, 2001
    Messages:
    3,122
    Location:
    Brizbekistan
    Awesome guides, Elvis!
     
    elvis likes this.
  13. Daft_Munt

    Daft_Munt Member

    Joined:
    Jan 23, 2003
    Messages:
    7,478
    Location:
    Hobart, The Federal Group
    FYI - there is also a work around to allow for Win 10 PC to access samba share without usernames and passwords, which is not a good idea. I had to do it for work recently but it is firewalled to buggery, and write access to the share needs IP whitelisted.
     
    nic55 likes this.
  14. OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,996
    Location:
    Brisbane
    It's an interesting security question. I think I'd be inclined to keep my home network secure by default, and try to put a gateway device (RPi, VM, old PC, whatever) in off to the side on a separate network.

    Considering the alternative - grossly reducing the security of my Linux and/or Win10 "daily drive" machines in my house - that's not terribly optimal.

    Retro computing is a real challenge. Keeping old systems around that are insecure isn't a problem as long as they're air-gapped. The moment they're on a network, there's very real concern for everything else around them that can be compromised.
     
  15. nic55

    nic55 Member

    Joined:
    Dec 29, 2005
    Messages:
    150
    For a while now Microsoft has disabled Guest access to shares/RDP by default, they've also disabled blank passwords to the same resources, you can bypass them all with local security policies but why bother. You can enable SMB1 server and get access from your Windows 9x system using the same user/pass you logon to your machine with.

    I guess my original point was if all you have is one main machine running windows 10 and want to access some exodos files/etc/whatever from your retro machine it's a straightforward process to enable SMB1 and get to your end goal.
    If you want to run a permanent solution or have the spare hardware lying around to supply your retro needs then Elvis's method is an excellent path to take, especially with the extra firewalling he mentioned. Not trying to detract from the original post at all, just detail a simple solution for people in that position.
     
    Daft_Munt, baronbaldric and elvis like this.
  16. Daft_Munt

    Daft_Munt Member

    Joined:
    Jan 23, 2003
    Messages:
    7,478
    Location:
    Hobart, The Federal Group
    All good. My comment was more about weird shit that has to be done to get things working, recently. 15 years ago I was still working on dos/486 shit, in a corp environment. <has covid nightcap/>

    Edit: when I get time off work, time to get VMs going.
     
    Last edited: Apr 25, 2020
    Vanne and elvis like this.
  17. OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,996
    Location:
    Brisbane
    Last edited: Apr 26, 2020
    Vanne and baronbaldric like this.
  18. aleckon

    aleckon Member

    Joined:
    Dec 31, 2002
    Messages:
    52
    Location:
    Melbourne
    Thanks Elvis, used your guide to set up a pi zero I had kicking around as a SMB gateway for my old macs.

    Cheers!
     
    elvis likes this.
  19. Daft_Munt

    Daft_Munt Member

    Joined:
    Jan 23, 2003
    Messages:
    7,478
    Location:
    Hobart, The Federal Group
    I am about to do the same now I have purchased a pi from the forums. Now to fix my NAS. Bloody old houses (renos and gardens), sucking up time.
     
    Vanne and elvis like this.
  20. OP
    elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,996
    Location:
    Brisbane
    Been a while since I made this thread, and I'm keen to expand on the idea. Questions:

    1) Has anyone used this? How did it go?

    2) What other guides/protocols do people want to see? Would you like to get to your cloud storage via SMB? Google Drive via AppleTalk? Microsoft OneDrive via FTP? Some other combo?

    3) Would this be better as a guide to run on a Raspberry Pi specifically?

    Just wondering how I make this a little more user-friendly, and more useful in general.
     
    Vanne, Daft_Munt and Myst like this.
