[Samba] "hosts allow" not working?

Carl G. Riches cgr at u.washington.edu
Thu Apr 23 17:02:43 MDT 2015


We are doing some testing in preparation for our migration from Samba 3.6 
to Samba 4.x.  Because we must share networks with other groups, we want 
to use the "hosts allow" parameter in smb.conf to restrict who can connect 
to our Samba domain.  This works great in 3.6.  I'm unable to get it to 
work with 4.1.16.  That is, I'm unable to join a Windows 7 PC to the Samba 
4 domain when "hosts allow" is defined but am able to join the PC when 
there is no "hosts allow" line.

Our smb.conf file:

# Global parameters
[global]
         workgroup = BIOSTATTEST
         realm = biostattest.ad
         netbios name = SERVICES2
         interfaces = 127.0.0.0/8, 10.108.29.0/24, 10.208.28.0/23
         bind interfaces only = Yes
         hosts allow = 127 10.208.29. 10.108.29.
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
         idmap_ldb:use rfc2307 = yes
         tls enabled = yes
         tls keyfile = /usr/local/samba/private/tls/services2.key
         tls certfile = /usr/local/samba/private/tls/services2.crt
         tls cafile = /usr/local/samba/private/tls/biostat-ca.crt
         log level = 4

[netlogon]
         path = /usr/local/samba/var/locks/sysvol/biostattest.ad/scripts
         read only = No

[sysvol]
         path = /usr/local/samba/var/locks/sysvol
         read only = No


With the "hosts allow" setting shown, attempting to join a PC to the 
domain results in this pop-up message when using the "System" control 
panel method:

   The RPC Server is unavailable

This method works fine if the "hosts allow" setting is removed from 
smb.conf and the Samba daemons are restarted.

The "netdom join" command always fails regardless of the "hosts allow" 
setting:

   Microsoft Windows [Version 6.1.7601]
   Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

   C:\>netdom join pc-057 /Domain:biostattest.ad /userd:root /passwordd:*
   Type the password associated with the domain user:

   Access is denied.

   The command failed to complete successfully.


   C:\>


Not being a Windows person, could someone shed some light on this?  I 
don't know what is different between Samba 3.6 and 4.1 that could cause 
this behavior.

Thanks,
Carl

Carl G. Riches
Department of Biostatistics
Box 357232                      voice:     206-616-2725
University of Washington        fax:       206-543-3286
Seattle, WA  98195-7232         internet:  cgr at u.washington.edu
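
Added example (not part of the original post, and not Samba code): a small check that compares the "interfaces" networks from the smb.conf above with the "hosts allow" tokens and lists any /24 block the daemon is bound to that no token matches. The matching rules in token_matches() are an assumption modelled on the smb.conf(5) description of "hosts allow" (IPv4 only, no EXCEPT or hostname handling); the check says nothing about which Samba 4 AD DC services apply the parameter.

```python
import ipaddress

# Values copied from the [global] section in the post above.
INTERFACES = "127.0.0.0/8, 10.108.29.0/24, 10.208.28.0/23"
HOSTS_ALLOW = "127 10.208.29. 10.108.29."


def token_matches(token, addr):
    """Assumed matching rules for one 'hosts allow' token (IPv4 only)."""
    if "/" in token:            # network/mask form, e.g. 10.208.28.0/23
        net = ipaddress.ip_network(token, strict=False)
        return ipaddress.ip_address(addr) in net
    if token.endswith("."):     # trailing-dot prefix form, e.g. "10.208.29."
        return addr.startswith(token)
    return addr == token        # anything else is compared as an exact address


def allowed(addr, hosts_allow=HOSTS_ALLOW):
    """True if any token in the hosts allow list matches addr."""
    tokens = hosts_allow.replace(",", " ").split()
    return any(token_matches(t, addr) for t in tokens)


def uncovered_subnets(interfaces=INTERFACES, hosts_allow=HOSTS_ALLOW):
    """Return the /24 blocks inside the bound interface networks that no
    hosts allow token matches. Each /24 is probed with one sample host,
    which is sufficient for three-octet prefixes like the ones in the post."""
    gaps = []
    for spec in interfaces.replace(",", " ").split():
        net = ipaddress.ip_network(spec, strict=False)
        if net.is_loopback:
            continue            # loopback is left out of this check
        blocks = [net] if net.prefixlen >= 24 else net.subnets(new_prefix=24)
        for block in blocks:
            probe = str(block.network_address + 1)
            if not allowed(probe, hosts_allow):
                gaps.append(str(block))
    return gaps


if __name__ == "__main__":
    for gap in uncovered_subnets():
        print("bound but not matched by hosts allow:", gap)
```

Clients whose address falls in a listed block would be refused by "hosts allow" under the assumed rules, so the address of the joining PC is worth comparing against the output.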

