[Samba] Some users cannot access shares with FQDN, but can with IP or hostname

Luke Barone lukebarone at gmail.com
Fri Sep 22 17:40:18 UTC 2023


Hi Rowland,

Yes, that was a sanitization error on my part. I am accessing it through "\\fs1.example.ad.something.ca\Sharename", and the domain is "example.ad.something.ca". I'll try Steven's suggestion above and report back if it's working now (I'm waiting for the user to come into the work site).

Re-sanitized:

FS1:

[global]
        server role = member server
        security = ADS
        workgroup = EXAMPLE
        realm = EXAMPLE.AD.SOMEWHERE.CA

        interfaces = lo enp1s0
        bind interfaces only = yes

        log file = /var/log/samba/%m.log
        log level = 1

        idmap config * : backend = tdb
        idmap config * : range = 70000-99999

        # Use idmap_rid for domain accounts
        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 100000-199999

        # Configure winbind
        winbind nss info = template
        template shell = /bin/false
        template homedir = /home/example/%U
        winbind separator = /
        winbind use default domain = yes
        winbind enum users = Yes
        winbind enum groups = yes

        # Enable extended ACLs globally
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        client signing = mandatory
        server signing = mandatory

        # Turn off NetBIOS, since our clients don't need it
        disable netbios = yes

[Users]
path = /home/example
writeable = yes

[Staff]
path = /usr/local/share/Staff
writeable = yes

DC1:

[global]
        bind interfaces only = Yes
        disable netbios = Yes
        interfaces = lo enp1s0
        netbios name = DC1
        realm = EXAMPLE.AD.SOMEWHERE.CA
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        winbind separator = /
        workgroup = EXAMPLE
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 1.2.3.4
        ntlm auth = mschapv2-and-ntlmv2-only
        log level = 1 auth_json_audit:5
        dns zone transfer clients allow = 127.0.0.0/8 ::1/128

[netlogon]
        path = /var/lib/samba/sysvol/example.ad.somewhere.ca/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

On Thu, Sep 21, 2023 at 11:14 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 21 Sep 2023 15:57:38 -0700
> Luke Barone via samba <samba at lists.samba.org> wrote:
>
> > Hi List,
> >
> > I have a Samba setup on Debian Bookworm, 2 DCs (dc1/dc2) and a file
> > server (fs1). We host our shares on FS1, and apply security level
> > permissions through the Windows File Explorer.
> >
> > I have a user who is part of the group allowed to access the share,
> > but keeps getting Access Denied errors if using the FQDN in the path
> > (i.e. \\ fs1.example.com\Sharename),
>
> Now that just might be a typo, but if it isn't, then it shouldn't work.
> Lower down your realm is 'EXAMPLE.AD.CA' on the fileserver, and
> 'AD.EXAMPLE.CA' on the DCs, hopefully one should be correct, in which
> case, to access the share it should be something like
> \\fs1.example.ad.ca\Sharename
>
> Do you want to try again, but this time, please use the same
> sanitisation everywhere.
>
> Rowland
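Rowland's point is that the FQDN in the UNC path only works if it sits inside the realm that both the member server and the DC agree on. The following added check (not code from the thread or from Samba) parses smb.conf excerpts modelled on the two files posted above and reports naming inconsistencies for a given UNC path; the config excerpts are constructed and shortened, and the share/realm names are the thread's sanitised ones.

```python
import re
# Constructed excerpts modelled on the smb.conf files posted in the thread
FS1_CONF = """
[global]
        server role = member server
        security = ADS
        workgroup = EXAMPLE
        realm = EXAMPLE.AD.SOMEWHERE.CA
[Users]
path = /home/example
"""
DC1_CONF = """
[global]
        netbios name = DC1
        realm = EXAMPLE.AD.SOMEWHERE.CA
        server role = active directory domain controller
        workgroup = EXAMPLE
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}; keys lowercased, '#'/';' lines skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = conf.setdefault(line[1:-1], {})
        elif section is not None and '=' in line:
            key, _, value = line.partition('=')
            section[' '.join(key.lower().split())] = value.strip()
    return conf

def check_unc(unc, member_conf, dc_conf):
    """Reasons a UNC path cannot work against this member/DC pair ([] = naming is consistent)."""
    m = re.match(r'^\\\\([^\\]+)\\([^\\]+)', unc)
    if not m:
        return [f"'{unc}' is not a UNC path"]
    host, share = m.group(1).lower(), m.group(2)
    member, dc = member_conf.get('global', {}), dc_conf.get('global', {})
    realm, dc_realm = member.get('realm', '').lower(), dc.get('realm', '').lower()
    problems = []
    if realm != dc_realm:
        problems.append(f"realm differs: member '{realm}' vs DC '{dc_realm}'")
    # In a normal AD setup the member's FQDN lies in the realm's DNS domain; a host elsewhere
    # will not be found as cifs/<fqdn> in this realm, so Kerberos access to it fails.
    if '.' in host and not re.fullmatch(r'[\d.]+', host) and not host.endswith('.' + realm):
        problems.append(f"'{host}' is not under realm '{realm}'; try {host.split('.')[0]}.{realm}")
    if share not in member_conf:
        problems.append(f"share '{share}' is not defined on the member server")
    return problems
```

Short hostnames and IP addresses are deliberately not checked against the realm, matching the report that those paths work.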