[Samba] Block samba hosts by domain

Erick Ocrospoma zipper1790 at gmail.com
Thu Nov 10 20:11:26 UTC 2016


On 10 November 2016 at 07:51, Vinicius Bones Silva via samba <
samba at lists.samba.org> wrote:

> PROBABLY it's a problem with your reverse DNS resolution.
>
> From the samba server, if you do a host 172.25.0.12 (change as
> appropriate) does it resolve to a hostname in the .example.com domain? If
> it doesn't, samba won't know that it's supposed to block the access.
>
>
>

Hi,

DNS resolution seems to work fine.

[root at server0 ~]# nslookup desktop.example.com
Server:         172.25.0.254
Address:        172.25.0.254#53

Name:   desktop.example.com
Address: 172.25.0.100

[root at server0 ~]# nslookup 172.25.0.100
Server:         172.25.0.254
Address:        172.25.0.254#53

100.0.25.172.in-addr.arpa        name = desktop.example.com.


Error shown in /var/log/messages while trying to mount the share:

Nov 10 15:05:34 server0 smbd[3026]: STATUS=daemon 'smbd' finished starting up and ready to serve connectionsDenied connection from 172.25.0.100 (172.25.0.100)
Nov 10 15:06:04 server0 smbd[3028]: STATUS=daemon 'smbd' finished starting up and ready to serve connectionsDenied connection from 172.25.0.100 (172.25.0.100)


I also tried editing /etc/hosts, but got the same result.



> Em 09/11/2016 19:37, Erick Ocrospoma via samba escreveu:
>
>> Hi everybody,
>>
>>
>> I'm setting up a Samba under RHEL 7.0, just a simple samba server. But I'm
>> having trouble with blocking access to shares, to be specific with domain
>> block.
>>
>> I'm using default config in samba.conf, just added the share's config.
>>
>> While blocking by network range it works. Even when some IPs in the network
>> 172.25.0.X are subdomains of example.com, they are not blocked.
>>
>> Name resolution is done with a DNS server, which works fine. I mean, each
>> host can do name resolution to other hosts on example.com domain.
>>
>> Here is the samba config:
>>
>>          [global]
>>                  workgroup = TESTGROUP
>>                  server string = Samba Server Version %v
>>                  log file = /var/log/samba/log.%m
>>                  max log size = 50
>>                  security = user
>>                  passdb backend = tdbsam
>>                  load printers = yes
>>                  cups options = raw
>>
>>          [homes]
>>                  comment = Home Directories
>>                  browseable = no
>>                  writable = yes
>>
>>          [printers]
>>                  comment = All Printers
>>                  path = /var/spool/samba
>>                  browseable = no
>>                  guest ok = no
>>                  writable = no
>>                  printable = yes
>>
>>          [data]
>>                  comment = DATA share
>>                  path = /sambadir
>>                  hosts allow = 172.25.0. .example.com
>>                  browsable = yes
>>                  valid users = susan
>>
>>          [cluster]
>>                  comment = CLUSTER share
>>                  path = /opstack
>>                  valid users = frankenstein
>>
>>
>>
>> Thanks in advance.
>>
> --
>
>
> Vinicius Silva
> SOC




-- 


Erick.


-------------------------------------------
IRC     :   zerick
Blog    : http://zerick.me
About :  http://about.me/zerick
Linux User ID :  549567

