[Samba] Shares not accessible when using FQDN

Rowland Penny rpenny at samba.org
Wed Aug 30 10:47:46 UTC 2017

On Wed, 30 Aug 2017 12:20:04 +0200 (CEST)
Gaetan SLONGO <gslongo at it-optics.com> wrote:

> Hi Rowland, my test SMB has several test lines and is dirty, for sure
> not correct :-) Could you share your setup to achieve this?

This is my working smb.conf (note: I use Samba 4.6.x)

    workgroup = SAMDOM
    security = ADS

    # Uncomment the next two lines if you require a keytab for dovecot etc
    #dedicated keytab file = /etc/krb5.keytab
    #kerberos method = secrets and keytab
    server string = Samba 4 Client %h

    winbind use default domain = yes
    winbind expand groups = 4
    winbind refresh tickets = Yes
    winbind offline logon = yes

    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain; the ranges may not overlap!
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : unix_nss_info = yes
    idmap config SAMDOM : range = 10000-999999
    # uncomment next two lines if not storing shell & unixhomedir in AD
    #template shell = /bin/bash
    #template homedir = /home/%U

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # logging
    log level = 0

If you are using a version of Samba before 4.6.0, you should remove:

    idmap config SAMDOM : unix_nss_info = yes

and replace it with:

    winbind nss info = rfc2307

For this to work, all my users have a uidNumber attribute containing a
unique number inside the 'SAMDOM' range set in smb.conf (10000-999999),
and 'Domain Users' has a gidNumber inside the same range (note: you can
start the uidNumbers & gidNumbers at the same number; there is no need
to use different start numbers).
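The two constraints above (the `*` and `SAMDOM` idmap ranges must not overlap, and every uidNumber/gidNumber must be unique and fall inside the domain range) are easy to get wrong by hand. The following Python script is an added example, not part of this thread or of Samba itself: it parses the `idmap config` lines out of an smb.conf and audits a set of uidNumber/gidNumber values against them. The smb.conf text and the user/group numbers embedded in it are constructed samples; on a real domain member you would feed it the output of `testparm -s` and the attribute values exported from AD.

```python
import re
from collections import defaultdict

# Constructed sample smb.conf fragment (same idmap layout as the config above).
SAMPLE_SMB_CONF = """
[global]
    workgroup = SAMDOM
    security = ADS
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : unix_nss_info = yes
    idmap config SAMDOM : range = 10000-999999
"""

# Constructed sample attribute values (not real accounts): 'dave' is below the
# domain range and 'bob'/'carol' share a uidNumber, both of which break winbind
# lookups with the 'ad' backend.
SAMPLE_USERS = {"alice": 10000, "bob": 10001, "carol": 10001, "dave": 5000}
SAMPLE_GROUPS = {"Domain Users": 10000, "Domain Admins": 10002}

# Samba accepts both 'idmap config *:range' and 'idmap config SAMDOM : range'.
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    idmap = defaultdict(dict)
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue  # comments and blank lines
        m = IDMAP_RE.match(stripped)
        if m:
            domain, option, value = m.groups()
            idmap[domain.upper()][option.lower()] = value
    return dict(idmap)


def parse_range(value):
    """'10000-999999' -> (10000, 999999); reject reversed ranges."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo > hi:
        raise ValueError(f"bad idmap range {value!r}")
    return lo, hi


def check_ranges(idmap):
    """Report domains without a range and any pair of ranges that overlap."""
    problems, ranges = [], {}
    for domain, opts in idmap.items():
        if "range" not in opts:
            problems.append(f"{domain}: no idmap range set")
            continue
        ranges[domain] = parse_range(opts["range"])
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:  # closed intervals intersect
                problems.append(f"ranges for {a} and {b} overlap")
    return problems


def check_ids(ids, lo, hi, kind):
    """Flag ids outside [lo, hi] and ids assigned to more than one object."""
    problems, seen = [], defaultdict(list)
    for name, num in ids.items():
        if not lo <= num <= hi:
            problems.append(f"{kind} {name}: {num} outside domain range {lo}-{hi}")
        seen[num].append(name)
    for num, names in seen.items():
        if len(names) > 1:
            problems.append(f"{kind} {num} duplicated: {', '.join(sorted(names))}")
    return problems


def audit(conf_text, users, groups, domain):
    """Full audit: range overlap, then uid/gid membership in the domain range."""
    idmap = parse_idmap(conf_text)
    problems = check_ranges(idmap)
    if domain in idmap and "range" in idmap[domain]:
        lo, hi = parse_range(idmap[domain]["range"])
        problems += check_ids(users, lo, hi, "uidNumber")
        problems += check_ids(groups, lo, hi, "gidNumber")
    return problems


if __name__ == "__main__":
    for p in audit(SAMPLE_SMB_CONF, SAMPLE_USERS, SAMPLE_GROUPS, "SAMDOM"):
        print("PROBLEM:", p)
```

uidNumbers and gidNumbers are checked as two separate namespaces, which matches the note above that a user and a group may legitimately share the same number.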

I also have a user.map, which contains this:

    !root = SAMDOM\Administrator SAMDOM\administrator Administrator

NOTE: 'SAMDOM' is my workgroup name and 'SAMDOM.EXAMPLE.COM' is my realm
name; you should replace them with yours.
