[Samba] User cannot access member server share by name, only by IP

Luke Barone lukebarone at gmail.com
Tue Nov 29 22:18:25 UTC 2022 

I have 2 DCs and a member server, all running on Debian Bullseye, version
4.13.13-Debian. Recently, some users cannot access folders that are being
shared on the member server.

I can run `su -s/bin/bash USERNAME`, then cd into the directory just fine.
>From the Windows workstation, it's not always working. Most recently, I was
able to fix one share by flushing the winbind cache (net cache flush). The
other main share they're using is fixed temporarily by mapping to the IP
address vs the FQDN (or hostname). This is leading me to think this is a
Kerberos issue.

The Windows 10 computers are on the 21H2 patch level, which is working for
other sites in our organization. Checking on both DCs, replication appears
to be working (0 consecutive failures).

I saw a previous message about users being part of a group for permissions,
but it didn't seem to be my *exact* issue. Is it related? We only add users
to the groups, then the groups have permissions on various shares.

DC1 smb.conf (DC2 is the same):

# Global parameters
[global]
        bind interfaces only = Yes
        disable netbios = Yes
        interfaces = lo enp1s0
        ntlm auth = ntlmv1-permitted # needed for wireless
        passdb backend = samba_dsdb
        realm = DOMAIN.CA
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
        winbind separator = /
        workgroup = DOMAIN
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        vfs objects = dfs_samba4 acl_xattr


[netlogon]
        path = /var/lib/samba/sysvol/DOMAIN.ca/scripts
        read only = No


[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Relevant section on file server:
[global]
        bind interfaces only = Yes
        client signing = required
        dedicated keytab file = /etc/krb5.keytab
        disable netbios = Yes
        interfaces = lo enp1s0
        kerberos method = secrets and keytab
        log file = /var/log/samba/%m.log
        realm = DOMAIN.CA
        security = ADS
        server role = member server
        server signing = required
        template homedir = /home/DOMAIN/%U
        username map = /etc/samba/user.map
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind refresh tickets = Yes
        winbind separator = /
        winbind use default domain = Yes
        workgroup = DOMAIN
        idmap config edge : range = 100000-199999
        idmap config edge : backend = rid
        idmap config * : range = 70000-99999
        idmap config * : backend = tdb
        map acl inherit = Yes
        vfs objects = acl_xattr


[Users]
        path = /home/DOMAIN
        read only = No


[Staff]
        path = /usr/local/share/Staff
        read only = No


[Office]
        path = /usr/local/share/Office
        read only = No

More information about the samba mailing list