[Samba] User cannot access member server share by name, only by IP
Luke Barone
lukebarone at gmail.com
Tue Nov 29 22:18:25 UTC 2022
I have 2 DCs and a member server, all running on Debian Bullseye, version
4.13.13-Debian. Recently, some users cannot access folders that are being
shared on the member server.
I can run `su -s/bin/bash USERNAME`, then cd into the directory just fine.
From the Windows workstation, it's not always working. Most recently, I was
able to fix one share by flushing the winbind cache (net cache flush). The
other main share they're using is fixed temporarily by mapping to the IP
address vs the FQDN (or hostname). This is leading me to think this is a
Kerberos issue.
The Windows 10 computers are on the 21H2 patch level, which is working for
other sites in our organization. Checking on both DCs, replication appears
to be working (0 consecutive failures).
I saw a previous message about users being part of a group for permissions,
but it didn't seem to be my *exact* issue. Is it related? We only add users
to the groups, then the groups have permissions on various shares.
DC1 smb.conf (DC2 is the same):
# Global parameters
[global]
bind interfaces only = Yes
disable netbios = Yes
interfaces = lo enp1s0
# needed for wireless
ntlm auth = ntlmv1-permitted
passdb backend = samba_dsdb
realm = DOMAIN.CA
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
winbind separator = /
workgroup = DOMAIN
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
vfs objects = dfs_samba4 acl_xattr
[netlogon]
path = /var/lib/samba/sysvol/DOMAIN.ca/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Relevant section on file server:
[global]
bind interfaces only = Yes
client signing = required
dedicated keytab file = /etc/krb5.keytab
disable netbios = Yes
interfaces = lo enp1s0
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
realm = DOMAIN.CA
security = ADS
server role = member server
server signing = required
template homedir = /home/DOMAIN/%U
username map = /etc/samba/user.map
winbind enum groups = Yes
winbind enum users = Yes
winbind refresh tickets = Yes
winbind separator = /
winbind use default domain = Yes
workgroup = DOMAIN
idmap config edge : range = 100000-199999
idmap config edge : backend = rid
idmap config * : range = 70000-99999
idmap config * : backend = tdb
map acl inherit = Yes
vfs objects = acl_xattr
[Users]
path = /home/DOMAIN
read only = No
[Staff]
path = /usr/local/share/Staff
read only = No
[Office]
path = /usr/local/share/Office
read only = No
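A check that belongs next to a "works by IP, fails by name" report: Windows opens \\fileserver.domain.ca\share with Kerberos and, by default, falls back to NTLM when the UNC path uses an IP address, so the name-only failure sits on the Kerberos path. The KDC issues the client a ticket for the member server's host/ SPN, and the member's keytab must hold the matching principals. The script below is an added example and is not from the post or the Samba project: it parses a keytab listing and reports which of the principals a joined member normally carries (host/fqdn, host/SHORTNAME and the machine account SHORTNAME$) are absent. The hostname fileserver, the domain domain.ca, the realm DOMAIN.CA and the keytab contents are constructed for the example; the live_check helper assumes MIT klist output and a readable /etc/krb5.keytab.

```shell
#!/bin/sh
# Added example, not part of the original post or of Samba itself.
# Checks a member server's keytab for the principals a Windows client's
# Kerberos ticket will name when the share is opened by hostname or FQDN.

# Constructed sample of `klist -k /etc/krb5.keytab` on a member server whose
# keytab lacks the short-name host principal (hostnames/realm are made up).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fileserver.domain.ca@DOMAIN.CA
   3 FILESERVER$@DOMAIN.CA'

# expected_principals SHORTNAME DNSDOMAIN REALM
# Prints, one per line, the principals a joined Samba member normally carries:
# the host/ SPNs registered at join time plus the machine account itself.
expected_principals() {
    short=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    fqdn=$(printf '%s.%s' "$1" "$2" | tr '[:upper:]' '[:lower:]')
    realm=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    printf 'host/%s@%s\n' "$fqdn" "$realm"
    printf 'host/%s@%s\n' "$short" "$realm"
    printf '%s$@%s\n' "$short" "$realm"
}

# keytab_principals LISTING
# Extracts the principal column from lines that start with a numeric KVNO,
# skipping the header and separator lines of the klist output.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# has_principal LISTING PRINCIPAL -> exit 0 if the listing contains it.
# Comparison is case-insensitive: Windows SPN lookups ignore case and Samba
# writes the service part of keytab entries in lower case.
has_principal() {
    keytab_principals "$1" | tr '[:upper:]' '[:lower:]' \
        | grep -qxF -- "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
}

# missing_principals LISTING SHORTNAME DNSDOMAIN REALM
# Prints each expected principal absent from the listing; exit 1 if any.
missing_principals() {
    listing=$1
    shift
    rc=0
    for p in $(expected_principals "$@"); do
        has_principal "$listing" "$p" || { printf '%s\n' "$p"; rc=1; }
    done
    return $rc
}

# live_check SHORTNAME DNSDOMAIN REALM [KEYTAB]
# Run as root on the member server; assumes MIT `klist -k` output.
live_check() {
    missing_principals "$(klist -k "${4:-/etc/krb5.keytab}")" "$1" "$2" "$3"
}

# Demonstration against the constructed sample: prints host/FILESERVER@DOMAIN.CA.
if missing_principals "$SAMPLE_KEYTAB" fileserver domain.ca DOMAIN.CA; then
    echo "sample keytab: all expected principals present"
else
    echo "sample keytab: principals above are missing; regenerate with 'net ads keytab create'"
fi
```

On a real member server, run live_check with the short name, DNS domain and realm from smb.conf (realm = DOMAIN.CA here); a missing entry means the keytab does not reflect the machine account's SPNs, and `net ads keytab create` rebuilds it from the account. A keytab that checks out moves the suspicion to what the workstation is actually asking for (the name typed in the UNC path must resolve in AD DNS to the member, not to a CNAME or another host) rather than to the keys on the server.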