[Samba] Some users cannot access shares with FQDN, but can with IP or hostname
Luke Barone
lukebarone at gmail.com
Fri Sep 22 17:40:18 UTC 2023
Hi Rowland,
Yes, that was a sanitization error on my part. I am accessing it through
"\\fs1.example.ad.something.ca\Sharename", and the domain is
"example.ad.something.ca". I'll try Steven's suggestion above and report
back if it's working now (I'm waiting for the user to come into the work
site).
Re-sanitized:
FS1:
[global]
server role = member server
security = ADS
workgroup = EXAMPLE
realm = EXAMPLE.AD.SOMEWHERE.CA
interfaces = lo enp1s0
bind interfaces only = yes
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 70000-99999
# Use idmap_rid for domain accounts
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 100000-199999
# Configure winbind
winbind nss info = template
template shell = /bin/false
template homedir = /home/example/%U
winbind separator = /
winbind use default domain = yes
winbind enum users = Yes
winbind enum groups = yes
# Enable extended ACLs globally
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
client signing = mandatory
server signing = mandatory
# Turn off NetBIOS, since our clients don't need it
disable netbios = yes
[Users]
path = /home/example
writeable = yes
[Staff]
path = /usr/local/share/Staff
writeable = yes
DC1:
[global]
bind interfaces only = Yes
disable netbios = Yes
interfaces = lo enp1s0
netbios name = DC1
realm = EXAMPLE.AD.SOMEWHERE.CA
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
winbind separator = /
workgroup = EXAMPLE
idmap_ldb:use rfc2307 = yes
dns forwarder = 1.2.3.4
ntlm auth = mschapv2-and-ntlmv2-only
log level = 1 auth_json_audit:5
dns zone transfer clients allow = 127.0.0.0/8 ::1/128
[netlogon]
path = /var/lib/samba/sysvol/example.ad.somewhere.ca/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
On Thu, Sep 21, 2023 at 11:14 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 21 Sep 2023 15:57:38 -0700
> Luke Barone via samba <samba at lists.samba.org> wrote:
>
> > Hi List,
> >
> > I have a Samba setup on Debian Bookworm, 2 DCs (dc1/dc2) and a file
> > server (fs1). We host our shares on FS1, and apply security level
> > permissions through the Windows File Explorer.
> >
> > I have a user who is part of the group allowed to access the share,
> > but keeps getting Access Denied errors if using the FQDN in the path
> > (i.e. \\ fs1.example.com\Sharename),
>
> Now that just might be a typo, but if it isn't, then it shouldn't work.
> Lower down your realm is 'EXAMPLE.AD.CA' on the fileserver, and
> 'AD.EXAMPLE.CA' on the DCs, hopefully one should be correct, in which
> case, to access the share it should be something like
> \\fs1.example.ad.ca\Sharename
>
> Do you want to try again, but this time, please use the same
> sanitisation everywhere.
>
> Rowland