[Samba] Some users cannot access shares with FQDN, but can with IP or hostname
Luke Barone
lukebarone at gmail.com
Fri Sep 22 17:46:37 UTC 2023
Hurrah, it worked! Good catch!
On Fri, Sep 22, 2023 at 10:40 AM Luke Barone <lukebarone at gmail.com> wrote:
> Hi Rowland,
>
> Yes, that was a sanitization error on my part. I am accessing it through "\\fs1.example.ad.something.ca\Sharename", and the domain is "example.ad.something.ca". I'll try Steven's suggestion above and report back if it's working now (I'm waiting for the user to come into the work site).
>
> Re-sanitized:
>
> FS1:
>
> [global]
> server role = member server
> security = ADS
> workgroup = EXAMPLE
> realm = EXAMPLE.AD.SOMEWHERE.CA
>
> interfaces = lo enp1s0
> bind interfaces only = yes
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = tdb
> idmap config * : range = 70000-99999
>
> # Use idmap_rid for domain accounts
> idmap config EXAMPLE : backend = rid
> idmap config EXAMPLE : range = 100000-199999
>
> # Configure winbind
> winbind nss info = template
> template shell = /bin/false
> template homedir = /home/example/%U
> winbind separator = /
> winbind use default domain = yes
> winbind enum users = Yes
> winbind enum groups = yes
>
> # Enable extended ACLs globally
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> client signing = mandatory
> server signing = mandatory
>
> # Turn off NetBIOS, since our clients don't need it
> disable netbios = yes
>
> [Users]
> path = /home/example
> writeable = yes
>
> [Staff]
> path = /usr/local/share/Staff
> writeable = yes
>
> DC1:
>
> [global]
> bind interfaces only = Yes
> disable netbios = Yes
> interfaces = lo enp1s0
> netbios name = DC1
> realm = EXAMPLE.AD.SOMEWHERE.CA
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> winbind separator = /
> workgroup = EXAMPLE
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 1.2.3.4
> ntlm auth = mschapv2-and-ntlmv2-only
> log level = 1 auth_json_audit:5
> dns zone transfer clients allow = 127.0.0.0/8 ::1/128
>
> [netlogon]
> path = /var/lib/samba/sysvol/example.ad.somewhere.ca/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> On Thu, Sep 21, 2023 at 11:14 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Thu, 21 Sep 2023 15:57:38 -0700
>> Luke Barone via samba <samba at lists.samba.org> wrote:
>>
>> > Hi List,
>> >
>> > I have a Samba setup on Debian Bookworm, 2 DCs (dc1/dc2) and a file
>> > server (fs1). We host our shares on FS1, and apply security level
>> > permissions through the Windows File Explorer.
>> >
>> > I have a user who is part of the group allowed to access the share,
>> > but keeps getting Access Denied errors if using the FQDN in the path
>> > (i.e. \\ fs1.example.com\Sharename),
>>
>> Now that just might be a typo, but if it isn't, then it shouldn't work.
>> Lower down your realm is 'EXAMPLE.AD.CA' on the fileserver, and
>> 'AD.EXAMPLE.CA' on the DCs, hopefully one should be correct, in which
>> case, to access the share it should be something like
>> \\fs1.example.ad.ca\Sharename
>>
>> Do you want to try again, but this time, please use the same
>> sanitisation everywhere.
>>
>> Rowland
>>
>
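A small consistency check suggested by this exchange, added here as an example and not code from the thread or the Samba project: it parses two smb.conf fragments with Python's configparser and reports the realm mismatch Rowland spotted between member server and DC, plus a UNC path whose DNS suffix does not sit under the DC's realm (the FQDN-vs-hostname symptom). The two config fragments and the path are constructed, modelled on the sanitised ones above.

```python
"""Check a Samba member server's smb.conf against its DC's and a UNC path.

Added example, not code from the thread. The realm comparison is the check
Rowland made by eye; the DNS-suffix test covers the FQDN symptom, since a
Kerberos SPN lookup needs the server's FQDN under the realm's DNS zone.
"""
import configparser

# Constructed fragments modelled on the sanitised ones in the thread; the
# realms deliberately disagree, as in the first (mis-sanitised) post.
MEMBER_CONF = """
[global]
server role = member server
security = ADS
workgroup = EXAMPLE
realm = EXAMPLE.AD.CA
log file = /var/log/samba/%m.log
idmap config * : backend = tdb
idmap config EXAMPLE : backend = rid
disable netbios = yes
"""
DC_CONF = """
[global]
server role = active directory domain controller
realm = AD.EXAMPLE.CA
workgroup = EXAMPLE
idmap_ldb:use rfc2307 = yes
"""

def parse_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf is INI-like, but keys contain ':' ('idmap config * : backend')
    # and values contain '%', so only '=' delimits and interpolation is off.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def realm_of(text: str) -> str:
    return parse_smb_conf(text)["global"].get("realm", "").strip().upper()

def check_member(member_conf: str, dc_conf: str, unc_path: str) -> list:
    """Return the problems found; an empty list means the three agree."""
    problems = []
    member_realm, dc_realm = realm_of(member_conf), realm_of(dc_conf)
    if member_realm != dc_realm:
        problems.append(f"realm mismatch: member={member_realm} dc={dc_realm}")
    host = unc_path.strip("\\").split("\\", 1)[0].upper()   # \\host\share
    is_ipv4 = host.replace(".", "").isdigit()                # IP and short names skipped
    if "." in host and not is_ipv4 and not host.endswith("." + dc_realm):
        problems.append(f"{host}: not under the realm's DNS zone {dc_realm}")
    return problems

if __name__ == "__main__":
    for p in check_member(MEMBER_CONF, DC_CONF, r"\\fs1.example.com\Sharename"):
        print(p)
```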