[Samba] Some users cannot access shares with FQDN, but can with IP or hostname

Luke Barone lukebarone at gmail.com
Fri Sep 22 17:46:37 UTC 2023


Hurrah, it worked! Good catch!

On Fri, Sep 22, 2023 at 10:40 AM Luke Barone <lukebarone at gmail.com> wrote:

> Hi Rowland,
>
> Yes, that was a sanitization error on my part. I am accessing it through
> "\\fs1.example.ad.something.ca\Sharename", and the domain is
> "example.ad.something.ca". I'll try Steven's suggestion above and report
> back if it's working now (I'm waiting for the user to come into the work
> site).
>
> Re-sanitized:
>
> FS1:
>
> [global]
>         server role = member server
>         security = ADS
>         workgroup = EXAMPLE
>         realm = EXAMPLE.AD.SOMEWHERE.CA
>
>         interfaces = lo enp1s0
>         bind interfaces only = yes
>
>         log file = /var/log/samba/%m.log
>         log level = 1
>
>         idmap config * : backend = tdb
>         idmap config * : range = 70000-99999
>
>         # Use idmap_rid for domain accounts
>         idmap config EXAMPLE : backend = rid
>         idmap config EXAMPLE : range = 100000-199999
>
>         # Configure winbind
>         winbind nss info = template
>         template shell = /bin/false
>         template homedir = /home/example/%U
>         winbind separator = /
>         winbind use default domain = yes
>         winbind enum users = Yes
>         winbind enum groups = yes
>
>         # Enable extended ACLs globally
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>
>         client signing = mandatory
>         server signing = mandatory
>
>         # Turn off NetBIOS, since our clients don't need it
>         disable netbios = yes
>
> [Users]
> path = /home/example
> writeable = yes
>
> [Staff]
> path = /usr/local/share/Staff
> writeable = yes
>
> DC1:
>
> [global]
>         bind interfaces only = Yes
>         disable netbios = Yes
>         interfaces = lo enp1s0
>         netbios name = DC1
>         realm = EXAMPLE.AD.SOMEWHERE.CA
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         winbind separator = /
>         workgroup = EXAMPLE
>         idmap_ldb:use rfc2307 = yes
>         dns forwarder = 1.2.3.4
>         ntlm auth = mschapv2-and-ntlmv2-only
>         log level = 1 auth_json_audit:5
>         dns zone transfer clients allow = 127.0.0.0/8 ::1/128
>
> [netlogon]
>         path = /var/lib/samba/sysvol/example.ad.somewhere.ca/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> On Thu, Sep 21, 2023 at 11:14 PM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Thu, 21 Sep 2023 15:57:38 -0700
>> Luke Barone via samba <samba at lists.samba.org> wrote:
>>
>> > Hi List,
>> >
>> > I have a Samba setup on Debian Bookworm, 2 DCs (dc1/dc2) and a file
>> > server (fs1). We host our shares on FS1, and apply security level
>> > permissions through the Windows File Explorer.
>> >
>> > I have a user who is part of the group allowed to access the share,
>> > but keeps getting Access Denied errors if using the FQDN in the path
>> > (i.e. \\fs1.example.com\Sharename),
>>
>> Now that just might be a typo, but if it isn't, then it shouldn't work.
>> Lower down your realm is 'EXAMPLE.AD.CA' on the fileserver, and
>> 'AD.EXAMPLE.CA' on the DCs, hopefully one should be correct, in which
>> case, to access the share it should be something like
>> \\fs1.example.ad.ca\Sharename
>>
>> Do you want to try again, but this time, please use the same
>> sanitisation everywhere.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
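The two things this thread actually exposes are a domain-name mismatch (the UNC path and the `realm` line were sanitised differently, which Rowland flagged) and a member-server idmap layout that only works if the `*` range and the `EXAMPLE` range are disjoint. Steven's suggestion, which is what eventually fixed the user's access, is not reproduced on this page, so the script below does not claim to be that fix. It is an added example, not code from the thread or from the Samba project: a small POSIX sh check (Debian's `/bin/sh`, `awk`, `sed`, `tr`) that pulls `realm`, `workgroup` and the idmap ranges out of an smb.conf, confirms that the host in the UNC path is `<host>.<realm>`, and confirms that the idmap ranges do not overlap. The embedded smb.conf is constructed from the FS1 fragment above with the realm spelled consistently; the UNC path, hostnames and function names are the example's own. One caveat worth keeping in mind when reading a "works by IP, fails by FQDN" report: a Windows client will normally try Kerberos for an FQDN and fall back to NTLM for an IP address, so an FQDN-only failure usually points at the name, realm or ticket side rather than at share permissions.

```shell
#!/bin/sh
# Added example, not part of the thread. Sanity checks for a Samba member-server
# smb.conf and the UNC path users type. SMB_CONF is CONSTRUCTED from the FS1
# fragment in the thread, with the realm spelled consistently.
SMB_CONF="$(cat <<'EOF'
[global]
        server role = member server
        security = ADS
        workgroup = EXAMPLE
        realm = EXAMPLE.AD.SOMEWHERE.CA
        idmap config * : backend = tdb
        idmap config * : range = 70000-99999
        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 100000-199999
EOF
)"

# smb_param CONF KEY: print the value of KEY from the [global] section (empty if absent).
smb_param() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); inglobal = (s == "[global]"); next }
    inglobal && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
        print v; exit
      }
    }'
}

# unc_host UNC: the host part of \\host\share.
unc_host() {
  printf '%s\n' "$1" | sed 's/^\\\\//; s/\\.*$//'
}

# fqdn_in_realm HOST REALM: succeed only if HOST is <name>.REALM (case-insensitive).
# A bare hostname, or an FQDN in some other domain, fails: that is the mismatch
# Rowland asked about (the share should be reached as \\fs1.<realm>\Sharename).
fqdn_in_realm() {
  _h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  _r=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$_h" in
    *.*) [ "${_h#*.}" = "$_r" ] ;;
    *)   return 1 ;;
  esac
}

# ranges_overlap LO1-HI1 LO2-HI2: succeed if the two idmap ranges overlap.
# Samba requires the '*' range and every domain range to be disjoint.
ranges_overlap() {
  a_lo=${1%-*}; a_hi=${1#*-}; b_lo=${2%-*}; b_hi=${2#*-}
  [ "$a_lo" -le "$b_hi" ] && [ "$b_lo" -le "$a_hi" ]
}

# check_member_conf CONF UNC: run both checks, print findings, fail if either fails.
check_member_conf() {
  conf=$1; unc=$2; rc=0
  realm=$(smb_param "$conf" realm)
  wg=$(smb_param "$conf" workgroup)
  [ -n "$realm" ] || { echo "FAIL: no realm in [global]"; rc=1; }
  host=$(unc_host "$unc")
  if fqdn_in_realm "$host" "$realm"; then
    echo "ok: $host is inside realm $realm (the client can use Kerberos for it)"
  else
    echo "FAIL: $host is not <host>.$realm; try \\\\${host%%.*}.$(printf '%s' "$realm" | tr 'A-Z' 'a-z')\\<share>"
    rc=1
  fi
  star=$(smb_param "$conf" 'idmap config * : range')
  dom=$(smb_param "$conf" "idmap config $wg : range")
  if [ -z "$star" ] || [ -z "$dom" ]; then
    echo "FAIL: idmap range missing for '*' or for '$wg'"; rc=1
  elif ranges_overlap "$star" "$dom"; then
    echo "FAIL: idmap ranges overlap: * $star, $wg $dom"; rc=1
  else
    echo "ok: idmap ranges are disjoint: * $star, $wg $dom"
  fi
  return $rc
}

# Usage: the consistent FQDN passes; \\fs1.example.com\Sharename or \\fs1\Sharename would not.
check_member_conf "$SMB_CONF" '\\fs1.example.ad.somewhere.ca\Sharename'
```

Run it against the real `/etc/samba/smb.conf` on the member server (`check_member_conf "$(cat /etc/samba/smb.conf)" '\\fs1.example.ad.somewhere.ca\Sharename'`) before looking at share ACLs: if the FQDN check fails, the client is not even addressing a name the KDC knows, and if the idmap check fails, domain users and the catch-all range are competing for the same Unix IDs.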

