samba - Apr 2015 - "hosts allow" not working?

Wwe are doing some testing in preparation for our migration from Samba 3.6 
to Samba 4.x.  Because we must share networks with other groups, we want 
to use the "hosts allow" parameter in smb.conf to restrict who can
connect
to our Samba domain.  This works great in 3.6.  I'm unable to get it to 
work with 4.1.16.  That is, I'm unable to join a Windows 7 PC to the Samba 
4 domain when "hosts allow" is defined but am able to join the PC when
there is no "hosts allow" line.

Our smb.conf file:

# Global parameters
[global]
         workgroup = BIOSTATTEST
         realm = biostattest.ad
         netbios name = SERVICES2
         interfaces = 127.0.0.0/8, 10.108.29.0/24, 10.208.28.0/23
         bind interfaces only = Yes
         hosts allow = 127 10.208.29. 10.108.29.
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate
         idmap_ldb:use rfc2307 = yes
         tls enabled = yes
         tls keyfile = /usr/local/samba/private/tls/services2.key
         tls certfile = /usr/local/samba/private/tls/services2.crt
         tls cafile = /usr/local/samba/private/tls/biostat-ca.crt
         log level = 4

[netlogon]
         path = /usr/local/samba/var/locks/sysvol/biostattest.ad/scripts
         read only = No

[sysvol]
         path = /usr/local/samba/var/locks/sysvol
         read only = No


With the "hosts allow" setting shown, attempting to join a PC to the 
domain results in this pop-up message when using the "System" control 
panel method:

   The RPC Server is unavailable

This method works fine if the "hosts allow" setting is removed from 
smb.conf and the Samba daemons are restarted.

The "netdom join" command always fails regardless of the "hosts
allow"
setting:

   Microsoft Windows [Version 6.1.7601]
   Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

   C:\>netdom join pc-057 /Domain:biostattest.ad /userd:root /passwordd:*
   Type the password associated with the domain user:

   Access is denied.

   The command failed to complete successfully.


   C:\>


Not being a Windows person, could someone shed some light on this?  I 
don't know what is different between Samba 3.6 and 4.1 that could cause 
this behavior.

Thanks,
Carl

Carl G. Riches
Department of Biostatistics
Box 357232                      voice:     206-616-2725
University of Washington        fax:       206-543-3286
Seattle, WA  98195-7232         internet:  cgr at u.washington.edu

Am 24.04.2015 um 01:02 schrieb Carl G. Riches:
> I'm unable to join a Windows 7 PC
> to the Samba 4 domain when "hosts allow" is defined
> hosts allow = 127 10.208.29. 10.108.29.
Maybe the new version insists there must be a dot after the 127.

On Fri, 24 Apr 2015, Klaus Hartnegg wrote:
> Am 24.04.2015 um 01:02 schrieb Carl G. Riches:
>> I'm unable to join a Windows 7 PC
>> to the Samba 4 domain when "hosts allow" is defined
>
>> hosts allow = 127 10.208.29. 10.108.29.
>
> Maybe the new version insists there must be a dot after the 127.
>
I put the dot in, to no avail.  I also modified the line to include the 
netmasks:

   hosts allow = 127.0.0.0/8 10.208.29.0/23 10.108.29.0/24

and tried specifying specific hosts:

   hosts allow = 127.0.0.1 10.208.29.50 10.108.29.77

None of these changes affected the outcome.  Is anyone else successfully 
using version 4.1.16 with the "hosts allow" configuration?  Are there 
other configuration options that affect the "hosts allow" option?

Thanks,
Carl