Hi everybody,
I'm setting up a Samba under RHEL 7.0, just a simple samba server. But I'm
having trouble with blocking access to shares, to be specific with domain
block.
I'm using default config in samba.conf, just added the share's config.
While blocking by network range it works. Even when some IPs in the network
172.25.0.X are subdomains of example.com, they are not blocked.
Name resolution is done with a DNS server, which works fine. I mean, each
host can do name resolution to other hosts on example.com domain.
Here is the samba config:
[global]
workgroup = TESTGROUP
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = tdbsam
load printers = yes
cups options = raw
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[data]
comment = DATA share
path = /sambadir
hosts allow = 172.25.0. .example.com
browsable = yes
valid users = susan
[cluster]
comment = CLUSTER share
path = /opstack
valid users = frankenstein
Thanks in advance.
--
Erick.
-------------------------------------------
IRC : zerick
Blog : http://zerick.me
About : http://about.me/zerick
Linux User ID : 549567
PROBABLY it's a problem with your reverse DNS resolution.

From the samba server, if you do a host 172.25.0.12 (change as appropriate) does it resolve to a hostname in the .example.com domain? If it doesn't, samba won't know that it's supposed to block the access.

On 09/11/2016 19:37, Erick Ocrospoma via samba wrote:
> I'm setting up a Samba under RHEL 7.0, just a simple samba server. But I'm
> having trouble with blocking access to shares, to be specific with domain
> block.

--
Vinicius Silva
SOC
www.e-trust.com.br
On 10 November 2016 at 07:51, Vinicius Bones Silva via samba <samba at lists.samba.org> wrote:
> PROBABLY it's a problem with your reverse DNS resolution.
>
> From the samba server, if you do a host 172.25.0.12 (change as
> appropriate) does it resolve to a hostname in the .example.com domain? If
> it doesn't, samba won't know that it's supposed to block the access.

Hi,
DNS resolution seems to work fine.

[root at server0 ~]# nslookup desktop.example.com
Server: 172.25.0.254
Address: 172.25.0.254#53

Name: desktop.example.com
Address: 172.25.0.100

[root at server0 ~]# nslookup 172.25.0.100
Server: 172.25.0.254
Address: 172.25.0.254#53

100.0.25.172.in-addr.arpa name = desktop.example.com.

Error shown in /var/log/messages while trying to mount the share:

Nov 10 15:05:34 server0 smbd[3026]: STATUS=daemon 'smbd' finished starting up and ready to serve connectionsDenied connection from 172.25.0.100 (172.25.0.100)
Nov 10 15:06:04 server0 smbd[3028]: STATUS=daemon 'smbd' finished starting up and ready to serve connectionsDenied connection from 172.25.0.100 (172.25.0.100)

I also tried by editing /etc/hosts, but same result.

--
Erick.
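
An added example, not part of any message in this thread and not Samba's code: it reads smbd "Denied connection from NAME (ADDR)" lines like the ones quoted above and reports which name-based entries of a host list could not have been evaluated because the logged name is only the address. The second log line, the function names and the simplified matching rules are assumptions made for illustration.

```python
import re

# Constructed sample: line 1 is the denial quoted in the thread; line 2 is a
# made-up variant showing a client for which smbd logged a resolved hostname.
SAMPLE_LOG = """\
Nov 10 15:05:34 server0 smbd[3026]: STATUS=daemon 'smbd' finished starting up and ready to serve connectionsDenied connection from 172.25.0.100 (172.25.0.100)
Nov 10 15:09:12 server0 smbd[3041]: Denied connection from desktop.example.com (172.25.0.100)
"""

DENIED = re.compile(r"Denied connection from (\S+) \((\S+)\)")
KEYWORDS = {"ALL", "EXCEPT"}


def is_name_pattern(token):
    """True for host-list tokens that can only match a client hostname."""
    if token.upper() in KEYWORDS or token.startswith("@"):
        return False  # keyword, or netgroup (not modelled in this sketch)
    if ":" in token or re.fullmatch(r"[0-9./]+", token):
        return False  # IPv6 literal, or IPv4 address / prefix / network
    return True


def name_matches(token, hostname):
    """Simplified model: '.domain' is a suffix match, anything else is exact."""
    host, tok = hostname.lower().rstrip("."), token.lower()
    return host.endswith(tok) if tok.startswith(".") else host == tok


def audit(log_text, host_list):
    """Return (addr, name, matched_tokens, unusable_tokens) per logged denial."""
    tokens = [t for t in re.split(r"[,\s]+", host_list.strip()) if t]
    name_tokens = [t for t in tokens if is_name_pattern(t)]
    report = []
    for name, addr in DENIED.findall(log_text):
        if name == addr:  # smbd only had the address, so names cannot match
            report.append((addr, None, [], name_tokens))
        else:
            hit = [t for t in name_tokens if name_matches(t, name)]
            report.append((addr, name, hit, []))
    return report


if __name__ == "__main__":
    # Host list taken from the [data] share posted in the thread.
    for addr, name, hit, unusable in audit(SAMPLE_LOG, "172.25.0. .example.com"):
        print(f"{addr}: name={name} matched={hit} not evaluable={unusable}")
```

When the logged name equals the address, smbd had no hostname for that client; smb.conf(5) documents the global `hostname lookups` parameter (default `no`) as controlling whether hostnames are looked up for `hosts allow` and `hosts deny` checks.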