Rowland Penny
2023-Sep-22 06:13 UTC
[Samba] Some users cannot access shares with FQDN, but can with IP or hostname
On Thu, 21 Sep 2023 15:57:38 -0700 Luke Barone via samba <samba at lists.samba.org> wrote:
> Hi List,
>
> I have a Samba setup on Debian Bookworm, 2 DCs (dc1/dc2) and a file
> server (fs1). We host our shares on FS1, and apply security level
> permissions through the Windows File Explorer.
>
> I have a user who is part of the group allowed to access the share,
> but keeps getting Access Denied errors if using the FQDN in the path
> (i.e. \\ fs1.example.com\Sharename),

Now that just might be a typo, but if it isn't, then it shouldn't work. Lower down your realm is 'EXAMPLE.AD.CA' on the fileserver, and 'AD.EXAMPLE.CA' on the DCs, hopefully one should be correct, in which case, to access the share it should be something like \\fs1.example.ad.ca\Sharename

Do you want to try again, but this time, please use the same sanitisation everywhere.

Rowland
Luke Barone
2023-Sep-22 17:40 UTC
[Samba] Some users cannot access shares with FQDN, but can with IP or hostname
Hi Rowland,
Yes, that was a sanitization error on my part. I am accessing it through "\\fs1.example.ad.something.ca\Sharename", and the domain is "example.ad.something.ca". I'll try Steven's suggestion above and report back if it's working now (I'm waiting for the user to come into the work site).
Re-sanitized:
FS1:
[global]
server role = member server
security = ADS
workgroup = EXAMPLE
realm = EXAMPLE.AD.SOMEWHERE.CA
interfaces = lo enp1s0
bind interfaces only = yes
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 70000-99999
# Use idmap_rid for domain accounts
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 100000-199999
# Configure winbind
winbind nss info = template
template shell = /bin/false
template homedir = /home/example/%U
winbind separator = /
winbind use default domain = yes
winbind enum users = Yes
winbind enum groups = yes
# Enable extended ACLs globally
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
client signing = mandatory
server signing = mandatory
# Turn off NetBIOS, since our clients don't need it
disable netbios = yes
[Users]
path = /home/example
writeable = yes
[Staff]
path = /usr/local/share/Staff
writeable = yes
DC1:
[global]
bind interfaces only = Yes
disable netbios = Yes
interfaces = lo enp1s0
netbios name = DC1
realm = EXAMPLE.AD.SOMEWHERE.CA
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
winbind separator = /
workgroup = EXAMPLE
idmap_ldb:use rfc2307 = yes
dns forwarder = 1.2.3.4
ntlm auth = mschapv2-and-ntlmv2-only
log level = 1 auth_json_audit:5
dns zone transfer clients allow = 127.0.0.0/8 ::1/128
[netlogon]
path = /var/lib/samba/sysvol/example.ad.somewhere.ca/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
On Thu, Sep 21, 2023 at 11:14 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 21 Sep 2023 15:57:38 -0700
> Luke Barone via samba <samba at lists.samba.org> wrote:
>
> > Hi List,
> >
> > I have a Samba setup on Debian Bookworm, 2 DCs (dc1/dc2) and a file
> > server (fs1). We host our shares on FS1, and apply security level
> > permissions through the Windows File Explorer.
> >
> > I have a user who is part of the group allowed to access the share,
> > but keeps getting Access Denied errors if using the FQDN in the path
> > (i.e. \\ fs1.example.com\Sharename),
>
> Now that just might be a typo, but if it isn't, then it shouldn't work.
> Lower down your realm is 'EXAMPLE.AD.CA' on the fileserver, and
> 'AD.EXAMPLE.CA' on the DCs, hopefully one should be correct, in which
> case, to access the share it should be something like
> \\fs1.example.ad.ca\Sharename
>
> Do you want to try again, but this time, please use the same
> sanitisation everywhere.
>
> Rowland
>
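As an added example (not code from the thread or from the Samba project), a small Python check that parses smb.conf excerpts modelled on the two files posted above, reports whether realm and workgroup agree between the member server and the DC, and derives the FQDN UNC path the client should use; the excerpts, function names and the mismatched-realm case are constructed for illustration.

```python
import re

# Constructed excerpts modelled on the FS1 and DC1 smb.conf files in the thread.
FS1_CONF = """
[global]
server role = member server
security = ADS
workgroup = EXAMPLE
realm = EXAMPLE.AD.SOMEWHERE.CA
idmap config EXAMPLE : backend = rid
[Staff]
path = /usr/local/share/Staff
"""

DC1_CONF = """
[global]
netbios name = DC1
realm = EXAMPLE.AD.SOMEWHERE.CA
server role = active directory domain controller
workgroup = EXAMPLE
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}. Keys are lower-cased
    and whitespace-normalised so 'idmap config EXAMPLE : backend' stays intact."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1)
            conf[section] = {}
            continue
        if section is None or "=" not in line:
            continue                      # stray line outside any section
        key, value = line.split("=", 1)
        conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf

def check_realms(member_conf, dc_conf):
    """List realm/workgroup values that differ between member server and DC;
    both must agree with the domain or Kerberos (FQDN) access to shares fails."""
    m = parse_smb_conf(member_conf)["global"]
    d = parse_smb_conf(dc_conf)["global"]
    return [f"{k}: member={m.get(k)!r} dc={d.get(k)!r}"
            for k in ("realm", "workgroup")
            if m.get(k, "").upper() != d.get(k, "").upper()]

def expected_unc(member_conf, host, share):
    """Build the UNC path a client should use: \\\\<host>.<realm lower-cased>\\<share>."""
    realm = parse_smb_conf(member_conf)["global"]["realm"].lower()
    return f"\\\\{host}.{realm}\\{share}"
```

Running `check_realms` on a copy of the DC config whose realm is changed to a different name reproduces the kind of mismatch Rowland pointed out in the first post.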