2

I'm trying to limit access to a Samba share to hosts on the .example.com domain. But when I try to connect from a host on that domain I get denied.

smb.conf

    [share1]
    ...
    valid users = ralph
    hosts allow = .example.com

Samba log

    check_ntlm_password: authentication for user [ralph] -> [ralph] -> [ralph] succeeded
    Denied connection from 10.234.56.1 (10.234.56.1)

There is a reverse DNS record in place for that IP address. That leaves me wondering if the Samba server is actually checking the reverse record to see if the host is on that domain.

If I remove the hosts allow statement the share works as expected. I have restarted the nmb service every time I restarted the smb service.

Which component is responsible for performing the PTR record lookup?

2
  • What do the logs say? Commented Jun 29, 2015 at 21:35
  • I included the samba log output in the question. Is there another log that would be of interest? Commented Jun 29, 2015 at 21:36

2 Answers

3

In order for hosts allow entries using hostnames to work, you need to enable

hostname lookups = yes

in the global configuration of smb.conf.

None of the WINS settings were required for me to get this working. Testing with the nmb service disabled, the share continued to work.
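An added example (not part of the original answer, and not Samba's own code): a simplified Python model of why a `.example.com` entry can only match once the peer's name comes from a reverse lookup, with a forward-confirmation check added on top. The PTR/A tables are constructed from the values in the question, the function names are hypothetical, and the log format `Denied connection from NAME (IP)` is assumed from the line quoted in the question.

```python
import ipaddress
import re

# Constructed resolver data standing in for DNS (values from the question).
PTR = {"10.234.56.1": "host.example.com."}
A = {"host.example.com": ["10.234.56.1"]}

# Assumed log format: "Denied connection from NAME (IP)".
DENIED = re.compile(r"Denied connection from (\S+) \((\S+)\)")

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def peer_name(ip, hostname_lookups, ptr=PTR):
    """Name the ACL sees: the PTR name if lookups are on, else the bare IP."""
    if not hostname_lookups:
        return ip
    return ptr.get(ip, ip).rstrip(".").lower()

def suffix_allows(pattern, name):
    """A leading-dot pattern such as '.example.com' matches names ending in it."""
    return (pattern.startswith(".") and not is_ip(name)
            and name.endswith(pattern.lower()))

def forward_confirmed(ip, name, a=A):
    """PTR data is set by whoever controls the reverse zone, so this model
    also requires the name to resolve back to the connecting IP."""
    return ip in a.get(name, [])

def diagnose(log_line, pattern, hostname_lookups):
    m = DENIED.search(log_line)
    if not m:
        return "no denial in line"
    logged_name, ip = m.groups()
    if logged_name == ip:
        hint = "name slot holds the IP, so no hostname was available to match"
    else:
        hint = "name slot holds a hostname"
    name = peer_name(ip, hostname_lookups)
    ok = suffix_allows(pattern, name) and forward_confirmed(ip, name)
    return f"{hint}; hostname lookups={hostname_lookups} -> {'allow' if ok else 'deny'}"

if __name__ == "__main__":
    line = "Denied connection from 10.234.56.1 (10.234.56.1)"
    for lookups in (False, True):
        print(diagnose(line, ".example.com", lookups))
```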

2

The DNS resolving does not seem to work. Add the first three triplets instead of a domain as the hosts allow:

hosts allow = 10.234.56

Restart Samba and try again to log in.

If DNS needs to be used then some additional configuration is required in Samba:

7.3.4.4 dns proxy

If you want the domain name service (DNS) to be used if a name isn't found in WINS, you can set the following option:

    [global]
    dns proxy = yes

Also check the following:

7.3.4.5 name resolve order

The global name resolve order option specifies the order of services that Samba will use in attempting name resolution. The default order is to use the LMHOSTS file, followed by standard Unix name resolution methods (some combination of /etc/hosts, DNS, and NIS), then query a WINS server, and finally use broadcasting to determine the address of a NetBIOS name. You can override this option by specifying something like the following:

    [global]
    name resolve order = lmhosts wins hosts bcast

5
  • This works for the specific test, but I need to make it work based on the hostname .example.com Commented Jun 29, 2015 at 21:47
  • DNS resolution seems fine, forward and backward. If I dig -x 10.234.56.1 I get the answer of 1.56.234.10.in-addr.arpa. 86400 IN PTR host.example.com. from the same system that is hosting the share. Commented Jun 29, 2015 at 22:06
  • No, but I just tried and got the same error. The Samba docs are pretty clear on the leading '.' syntax so I didn't think to change it. Commented Jun 29, 2015 at 22:27
  • @xdaxdb I have updated the answer Commented Jun 29, 2015 at 22:33
  • Thanks but that is not working. Commented Jun 29, 2015 at 23:07
