
[Samba] "hosts allow" not working?


Carl G. Riches

Apr 23, 2015, 7:30:03 PM

We are doing some testing in preparation for our migration from Samba 3.6
to Samba 4.x. Because we must share networks with other groups, we want
to use the "hosts allow" parameter in smb.conf to restrict who can connect
to our Samba domain. This works great in 3.6. I'm unable to get it to
work with 4.1.16. That is, I'm unable to join a Windows 7 PC to the Samba
4 domain when "hosts allow" is defined but am able to join the PC when
there is no "hosts allow" line.

Our smb.conf file:

# Global parameters
[global]
workgroup = BIOSTATTEST
realm = biostattest.ad
netbios name = SERVICES2
interfaces = 127.0.0.0/8, 10.108.29.0/24, 10.208.28.0/23
bind interfaces only = Yes
hosts allow = 127 10.208.29. 10.108.29.
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
tls enabled = yes
tls keyfile = /usr/local/samba/private/tls/services2.key
tls certfile = /usr/local/samba/private/tls/services2.crt
tls cafile = /usr/local/samba/private/tls/biostat-ca.crt
log level = 4

[netlogon]
path = /usr/local/samba/var/locks/sysvol/biostattest.ad/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No


With the "hosts allow" setting shown, attempting to join a PC to the
domain results in this pop-up message when using the "System" control
panel method:

The RPC Server is unavailable

This method works fine if the "hosts allow" setting is removed from
smb.conf and the Samba daemons are restarted.

The "netdom join" command always fails regardless of the "hosts allow"
setting:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\>netdom join pc-057 /Domain:biostattest.ad /userd:root /passwordd:*
Type the password associated with the domain user:

Access is denied.

The command failed to complete successfully.


C:\>


Not being a Windows person, could someone shed some light on this? I
don't know what is different between Samba 3.6 and 4.1 that could cause
this behavior.

Thanks,
Carl

Carl G. Riches
Department of Biostatistics
Box 357232 voice: 206-616-2725
University of Washington fax: 206-543-3286
Seattle, WA 98195-7232 internet: c...@u.washington.edu
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Klaus Hartnegg

Apr 24, 2015, 4:00:03 AM
On 24.04.2015 at 01:02, Carl G. Riches wrote:
> I'm unable to join a Windows 7 PC
> to the Samba 4 domain when "hosts allow" is defined

> hosts allow = 127 10.208.29. 10.108.29.

Maybe the new version insists there must be a dot after the 127.

Carl G. Riches

Apr 24, 2015, 12:30:03 PM
On Fri, 24 Apr 2015, Klaus Hartnegg wrote:

> On 24.04.2015 at 01:02, Carl G. Riches wrote:
>> I'm unable to join a Windows 7 PC
>> to the Samba 4 domain when "hosts allow" is defined
>
>> hosts allow = 127 10.208.29. 10.108.29.
>
> Maybe the new version insists there must be a dot after the 127.
>

I put the dot in, to no avail. I also modified the line to include the
netmasks:

hosts allow = 127.0.0.0/8 10.208.29.0/23 10.108.29.0/24

and tried specifying specific hosts:

hosts allow = 127.0.0.1 10.208.29.50 10.108.29.77

None of these changes affected the outcome. Is anyone else successfully
using version 4.1.16 with the "hosts allow" configuration? Are there
other configuration options that affect the "hosts allow" option?

Thanks,
Carl

Rowland Penny

Apr 24, 2015, 12:30:03 PM
On 24/04/15 17:13, Carl G. Riches wrote:
> On Fri, 24 Apr 2015, Klaus Hartnegg wrote:
>
>> On 24.04.2015 at 01:02, Carl G. Riches wrote:
>>> I'm unable to join a Windows 7 PC
>>> to the Samba 4 domain when "hosts allow" is defined
>>
>>> hosts allow = 127 10.208.29. 10.108.29.
>>
>> Maybe the new version insists there must be a dot after the 127.
>>
>
> I put the dot in, to no avail. I also modified the line to include
> the netmasks:
>
> hosts allow = 127.0.0.0/8 10.208.29.0/23 10.108.29.0/24
>
> and tried specifying specific hosts:
>
> hosts allow = 127.0.0.1 10.208.29.50 10.108.29.77
>
> None of these changes affected the outcome. Is anyone else
> successfully using version 4.1.16 with the "hosts allow"
> configuration? Are there other configuration options that affect the
> "hosts allow" option?
>
> Thanks,
> Carl

The only one I know is that 127.0.0.1 is always allowed, so you could
try removing it. I don't know if this will make it work, but it shouldn't
harm anything.

Carl G. Riches

Apr 24, 2015, 7:10:03 PM
On Fri, 24 Apr 2015, Rowland Penny wrote:

> On 24/04/15 17:13, Carl G. Riches wrote:
>> On Fri, 24 Apr 2015, Klaus Hartnegg wrote:
>>
>>> On 24.04.2015 at 01:02, Carl G. Riches wrote:
>>>> I'm unable to join a Windows 7 PC
>>>> to the Samba 4 domain when "hosts allow" is defined
>>>
>>>> hosts allow = 127 10.208.29. 10.108.29.
>>>
>>> Maybe the new version insists there must be a dot after the 127.
>>>
>>
>> I put the dot in, to no avail. I also modified the line to include the
>> netmasks:
>>
>> hosts allow = 127.0.0.0/8 10.208.29.0/23 10.108.29.0/24
>>
>> and tried specifying specific hosts:
>>
>> hosts allow = 127.0.0.1 10.208.29.50 10.108.29.77
>>
>> None of these changes affected the outcome. Is anyone else successfully
>> using version 4.1.16 with the "hosts allow" configuration? Are there other
>> configuration options that affect the "hosts allow" option?
>>
>> Thanks,
>> Carl
>
> The only one I know is that 127.0.0.1 is always allowed, so you could try
> removing it, don't know if this will make it work, but it shouldn't harm
> anything.
>

I tried that setting and one other today:

- I changed the setting to this:

hosts allow =

(it's an empty value). I could join the PC to the domain.

- I changed the setting to this:

hosts allow = 10.208.29. 10.108.29.

I could _not_ join the domain--got the "RPC Server is unavailable"
message.

Would it make sense to capture the network traffic between the client and
server? If so, what are the ports I should be looking at, and what sort
of messages would be passed during a domain join session?

Thanks,
Carl
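As an added illustration for this thread (it is neither Samba's own code nor anything the posters wrote), the Python below models the address forms that smb.conf(5) documents for "hosts allow" and "hosts deny": a full address, a partial address ending in a dot, a network/netmask pair given as a prefix length or a dotted mask, the word ALL, and the EXCEPT keyword. It evaluates the variants Carl listed against constructed client addresses, and it makes two remarks from the thread concrete: Klaus's, that a bare `127` is an exact-match token and so matches no address while `127.` is a prefix, and Rowland's, that loopback is admitted regardless, which the model hard-codes as an assumption. Hostname, `.domain` and `@netgroup` tokens are not resolved here.

```python
"""Model of the smb.conf(5) "hosts allow" / "hosts deny" matching rules for
IPv4 clients.  Added illustration written from the documented syntax, not
Samba's implementation; only address forms are handled (hostnames, .domain
suffixes and @netgroups are not resolved)."""
import ipaddress
from typing import List


def parse_list(value: str) -> List[str]:
    """Split an smb.conf list value; spaces, tabs and commas all separate items."""
    return value.replace(",", " ").split()


def match_token(token: str, client: str) -> bool:
    """Match one hosts allow/deny token against a dotted-quad client address."""
    if token.upper() == "ALL":
        return True
    if "/" in token:
        # network/netmask: prefix length (10.208.28.0/23) or dotted mask
        # (10.108.29.0/255.255.255.0); strict=False masks off host bits in
        # the network part, as (addr & mask) == (net & mask) does in Samba
        try:
            return ipaddress.IPv4Address(client) in ipaddress.IPv4Network(token, strict=False)
        except ValueError:
            return False  # not an address/mask pair (e.g. a hostname form)
    if token.endswith("."):
        # partial address: textual prefix match, so "10.208.29." covers 10.208.29.x
        return client.startswith(token)
    # anything else is an exact comparison; a bare "127" therefore matches no address
    return client == token


def list_match(tokens: List[str], client: str) -> bool:
    """Match a token list, honouring the documented 'A B EXCEPT C D' form."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            return list_match(tokens[:i], client) and not list_match(tokens[i + 1:], client)
    return any(match_token(t, client) for t in tokens)


def allow_access(hosts_allow: str, hosts_deny: str, client: str) -> bool:
    """Decide whether `client` may connect.

    Order follows smb.conf(5): the allow list is consulted first and wins over
    the deny list; with both lists empty every host is admitted.  Loopback is
    admitted unconditionally (Rowland's remark in the thread); treating that
    as a fixed rule is an assumption of this model."""
    if ipaddress.IPv4Address(client).is_loopback:
        return True
    allow = parse_list(hosts_allow)
    deny = parse_list(hosts_deny)
    if not allow and not deny:
        return True                         # no lists at all: everyone allowed
    if not deny:
        return list_match(allow, client)    # allow list only: client must be on it
    if not allow:
        return not list_match(deny, client)  # deny list only: client must not be on it
    if list_match(allow, client):
        return True                         # both lists: allow wins
    return not list_match(deny, client)


if __name__ == "__main__":
    # The hosts allow values are the ones tried in the thread; the client
    # addresses are constructed samples, not addresses from the thread.
    variants = [
        "127 10.208.29. 10.108.29.",
        "127. 10.208.29. 10.108.29.",
        "127.0.0.0/8 10.208.29.0/23 10.108.29.0/24",
        "127.0.0.1 10.208.29.50 10.108.29.77",
        "",
    ]
    for client in ("10.208.29.50", "10.208.28.10", "10.108.29.77", "127.0.0.1"):
        for v in variants:
            print(f"{client:>14}  hosts allow = {v!r:<48} -> {allow_access(v, '', client)}")
```

Running the block prints the decision for each variant and client. One thing the table makes visible is that the partial form `10.208.29.` admits only 10.208.29.x, whereas the declared interface `10.208.28.0/23` and the later `10.208.29.0/23` token both span 10.208.28.0 through 10.208.29.255; a client in 10.208.28.x is therefore admitted by the netmask variant but not by the dotted one. Samba ships its own version of this check: `testparm <smb.conf> <hostname> <client-ip>` reports, per service, whether that client would be allowed, and is the quickest way to confirm what a given "hosts allow" line actually does on the server in question.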

Klaus Hartnegg

Apr 26, 2015, 9:30:04 AM
On 24.04.2015 at 18:13, Carl G. Riches wrote:
> Is anyone else successfully
> using version 4.1.16 with the "hosts allow" configuration?

Yes.

Is it possible that your machines talk to each other via IPv6? Then they
would use different IP addresses.

Klaus

Carl G. Riches

Apr 27, 2015, 2:50:03 PM
On Sun, 26 Apr 2015, Klaus Hartnegg wrote:

> On 24.04.2015 at 18:13, Carl G. Riches wrote:
>> Is anyone else successfully
>> using version 4.1.16 with the "hosts allow" configuration?
>
> Yes.
>
> Is it possible that your machines talk to each other via IPv6? Then they
> would use different IP addresses.
>

IPv6 is not an option for us at this time.

Carl