Centos – Issues Accessing Samba Share using FQDN

centossamba

I have a fresh Centos 8 server that I'm setting up for a client, and it's giving me the worst troubles with setting up network shares on the AD DC.

I've scoured google for several hours, and nothing I can dig up helps. A lot of the results are several years old, and I don't think apply to newer versions. After several of these moments, maybe this thread will help somebody in the future.

One issue I've considered is that during domain provisioning my default NETBIOS name was LOCALHOST and I never changed it, so it may be causing issues resolving on other machines. I've tried changing it, but I may not be changing everything correctly as doing so causes connecting to the domain to fail entirely.

Currently I'm able to access my network server using 3 different methods, each with their own error

1. Opening \\OFFICE
Connecting to just the shortname shows all of the files & printers that are being shared, but none of them are able to connect.
Attempting to connect to one of the shares gives the error

\\OFFICE\public is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

A volume has been accessed for which a file system driver is required that has not yet been loaded.

2. Opening \\office.mydomain.com
Connecting this way allows me to access all of the network printers, however only sysvol and netlogon are accessible drives. Attempting to connect to any of the other drives gives this error

\\office.mydomain.com\public is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

Element not found.

3. Opening \\192.168.1.2
Attempting to connect using the controllers IP address works for all printers and network shares except for netlogon and sysvol. Attempting to open either of the default drives prompts for a login, which fails even with the OFFICE\administrator account.

My thesis was that the drive shares aren't actually considered part of the domain, but trying to access the locations from a non-domain account prompts for a domain login.

I also spent several hours digging into DNS thinking that could be the issue, but if the NETBIOS being LOCALHOST isn't a problem, I don't have any issues with the shares other than not being able to access the directories. Printers work fine, pinging the server is fine, nslookup returns the correct result, SSH works correctly with the domain. I'm not familiar enough with Samba to know what handles the mapping of the shares, ex. \public

The version of running:

$: smbd -V
Version 4.12.3

All of my directories show up properly

$: smbclient -L localhost -U%

    Sharename       Type      Comment
    ---------       ----      -------
    sysvol          Disk      
    netlogon        Disk      
    public          Disk      
    share1          Disk      
    share2          Disk      
    share3          Disk      
    share4          Disk      
    users           Disk      
    IPC$            IPC       IPC Service (Samba 4.12.3)
    Printer1        Printer   EPSON WF-7520 Series
    Printer2        Printer   EPSON ET-3750 Series
    Printer3        Printer   EPSON ET-3750 Series
    Printer4        Printer   Brother QL-710W
    Printer5        Printer   EPSON ET-3750 Series
SMB1 disabled -- no workgroup available

Below are my configs

smb.conf

# Global parameters
[global]
    # Realm information
    netbios name = LOCALHOST
    realm = OFFICE.MYDOMAIN.COM
    server role = active directory domain controller
    
    disable netbios = no
    smb ports = 139 445
    
    # DNS is controlled by BIND
    server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, s3fs
    
    # Work group
    workgroup = OFFICE
    idmap_ldb:use rfc2307 = yes
    
    # Log from user IPs
    log file = /var/log/samba/%m.log
    #log level = 5
    
    # Printing servers with Cups!
    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw
    
    # Mapped drive configs
    map archive = no
    map readonly = no
    
    # Home Directories
    logon drive = H:
    logon home = \\office.mydomaincom\users\%U
    
    # Winbindd
    winbind cache time = 10
    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    
    template shell = /bin/bash
    template homedir = /home/%D/%U
    
    # WINS
    domain logons = yes
    preferred master = yes
    domain master = yes
    #wins support = yes
    #host msdfs = yes
    time server = yes
    
    # DNS
    dns forwarder = 192.168.1.2
    
    # Enable FreeRADIUS authorization
    ntlm auth = mschapv2-and-ntlmv2-only

# Generic system volume
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = no

# Net login scripts
[netlogon]
    path = /usr/local/samba/var/locks/sysvol/office.mydomain.com/scripts
    read only = no

# Shared printers
[printers]
    comment = All Printers
    path = /var/spool/samba/
    printable = yes
    create mask = 0600
    browseable = no

# Share for all companies
[public]
    path = /srv/samba/public
    read only = no

[share1]
    path = /srv/samba/share1
    read only = no

[share2]
    path = /srv/samba/share2
    read only = no

[share3]
    path = /srv/samba/share3
    read only = no

[share4]
    path = /srv/samba/share4
    read only = no

# User home directory
[users]
    path = /srv/samba/home
    read only = no

krb5.conf

[libdefaults]
    default_realm = OFFICE.MYDOMAIN.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true

[realms]
OFFICE.MYDOMAIN.COM = {
        default_domain = office.mydomain.com
}

[domain_realm]
    localhost = OFFICE.MYDOMAIN.COM

nsswitch.conf

passwd:     files winbind
group:      files winbind
netgroup:   files winbind
automount:  files winbind
services:   files winbind

# In order of likelihood of use to accelerate lookup.
shadow:     files winbind
hosts:      dns myhostname

aliases:    files
ethers:     files
gshadow:    files
# Allow initgroups to default to the setting for group.
# initgroups: files
networks:   dns
protocols:  files winbind
publickey:  files
rpc:        files

Best Answer

After much more digging and playing around, I figured out that I had two issues at hand.

Firstly was how I was connecting to the server. \\OFFICE, \\office.mydomain.com, and \\192.168.1.2 all connect, however none of them are actually recognized as fully part of the DC. I had to incorporate the NETBIOS name into the FQDN and connect to \\localhost.office.mydomain.com. From here all printers, and shares (Including netlogon and sysvol) were recognized. This might be changeable somewhere else, but this works for my needs.

Secondly was a folder permission issue,

$: ls -ld sysvol/
drwxrwx---+ 9 root BUILTIN\administrators 135 Jul  9 09:24 sysvol/

$: ls -ld /srv/samba
drwxrwx---. 3 root root 22 Jul  9 09:15 /srv/samba

I tested moving my shares into the sysvol share, and had no problems connecting to them at that point. So I checked the permissions on the sysvol share and saw that it was owned by the BUILTIN\administrators group, which my shares are owned by, however the parent folder also needs that permission, otherwise samba won't read the shares properly.

Once I figured out my shares were working while housed inside of sysvol I applied the permissions back to my /srv/samba directory, and moved them back. I'm not 100% on sysvol but I believe storing additional files in that share probably isn't the best idea.