Samba, hosts allow = .example.com


I'm trying to limit access to a Samba share to hosts on the .example.com domain. But when I try to connect from a host on that domain I get denied.

smb.conf

[share1]
...
valid users = ralph
hosts allow = .example.com

Samba log

check_ntlm_password:  authentication for user [ralph] -> [ralph] -> [ralph] succeeded
Denied connection from 10.234.56.1 (10.234.56.1)

There is a reverse DNS record in place for that IP address. That leaves me wondering if the Samba server is actually checking the reverse record to see if the host is on that domain.

If I remove the hosts allow statement the share works as expected. I have restarted the nmb service every time I restarted the smb service.

Which component is responsible for performing the PTR record lookup?

Best Answer

DNS resolution does not seem to work. Use the first three triplets instead of a domain in hosts allow:

hosts allow = 10.234.56

Restart Samba and try to log in again.

If DNS needs to be used then some additional configuration is required in Samba:

7.3.4.4 dns proxy

If you want the domain name service (DNS) to be used if a name isn't found in WINS, you can
set the following option:

[global]
    dns proxy = yes

Also check the following:

7.3.4.5 name resolve order

The global name resolve order option specifies the order of services that Samba will use
in attempting name resolution. The default order is to use the LMHOSTS file, followed by
standard Unix name resolution methods (some combination of /etc/hosts, DNS, and NIS), then 
query a WINS server, and finally use broadcasting to determine the address of a NetBIOS name.
You can override this option by specifying something like the following:

[global]
    name resolve order = lmhosts wins hosts bcast
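
Added example (not part of the original question or answer, and not Samba's own code): a small diagnostic that models what a name-suffix rule such as `hosts allow = .example.com` depends on, namely a PTR name for the client address, and, as an assumption of this sketch, a forward lookup of that name that leads back to the same address. The function names and the sample records are hypothetical and constructed so the block runs offline.

```python
import socket

def reverse_lookup(ip):
    """PTR lookup through the system resolver; None when no name comes back."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(name):
    """Address lookup through the system resolver; empty list on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_client(ip, suffix, reverse=reverse_lookup, forward=forward_lookup):
    """Return (allowed, reason) for a suffix rule such as '.example.com'."""
    name = reverse(ip)
    if not name:
        return False, "no PTR name for %s" % ip
    name = name.rstrip(".").lower()
    # Forward-confirm: a PTR record alone is controlled by whoever runs the
    # reverse zone for the address, so it must map back to the same IP.
    if ip not in forward(name):
        return False, "%s does not resolve back to %s" % (name, ip)
    # The leading dot keeps 'badexample.com' from matching '.example.com'.
    if not name.endswith(suffix.lower()):
        return False, "%s is outside %s" % (name, suffix)
    return True, "%s matches %s" % (name, suffix)

# Constructed sample records (not real DNS data).
SAMPLE_PTR = {
    "10.234.56.1": "pc1.example.com.",
    "10.234.56.2": "pc2.example.com",   # PTR exists, forward record differs
    "10.234.56.3": "nas.example.org",   # consistent, but wrong domain
}
SAMPLE_A = {
    "pc1.example.com": ["10.234.56.1"],
    "pc2.example.com": ["10.234.56.99"],
    "nas.example.org": ["10.234.56.3"],
}

def sample_forward(name):
    return SAMPLE_A.get(name, [])

def demo():
    """Evaluate the constructed clients against '.example.com'."""
    ips = ["10.234.56.1", "10.234.56.2", "10.234.56.3", "10.234.56.4"]
    return {ip: check_client(ip, ".example.com", SAMPLE_PTR.get, sample_forward)
            for ip in ips}

if __name__ == "__main__":
    for ip, (ok, why) in demo().items():
        print(ip, "ALLOW" if ok else "DENY", "-", why)
```

Called without the last two arguments on the Samba server itself, `check_client("10.234.56.1", ".example.com")` uses the system resolver and shows which of the three conditions fails. smb.conf(5) also documents a global `hostname lookups` parameter, default `no`, that controls whether Samba resolves client names when evaluating `hosts allow` and `hosts deny`.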