SMB share allow hostnames?

Hi,
I am trying to restrict an SMB share to known Windows hostnames.
But if I set the Windows computer's hostname in “hosts allow” in the share settings, I cannot access the share anymore, even though the hostname is correct.
Is there a special format in which the hostname should be written?
I know that I could allow IP addresses instead of hostnames, but I don’t want to do that.

Firstly which version are you running?
Secondly, I assume you have already set up access permissions for specific users? The hosts allow setting specifies allowed systems, but permissions must still be set correctly.

I am running the latest stable 13.0-U6.2 CORE.
Yes, I have configured users and rights, and I can access the share until I set up the allowed hostname (my Windows workstation hostname).
Should the hostname include a domain name, even though my computer is not AD-joined?
Maybe there is some Windows workgroup domain name?
In the Windows command prompt, the hostname command returns only the computer name.

Historical post but I believe you may have the same issue:

Recommendation from the post:

Try setting hostname lookups = yes as an auxiliary parameter under Services->SMB, restart the SMB services, and try again.

I tried setting that parameter but it did not help.
I also tested all possible combinations of the hostname. The Samba log looks like this:

root@FILESERVER[/var/log/samba4]# cat auth_audit.log
{"timestamp": "2024-09-12T05:58:09.168215-0700", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.0.90:445", "remoteAddress": "ipv4:192.168.0.125:58678", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": ".", "clientAccount": "ismo", "workstation": "WORK-PC", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "ismo", "mappedDomain": ".", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 3271}}

I can’t see any mention of a hostname here. The workstation name is there and it is correct.
Maybe I need to switch to using IP addresses :roll_eyes:

Can you ping the TrueNAS hostname from your client computer?
I.e. does basic name resolution work regardless of what the SMB share settings are?

Yes, I can ping TrueNAS by hostname from the Windows computer.
But I can’t ping my workstation by hostname from TrueNAS.
Both machines have my firewall as their first DNS server.

Is there any setting in TrueNAS that would help with DNS resolution?
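
A diagnostic for the situation described so far, as an added example that is not from any poster or from TrueNAS: it takes the client IP from an auth_audit.log record and asks the server's own resolver for its reverse (PTR) names, because with hostname lookups = yes that resolved name, not the client-sent workstation field, is what a hostname entry in hosts allow is compared with. The exact, case-insensitive comparison is a simplifying assumption, and all function names are hypothetical.

```python
import json
import socket

# Constructed sample: the audit record from this thread, reduced to the fields used.
SAMPLE_LINE = json.dumps({"type": "Authentication", "Authentication": {
    "status": "NT_STATUS_NO_SUCH_USER",
    "remoteAddress": "ipv4:192.168.0.125:58678",
    "workstation": "WORK-PC"}})


def client_ip(audit_line):
    """Return (ip, workstation) from one Samba JSON auth audit record."""
    auth = json.loads(audit_line)["Authentication"]
    _proto, rest = auth["remoteAddress"].split(":", 1)  # drop "ipv4"/"ipv6"
    ip = rest.rsplit(":", 1)[0]                         # drop the source port
    return ip, auth["workstation"]


def system_ptr(ip):
    """Reverse lookup through the server's own resolver; [] when it fails."""
    try:
        name, aliases, _addrs = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def check_hosts_allow(audit_line, allowed, ptr=system_ptr):
    """Report whether any allow-list hostname equals a name the server resolves."""
    ip, workstation = client_ip(audit_line)
    names = [n.lower().rstrip(".") for n in ptr(ip)]
    wanted = {a.lower().rstrip(".") for a in allowed}
    return {
        "ip": ip,
        "workstation": workstation,   # sent by the client, not resolved
        "ptr_names": names,           # what the server itself can resolve
        # Assumption: exact, case-insensitive comparison of whole names.
        "hostname_would_match": any(n in wanted for n in names),
    }


if __name__ == "__main__":
    # Run on the file server so the lookup uses the same resolver as smbd.
    print(check_hosts_allow(SAMPLE_LINE, ["WORK-PC"]))
```

An empty ptr_names list means the server cannot map the client IP back to any name, so no spelling of the hostname can match; a name such as work-pc.lan means the allow list needs that full form.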

This is not possible anymore with TrueNAS SCALE, as auxiliary parameters are greyed out? TrueNAS default seems to be hostname lookups = no.

So what is the recommended method to use hosts allow with domain names in a persistent way, to not need to hard-code IPs?

Use a router that lets you define hosts to locally resolve. It’s fairly basic DNS functionality but isn’t always available in ISP-provided gear.

Hey @neofusion ,

To clarify: my network DNS already works and can (reverse-)resolve DNS requests for the local domain. The problem is TrueNAS, which by default does not allow domain names in my network share > Edit SMB > Hosts allow.

Is this a CORE thing?
I can connect to my TrueNAS CE server’s SMB shares with a hostname just fine, albeit from a macOS client. Nothing custom is set up on the CE server related to SMB or hosts.

Edit: I see I misunderstood the issue. You are trying to limit access. Please ignore my post.

I think the issue is that they wish to lock shares down to authorised host names as well as having the requirement to authenticate to the share. I guess an extra layer of security to limit access to specific machines on the network.

Yes, exactly @Johnny_Fartpants .

Setting an IP address works, but domain names are more manageable for network administration and human-readable for documentation purposes.

In the popup for “Hosts allow” they also state “Enter a list of allowed hostnames or IP addresses.” (emphasis mine; or do they mean old NetBIOS names?).

I found “What is the official way of modifying auxsmbconf field of smb share now?”, which is related and recommends using the command line with cli. But isn’t this tool legacy, too, so I would need to use another command, midclt?

And with both solutions there are probably issues with persistence and visibility in web-interface.
I can’t believe they disabled all Samba auxiliary parameters, without providing any alternatives to admins - oh dear.