
I installed Tailscale client v1.34.0 and Samba v4.15.9 on Ubuntu 22.04.1 with the intention to improve security for a Samba share by limiting access to my tailnet. To that effect, I configured Samba to bind only to the Tailscale interface by resetting these two lines in /etc/samba/smb.conf:

```
interfaces = lo tailscale0
bind interfaces only = yes
```

After restarting the smbd.service, we can inspect the relevant port bindings:

```
$ sudo netstat -plnt4 | grep smb
tcp     0     0 127.0.0.1:139       0.0.0.0:*     LISTEN     990922/smbd
tcp     0     0 127.0.0.1:445       0.0.0.0:*     LISTEN     990922/smbd
```

(notice that none of them are related to Tailscale).

And predictably, this did not work. With these settings, attempting to connect to the Samba share from a Tailscale-connected client fails immediately (I tested from Android using FX Files and from another Ubuntu server using smbclient), that is, before authenticating. For example, on Linux with smbclient I get the following error:

```
$ smbclient -L //100.24.22.20//
do_connect: Connection to 100.24.22.20 failed (Error NT_STATUS_CONNECTION_REFUSED)
```

I noticed no new entries in the Samba log directory /var/log/samba/.

If we abandon our attempt to restrict Samba to Tailscale (`bind interfaces only = no`), the LAN clients can connect, and inspecting our port bindings shows that we are indeed listening on all interfaces:

```
$ sudo netstat -plnt4 | grep smb
tcp     0    0 0.0.0.0:139      0.0.0.0:*    LISTEN     1009947/smbd
tcp     0    0 0.0.0.0:445      0.0.0.0:*    LISTEN     1009947/smbd
```

I think what really demonstrates that something is wrong with the Tailscale-Samba interaction specifically, is that setting (of course we use the correct device name, here using eth0 for illustration):

```
   interfaces = lo eth0
   bind interfaces only = yes
```

results in:

```
$ sudo netstat -plnt4 | grep smb
tcp     0     0 127.0.0.1:139        0.0.0.0:*    LISTEN     988279/smbd
tcp     0     0 127.0.0.1:445        0.0.0.0:*    LISTEN     988279/smbd
tcp     0     0 192.168.1.11:445     0.0.0.0:*    LISTEN     988279/smbd
tcp     0     0 192.168.1.11:139     0.0.0.0:*    LISTEN     988279/smbd
```

and connecting to the Samba share works fine from a client on the LAN.

This leads me to conclude that the bind interfaces functionality in Samba config appears to work and has an effect. But for some reason, when binding to the Tailscale interface, all Samba connections fail.

Could this actually be a Tailscale bug? If not, does anyone have an idea what could be the cause?

For reference, my complete samba config file:

```
[global]

   workgroup = FSONE
   server string = %h server (Samba, Ubuntu)

   interfaces = lo tailscale0
   bind interfaces only = yes

   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d

   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = never

[MOUNTS]
path = "/media"
available = yes
valid users = solarchemist
browsable = yes
read only = no
writable = yes
```

As for previous work, all I have found on the web is this one-year-old question on Reddit, and this SO answer that fleetingly mention Tailscale in combination with Samba. Neither of them were quite pertinent.

parsley72
solarchemist
  • Similar issue, NixOS server, Arch client. Kept getting `mount error(111): could not connect to 100.x.x.x Unable to find suitable address.` when trying to mount via tailscale, changing nothing but the ip address to a non-tailscale address worked fine. Had `tailscale0` in samba interfaces. Commenting out `bind interfaces only` on the server allowed a connection. – n8henrie Dec 29 '22 at 16:01
  • https://github.com/tailscale/tailscale/issues/6856 – n8henrie Dec 29 '22 at 16:13

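A check for the symptom shown in the netstat listings above, as an added example that is not part of the original post: it parses `netstat -plnt4` output and reports whether smbd listens on each address it was meant to serve, on the wildcard address, or on addresses it should not. The function names are hypothetical, the sample listings are retyped from the question, and treating 100.24.22.20 as the address of tailscale0 is an assumption.

```python
import ipaddress

# Sample listings retyped from the question (constructed input, not live output).
TAILSCALE_BOUND = """\
tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 990922/smbd
tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 990922/smbd"""
UNRESTRICTED = """\
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1009947/smbd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1009947/smbd"""
ETH0_BOUND = """\
tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 988279/smbd
tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 988279/smbd
tcp 0 0 192.168.1.11:445 0.0.0.0:* LISTEN 988279/smbd
tcp 0 0 192.168.1.11:139 0.0.0.0:* LISTEN 988279/smbd"""


def smbd_listeners(netstat_output):
    """Return the set of (ip, port) pairs on which smbd is listening."""
    found = set()
    for line in netstat_output.splitlines():
        cols = line.split()
        # Columns: proto recv-q send-q local foreign state pid/program
        if len(cols) < 7 or cols[5] != "LISTEN" or not cols[6].endswith("/smbd"):
            continue
        ip, _, port = cols[3].rpartition(":")
        found.add((ipaddress.ip_address(ip), int(port)))
    return found


def audit_binding(netstat_output, wanted, ports=(139, 445)):
    """Compare smbd listeners with the addresses it is supposed to serve.

    wanted maps interface name -> IPv4 address, supplied by the caller
    (assumption: read beforehand from `ip -4 addr`).
    """
    listeners = smbd_listeners(netstat_output)
    ips = {ip for ip, _ in listeners}
    wanted_ips = {name: ipaddress.ip_address(a) for name, a in wanted.items()}
    # A wildcard listener serves every interface, so nothing is "missing",
    # but the share is not restricted to the wanted interfaces either.
    wildcard = any(ip.is_unspecified for ip in ips)
    missing = sorted(n for n, ip in wanted_ips.items() if not wildcard
                     and any((ip, p) not in listeners for p in ports))
    unexpected = sorted(str(ip) for ip in ips if not ip.is_unspecified
                        and not ip.is_loopback and ip not in wanted_ips.values())
    return {"wildcard": wildcard, "missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    print(audit_binding(TAILSCALE_BOUND, {"tailscale0": "100.24.22.20"}))
```

A non-empty `missing` list reproduces the question's failure (the interface is configured but has no listener), while `wildcard` or a non-empty `unexpected` list means the share is reachable beyond the tailnet.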