Samba interfaces only config does not include tailscale0

[n8henrie]

What is the issue?

A good description from another user: https://superuser.com/questions/1757181/binding-samba-to-tailscale-interface-fails-but-works-for-physical-nic

I'm using a NixOS samba host and multiple clients (Arch, MacOS) that have samba working well over non-tailscale interfaces but fail when I attempt over tailscale.

It looks like the issue boils down to this part of my samba config:

interfaces = lo enp0s10 wlp3s0 tailscale0
bind interfaces only = yes

If I attempt to mount a share from Arch:

# PASSWD='verysecret' mount -t cifs -o username=me "//$(tailscale ip -4 nixosserver)/sharename" ./foo
mount error(111): could not connect to 100.x.x.xUnable to find suitable address.

I see in the client's dmesg:

[329826.079778] CIFS: Attempting to mount \\100.x.x.x\sharename
[329826.083746] CIFS: VFS: Error connecting to socket. Aborting operation.
[329826.083756] CIFS: VFS: cifs_mount failed w/return code = -111

I don't see anything in the host's samba (log level 3) or kernel logs.

If I attempt to mount from Finder on MacOS, I get a popup with:

There was a problem connecting to the server “100.x.x.x.
This file server will not allow any additional users to log on. Try to connect again later.

As noted in the SO thread above, on the NixOS server it looks like samba isn't binding to the tailscale interface, even though tailscale0 is in my interfaces list.

If I change nothing nothing other than bind interfaces only = yes in my samba config, the mount command succeeds and everything is fine, from both Arch as well as from MacOS. I've commented and uncommented this line numerous times with no other changes, and it reliably reproduces and resolves the issue.

Steps to reproduce

As per above

Are there any recent changes that introduced the issue?

Not to my knowledge

OS

Linux, macOS

OS version

Arch, NixOS 22.11, MacOS 13

Tailscale version

No response

Bug report

BUG-1dbee491610be854a6911ac6edf8717a53381967af824dede8da40997d41197e-20221229161318Z-2dfa3d281a29428d

[n8henrie]

Using my tailscale ip address (100.x.x.x or 100.x.x.x/32) in my interfaces list also does not work.

[n8henrie]

Post with a little more info by the same users as the SO question: https://codeberg.org/ansible/samba

[DentonGentry]

I'm not sure how much we'll be able to help with this: Samba via Tailscale does work. The specific bind-to-interface feature does not. We're unlikely to be able to build and debug smbd in order to figure out what is going wrong.

[bradfitz]

This is the same class of problem that a lot of software has.

The new tailscale serve stuff in the latest release (in alpha) addresses this in part: you can run OpenSSH or Samba or VNC binding to only the loopback interface and then tell your local tailscaled to map through its port N to localhost:N.

[danobi]

This is the same class of problem that a lot of software has.

Out of curiosity, what is this class of problem?

[adamstac]

This is the same class of problem that a lot of software has.

The new tailscale serve stuff in the latest release (in alpha) addresses this in part: you can run OpenSSH or Samba or VNC binding to only the loopback interface and then tell your local tailscaled to map through its port N to localhost:N.

Can you be more clear on this Brad? I'm hitting up against this issue/concern as well.

I can only mount a Samba share over Tailscale if bind interfaces only is set to no.

bind interfaces only = no

Not sure if there's no information somewhere on this concern, so please point me in the right direction if you can. Thanks!

[FlorentLM]

Can you be more clear on this Brad? I'm hitting up against this issue/concern as well.

I can only mount a Samba share over Tailscale if bind interfaces only is set to no.

bind interfaces only = no

Not sure if there's no information somewhere on this concern, so please point me in the right direction if you can. Thanks!

I had this exact same problem and was not happy using bind interfaces only to no but what Brad mentioned using the newish tailscale serve command (explained here) worked perfectly:

• Set your /etc/samba/smb.conf config to this (only the relevant part):

[global]
 interfaces = lo enp2s0
 bind interfaces only = yes
 smb ports = 445

or replace enp2s0 by eth0 or whatever your physical address is, and change the port to whatever you'd like it to be

• Restart samba:

sudo systemctl restart smbd.service

• Enable the mapping for TCP port 445 in tailscale:

tailscale serve tcp:445 tcp://localhost:445

(you can disable it with tailscale serve tcp:445 tcp://localhost:445 off)

• Enjoy :)

[kjames2001]

Can you be more clear on this Brad? I'm hitting up against this issue/concern as well.
I can only mount a Samba share over Tailscale if bind interfaces only is set to no.

bind interfaces only = no

Not sure if there's no information somewhere on this concern, so please point me in the right direction if you can. Thanks!

I had this exact same problem and was not happy using bind interfaces only to no but what Brad mentioned using the newish tailscale serve command (explained here) worked perfectly:

* Set your `/etc/samba/smb.conf` config to this (only the relevant part):

[global]
 interfaces = lo enp2s0
 bind interfaces only = yes
 smb ports = 445

or replace enp2s0 by eth0 or whatever your physical address is, and change the port to whatever you'd like it to be

* Restart samba:

sudo systemctl restart smbd.service

* Enable the mapping for TCP port 445 in tailscale:

tailscale serve tcp:445 tcp://localhost:445

(you can disable it with tailscale serve tcp:445 tcp://localhost:445 off)

* Enjoy :)

Honestly, the command "tailscale serve tcp:445 tcp://localhost:445" alone saved me.