How to set up Samba to allow AD users in AD groups to access Samba shares
This document (7022492) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Linux Enterprise Server 12 Service Pack 3 (SLES 12 SP3)
How to configure Samba to allow AD users in AD groups to access Samba shares.
AD has a group with users in that group.
The AD group has a GID.
Samba is configured to authenticate AD users.
There is a Linux group with its own GID.
There is a Samba share that we want to give AD users access to by assigning the directory rights via the AD group.
AD Group: ADG
GID for ADG: 10005
AD user in ADG: adtest
Domain name: AD199
Linux Group: temp_local
GID for temp_local: 10003
Samba Share: linuxaccess
The share definition for linuxaccess in the /etc/samba/smb.conf file:
[linuxaccess]
path = /tmp/access
read only = No
In the [Global] section of the /etc/samba/smb.conf file you might also want to set the following:
winbind use default domain = yes
That way you can use the short user name adtest instead of domain/adtest.
Restart the Samba services after making changes to smb.conf, and the winbind service if any winbind changes were made.
A quick way of doing this is "rcsmb restart; rcnmb restart; rcwinbind restart" or "for i in rcsmb rcnmb rcwinbind; do $i restart; done".
Check that the adtest user can be retrieved from AD:
POSIX file system permissions
server:/tmp # ll access
drwxrwx--- 1 root temp_local 18 Dec 13 16:38 GROUP_TEMP_LOCAL/
The owner is root and the group is the local Linux group named temp_local.
server:/tmp/access # getfacl GROUP_TEMP_LOCAL/
# file: GROUP_TEMP_LOCAL/
# owner: root
# group: temp_local
In other words, the mode is 770.
Use YaST > Users and Groups to change the GID of the temp_local Linux group from 10003 so that it matches the GID of the AD group named ADG, which is 10005.
Show that the change was successful:
grep temp_local /etc/group
Alternatively, doing an ‘id adtest’ shows the following:
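The whole point of the GID change above is that the local group temp_local, the AD group ADG (as winbind resolves it through getent), and the group owner of the 770 share directory all carry the same GID. The following script, an added example rather than part of the SUSE document, checks exactly that alignment; the /etc/group and getent outputs are constructed inline so it runs offline, and the directory GID and mode are the values 'stat -c "%g %a"' would report.

```python
import stat

# Constructed sample inputs (not captured from a real server): /etc/group before and
# after the YaST change, and what 'getent group ADG' returns through winbind.
ETC_GROUP_BEFORE = "root:x:0:\ntemp_local:x:10003:\n"
ETC_GROUP_AFTER = "root:x:0:\ntemp_local:x:10005:\n"
GETENT_ADG = "ADG:x:10005:adtest\n"


def parse_group_lines(text):
    """Parse /etc/group or 'getent group' lines (name:x:gid:member,member)
    into {name: (gid, [members])}, skipping blank or malformed lines."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue
        members = [m for m in fields[3].split(",") if m]
        groups[fields[0]] = (int(fields[2]), members)
    return groups


def check_share(etc_group, getent_out, local_group, ad_group, ad_user, dir_gid, dir_mode):
    """Return a list of problems; an empty list means ad_user reaches the share
    directory through its group bits. dir_gid/dir_mode are the stat values of
    the share directory (e.g. 10005 and 0o770)."""
    local = parse_group_lines(etc_group).get(local_group)
    ad = parse_group_lines(getent_out).get(ad_group)
    if local is None:
        return [f"local group {local_group} missing from /etc/group"]
    if ad is None:
        return [f"AD group {ad_group} not resolvable (is winbind running?)"]
    problems = []
    if ad_user not in ad[1]:
        problems.append(f"{ad_user} is not a member of {ad_group}")
    if local[0] != ad[0]:
        problems.append(f"GID mismatch: {local_group}={local[0]} but {ad_group}={ad[0]}")
    if dir_gid != local[0]:
        problems.append(f"share directory is group {dir_gid}, not {local_group} ({local[0]})")
    if (dir_mode & stat.S_IRWXG) != stat.S_IRWXG:
        problems.append("group bits are not rwx")
    if dir_mode & stat.S_IRWXO:
        problems.append("'other' bits set: share is readable beyond the group")
    return problems


if __name__ == "__main__":
    for label, grp, gid in (("before", ETC_GROUP_BEFORE, 10003), ("after", ETC_GROUP_AFTER, 10005)):
        print(label, check_share(grp, GETENT_ADG, "temp_local", "ADG", "adtest", gid, 0o770) or "OK")
```

Run against a live server, the same checks apply to the real outputs of 'cat /etc/group', 'getent group ADG' and 'stat -c "%g %a" /tmp/access/GROUP_TEMP_LOCAL'.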
Windows - DOS box
From a Windows machine DOS box accessing the linuxaccess share with the adtest user:
net use * \\samba_serverIP\samba_share /User:username<enter>
Example: net use * \\10.1.1.1\linuxaccess /User:adtest<enter>
Provide the password<enter>
The above should provide something similar to the following:
Drive Z: is now connected to \\10.1.1.1\linuxaccess.
Do a dir command to get a directory listing of this share.
Windows - Map Network Drive
Open File Explorer
Right click on “This PC” and select “Map network drive…”
Select the desired drive and on the “Folder:” enter \\samba_serverIP\linuxaccess
Click the box to check “Connect using different credentials” and select Finish.
User name: AD199\adtest
Password: <enter password>
From a Linux machine accessing the linuxaccess share with the adtest user:
smbclient //serverIP/linuxaccess -U adtest<enter>
Provide the password<enter>
Do a dir command to get a directory listing.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7022492
- Creation Date:20-DEC-17
- Modified Date:21-DEC-17
- SUSE Linux Enterprise Server