
How to set up Samba to allow AD users in AD groups to access Samba shares

This document (7022492) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)

SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)

SUSE Linux Enterprise Server 12 Service Pack 3 (SLES 12 SP3)


Situation

How to configure Samba to allow AD users in AD groups to access Samba shares.


AD has a group with users in that group.

The AD group has a GID.

Samba is configured to authenticate AD users.

There is a Linux group with its own GID.

There is a Samba share that we want to give AD users access to by assigning the directory rights via the AD group.

Resolution

Configuration:

AD Group:            ADG

GID for ADG:      10005

AD user in ADG:  adtest

Domain name:      AD199


Linux Group:              temp_local

GID for temp_local:   10003


Samba Share:         linuxaccess


The share definition in the /etc/samba/smb.conf file:

[linuxaccess]

     path = /tmp/access

     read only = No


In the [Global] section of the /etc/samba/smb.conf file you might also want to set the following:

     winbind use default domain = yes

That way you can use the short user name adtest instead of domain/adtest

Restart the Samba services after making changes to smb.conf, and also restart the winbind service if any winbind settings were changed.

A quick way of doing this is “rcsmb restart; rcnmb restart; rcwinbind restart” or “for i in rcsmb rcnmb rcwinbind; do $i restart; done”

Check that we can retrieve the user adtest from AD:

wbinfo -u

administrator

guest

adtest


Posix file system permissions

server:/tmp # ll access

total 0

drwxrwx--- 1 root temp_local 18 Dec 13 16:38 GROUP_TEMP_LOCAL/

The owner is root and the group is the local Linux group named temp_local.

server:/tmp/access # getfacl GROUP_TEMP_LOCAL/

# file: GROUP_TEMP_LOCAL/

# owner: root

# group: temp_local

user::rwx

group::rwx

other::---

In other words 770

Use YaST > Users and Groups to change the GID of the temp_local Linux group from 10003 to 10005, so that it matches the GID of the AD group named ADG.

Show that the change was successful:

cat /etc/group | grep temp_local

temp_local:x:10005:

Alternatively, doing an ‘id adtest’ shows the following:

id adtest

uid=10000(adtest) gid=10005(temp_local) groups=10005(temp_local)
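
The verification above, done by eye from the id, /etc/group and mode output, can be scripted. The following is an added example, not part of the original SUSE document; the function names and the ID_BEFORE line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not SUSE's code): does an AD user reach a directory through
# the directory's owning group? Works on captured text, so it runs anywhere.

# Print the GID of group $1 from /etc/group-format text on stdin.
gid_of_group() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }'
}

# Succeed if the `id` output in $1 lists numeric GID $2 as primary or
# supplementary group. The uid= field is dropped so a UID cannot match.
id_has_gid() {
    printf '%s\n' "$1" | sed 's/^uid=[^ ]* //' | tr ' ,=' '\n\n\n' |
        grep -Eq "^$2(\\(|\$)"
}

# Succeed if octal mode $1 (770, 0770, ...) gives the group r and x,
# the minimum needed to enter and list a directory.
group_can_list() {
    g=$(printf '%s' "$1" | sed 's/.*\(.\).$/\1/')
    [ $(( g & 5 )) -eq 5 ]
}

# Args: id output, group-file text, directory's group name, directory mode.
share_access() {
    dir_gid=$(printf '%s\n' "$2" | gid_of_group "$3")
    [ -n "$dir_gid" ] || { echo "unknown-group"; return; }
    id_has_gid "$1" "$dir_gid" || { echo "gid-mismatch:$dir_gid"; return; }
    group_can_list "$4" || { echo "mode-denies-group"; return; }
    echo "allowed:$dir_gid"
}

# ID_AFTER and the 10005 group line are the outputs shown in the article.
# ID_BEFORE is constructed: an assumption about what `id` printed while
# temp_local still had GID 10003.
ID_AFTER='uid=10000(adtest) gid=10005(temp_local) groups=10005(temp_local)'
ID_BEFORE='uid=10000(adtest) gid=10005(ADG) groups=10005(ADG)'

share_access "$ID_BEFORE" 'temp_local:x:10003:' temp_local 770  # gid-mismatch:10003
share_access "$ID_AFTER"  'temp_local:x:10005:' temp_local 770  # allowed:10005
```

On a live server the same inputs come from `id adtest`, `getent group temp_local` and `stat -c %a /tmp/access/GROUP_TEMP_LOCAL`.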

Test cases:


Windows - DOS box

From a Windows machine DOS box accessing the linuxaccess share with the adtest user:

net use * \\samba_serverIP\samba_share /User:username<enter>

Example: net use * \\10.1.1.1\linuxaccess /User:adtest<enter>

Provide the password<enter>

The above should provide something similar to the following:

Drive Z: is now connected to \\10.1.1.1\linuxaccess.

Type Z:<enter>

Do a dir command to get a directory listing of this share.


Windows - Map Network Drive

Open File Explorer

Right click on “This PC” and select “Map network drive…”

Select the desired drive letter and, in the “Folder:” field, enter \\samba_serverIP\linuxaccess

Click the box to check “Connect using different credentials” and select Finish.

User name: AD199\adtest

Password: <enter password>

OK


Linux

From a Linux machine accessing the linuxaccess share with the adtest user:

smbclient //serverIP/linuxaccess -U adtest<enter>

Provide the password<enter>

Do a dir command to get a directory listing.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7022492
  • Creation Date:20-DEC-17
  • Modified Date:21-DEC-17
  • SUSE Linux Enterprise Server
