[clug] samba 3.x and Active Directory integration

Chris Henderson henders254 at gmail.com
Mon Mar 30 11:13:11 GMT 2009

I've been trying to figure out file and directory permissions for AD
users on Linux. I'm not sure whether I need to set the permissions
on the Windows end (something to do with the UNIX attributes for each
user?) or the Linux end or both. I want to manage Linux/Samba file and
directory permissions from Windows/AD so they can be centrally managed.

The AD users can ssh to Linux and mount Samba directories, but it seems
they can't write to the directory.

For example, the directory /mkt/ has 775 permissions and is owned by
root and group mkt (I added the group using the groupadd command). In
/etc/group I added the AD users to the mkt group.

Now I log on to Windows using my AD user name and password and mount
\\server\mkt, and it doesn't ask for any user name or password. I then
try to create a file and it says denied. It looks like when I ssh to
Linux using my AD user name, I am in a group called "Domain Users"
(this is the default group in AD) and it doesn't know about the "mkt"
group. id shows I'm a member of other Windows groups as well.

I can log on using my AD account with smbclient
(smbclient \\\\server\\mkt -U AD_USER_NAME).

I can see the shares using smbclient -L server -U <AD_USER_NAME>.

How do I tell AD (or Samba?) that if I am a member of the mkt group (on Linux),
let me write to the /mkt directory? Or do I need to add a group in Windows?

I looked at:
http://wiki.samba.org/index.php/Samba_&_Active_Directory - the
Configuring Windows part says: "I am still working on that ... "

Here's my smb.conf:

[global]
       workgroup = AD
       security = ADS
       realm = AD.COMPANY.COM
       encrypt passwords = yes
       preferred master = no
       log level = 3
       auth methods = winbind
       # winbind supplies AD users/groups to NSS; these ranges are the
       # uid/gid space it maps SIDs into
       winbind enum users = yes
       winbind enum groups = yes
       winbind use default domain = yes
       idmap uid = 100000-200000
       idmap gid = 100000-200000
       netbios name = test
       password server =
       template homedir = /home/%D/%U
       template shell = /bin/bash

# share name taken from the \\server\mkt path used above
[mkt]
       path = /mkt/
       comment = mkt Data Share
       directory mask = 0770
       read only = no
       available = yes
       browseable = yes
       writable = yes
       guest ok = no
       public = no
       printable = no
       share modes = no
       locking = no

Thanks for any help.
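A small diagnostic, added here and not part of the original post, that re-implements the POSIX check Linux makes when an AD user creates a file under /mkt: it compares the numeric uid and the gids the session actually holds (what `id -G` reports, i.e. what winbind/NSS hand to the login) against the directory's owner, group and mode. The uid/gid values in the comments are constructed; `diagnose_share` is a hypothetical wrapper name.

```shell
#!/bin/sh
# can_write_dir UID "GID LIST" DIR_UID DIR_GID OCTAL_MODE
# Exits 0 if the uid may create files in the directory, 1 if not, 2 on bad input.
# Mirrors the kernel rule: owner class applies if uid matches, else group
# class if the directory gid is among the user's gids, else the other class.
can_write_dir() {
    uid=$1 gids=$2 dir_uid=$3 dir_gid=$4 mode=$5
    mode=${mode#"${mode%???}"}                 # keep last three octal digits (0775 -> 775)
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "bad mode '$5'"; return 2 ;;
    esac
    owner_bits=${mode%??}
    group_bits=${mode#?}; group_bits=${group_bits%?}
    other_bits=${mode#??}

    if [ "$uid" -eq 0 ]; then
        echo "uid 0: root bypasses mode bits"; return 0
    fi
    if [ "$uid" -eq "$dir_uid" ]; then
        [ $((owner_bits & 2)) -ne 0 ] && { echo "writable as owner"; return 0; }
        echo "denied: owner class has no write bit"; return 1
    fi
    for g in $gids; do
        if [ "$g" -eq "$dir_gid" ]; then
            [ $((group_bits & 2)) -ne 0 ] && { echo "writable via gid $g"; return 0; }
            echo "denied: group class has no write bit"; return 1
        fi
    done
    [ $((other_bits & 2)) -ne 0 ] && { echo "writable via other"; return 0; }
    echo "denied: uid $uid is not the owner and gid $dir_gid is not in [$gids]"
    return 1
}

# diagnose_share USER DIR: gather the live values and run the check.
# Example (constructed): a winbind user whose 'id -G' lacks the mkt gid is denied
# on a root:mkt 775 directory even if /etc/group lists the user under mkt.
diagnose_share() {
    user=$1 dir=$2
    vals=$(stat -c '%u %g %a' "$dir") || return 2
    set -- $vals
    can_write_dir "$(id -u "$user")" "$(id -G "$user")" "$1" "$2" "$3"
}
```

Run `diagnose_share AD_USER_NAME /mkt` on the Samba host: the "denied: ... not in [...]" line is the case the post describes, and the gid list printed there is the one to compare against the group that owns /mkt.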

