[Samba] Configuring Samba as a file server to use AD authentication

Michael A Weber mweber.subscriptions01 at gmail.com
Wed Aug 24 21:13:53 UTC 2016

> On Aug 23, 2016, at 4:58 PM, Kyle Manel via samba <samba at lists.samba.org> wrote:
> Hello,
> I am attempting to install Samba as a file server within an Active Directory domain to use the AD server for group authentication.
> I have worked through various guides, but all leave me unable to authenticate into the samba shares using my organization's existing user groups in Active Directory.
> I need the following configuration:
> Share - users : description
> Admin - Admin : This share is exclusive to its user group
> Media - media users : This share is exclusive to its user group and the Admin group
> Junk - all users : This share is accessible to everyone
> There are 3 different user groups that will be using this server, Admin, Media and Everyone.
> I have a Microsoft Active Directory Server (2012R2) operating as my AD server, and an Ubuntu server operating for Samba.
> I would like:
> users to be authenticated each access to the share,
> the process of adding/removing users to be done by the AD server.

My apologies as I did not originally send this reply to the group.  Also, I wasn’t aware of issues with AD2012, and I’ve edited my response, below.


Having recently been through similar (although my AD DC is a samba box as well), you need to set up your samba file server as a domain member server.  This way, you can easily control access to the shares via group membership, etc. in AD.

The way to do it is to follow this guide without deviation:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

This is what I did, and it works.

There is a part in the guide which is about setting up the smb.conf for your file server.  At the end of that file snippet, there is a comment that says “# Just adding the following three lines is not enough!!” and it’s true.  You have to determine how you are going to set up the idmap and create your configuration.  My recommendation is to use the first comment line below that, or setting up idmap for ad, and that is another document in the wiki which you will find here:

https://wiki.samba.org/index.php/Idmap_config_ad

EDIT:  Per response from Rowland Penny, the above recommendation of idmap_config_ad is incorrect, and idmap_config_rid should be used instead:

https://wiki.samba.org/index.php/Idmap_config_rid

Once you set up the smb.conf file, then you can continue on the first wiki page linked above and, as I said, follow it directly.  If you don’t get the values that the instructions tell you that you should get, something is wrong and needs to be corrected.

If your samba server is built on a *nix flavor that uses SELinux, please visit your system log file to diagnose any errors encountered and resolve those along the way until you get the system functioning as you’d like.

Once you have it functioning without errors and joined to your domain, you can now manage it.  You’ll have to set up the shares via the smb.conf file, which is all documented here (and I recommend using Windows ACLs since it feels to me like you’re using Windows workstations to access the file shares):

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

then reload the configuration with the command:

smbcontrol all reload-config

and then the shares should be visible and accessible on your network.

I can’t say anything except that this recent file server build for me was the first time I’ve built a samba box since 2004, and following the instructions exactly and determining why I couldn’t get the values listed in the wiki are what made everything work for me.

Good luck, stick to the wiki pages (and there are more of them, you can access by clicking “User Documentation” in the left pane of those pages linked above), and you’ll get it going.  I know the documentation sometimes is rather rough around the edges, but it does tell you what you need to make it work.
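The following smb.conf is an added example illustrating the pieces the reply above points at (domain member, the rid idmap backend, Windows ACL support, and the three shares Kyle described); it is not Michael's configuration and not copied from the wiki pages. The realm EXAMPLE.COM, the NetBIOS workgroup EXAMPLE, the share paths under /srv/samba, and the AD group names Admin and Media are assumptions chosen to match the layout in the original question.

```ini
# Example smb.conf for a Samba domain member file server (constructed example).
# Assumed values: realm EXAMPLE.COM, workgroup EXAMPLE, AD groups "Admin" and "Media".

[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS

   # The default (*) idmap range holds BUILTIN and other well-known SIDs.
   # It must not overlap the per-domain range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # rid backend: uid/gid are derived deterministically from the RID of each
   # AD SID, so every domain member computes the same ids without needing
   # uidNumber/gidNumber attributes in AD.
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999

   # Let users log in as "user" instead of "EXAMPLE\user"; winbind still
   # checks every session against the domain controller.
   winbind use default domain = yes
   winbind refresh tickets = yes
   template shell = /bin/bash
   template homedir = /home/%U

   # Windows ACL support: NT ACLs are stored in extended attributes so that
   # permissions can be managed from a Windows workstation.
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes

# Exclusive to the Admin group.
[Admin]
   path = /srv/samba/admin
   read only = no
   valid users = @"EXAMPLE\Admin"

# Media group plus the Admin group.
[Media]
   path = /srv/samba/media
   read only = no
   valid users = @"EXAMPLE\Media" @"EXAMPLE\Admin"

# Every domain account (Domain Users is the default primary group in AD).
[Junk]
   path = /srv/samba/junk
   read only = no
   valid users = @"EXAMPLE\Domain Users"
```

The valid users lines are a coarse share-level gate evaluated by winbind against AD on every connection; with acl_xattr enabled, finer-grained permissions can then be set on the folders from Windows as the Windows ACLs wiki page describes. After editing, run testparm to check the syntax, and confirm the join with getent passwd and getent group on a domain user and group (the values the wiki says you should see) before reloading with smbcontrol all reload-config.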

