[Samba] Samba + AD Authentication: Restricting access to shares

Rowland penny rpenny at samba.org
Tue Jun 11 20:12:47 UTC 2019

On 11/06/2019 20:45, Goetz, Patrick G via samba wrote:
> Because most of our servers are restricted to specific user groups and
> the AD domain covers the entire university, I need to find a way to
> limit access to samba shares, preferably using AD security groups; i.e.
> I want to do something like:
> [EMdata]
>      comment = TEM Data
>      path = /EMdata
>      valid users = @cns-cryo-emusers
>      guest ok = no
>      writeable = yes
> where cns-cryo-emusers is an AD security group.  Has this been
> implemented in any version of Samba?  Otherwise, is there any way to
> limit access when doing AD authentication?  We don't have any local
> users to limit access to; it's all domain users.  The local accounts are
> strictly used for administrative purposes.
Then do it the way Windows does it, set permissions on the share from 
the 'security' tab on Windows, see here:


Set your share like this:

     comment = TEM Data
     path = /EMdata
     read only = no


More information about the samba mailing list