[Samba] Valid Users Does Not Like My AD Group or Syntax

E R fasteddieinaustin at gmail.com
Sat Jan 28 00:07:50 UTC 2023

I am working on replacing an undocumented Samba server with one I have
setup after very helpful wiki.  I am just having an issue with using an
Active Directory security group with the setting "valid users" to limit
access to the share.  I would like to use an existing security group on the
Windows side to control access to the share, if possible.  Server 2012 R2
forest and OS on Windows side. I have taken pains to only use WinBind on
RHEL as Red Hat weenies will point you to using tools like "realm" that
introduce SSSD that I do not want to use.

valid user = MYDOMAIN\myuserid
If I use the above syntax for my user account I can gain access to the
share just as I expect.

valid user = +MYDOMAIN\"MySecurityGroup"
The above syntax does not work (I am a member of the group).  I also tried
omitting the quotes around the group name since I do not have a space in
the name.  I also tried using the alternate syntax that you can use on
Windows like MySecurityGroup at domain.com.

getent group MYDOMAIN\\MySecurityGroup
The above command does return my group from AD.

chown root:MySecurityGroup somefile.txt
This above command does update the permissions so that the group is used
and displays on the ls command.

SID +MYDOMAIN\MySecurityGroup is not in a valid format
I upped the log level to 3 and I see the above message.

IDMAP Setting:
idmap config * : backend = autorid
idmap config * : range = 100000-19999999
idmap config * : rangesize = 1000000

More information about the samba mailing list