How do I control AD Group to access my samba share?

andrin · June 14, 2017, 5:18pm

Brief description of the problem

Hello

I would like to allow a AD group to access my samba share. The Webgui only has an option to add single admin user accounts. I tried to work with the “valid users” option from samba. This didn’t work.

Detailed step by step instructions to reproduce the problem

You can’t allow a security group to access the share. Only users which are added to the “admin users” from the WebGui are able to access the share.

Screenshot

Log:


  check_ntlm_password:  Checking password for unmapped user []\[andrin@x]@[WINPC] with the new password interface
[2017/06/14 19:27:35.736332,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [NAS01]\[andrin@x]@[WINPC]
[2017/06/14 19:27:35.736409,  3] ../source3/auth/check_samsec.c:400(check_sam_security)
  check_sam_security: Couldn't find user 'andrin@x' in passdb.
[2017/06/14 19:27:35.736428,  3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [NAS01] was for this SAM.
[2017/06/14 19:27:35.736440,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [andrin@x] -> [andrin@x] FAILED with error NT_STATUS_NO_SUCH_USER

Thank you for your support

andrin · June 14, 2017, 5:39pm

Solution: Use the “old” username logon style:
Domain\user -> works
user@domain -> doesen’t work

Apparently every user which is member of the same domain is able to connect to the share.
It would be nice if you could restrict it to members of a certain group.

Is there a way to use the “new” username logon name to connect?

Flyer · June 15, 2017, 2:10pm

Hi @andrin,
adding valid users = @your_domain_group to samba share options should solve

Suggestion: avoid Domain users group and create an ad hoc group

Mirko

andrin · June 16, 2017, 12:56pm

What do you mean by [quote=“Flyer, post:3, topic:3374”]
ad hoc group
[/quote]

I need to use MS AD Groups.

Flyer · June 17, 2017, 6:28pm

Hi @andrin you’re right, my suggestion was to have a single word group instead of default MS AD groups like “Domain Users” to avoid handling space on groups names

M.

andrin · June 18, 2017, 3:19pm

Yes makes sense. I set the Permissions via ACL’s on the top directory. So this issue is solved for me.

Is there any way to make the “new” username style working (like andrin@domain.local)?

Thank you