How do I control AD Group to access my samba share?

Brief description of the problem


I would like to allow a AD group to access my samba share. The Webgui only has an option to add single admin user accounts. I tried to work with the “valid users” option from samba. This didn’t work.

Detailed step by step instructions to reproduce the problem

You can’t allow a security group to access the share. Only users which are added to the “admin users” from the WebGui are able to access the share.



check_ntlm_password: Checking password for unmapped user []\[andrin@x]@[WINPC] with the new password interface [2017/06/14 19:27:35.736332, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password) check_ntlm_password: mapped user is: [NAS01]\[andrin@x]@[WINPC] [2017/06/14 19:27:35.736409, 3] ../source3/auth/check_samsec.c:400(check_sam_security) check_sam_security: Couldn't find user 'andrin@x' in passdb. [2017/06/14 19:27:35.736428, 3] ../source3/auth/auth_winbind.c:60(check_winbind_security) check_winbind_security: Not using winbind, requested domain [NAS01] was for this SAM. [2017/06/14 19:27:35.736440, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password) check_ntlm_password: Authentication for user [andrin@x] -> [andrin@x] FAILED with error NT_STATUS_NO_SUCH_USER

Thank you for your support

Solution: Use the “old” username logon style:
Domain\user -> works
user@domain -> doesen’t work

Apparently every user which is member of the same domain is able to connect to the share.
It would be nice if you could restrict it to members of a certain group.

Is there a way to use the “new” username logon name to connect?

Hi @andrin,
adding valid users = @your_domain_group to samba share options should solve

Suggestion: avoid Domain users group and create an ad hoc group


What do you mean by [quote=“Flyer, post:3, topic:3374”]
ad hoc group

I need to use MS AD Groups.

Hi @andrin you’re right, my suggestion was to have a single word group instead of default MS AD groups like “Domain Users” to avoid handling space on groups names


Yes makes sense. I set the Permissions via ACL’s on the top directory. So this issue is solved for me.

Is there any way to make the “new” username style working (like andrin@domain.local)?

Thank you