-   Linux - Server (
-   -   Samba 4: share directory for AD group (

mac.tieu 01-20-2013 02:22 AM

Samba 4: share directory for AD group

I've just installed samba 4 on CentOS 6.3 then follow configuration guide at Samba4/HOWTO/Join a domain as a DC. Everything is going right except I can't share directory to AD group.

- 'getent passwd' show as:


- 'getent group'

Enterprise Read-only Domain Controllers:*:3000008:
Domain Admins:*:3000009:
Domain Users:*:100:
Domain Guests:*:3000002:
Domain Computers:*:3000010:
Domain Controllers:*:3000011:
Schema Admins:*:3000012:
Enterprise Admins:*:3000013:
Group Policy Creator Owners:*:3000014:
Read-only Domain Controllers:*:3000015:

- smb.conf

        workgroup = ADDOMAIN
        realm =
        netbios name = LINUX-DC
        server role = active directory domain controller
        path = /usr/local/samba/var/locks/sysvol/
        read only = No
        path = /usr/local/samba/var/locks/sysvol
        read only = No

        path = /tmp/writers
        valid users = @"ADDOMAIN\Writers"
        write list = @"ADDOMAIN\Writers"

- Administrator is member of Writer group.

[root@linux-dc ~]# id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000014(Group Policy Creator Owners),3000013(Enterprise Admins),3000009(Domain Admins),3000012(Schema Admins),3000020(Writers)

Problem is: member of group Writers can not access 'test' resource. If I change 'valid users' to: "valid users = ADDOMAIN\Administrator" then I can access sharing directory.
Could you help me to explain what I am doing wrong with this configuration?

Thanks in advanced,
Mac Tieu.

Ser Olmy 01-21-2013 11:12 AM

This could be a winbind separator issue. After all, the backslash is usually the escape character in Unix/Linux.

You could try escaping the backslash, like this:

valid users = @"ADDOMAIN\\Writers"
If that doesn't work, you could try changing the separator to, say, the "+" character with

winbind separator = +
in the "globals" section and

valid users = @"ADDOMAIN+Writers"
on the share.

mac.tieu 01-22-2013 10:38 AM


I've replaced separator to '+' as you guided but no success. After configed log level to 3 in smb.conf to examine log file, I can now access sharing resource by using group SID like:

valid users = 'S-1-5-21-1233234322-3234673423-5678456734-3457'
Is there any way to use group name instead of 'complex' SID string?

Thanks so much!

celsomagela 05-28-2014 12:48 PM

I tested now, in Samba4 with internal dns: valid users = +"cmpc.leg\adm" and so is working perfectly.(cmpc.leg=realm and adm=group)

All times are GMT -5. The time now is 11:35 PM.