Create a Shared Directory on Samba AD DC and Map to Windows/Linux Clients – Part 7

This tutorial will guide you on how to create a shared directory on a Samba AD DC, map that share to domain-joined Windows clients via GPO, and manage the share permissions from Windows with the usual security dialogs.

It also covers how to access and mount the file share from a Linux machine joined to the domain, using a Samba4 domain account.

Requirements:

  1. Create an Active Directory Infrastructure with Samba4 on Ubuntu

Step 1: Create Samba File Share

1. Creating a share on a Samba AD DC is a simple task. First create the directory you want to export over the SMB protocol and set the filesystem permissions below, so that a Windows domain admin account can later adjust the share permissions to what Windows clients should see. The group in the chown command is a domain group, so it must be resolvable through NSS on the DC: if chown reports "invalid group", winbind is missing from the passwd and group lines of /etc/nsswitch.conf (the libnss-winbind package provides the module), and if wbinfo -g lists groups as DOMAIN\name you must use that form in chown as well.

Assuming that the new file share on the AD DC would be the /nas directory, run the below commands to assign the correct permissions.

# mkdir /nas
# chmod -R 775 /nas
# chown -R root:"domain users" /nas
# ls -alh / | grep nas
Create Samba Shared Directory

2. After creating the directory that the Samba4 AD DC will export, add the following share definition to the Samba configuration file to make it available over SMB.

# nano /etc/samba/smb.conf

Go to the bottom of the file and add the following lines:

[nas]
	path = /nas
	read only = no
Configure Samba Shared Directory

3. Finally, restart the Samba AD DC daemon to apply the change. Note that the restart briefly interrupts authentication for the whole domain; smbd also re-reads a changed smb.conf on its own (it checks about once a minute), so on a busy DC waiting is an alternative to restarting.

# systemctl restart samba-ad-dc.service
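The three steps above, consolidated into a script that also performs the check most people trip over (the domain group must be resolvable through NSS before chown can use it) and that does not duplicate the share section when run twice. This is an added example, not the tutorial's own script: SHARE_NAME, SHARE_PATH, SHARE_GROUP and SMB_CONF are assumed names that default to the tutorial's values, and the stanza tightens the original by restricting SMB sessions to members of the group and by using mode 2770 instead of 775 (every intended accessor is a member of that group, so world read access is not needed). Run it with --apply on the DC; without that flag it only defines the functions.

```shell
#!/bin/sh
# Create the share directory, verify the domain group resolves through NSS, and
# define the share in smb.conf exactly once. Added example, not the tutorial's
# own commands; SHARE_* and SMB_CONF are assumed names, overridable from the environment.

SHARE_NAME=${SHARE_NAME:-nas}
SHARE_PATH=${SHARE_PATH:-/nas}
SHARE_GROUP=${SHARE_GROUP:-domain users}
SMB_CONF=${SMB_CONF:-/etc/samba/smb.conf}

# resolve_group NAME: print the spelling under which NSS knows the AD group, either the
# bare name or DOMAIN\NAME (what 'wbinfo -g' lists when 'winbind use default domain' is unset).
# Fails when neither resolves, which is the "chown: invalid group" case: winbind is missing
# from the passwd/group lines of /etc/nsswitch.conf or libnss-winbind is not installed.
resolve_group() {
    if getent group "$1" >/dev/null 2>&1; then
        printf '%s\n' "$1"
        return 0
    fi
    dom=$(wbinfo --own-domain 2>/dev/null) || return 1
    getent group "${dom}\\$1" >/dev/null 2>&1 || return 1
    printf '%s\\%s\n' "$dom" "$1"
}

# has_share CONF NAME: true when a [NAME] section already exists in CONF
# (share names are case-insensitive, hence grep -i)
has_share() {
    grep -qi "^[[:space:]]*\[$2\][[:space:]]*$" "$1"
}

# share_stanza NAME PATH GROUP: the share definition. Beyond the tutorial's
# 'read only = no', it limits SMB sessions to members of GROUP; the fine-grained
# rights are still set as Windows ACLs from a Windows client afterwards.
share_stanza() {
    printf '\n[%s]\n' "$1"
    printf '\tpath = %s\n' "$2"
    printf '\tread only = no\n'
    printf '\tvalid users = @"%s"\n' "$3"
}

# add_share_stanza CONF NAME PATH GROUP: append the stanza; a repeat call is a no-op,
# so running the script twice does not leave duplicate sections behind.
add_share_stanza() {
    if has_share "$1" "$2"; then
        echo "[$2] already defined in $1, leaving it unchanged" >&2
        return 0
    fi
    share_stanza "$2" "$3" "$4" >> "$1"
}

# validate_conf CONF: syntax-check with testparm (ships with samba); skipped where absent
validate_conf() {
    command -v testparm >/dev/null 2>&1 || { echo "testparm not installed, skipping check" >&2; return 0; }
    testparm -s "$1" >/dev/null
}

if [ "${1:-}" = "--apply" ]; then
    group=$(resolve_group "$SHARE_GROUP") || {
        echo "group '$SHARE_GROUP' is not resolvable via NSS; fix winbind first" >&2
        exit 1
    }
    mkdir -p "$SHARE_PATH"
    chown "root:$group" "$SHARE_PATH"
    chmod 2770 "$SHARE_PATH"   # setgid: new entries inherit the group; no access for others
    add_share_stanza "$SMB_CONF" "$SHARE_NAME" "$SHARE_PATH" "$SHARE_GROUP"
    validate_conf "$SMB_CONF"
    systemctl restart samba-ad-dc.service
fi
```

The `valid users` line uses Samba's list syntax, where a quoted token may contain spaces and the leading `@` marks a group; the quoting is what makes "domain users" work.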

Step 2: Manage Samba Share Permissions

4. This share is meant to be accessed from Windows with domain accounts (users and groups) created on the Samba AD DC, not by local Linux system users, so its permissions are managed as Windows ACLs.

The process of managing permissions can be done directly from Windows Explorer, in the same way permissions are managed for any folder in Windows Explorer.

First, log on to a Windows machine with a Samba4 AD account that has administrative privileges on the domain. To reach the share from Windows and set its permissions, type the IP address, host name or FQDN of the Samba AD DC in the Windows Explorer address bar, preceded by two backslashes; the share should be listed.

\\adc1
or
\\192.168.1.254
or
\\adc1.tecmint.lan
Access Samba Share Directory from Windows

5. To modify permissions, right-click the share and choose Properties. Open the Security tab and adjust the permissions of domain users and groups as required; the Advanced button gives finer control (inheritance, owner, auditing).

Configure Samba Share Directory Permissions

Use the screenshot below as an example of how to tune permissions for specific Samba AD DC authenticated accounts.

Manage Samba Share Directory User Permissions

6. Another way to manage share permissions is via Computer Management -> Connect to another computer, pointing it at the DC.

Navigate to Shares, right-click the share whose permissions you want to modify, choose Properties and open the Security tab. From there you can change permissions exactly as in the previous method.

Connect to Samba Share Directory Machine
Manage Samba Share Directory Properties
Assign Samba Share Directory Permissions to Users
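Windows shows the resulting permissions in the Security tab; on the DC itself the same NT ACL can be read with `samba-tool ntacl get /nas --as-sddl`. The script below, an added example that is not part of the tutorial, parses that SDDL text and lists every principal granted a write-class right (write, append, delete, change-ACL or change-owner), which is the check to run before trusting a share whose ACL was edited by hand in the dialogs above. The SDDL string in it is constructed to look like Samba's output (hex access masks; the two-letter rights codes that `samba-tool ntacl set` accepts are handled too), and the S-1-5-21-... SID is made up.

```shell
#!/bin/sh
# Audit which principals can write to a share by reading the NT ACL that Samba stores
# for the share root. Added example, not part of the tutorial. On the DC the SDDL
# text comes from:   samba-tool ntacl get /nas --as-sddl
# Here a constructed SDDL string stands in for that output so the script runs offline.

# Access-mask bits that let a principal change data, metadata, the ACL or the owner:
# FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA, FILE_WRITE_ATTRIBUTES, DELETE,
# WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
WRITE_MASK=$(( 0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000 ))

# rights_to_mask RIGHTS: numeric access mask for an SDDL rights field, which is either
# a hex literal (0x001301bf, what samba-tool prints for file ACEs) or a run of
# two-letter codes (FA, GRGX, SDWDWO ...).
rights_to_mask() {
    r=$1
    case "$r" in
        0x[0-9A-Fa-f]*) echo $(( $r )); return 0 ;;
    esac
    mask=0
    while [ -n "$r" ]; do
        code=$(printf '%s' "$r" | cut -c1-2)
        r=$(printf '%s' "$r" | cut -c3-)
        case "$code" in
            GA) mask=$(( mask | 0x10000000 )) ;;
            GX) mask=$(( mask | 0x20000000 )) ;;
            GW) mask=$(( mask | 0x40000000 )) ;;
            GR) mask=$(( mask | 0x80000000 )) ;;
            FA) mask=$(( mask | 0x001f01ff )) ;;
            FR) mask=$(( mask | 0x00120089 )) ;;
            FW) mask=$(( mask | 0x00120116 )) ;;
            FX) mask=$(( mask | 0x001200a0 )) ;;
            SD) mask=$(( mask | 0x00010000 )) ;;
            WD) mask=$(( mask | 0x00040000 )) ;;
            WO) mask=$(( mask | 0x00080000 )) ;;
            *)  ;;   # read-only or directory-object codes: no write bit
        esac
    done
    echo "$mask"
}

# write_aces SDDL: print "SID MASK" for every access-allowed ACE carrying a write-class right
write_aces() {
    dacl=${1#*D:}          # the DACL starts at "D:" (owner, group and ACE fields never contain "D:")
    dacl=${dacl%%S:*}      # drop a trailing SACL if present
    printf '%s\n' "$dacl" | tr ')' '\n' | sed -n 's/^[^(]*(//p' |
    while IFS=';' read -r atype aflags rights oguid iguid sid; do
        [ "$atype" = "A" ] || continue                 # deny and audit ACEs are not grants
        m=$(rights_to_mask "$rights")
        [ $(( m & WRITE_MASK )) -ne 0 ] || continue
        printf '%s 0x%08x\n' "$sid" "$m"
    done
}

# sid_can_write SDDL SID: exit 0 if SID (or a well-known alias such as DU) has a write-class grant
sid_can_write() {
    write_aces "$1" | awk -v s="$2" '$1 == s { ok = 1 } END { exit !ok }'
}

# Constructed sample in the form samba-tool prints for a share root: local admin and
# SYSTEM get full control, Domain Users read/execute, one user (made-up SID) gets
# Modify, and a deny ACE (using a two-letter code) that must not be reported as a grant.
SAMPLE_SDDL='O:LAG:DUD:P(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;DU)(A;OICI;0x001301bf;;;S-1-5-21-1234567890-123456789-1234567890-1105)(D;OICI;FA;;;DG)'

if [ "${1:-}" = "--demo" ]; then
    echo "Principals with write/delete/ACL-change rights:"
    write_aces "$SAMPLE_SDDL"
fi
```

To audit a real share, replace the sample with `write_aces "$(samba-tool ntacl get /nas --as-sddl)"` on the DC; two-letter SIDs such as DU or DA are Samba's shorthand for the domain's well-known groups.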

Step 3: Map the Samba File Share via GPO

7. To mount the exported Samba file share automatically through domain Group Policy, first, on a machine with the RSAT tools installed, open Active Directory Users and Computers (ADUC), right-click your domain name and choose New -> Shared Folder.

Map Samba Share Folder

8. Enter a name for the shared volume and the network path where the share is located, as illustrated in the image below. Click OK; the share should now be listed in the right pane.

Set Samba Shared Folder Name Location

9. Next, open the Group Policy Management console, expand your domain, right-click the GPO that should carry the drive mapping and choose Edit. The screenshots use Default Domain Policy; a dedicated GPO linked to the OU that contains the target users is easier to scope, test and roll back, and keeps the default policy untouched.

On the GPM Editor navigate to User Configuration -> Preferences -> Windows Settings and right click on Drive Maps and choose New -> Mapped Drive.

Map Samba Share Folder in Windows

10. In the new window, browse to the network location of the share with the button to the right of the Location field (three dots), tick the Reconnect checkbox, add a label for the share, choose a drive letter and click OK to save and apply the configuration.

Configure Network Location for Samba Share Directory

11. Finally, to apply the GPO change on the local Windows machine without a restart, open a Command Prompt and run:

gpupdate /force
Apply GPO Changes

12. After the policy has been successfully applied on your machine, open Windows Explorer and the shared network volume should be visible and accessible, depending on what permissions you’ve granted for the share on previous steps.

Other clients on the network will see the share after their users reboot or log on again, unless the policy is forced from the command line as above.

Samba Shared Network Volume on Windows

Step 4: Access the Samba Shared Volume from Linux Clients

13. Linux users on machines joined to the Samba AD domain can also access or mount the share by authenticating with a Samba domain account.

First, make sure the Samba client tools and cifs-utils are installed:

$ sudo apt-get install smbclient cifs-utils

14. To list the shares a given domain controller exports, run one of the commands below. -U% requests an anonymous (null) session; if the DC rejects it, pass a domain account with -U domain_user instead:

$ smbclient -L your_domain_controller -U%
or
$ smbclient -L adc1 -U%
List Samba Share Directory in Linux

15. To connect interactively to a Samba share from the command line with a domain account, use the following command (smbclient needs no root privileges, so sudo is unnecessary):

$ smbclient //adc/share_name -U domain_user

At the smbclient prompt you can list the share's contents, download or upload files, or perform other tasks; type ? to list all available commands.

Connect Samba Share Directory in Linux

16. To mount a Samba share on a Linux machine, run the command below. Mounting requires root, hence sudo, and you will be prompted for the domain user's password; do not pass it as a password= option, which would expose it in the process list and shell history.

$ sudo mount -t cifs //adc/share_name /mnt -o username=domain_user
Mount Samba Share Directory in Linux

Replace the host, share name, mount point and domain user accordingly. Verify the result with the mount command piped into grep, filtering on cifs.
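Mounting with username= prompts for the password at every mount and does not survive a reboot, while putting password= into /etc/fstab exposes it to every local user. The script below, an added example rather than part of the tutorial, writes a mount.cifs credentials file that only root can read, refuses to use one with looser permissions, builds the mount options and checks the outcome in /proc/mounts. The path /etc/cifs/nas.cred, the mount point /mnt/nas and the domain name TECMINT are assumptions; adc1 and nas are the tutorial's host and share.

```shell
#!/bin/sh
# Mount //adc1/nas on a domain-joined Linux client with a root-only credentials file.
# Added example; /etc/cifs/nas.cred, /mnt/nas and the TECMINT domain are assumed names.

SERVER=${SERVER:-adc1}
SHARE=${SHARE:-nas}
MOUNTPOINT=${MOUNTPOINT:-/mnt/nas}
CREDFILE=${CREDFILE:-/etc/cifs/nas.cred}
DOMAIN=${DOMAIN:-TECMINT}

# credentials_file_is_private FILE: fail unless only the owner can read FILE
credentials_file_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1    # GNU stat (Linux)
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing to use $1: mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# write_cifs_credentials FILE USER PASSWORD DOMAIN: create a mount.cifs credentials
# file with mode 0600 whatever the caller's umask is (mount.cifs reads the
# username=, password= and domain= lines from it).
write_cifs_credentials() {
    rm -f "$1"
    ( umask 077 && printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$3" "$4" > "$1" ) || return 1
    credentials_file_is_private "$1"
}

# cifs_mount_options CREDFILE: the mount option string. uid/gid decide which local
# account appears to own the files on the client; the server still enforces the
# Windows ACL set on the DC, the client does not translate it into POSIX ACLs.
cifs_mount_options() {
    printf 'credentials=%s,uid=%s,gid=%s,file_mode=0660,dir_mode=0770,_netdev,nofail' \
        "$1" "${SUDO_UID:-$(id -u)}" "${SUDO_GID:-$(id -g)}"
}

# is_cifs_mounted MOUNTPOINT [MOUNTS]: true when a cifs filesystem is mounted there
# (MOUNTS defaults to /proc/mounts; passing a file lets this be checked offline)
is_cifs_mounted() {
    awk -v mp="$1" '$2 == mp && $3 == "cifs" { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# mount_ad_share: perform the mount, refusing a credentials file that is not private
mount_ad_share() {
    credentials_file_is_private "$CREDFILE" || return 1
    mkdir -p "$MOUNTPOINT"
    mount -t cifs "//$SERVER/$SHARE" "$MOUNTPOINT" -o "$(cifs_mount_options "$CREDFILE")"
    is_cifs_mounted "$MOUNTPOINT"
}

if [ "${1:-}" = "--mount" ]; then
    if [ ! -f "$CREDFILE" ]; then
        printf 'Domain user: '; read -r user
        printf 'Password: '; stty -echo; read -r pass; stty echo; echo
        mkdir -p "$(dirname "$CREDFILE")"
        write_cifs_credentials "$CREDFILE" "$user" "$pass" "$DOMAIN" || exit 1
    fi
    mount_ad_share || exit 1
    # The same mount at boot, with no password in fstab (uid/gid of the local user):
    #   //adc1/nas  /mnt/nas  cifs  credentials=/etc/cifs/nas.cred,uid=1000,gid=1000,_netdev,nofail  0  0
fi
```

On a host that is itself joined to the domain, `sec=krb5` with a valid Kerberos ticket avoids storing the password at all; the credentials file is the fallback when Kerberos is not set up on the client.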

As a final note, shares configured on a Samba4 AD DC work only with Windows ACLs, not POSIX ACLs: the DC loads the acl_xattr VFS module by default and stores the NT ACL in an extended attribute, so the share must sit on a filesystem with extended attribute support.

To get the full range of file-serving capabilities, configure Samba as a domain member with file shares instead of serving files from the DC. Also, on an additional domain controller, configure the winbindd daemon (Step Two of the additional DC guide) before you start exporting network shares.

Matei Cezar
I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting.



24 thoughts on “Create a Shared Directory on Samba AD DC and Map to Windows/Linux Clients – Part 7”

  1. Hello! I cannot figure out how to create and map Linux users' home directories in Samba. What should I do if I need to access my Linux home folder from different computers?

    Reply
  2. This command didn't work for me:

    # chown -R root:"domain users" /nas
    

    Then I edited /etc/nsswitch.conf like this:

    passwd: compat winbind
    group: compat winbind
    hosts: files dns winbind
    

    I hope it helps someone!

    Reply
  3. Hi,

    Could anyone tell me if it is possible to apply the Windows ACLs when mounting a CIFS share on Linux (CentOS/RHEL)? I mean, can we grant access to more users/groups in addition to the uid/gid (owner of the share)? So is there any solution to bypass this issue, as long as POSIX ACLs (setfacl) are not permitted?

    PS: The current cifs-utils package has two binaries, getcifsacl and setcifsacl, but unfortunately these work with SIDs (the Windows counterpart of a uid), so has anyone ever tried or tested this?

    Could joining the AD with winbind or sssd solve this?

    Reply
  4. Sir, thank you for this guide. I've been following your guide from Part 1, and I was so amazed by it. I also managed to use the domain accounts to log in via PAM. However, I got stuck with the file share. I followed this guide exactly; I can klist and use smbclient (I am using Ubuntu 16.04 btw), but on Windows ( \\lab.mis\ ), when I go to Properties on my shared folder "\\lab.mis\LAB\", there is no Security tab. Please help, thanks.

    Reply
  5. This is great, but how can I add a Linux fileserver to the AD domain and serve its files via Samba? E.g. a separate roaming home folder server, a NAS that joins the domain and serves files on its own (not via the DC).

    Reply
  6. Perfectly, good job.

    Just only add
    mkdir /MBPOS \System

    and
    /etc/samba/smb.conf
    [MBPOS System]
    path = /MBPOS System

    Reply
  7. Nice article! I can't load the PAM module from Samba winbind. Using version 4.6.4 built from source, I linked the pam_winbind.so library into /lib/x86_64-linux-gnu/security/, but pam-auth-update found only the unix authentication profile. On the other hand, winbindd is working correctly and I can use domain ACLs in chown actions, so the shares are working well.

    Reply
  8. Like other commentators,

    # chown -R root:"domain users" /data
    

    I get a chown: invalid group:´root:domain users´

    Whereas I get this output.

    root@srv:/# wbinfo -g
    INTRANET\cert publishers
    INTRANET\ras and ias servers
    INTRANET\allowed rodc password replication group
    INTRANET\denied rodc password replication group
    INTRANET\dnsadmins
    INTRANET\enterprise read-only domain controllers
    INTRANET\domain admins
    INTRANET\domain users
    INTRANET\domain guests
    INTRANET\domain computers
    INTRANET\domain controllers
    INTRANET\schema admins
    INTRANET\enterprise admins
    INTRANET\group policy creator owners
    INTRANET\read-only domain controllers
    INTRANET\dnsupdateproxy
    

    This is because Ubuntu cannot find 'domain users' as a Unix group. Now the question is how to import or map these groups as Unix groups?

    I am also using Ubuntu – Server 16.04.2 LTS

    Reply
  9. Is it possible to manage a Directories with spaces on Samba4 AD DC to Windows Clients?

    For example: MBE System (Directory)

    Reply
  10. Hi, Nick. Although I don't have a solution for the issue, I had this problem installing the DC on a virtual machine using VirtualBox.

    I reinstalled on a physical machine and I didn’t have this problem. Everything ran perfectly.

    So I assume this is some issue related to it being on a VM.

    Unfortunately I didn’t find a solution to the exact problem.

    Reply
  11. Hi Matei,

    I am having a similar issue to Shawn, where it will not let me set up permissions to the file for domain users. When I type:

    # chown -R root:"domain users" /share
    

    I get a chown: invalid group:´root:domain users´

    The issue is that I can’t get domain users to be accepted as a group. Winbind does not seem to be working, and I can’t seem to change it since this is the primary AD DC. What steps should I take to get groups to authenticate to a share, and allow them access to it?

    Reply
  12. IMO this article shouldn’t be before the one about joining domain members. Hosting file shares and user home directories on a DC is convenient but not good practice from a network design perspective.

    The DC should specialize in controlling the domain (directory queries, authentication, serving GPOs) and not be burdened by other things. Better to create a separate Samba or Windows share server which authenticates against the DC.

    Reply
    • Did you read the final sentences from this guide? Quotes: “Configure Samba as a Domain member with file shares in order to achieve other capabilities for a network share”

      Reply
  13. Hi I wanted to firstly say thank you for this tutorial. Excellent!

    I am having problems right in the beginning with this:

    # chown -R root:"domain users" /data
    

    I get a chown: invalid group:´root:domain users´

    I cant seem to get around it?

    Reply
    • What's the output of the wbinfo command for groups? How are the groups displayed, with the domain counterpart or alone? What distribution are you using?

      Reply
      • Hi Matei,

        Running wbinfo -g shows me a list of groups including domain users. They are shown with my DOMAIN\group

        So in the case for the group looking to chown it is listed as follows: SPT\domain users.

        I am using Ubuntu 16.04.2

        Reply
  14. Linux hosts can be integrated into a samba AD DC and can fully use the authentication mechanism provided by the domain controller. But this is limited mostly on authentication only, other services or features of an AD (group policy for example) won’t apply in any way to Linux systems.

    Reply
  15. Awesome, man, I was looking forward to this article. Question: are you planning on creating an article to fully integrate Linux workstations into Active Directory, authentication and all the other AD features like group policies etc.? I know it will be very limited, but what I am totally looking for is a centralized authentication mechanism for Windows and Linux.

    Reply
