Create a Shared Directory on Samba AD DC and Map to Windows/Linux Clients – Part 7

This tutorial will guide you on how to create a shared directory on Samba AD DC system, map this Shared Volume to Windows clients integrated into the domain via GPO and manage share permissions from Windows domain controller perspective.

It will also cover how to access and mount the file share from a Linux machine enrolled into domain using a Samba4 domain account.


  1. Create an Active Directory Infrastructure with Samba4 on Ubuntu

Step 1: Create Samba File Share

1. The process of creating a share on Samba AD DC is a very simple task. First create a directory you want to share via SMB protocol and add the below permissions on the filesystem in order to allow a Windows AD DC admin acount to modify the share permissions accordingly to what permissions Windows clients should see.

Assuming that the new file share on the AD DC would be the /nas directory, run the below commands to assign the correct permissions.

# mkdir /nas
# chmod -R 775 /nas
# chown -R root:"domain users" /nas
# ls -alh | grep nas
Create Samba Shared Directory

Create Samba Shared Directory

2. After you’ve created the directory that will be exported as a share from Samba4 AD DC, you need to add the following statements to samba configuration file in order to make the share available via SMB protocol.

# nano /etc/samba/smb.conf

Go to the bottom of the file and add the following lines:

	path = /nas
	read only = no
Configure Samba Shared Directory

Configure Samba Shared Directory

3. The last thing you need to do is to restart Samba AD DC daemon in order to apply the changes by issuing the below command:

# systemctl restart samba-ad-dc.service

Step 2: Manage Samba Share Permissions

4. Since we’re accessing this shared volume from Windows, using domain accounts (users and groups) that are created on Samba AD DC (the share is not meant to be accessed by Linux system users).

The process of managing permissions can be done directly from Windows Explorer, in the same way permissions are managed for any folder in Windows Explorer.

First, log on to Windows machine with a Samba4 AD account with administrative privileges on the domain. In order to access the share from Windows and set the permissions, type the IP address or host name or FQDN of the Samba AD DC machine in Windows Explorer path field, preceded by two back slashes, and the share should be visible.

Access Samba Share Directory from Windows

Access Samba Share Directory from Windows

5. To modify permissions just right click on the share and choose Properties. Navigate to Security tab and proceed with altering domain users and group permissions accordingly. Use Advanced button in order to fine tune permissions.

Configure Samba Share Directory Permissions

Configure Samba Share Directory Permissions

Use the below screenshot as an excerpt on how to tune permissions for specific Samba AD DC authenticated accounts.

Manage Samba Share Directory User Permissions

Manage Samba Share Directory User Permissions

6. Other method you can use to manage the share permissions is from Computer Management -> Connect to another computer.

Navigate to Shares, right click on the share you want to modify permissions, choose Properties and move to Security tab. From here you can alter permissions in any way you want just as presented in the previous method using file share permissions.

Connect to Samba Share Directory Machine

Connect to Samba Share Directory Machine

Manage Samba Share Directory Properties

Manage Samba Share Directory Properties

Assign Samba Share Directory Permissions to Users

Assign Samba Share Directory Permissions to Users

Step 3: Map the Samba File Share via GPO

7. To automatically mount the exported samba file share via domain Group Policy, first on a machine with RSAT tools installed, open AD UC utility, right click on your domain name and, then, choose New -> Shared Folder.

Map Samba Share Folder

Map Samba Share Folder

8. Add a name for the shared volume and enter the network path where your share is located as illustrated on the below image. Hit OK when you’ve finished and the share should now be visible on the right plane.

Set Samba Shared Folder Name Location

Set Samba Shared Folder Name Location

9. Next, open Group Policy Management console, expand to your domain Default Domain Policy script and open the file for editing.

On the GPM Editor navigate to User Configuration -> Preferences -> Windows Settings and right click on Drive Maps and choose New -> Mapped Drive.

Map Samba Share Folder in Windows

Map Samba Share Folder in Windows

10. On the new window search and add the network location for the share by pressing the right button with three dots, check Reconnect checkbox, add a label for this share, choose the letter for this drive and hit OK button to save and apply configuration.

Configure Network Location for Samba Share Directory

Configure Network Location for Samba Share Directory

11. Finally, in order to force and apply GPO changes on your local machine without a system restart, open a Command Prompt and run the following command.

gpupdate /force
Apply GPO Changes

Apply GPO Changes

12. After the policy has been successfully applied on your machine, open Windows Explorer and the shared network volume should be visible and accessible, depending on what permissions you’ve granted for the share on previous steps.

The share will be visible for other clients on your network after they reboot or re-login onto their systems if the group policy will not forced from command line.

Samba Shared Network Volume on Windows

Samba Shared Network Volume on Windows

Step 4: Access the Samba Shared Volume from Linux Clients

13. Linux users from machines that are enrolled into Samba AD DC can also access or mount the share locally by authenticating into the system with a Samba account.

First, they need to assure that the following samba clients and utilities are installed on their systems by issuing the below command.

$ sudo apt-get install smbclient cifs-utils

14. In order to list the exported shares your domain provides for a specific domain controller machine use the below command:

$ smbclient –L your_domain_controller –U%
$ smbclient –L \adc1 –U%
List Samba Share Directory in Linux

List Samba Share Directory in Linux

15. To interactively connect to a samba share from command line with a domain account use the following command:

$ sudo smbclient //adc/share_name -U domain_user

On command line you can list the content of the share, download or upload files to the share or perform other tasks. Use ? to list all available smbclient commands.

Connect Samba Share Directory in Linux

Connect Samba Share Directory in Linux

16. To mount a samba share on a Linux machine use the below command.

$ sudo mount //adc/share_name /mnt -o username=domain_user
Mount Samba Share Directory in Linux

Mount Samba Share Directory in Linux

Replace the host, share name, mount point and domain user accordingly. Use mount command piped with grep to filter only by cifs expression.

As some final conclusions, shares configured on a Samba4 AD DC will work only with Windows access control lists (ACL), not POSIX ACLs.

Configure Samba as a Domain member with file shares in order to achieve other capabilities for a network share. Also, on an Additional Domain Controller configure Windbindd daemonStep Two – before you start exporting network shares.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

Matei Cezar

I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide
The Complete Linux System Administrator Bundle
Become an Ethical Hacker Bonus Bundle

You may also like...

24 Responses

  1. Sergey says:

    Hello! I cannot figure out, how to create and map Linux users home directories in samba, what should I do if I need to access my Linux home folder from different computers?

  2. Fausto says:

    This command didn’t work to me:

    # chown -R root:"domain users" /nas

    Then I edited /etc/nsswitch.conf like this:

    passwd: compat winbind
    group: compat winbind
    hosts: files dns winbind

    I hop1e it helps someone!

  3. latif says:


    Could any one tell me if it is possible to apply the windows acl’s when mounting a cifs share to Linux (centos/rhel), mean we can grant access to more users/groups in addition to uid/gid (owner of the share), so there is any solution to bypass this issue as long as the posix acl (setfacl) are not permitted.

    ps: The current cifs-utils package has two binaries, getcifsacl and setcifsacl but unfortunately this work with SID’s (alternative of uid in windows) , so any one have ever tried or test this ?

    joining the AD with winbind or sssd could solve this ?

  4. Kai says:

    Thanks for this guide, very clear and easy to follow.

  5. Andrew Third says:

    Sir, thank you for this guide. I’ve been following your guide from Part 1. And I was so amazed by it, I manage also to use the domain accounts to login like PAM. however, I got stuck with file share I followed exactly from this guide, I can klist, and use smbclient (I am using Ubuntu 16.04 btw); but on windows ( \\lab.mis\ ), when I go to Properties on my shared folder “\\lab.mis\LAB\” , there was no Security TAB. please help.. thanks

  6. Matei Cezar says:

    Use this guide to add a now machine into the AD Then, create shares as explained here.

  7. Robert Moggach says:

    This is great but how can I add a Linux fileserver to the AD domain and serve it’s files via samba? Eg. a separate roaming home folder server, a NAS that joins the domain and serves files on it’s own (not via the dc)

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.