Windows Domain Membership - Share folder to select AD group

I’m just trying to share a folder on our SLES11SP2 server to a select AD group.

  1. Run “Windows Domain Membership”, enter our domain. Check “Also Use SMB Information for Linux Authentication” and “Allow Users to Share Their Directories”.
    No problems, used a domain admin and successfully joined our AD domain, reboot SLES11SP2.

  2. Create a new Linux user “testing1” and we have a group in AD “Testing - Samba1” with users.

  3. Issue this command to map these 2 groups:
    net groupmap add ntgroup="Testing - Samba1" unixgroup=testing1 type=d

  4. This command shows the new mapping:
    net groupmap list

  5. Create a folder “share-test1” on SLES and owner is “root”, group is “testing1” and others is “none”.
    Right-click for properties of this folder, go to Share tab and select “Share this folder”.

  6. Folder is visible from a Windows workstation but I cannot get access. If I change that folder’s permission to have “Others” assigned some rights, then I can access the folder. But this means any AD authenticated user could access the share.

Can someone please tell me what I’m missing or point me in the right direction?


Solved using information at this URL:

It turns out that there was no need to map a unix group to an AD group.

These settings in /etc/samba/smb.conf worked for us:

[global]
passdb backend = tdbsam
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
winbind refresh tickets = yes
usershare max shares = 100
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
allow trusted domains = no
log file = /var/log/samba/samba.log
log level = 2

comment = ShareTestComment
path = /sharing/sharetest1
valid users = @ad-test-group1

Removed this “force group” entry as it wasn’t working for us.

force group = ad-test-group1

writable = yes
read only = no
force create mode = 0660
create mask = 0777
directory mask = 0777
force directory mode = 0770
access based share enum = yes
hide unreadable = yes

In /etc/nsswitch.conf set these two entries:

passwd: compat winbind
group: compat winbind
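As an added example (not code from the original poster or from the Samba project), a small Python audit of an smb.conf in the shape posted above: it flags shares that allow guests or lack "valid users" (the situation in the question, where access ended up depending on the folder's "Others" bits) and masks that permit world-writable files. The sample config is constructed; its section headers and the second share are placeholders.

```python
import configparser
from typing import Dict, List

# Constructed sample modelled on the fragment in the post; the section
# headers and the second share are placeholders added for this example.
SAMPLE_SMB_CONF = r"""
[global]
security = ADS
map to guest = Bad User
usershare allow guests = No
logon path = \\%L\profiles\.msprofile

[sharetest1]
comment = ShareTestComment
path = /sharing/sharetest1
valid users = @ad-test-group1
create mask = 0777
force create mode = 0660

[dropbox]
path = /srv/dropbox
guest ok = yes
"""

def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")

def parse_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf values carry %-macros (%L, %U, %D), so interpolation must be
    # off; smbd matches parameter names ignoring case and whitespace.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.optionxform = lambda key: "".join(key.split()).lower()
    cp.read_string(text)
    return cp

def audit_shares(cp: configparser.ConfigParser) -> Dict[str, List[str]]:
    """Return, per share, the access-control findings a reviewer would raise."""
    findings: Dict[str, List[str]] = {}
    glob = cp["global"] if cp.has_section("global") else {}
    guest_fallback = glob.get("maptoguest", "never").lower() != "never"
    for share in cp.sections():
        if share in ("global", "homes", "printers"):
            continue
        sec, issues = cp[share], []
        if _yes(sec.get("guestok", sec.get("public", "no"))):
            issues.append("guest ok = yes: no AD account needed"
                          + (" (map to guest turns bad logins into guest)" if guest_fallback else ""))
        elif not sec.get("validusers"):
            issues.append("no 'valid users': every authenticated domain user may connect")
        if int(sec.get("createmask", "0744"), 8) & 0o002:
            issues.append("create mask permits world-writable files")
        if issues:
            findings[share] = issues
    return findings
```

Run it against a real /etc/samba/smb.conf by reading the file into parse_smb_conf; a share restricted with "valid users = @group" and a default mask produces no findings.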