Samba file shares to ADS users

This came about after a purchasing mistake discussed in my blog. I got some guidance from this article (primarily aimed at Gentoo, but I was able to convert the small amount I needed) entitled How To Integrate Samba (File Sharing) Using Active Directory For Authentication. The rest I referenced from my memory and my book Linux in a Windows World.

Samba is fully documented on the samba site. Most FAQs and situations are covered in-depth in the samba HowTos.

To summarize (or, my quick guide to samba shares): samba shares are surprisingly easy to add. First, edit your smb.conf:

/etc/samba/smb.conf

Then, to add a share named "myshare1" that everybody has access to, using the directory /home/myshare1, you only need to add this to the end of the file:

[myshare1]
   path = /home/myshare1

And you are done. It's nice to add a comment:

[myshare1]
   path = /home/myshare1
   comment = My first share

So we now have this:

[myshare1]
   available = yes
   path = /home/myshare1
   comment = My first share
   browseable = yes
   writeable = yes

So now I have a share that all users can read and write to. But I only want it for staff, no students allowed, so now I need to control access.

Remembering to add in the AD stuff (this confused me at first), you just add a line like the one below:

[myshare1]
   available = yes
   path = /home/myshare1
   comment = My first share
   browseable = yes
   writeable = yes
   valid users = @DOMAIN+staff

Now only staff can look at and change these files.

But what about a share that staff can add files to and change, but students can only look at? Just add the read list option. Note that the students have to be in the valid users list as well:

[myshare1]
   available = yes
   path = /home/myshare1
   comment = My first share
   browseable = yes
   writeable = yes
   valid users = @DOMAIN+staff @DOMAIN+students
   read list = @DOMAIN+students

Homes

There is a share called homes. This is a default which allows users to access their home directory (which they can copy files to, similar to using FTP for web site files). If you don't want this, then just put in the "available = no" setting and it won't bother you. The same goes for all the other default shares. If you want to use this with the domain users, then the share has to look something like this:

[homes]
   available = yes
   inherit acls = Yes
   comment = Home Directories
   browseable = no
   writeable = yes
   valid users = @DOMAIN+staff @DOMAIN+students

A few notes on how this is different from normal shares:

Server name

Lastly, you may wish to change the name that your users see. "Samba 3.0.20b-3.4-SUSE (ServerName)" isn't pretty and in most cases it may confuse people. To solve this you can change the "server string" option.

You can also add a comment or description using the "comment" option. Both of these can be added to the "general" section of your smb.conf file. Example below:

server string = rockhopper
comment = file server

The NAS bit

The reason I looked into this was a NAS box not doing ADS authentication. It had good authentication etc., but couldn't use my ADS user names and passwords.

My solution was:

Easier said than done...

First I had to get the server to mount the NAS box on boot. This was done by adding the following to /etc/fstab:

//nas01/share  /mnt/nas01     smbfs   username=nasuser,password=naspassword,rw,_netdev,auto 0 0

Then I had to share the box, but with those mount settings only root has access to the file system (and for some reason I couldn't get other users access properly). For this I just add the last two lines to the samba configuration of the share so that write access actually works:

[myshare1]
   available = yes
   path = /mnt/nas01/myshare1
   comment = My first share
   browseable = yes
   writeable = yes
   valid users = @DOMAIN+staff @DOMAIN+students
   read list = @DOMAIN+students
   force user = root
   force group = root

This is not needed if you are sharing a normal share; it is only for my unusual situation.
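As an added example that is not part of the original post, here is a small Python checker for share sections written the way this page writes them: it parses the [share] blocks, works out whether a domain user (with winbind-style groups such as DOMAIN+staff) ends up with no access, read-only or read/write access under the valid users / read list / write list rules, and flags the force user = root setting used for the NAS share. The config text is constructed from the shares above, and the access logic is a simplified model of Samba's rules, not Samba's own code.

```python
# Constructed smb.conf fragment with the NAS share and the homes share from above.
SMB_CONF = """
[myshare1]
   available = yes
   writeable = yes
   valid users = @DOMAIN+staff @DOMAIN+students
   read list = @DOMAIN+students
   force user = root
[homes]
   writeable = yes
   valid users = @DOMAIN+staff @DOMAIN+students
"""

def parse_shares(text):
    """Parse [share] headers and key = value lines into {share: {option: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            shares[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            shares[current][key.lower()] = value
    return shares

def _in_list(entries, user, groups):
    # "@name" entries are groups (here winbind's DOMAIN+group form); bare entries are users
    return any(e[1:] in groups if e.startswith("@") else e == user for e in entries.split())

def effective_access(share, user, groups):
    """Return 'none', 'read' or 'write' for the user, following the share's list options."""
    if share.get("available", "yes").lower() == "no":
        return "none"
    valid = share.get("valid users", "")
    if valid and not _in_list(valid, user, groups):  # an empty valid users means everyone
        return "none"
    if _in_list(share.get("write list", ""), user, groups):
        return "write"  # write list wins even when the user is also in read list
    if _in_list(share.get("read list", ""), user, groups):
        return "read"
    return "write" if share.get("writeable", "no").lower() == "yes" else "read"

def audit(share):
    """Flag settings worth a second look before exposing the share to the domain."""
    findings = []
    if share.get("force user", "").lower() == "root":
        findings.append("force user = root: every connecting user acts as root on the path")
    if not share.get("valid users") and share.get("writeable", "no").lower() == "yes":
        findings.append("writeable with no valid users: any authenticated user can write")
    return findings
```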