# Samba Server with AD Domain Server



## CoryG (Jun 18, 2021)

Hi, I followed this tutorial and was actually able to get pretty far in making a samba server on FreeBSD with AD as the authentication backend, but I'm running into an issue and don't know where to begin in tracing it out.  The user auth looks good, and it appears to retrieve the groups from the AD server, but for some reason it just thinks every user is a member of Domain Users (incidentally, file and samba permissions involving the Domain Users group work fine,) and doesn't pick up on other groups - even Domain Admins is brought in empty - but all the others - e.g. Accounting, Sales, etc are pulled in just fine aside from being member-less.  Any thoughts on how to resolve this or what information would be needed to resolve it?  I have some of the more obvious files below:

/etc/nsswitch.conf

```
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD$
#
group: files winbind
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
```

/usr/local/etc/smb4.conf (very wrong for individual share configs, but that's not the thing blocking it at the moment)

```
[global]
workgroup = DOMAIN
server string = SERVER.DOMAIN.local
security = ads
realm = DOMAIN.local
domain master = no
local master = no
preferred master = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
hosts allow = 10.1.1.
interfaces = eth0
use sendfile = true

idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-99999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/false

client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba4/log.%m
max log size = 500

#obey pam restrictions = yes
root preexec = /usr/local/sbin/mksambauserdir.sh %U

[%U]
comment = User Home
path = /srv/users/%U
browseable = yes
writeable = yes
directory mask = 2770
create mask = 2770
acl allow execute always = true
write cache size = 131072
invalid users = "DOMAIN\domain computers"

[%U shared]
comment = User Home
path = /srv/users_shared/%U
browseable = yes
writeable = yes
directory mask = 2770
create mask = 2770
acl allow execute always = true
write cache size = 131072

[User Shared Folders]
comment = User Shared Folders
path = /srv/users_shared
browseable = yes
public = yes
writeable = no
read list = "Domain Users"
directory mask = 0770
create mask = 0770

[Accounting]
comment = Accounting
path = /srv/departments/accounting
public = yes
writeable = yes
directory mask = 0770
create mask = 0770
read only = no

[Sales]
comment = Sales
path = /srv/departments/sales
public = no
writeable = yes
write list = @accounting
directory mask = 0770
create mask = 0770
```

Please let me know if other info is needed to get an idea of what's going on with it.


----------



## CoryG (Jun 19, 2021)

It seems to work if I set the directory permissions to `777` - and the samba server filters permissions correctly.  This doesn't seem ideal though, as domain users get replicated by samba server and could feasibly log in to the nfs server directly to bypass all the permissioning rules.  Any thoughts on how to make it pull group memberships in correctly instead of just leaving it at `domain users`?


----------

