How to secure samba share access using 'valid users' parameters along with local samba groups with security=ads.

Solution Verified - Updated -


  • Red Hat Enterprise Linux 5/6/7
  • samba
  • winbind


  • How do I secure samba share access using 'valid users' paramters along with local samba groups when system is joined to AD and winbind is used ?


Solution 1:

1] Add a local group(non UNIX) in samba database The group gid will be allocated out of the winbind range.

# net sam createlocalgroup <local_group_name>


# net sam createlocalgroup tgroup

2] Add a member to a local group. The group can be specified only by name, the member can be specified by name or SID.

Note: If required add AD users as well as local users in this group.

# net sam addmem <local_group_name> <ad_user_name>


# net sam addmem tgroup  EXAMPLE\\aduser

3] Change group of the shared path to local group as below.

# chgrp -R "<local_group_name>" /<share>


# chgrp -R "RHEL6\\tgroup" /share

4] Run following command to list group members.

# net sam listmem <local_group_name>


# net sam listmem tgroup

5] Add the local group in file smb.conf as below.

valid users = +tgroup

Note: Restart of samba service is required after above change.

Solution 2:

Another workaround would be to mention an AD group directly in "valid users":

valid users = +"DOMAIN\adgroup"

Diagnostic Steps

1] Have a look at following test:

[root@rhel6 ~]# getent passwd -s 'winbind' aduser  

[root@rhel6 ~]# net sam createlocalgroup localgroup  
Created local group localgroup with RID 1001 <---------------------  

[root@rhel6 ~]# net sam addmem localgroup EXAMPLE\\aduser  
Added EXAMPLE\aduser to RHEL6\localgroup <---------------------  

[root@rhel6 ~]# id aduser  
uid=1001109(EXAMPLE\aduser) gid=1000513(EXAMPLE\domain users) groups=1000513(EXAMPLE\domain users),3001000(RHEL6\localgroup),2000001(BUILTIN\users)  

[root@rhel6 ~]# groups EXAMPLE\\aduser  
EXAMPLE\aduser :EXAMPLE\domain users RHEL6\localgroup BUILTIN\users <------------------  

2] Samba configuration looks like:

[root@rhel6 ]# cat /etc/samba/smb.conf  
workgroup = EXAMPLE

security = ADS  
winbind enum users = Yes  
winbind enum groups = Yes  
winbind use default domain = No  
idmap config * : backend = autorid  
idmap config * : range = 1000000-19999999  
idmap config * : rangesize = 1000000  
template shell = /bin/bash  
winbind use default domain = yes  

comment = Test Share  
path = /share  
read only = no  
public = yes  
valid users = +localgroup  <----

3] I tried to access the share and it was successful .

# smbclient //`hostname`/share -U EXAMPLE\\aduser%testing123
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.6.23-24.el6_7]  
smb: \> ls  
. D 0 Fri Mar 25 03:23:34 2016  
.. DR 0 Fri Mar 25 03:23:12 2016  
a.txt 0 Fri Mar 25 03:23:34 2016  

34300 blocks of size 262144. 27613 blocks available  
smb: \>  

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.


needs to be updated to reflect modern rhel7 + rhel8

also, you have garbage like winbind use default domain = no and then winbind use default domain = yes in the same smb.conf file.

Subject/Title of this article has "parameters" misspelled.

Hello Jay,

Thank you for reporting this, I've corrected it and re-published the article.

  • Akshay S | Red Hat