
I set up Samba version 4.1.17-Ubuntu as a domain controller and Active Directory, and everything seemed to go smoothly, but when I try to use the administrator account on a Windows 10 PC domain member to create a new user in the AD using the Windows Active Directory Users and Computers management tool, I get this error:

An error occurred, contact your system administrator

(I get the same problem when trying to copy the user as well).

But when I use samba-tool to create a user, it works perfectly.

Here is my smb.conf file:

[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.LOCAL
        netbios name = LINUXSERVER
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/example.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Users]
        # the posted line read "directory_mode: parameter = 0700", which is not a
        # Samba option and is silently ignored; the real parameter is "directory mode"
        directory mode = 0700
        read only = no
        path = /Users
        csc policy = documents

Another related problem: I am going to mention this problem too, because it may help in finding the cause of the previous problem. When I try to change the password of any user using the same Windows tools, I get an error saying that my computer and my user have to have delegate permissions.

And there might be something else that doesn't work, but at least so far that is all I have found.

So what I want is to get that Windows tool working correctly somehow.

What I tried:

  • I tried to delete the profile of the administrator account.
  • I tried to create a new test account with administrator permissions using samba-tool and tried to create users from that account, with no success.
  • I tried to give the administrator user delegate permissions by right-clicking on the domain name and then "Delegate Control", but also with no success for both errors.
  • I tried with and without the last block, [Users] (I actually don't understand what it does exactly).
  • Leaving and rejoining the domain.

All of those were without success; I appreciate any help from you.

Mohammed Noureldin
    Active Directory is a specific brand of LDAP with extensions and additional features. Samba is _not_ active directory. Samba can be a domain controller and _ldap_ directory, but it's not quite the same thing as Active Directory. – Joel Coel Feb 23 '16 at 21:30
  • That is not completely true, Samba 4 has really the ability to be an almost full Active directory on windows server alternative. – Mohammed Noureldin Feb 23 '16 at 22:00
  • Yes, it can do _almost_ all of the same things... but it has differences, too. It's similar, but it's not Active Directory. Don't be surprised the branded AD tool doesn't work like you'd want. – Joel Coel Feb 23 '16 at 22:03
  • All the people who use Samba say that it can really be dependable active directory alternative. – Mohammed Noureldin Feb 23 '16 at 22:18
  • Oh, it can. But an alternative isn't necessarily a 100% drop-in replacement. It has some of its own ways of accomplishing the same things, just doesn't do a few things that Active Directory does, and will do a few things that Active Directory won't. It's like saying an Android phone can replace an iPhone. – Joel Coel Feb 23 '16 at 22:20
  • Could you please mention some of the features which I cannot use in Samba? (I think really that Android can replace iPhone :D) – Mohammed Noureldin Feb 23 '16 at 22:23
  • And Samba can replace Active Directory... but there are differences. It's not so much about able to not able, or has the feature or not, but about how you go about setting things up, and what tools you need. – Joel Coel Feb 23 '16 at 22:57
  • If you want Active Directory you need to use Active Directory. Any directory can replace AD as long as you don't need anything specific to AD. Case in point is your question. – Jim B Feb 24 '16 at 00:14

1 Answer

OK, that was a bug; the problem was solved when I installed Samba 4.3.5 (I rebuilt it from the source code). And now everything works like a charm!

Thanks a lot to Grawity for guiding me to this solution.

Upgrade to Samba 4.3.

The problem is related to a buggy and/or incomplete implementation of the "Backup Key" sub-protocol that older Samba versions have. You'll probably notice that Credential Manager was also unusable for the same reason.

Alternatively, use an older OS to manage the directory – e.g. Server 2003 can create user accounts without any problems, since it doesn't use the "Backup Key" protocol for anything yet. (I am not sure about Server 2008.)

Unfortunately, 4.3 is not yet packaged for Ubuntu – still pending in Debian's "unstable" too – however, it's actually easy to build Samba from source code.

As for the [Users] block, it simply defines a shared folder.

In smb.conf, every section except [global] corresponds to a share definition – "netlogon" and "sysvol" are special AD shares, and "Users" is probably a custom one.

Mohammed Noureldin
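As an added check that is not part of the original question or answer: a POSIX shell script that parses `samba -V` output, compares the version numerically against 4.3.0 (the release the answer names as carrying the Backup Key fix) rather than lexically, so that 4.10 correctly sorts after 4.3, and prints the samba-tool workaround the asker found working when the DC is too old. The 4.3.0 threshold, the fallback `samba -V` line and the example user name are assumptions taken from this thread, not from Samba's own tooling.

```shell
#!/bin/sh
# Added example (not from the original post or from the Samba project):
# decide from `samba -V` output whether this DC predates the Samba 4.3
# "Backup Key" (BKRP) fix the answer points at, and show the samba-tool
# workaround the asker reported working.

# Extract "major.minor[.patch]" from a `samba -V` line such as
# "Version 4.1.17-Ubuntu" or "Version 4.3.5"; any distro suffix is dropped.
# Prints nothing when the line does not look like `samba -V` output.
samba_version_triplet() {
    printf '%s\n' "$1" | sed -n 's/^Version[[:space:]]*\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# Returns 0 (true) when version A >= version B, comparing the three fields
# numerically; a missing patch field counts as 0.
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        ai=$(printf '%s' "$a" | cut -d. -f"$i")
        bi=$(printf '%s' "$b" | cut -d. -f"$i")
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# 0 when the DC runs at least 4.3.0 (assumed threshold from the answer),
# 1 when it is older, 2 when the input could not be parsed.
bkrp_fixed() {
    v=$(samba_version_triplet "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "4.3.0"
}

main() {
    if command -v samba >/dev/null 2>&1; then
        out=$(samba -V 2>/dev/null | head -n 1)
    else
        # constructed sample matching the version reported in the question
        out="Version 4.1.17-Ubuntu"
    fi
    ver=$(samba_version_triplet "$out")
    if bkrp_fixed "$out"; then
        echo "Samba $ver: at or above 4.3, the Backup Key fix should be present."
    elif [ -n "$ver" ]; then
        echo "Samba $ver is older than 4.3: upgrade the DC, or create users with samba-tool:"
        echo "  samba-tool user create jdoe --given-name=John --surname=Doe"
    else
        echo "could not parse samba -V output: $out"
    fi
}

main
```

Run it on the DC itself; on a box without Samba it falls back to the constructed 4.1.17 sample so the output can be seen offline. Whichever way the version check comes out, `testparm -s` is worth running against the posted smb.conf as well, since it reports every section after [global] as a share and flags unknown parameters such as the original `directory_mode: parameter` line.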