Linux – Cannot create new users in Active Directory (Using Samba4 as DC and AD)

active-directory domain-controller linux samba4 windows

I set up Samba version 4.1.17-Ubuntu as a domain controller and Active Directory server, and everything seemed to go smoothly, but when I try to use the administrator account on a Windows 10 PC that is a domain member to create a new user in the AD using the Windows Active Directory Users and Computers management tool, I get this error:

An error occurred, contact your system administrator

(I get the same problem when trying to copy a user as well.)

But when I use samba-tool to create a user, it works perfectly.

Here is my smb.conf file:

[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.LOCAL
        netbios name = LINUXSERVER
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/example.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Users]
        # permissions applied to directories created through this share
        directory mode = 0700
        read only = no
        path = /Users
        csc policy = documents

Another related problem: I am going to mention this problem too, because it may help find the cause of the previous one.
When I try to change the password of any user using the same Windows tool, I get an error saying that my computer and my user have to have delegate permissions.

And there might be something else that doesn't work, but so far that is all I have found.

So what I want is to get that Windows tool working correctly somehow.

What I tried:

  • I tried to delete the profile of the administrator account.
  • I tried to create a new test account with administrator permissions
    using samba-tool and tried to create users from that account, with no
    success.
  • I tried to give the administrator user delegate permissions by right
    clicking on the domain name and then Delegate Control, but also
    with no success for either error.
  • I tried with and without the last block [Users] (I actually don't
    understand what it does exactly).
  • Leaving and rejoining the domain.

None of those worked; I would appreciate any help.

Best Answer

OK, that was a bug; the problem was solved when I installed Samba 4.3.5 (I built it from source). Now everything works like a charm!

Thanks a lot to Grawity for guiding me to this solution.

Upgrade to Samba 4.3.

The problem is related to a buggy and/or incomplete implementation of the "Backup Key" sub-protocol that older Samba versions have. You'll probably notice that Credential Manager was also unusable for the same reason.

Alternatively, use an older OS to manage the directory – e.g. Server 2003 can create user accounts without any problems, since it doesn't use the "Backup Key" protocol for anything yet. (I am not sure about Server 2008.)

Unfortunately, 4.3 is not yet packaged for Ubuntu – still pending in Debian's "unstable" too – however, it's actually easy to build Samba from source code.

As for the [Users] block, it simply defines a shared folder.

In smb.conf, every section except [global] corresponds to a share definition – "netlogon" and "sysvol" are special AD shares, and "Users" is probably a custom one.
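The two facts that matter operationally from this thread are the version threshold (Samba 4.3 or later for ADUC user creation and password changes to work) and the fallback that the asker already had working (samba-tool on the DC). The script below is an added example, not code from the original post or from the Samba project: it parses the `Version x.y.z-suffix` line that `samba --version` prints, decides whether the DC predates 4.3, and if so prints the equivalent samba-tool commands. The helper names and the decision to treat 4.3.0 as the minimum are assumptions taken from the accepted answer; the version strings used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the installed
# Samba DC predates the 4.3 fix discussed above and fall back to samba-tool.

# Parse a `samba --version` line such as "Version 4.1.17-Ubuntu" into
# "major minor patch". Any distro suffix after the patch number is dropped.
samba_version_triplet() {
    # $1: raw output of `samba --version`
    printf '%s\n' "$1" |
        sed -n 's/^Version \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Return 0 (true) if the version is >= 4.3.0, the first release the accepted
# answer reports as working with ADUC user creation; 1 if older; 2 if the
# string could not be parsed at all.
samba_has_backupkey_fix() {
    set -- $(samba_version_triplet "$1")
    [ -n "$1" ] || return 2
    [ "$1" -gt 4 ] && return 0
    [ "$1" -eq 4 ] && [ "$2" -ge 3 ]
}

# Only probe a real installation when one is present; the functions above
# are usable on their own (e.g. against a version string copied from a DC).
if command -v samba >/dev/null 2>&1; then
    ver="$(samba --version 2>/dev/null)"
    if samba_has_backupkey_fix "$ver"; then
        echo "$ver: ADUC user creation should work against this DC."
    else
        echo "$ver predates 4.3; create and reset users with samba-tool on the DC, e.g.:"
        echo "  samba-tool user create jdoe --given-name=Jane --surname=Doe --random-password"
        echo "  samba-tool user setpassword jdoe"
    fi
fi
```

Run it on the DC itself; on a 4.1.x box it prints the samba-tool fallback, which is exactly the path the asker found to work before rebuilding 4.3.5 from source.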
