[Samba] Unable to set up home share correctly

Udo Willke udo.willke at freenet.de
Thu Oct 13 08:33:20 UTC 2016

Hi everyone,

after some struggling I have finally set up a Samba AD DC and a file 
server more or less successfully. Unfortunately I am failing at one of 
the last steps: the configuration of the home share, where I can't set 
the permissions correctly which, as a consequence, seems to prevent the 
creation of the users' folders on the home share.

I am using the standard Samba packages on Ubuntu 16.04 LTS 
("2:4.3.11+dfsg-0ubuntu0.16.04") and opted for winbind and the AD 
backend for id mapping of the domain users. My smb.conf of the member 
server looks like this:

[global]
      netbios name = FILESERVER
      security = ADS
      workgroup = MYDOMAIN
      realm = MYDOMAIN.LAN

      log level = 5
      log file = /var/log/samba/%m.log

      password server =

      interfaces = lo br0
      bind interfaces only = yes

      dedicated keytab file = /etc/krb5.keytab
      kerberos method = secrets and keytab

      winbind nss info = rfc2307
      winbind trusted domains only = no
      winbind use default domain = no
      winbind enum users  = yes
      winbind enum groups = yes
      winbind refresh tickets = Yes
      winbind cache time = 60

      ;; Default idmap config used for BUILTIN and local accounts/groups
      idmap config * : backend = tdb
      idmap config * : range = 100000-4294967295

      ;; idmap config for domain MYDOMAIN
      idmap config MYDOMAIN : backend = ad
      idmap config MYDOMAIN : schema_mode = rfc2307
      idmap config MYDOMAIN : range = 10000-99999

      vfs objects = acl_xattr
      map acl inherit = yes
      store dos attributes = yes

      load printers = no
      printing = bsd
      printcap name = /dev/null
      disable spoolss = yes

      template homedir = /var/share/samba/homes/%U

[home]
      path = /var/share/samba/homes
      guest ok = no
      read only = no
      browseable = yes

[profiles]
      path = /var/share/samba/profiles
      read only = no
      store dos attributes = yes
      create mask = 0600
      directory mask = 0700
      guest ok = no
      profile acls = yes
      csc policy = disable

"interfaces" and "bind interfaces only = yes" are needed because the 
server is dual-homed. By setting the tdb id range to 100000-4294967295, 
I hoped to get the Windows system accounts mapped.

winbind seems to work ok. "getent passwd" and "getent group" show the AD 
users with the uidNumber and gidNumber attributes set in AD in the 
right range. Example:

root@fileserver:/var/share/samba# id MYDOMAIN\\Administrator
uid=10000(MYDOMAIN\administrator) gid=10000(MYDOMAIN\domain admins) 
groups=10000(MYDOMAIN\domain admins),10004(MYDOMAIN\enterprise 
admins),10003(MYDOMAIN\schema admins),10001(MYDOMAIN\domain 

After adding the [home] section to smb.conf I create the directory as 
described in the Samba wiki.

root@fileserver:/var/share/samba# mkdir homes
root@fileserver:/var/share/samba# chgrp MYDOMAIN\\Domain\ Admins homes/
root@fileserver:/var/share/samba# chmod g=rwx homes/
root@fileserver:/var/share/samba# ls -ld homes/
drwxrwxr-x 2 root MYDOMAIN\domain admins 4096 Oct 12 16:05 homes/

Then I continue with the RSAT Tools (German Language Version) on Windows 
7 where I log in as "MYDOMAIN\Administrator" and use the "Computer 
Management" Console to configure the home share.

Here I face two problems on the "Security" tab:

1) When I add the Administrator user, the account is shown as "locked" 
(red dot with cross) but I can set "Full Control"

2) When I add the Creator Owner (in my case, I have to look for 
ERSTELLER-BESITZER) I can check "Full Control", but when I click "Apply" 
all the check marks disappear

Additionally, extra users like "Everyone", "root" or "Creator Group" are 
already listed in the dialog box without me doing anything.

On the Linux side, the extended permissions of the 
/var/share/samba/homes directory look like this:

root@fileserver:/var/share/samba# getfacl homes/
# file: homes/
# owner: MYDOMAIN\134administrator
# group: MYDOMAIN\134domain\040admins

I noticed GIDs 100004 and 100005 are not resolved so I tried to find out why:

root@fileserver:/var/share/samba# net idmap dump
dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
GID 100004 S-1-5-11
GID 100005 S-1-5-18
GID 100006 S-1-3-0
USER HWM 100000
GID 100002 S-1-1-0
GID 100007 S-1-5-4
GID 100003 S-1-5-2
GROUP HWM 100008

With wbinfo --sid-to-fullname I find:

GID 100004 S-1-5-11 --> NT AUTHORITY\Authenticated Users 5
GID 100005 S-1-5-18 --> NT AUTHORITY\SYSTEM 5
S-1-3-0 is the well-known SID of the Creator Owner (thus known to the 

Finally, when I log into a Windows 7 workstation (previously joined to 
the domain) with my test user account

root@fileserver:/var/share/samba# id MYDOMAIN\\kbudwi
uid=10002(MYDOMAIN\kbudwi) gid=10001(MYDOMAIN\domain users) 

my home folder "kbudwi" is neither created nor mounted.

When I navigate manually to the home base folder by entering 
"\\fileserver\home" into Windows Explorer, I get an empty folder.

When I try to create my home folder manually I get a message box saying 
something like "home: You need permissions to continue the operation" 
(loosely translated from German). I suspect the missing "Creator Owner" 
rights block the folder creation.

Generally speaking, I am very unsure how to handle the id mapping for 
the ad backend. The documentation (I found) does not specify whether I 
have to set the Unix UIDs and GIDs on system accounts or on user 
accounts only. Maybe I have messed it up at this level?

Any help would be highly appreciated as I am seriously running out of ideas.

Thanks and best regards

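Added example (editor's code, not part of the post above and not Samba's own tooling): a small checker that reads the idmap ranges out of an smb.conf fragment, verifies the per-domain ranges are disjoint (winbind requires this), and checks a `net idmap dump` listing against the rule that well-known SIDs (Everyone S-1-1-0, CREATOR OWNER S-1-3-0, NT AUTHORITY S-1-5-<rid>, BUILTIN S-1-5-32-*) are allocated from the default "*" backend, while only domain SIDs of the form S-1-5-21-...-RID are served by the "idmap config MYDOMAIN" backend. The smb.conf lines and the dump text are copied from this message as constructed sample input; the domain SID used in the usage call is made up for illustration.

```python
"""Check Samba winbind idmap ranges against a `net idmap dump` listing.

Added example; the regexes, the classification rule and all names here are
the editor's, not Samba's. Sample inputs are copied from the mailing-list
post this example accompanies.
"""
import re
from itertools import combinations

# idmap lines of the poster's smb.conf (constructed sample input)
SMB_CONF = """
      idmap config * : backend = tdb
      idmap config * : range = 100000-4294967295
      idmap config MYDOMAIN : backend = ad
      idmap config MYDOMAIN : schema_mode = rfc2307
      idmap config MYDOMAIN : range = 10000-99999
"""

# `net idmap dump` output as shown in the post (constructed sample input)
IDMAP_DUMP = """dumping id mapping from /var/lib/samba/winbindd_idmap.tdb
GID 100004 S-1-5-11
GID 100005 S-1-5-18
GID 100006 S-1-3-0
USER HWM 100000
GID 100002 S-1-1-0
GID 100007 S-1-5-4
GID 100003 S-1-5-2
GROUP HWM 100008
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.I | re.M)
MAPPING_RE = re.compile(r"^(UID|GID)\s+(\d+)\s+(S-1-[\d-]+)\s*$", re.M)
# A domain account SID: S-1-5-21-<three sub-authorities>-<RID>
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def parse_idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config DOMAIN : range' line."""
    ranges = {}
    for dom, lo, hi in RANGE_RE.findall(conf):
        lo, hi = int(lo), int(hi)
        if lo > hi:
            raise ValueError(f"idmap range for {dom} is reversed: {lo}-{hi}")
        ranges[dom.upper()] = (lo, hi)
    return ranges


def overlapping_ranges(ranges):
    """Pairs of domains whose ID ranges intersect; winbind needs them disjoint."""
    bad = []
    for (d1, (l1, h1)), (d2, (l2, h2)) in combinations(sorted(ranges.items()), 2):
        if l1 <= h2 and l2 <= h1:
            bad.append((d1, d2))
    return bad


def expected_domain(sid, domain):
    """Which 'idmap config' block should own this SID.

    Only S-1-5-21-... SIDs belong to the joined domain (and thus need
    uidNumber/gidNumber in AD for backend = ad); every well-known SID is
    allocated from the default '*' backend, which is why the dump above
    shows BUILTIN/NT AUTHORITY groups with IDs from the 100000+ range.
    """
    return domain.upper() if DOMAIN_SID_RE.match(sid) else "*"


def parse_idmap_dump(text):
    """(kind, unix_id, sid) for every UID/GID line; HWM lines are skipped."""
    return [(kind, int(num), sid) for kind, num, sid in MAPPING_RE.findall(text)]


def check_mapping(ranges, domain, sid, unix_id):
    """None if unix_id lies in the range of the block that owns sid, else a message."""
    dom = expected_domain(sid, domain)
    if dom not in ranges:
        return f"{sid}: no 'idmap config {dom} : range' in smb.conf"
    lo, hi = ranges[dom]
    if not lo <= unix_id <= hi:
        return f"{sid}: id {unix_id} outside {dom} range {lo}-{hi}"
    return None


def audit(conf, dump_text, domain):
    """All problems found in the config and the dump; empty list means clean."""
    ranges = parse_idmap_ranges(conf)
    problems = [f"ranges for {a} and {b} overlap" for a, b in overlapping_ranges(ranges)]
    for kind, unix_id, sid in parse_idmap_dump(dump_text):
        msg = check_mapping(ranges, domain, sid, unix_id)
        if msg:
            problems.append(f"{kind} {msg}")
    return problems


if __name__ == "__main__":
    print("problems:", audit(SMB_CONF, IDMAP_DUMP, "MYDOMAIN") or "none")
    # Hypothetical domain user SID (made up): a UID the AD backend handed out
    # outside the MYDOMAIN range would be reported here.
    print(check_mapping(parse_idmap_ranges(SMB_CONF), "MYDOMAIN",
                        "S-1-5-21-1-2-3-1105", 100500))
```

Run it against the real `net idmap dump` output and the `[global]` section of the member server; an empty problem list for the dump above is the expected result, since all six well-known SIDs sit in the "*" range and the two ranges do not touch.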