[Samba] Unable to set up home share correctly

Rowland Penny rpenny at samba.org
Fri Oct 14 13:04:34 UTC 2016

On Fri, 14 Oct 2016 14:32:52 +0200
Udo Willke via samba <samba at lists.samba.org> wrote:

> Hello Rowland,
> On 13.10.2016 at 18:25, Rowland Penny via samba wrote:
> > It sounds like you don't have IDMU installed, not sure if you can
> > install it on 2012.
> Are you trying to say that I should install "Identity Management for
> Unix" on a Windows Server 2012? If yes, I am afraid we have a 
> misunderstanding here: I don't use any Windows Server in my set-up.
> I use a Fileserver with two network interfaces, one connected to a 
> private network, the other connected to our university network. A
> Samba AD DC is supposed to manage a small Windows Domain in the
> private net. The fileserver also serves as a gateway to the Windows 7
> workstations in the private net. Fileserver and AD DC are both
> running ubuntu 16.04 and have the respective Samba packages
> installed. For testing I have set up two Windows 7 Instances on ESXi
> inside the private net, one with the RSAT Tools installed and one as
> a user PC.
> Update: I spent the morning setting up a fresh member server
> ("FILESERVER2") for testing inside the private net (with 1 NIC only,
> thereby reducing complexity). I think I have made all the necessary
> steps and did not forget to grant the SeDiskOperatorPrivilege rights
> to the Domain Admins:
> root@fileserver2:/var/log/samba# net rpc rights list 'MYDOMAIN\Domain Admins' -U'MYDOMAIN\Administrator' -S addc01
> Enter MYDOMAIN\Administrator's password:
> SeDiskOperatorPrivilege
> Now I'm stuck in the RSAT Computer Management Console where I am
> denied access to the share configuration. On the navigation tree in
> the left window "Local users and groups" is shown as locked (and I
> remember this only went away after I assigned a uidNumber to the
> Administrator account and made it a member of the Domain Admins Unix
> Group). Can't tell if this is a useful hint.

I could have sworn you mentioned a 2012 server, so if you are
authenticating the fileserver to a Samba AD DC, did you provision the
DC with '--use-rfc2307'?
Not a problem if you didn't, see here:


The 'Administrator' is always a member of 'Domain Admins'

Did you remember to add the 'user.map' line to smb.conf?
