
I set up Samba version 4.1.17-Ubuntu as a domain controller and Active Directory, and everything seemed to go smoothly, but when I try to use the administrator account on one Windows 10 PC that is a domain member to create a new user in the AD using the Windows Active Directory Users and Computers management tool, I get this error:

An error occured, contact your system administrator

(I get the same problem when trying to copy the user as well).

But when I use samba-tool to create a user, it works perfectly.

Here is my smb.conf file:

[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.LOCAL
        netbios name = LINUXSERVER
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/example.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Users]
        directory_mode: parameter = 0700
        read only = no
        path = /Users
        csc policy = documents

Another related problem: I am going to mention this problem too, because it may help in finding the cause of the previous problem. When I try to change the password of any user using the same Windows tools, I get an error saying that my computer and my user have to have delegate permissions.

And there might be something else that doesn't work, but so far that is all I have found.

So what I want is to get that Windows tool working correctly somehow.

What I tried:

  • I tried to delete the profile of administrator account.
  • I tried to create a new test account with administrator permissions using samba-tool and tried to create users from that account with no success.
  • I tried to give the administrator user delegate permissions by right-clicking on the domain name and then delegate controller, but also with no success for both errors.
  • I tried with and without the last block [Users] (I actually don't understand what it does exactly).
  • Leaving and rejoining the domain.

All of those were without success. I appreciate any help from you.

2 Answers

0

Upgrade to Samba 4.3.

The problem is related to a buggy and/or incomplete implementation of the "Backup Key" sub-protocol that older Samba versions have. You'll probably notice that Credential Manager was also unusable for the same reason.

Alternatively, use an older OS to manage the directory – e.g. Server 2003 can create user accounts without any problems, since it doesn't use the "Backup Key" protocol for anything yet. (I am not sure about Server 2008.)

Unfortunately, 4.3 is not yet packaged for Ubuntu – still pending in Debian's "unstable" too – however, it's actually easy to build Samba from source code.


As for the [Users] block, it simply defines a shared folder.

In smb.conf, every section except [global] corresponds to a share definition – "netlogon" and "sysvol" are special AD shares, and "Users" is probably a custom one.

5
  • I am building it right now, thank you for your advice, I will tell you what will happen when I finish installing it. Commented Feb 23, 2016 at 23:33
  • That did it!! It worked like a charm! Thank you a lot! (Sorry, I still don't have enough reputation to rate it up.) Thanks again. Commented Feb 24, 2016 at 0:10
  • Sorry, but could you tell me where I can find that Users folder? Should I add it manually or should it appear somewhere? Commented Feb 24, 2016 at 0:31
  • I tried adding that Users folder, but I have no permissions to access it. Do you have any idea about that folder? It seems not to be a custom folder. Commented Feb 24, 2016 at 0:37
  • @MohammedNoureldin: I'm not sure. It is definitely custom configuration, maybe someone tried to set up personal file storage for users, but forgot to actually mkdir it; or maybe it's something Ubuntu-specific. (You would access it via \\linuxserver\Users on Windows.) Either way, that folder is not required for an AD DC – only the two shares "netlogon" and "sysvol" are required (mainly because the Group Policy settings are stored on them). Commented Feb 24, 2016 at 0:42
0

A workaround with Samba 4.1.17 with Windows 10 clients is to change a registry key:

Add a 32-bit DWORD named ProtectionPolicy with value 1 at:

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb

No restart or logout/login required. With us this resolved an issue with very slow typing in the remote desktop connection window's computer name field, too, and the resetting of passwords in ADUC.
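
The registry change from the answer above as a PowerShell function, added here as an example and not part of the original answer: it reports the current value, applies the workaround, or removes it again once the domain controller has been upgraded as the other answer suggests. The key path, value name and data come from the answer; the function name `Set-ProtectionPolicyWorkaround` and its `-Mode` parameter are assumptions made for this example, and Apply and Revert need an elevated session.

```powershell
# Added example: audit, apply, or revert the ProtectionPolicy workaround.
# Key path, value name and data are the ones given in the answer above;
# the function name and the -Mode parameter are made up for this example.
function Set-ProtectionPolicyWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Audit', 'Apply', 'Revert')]
        [string]$Mode = 'Audit'
    )

    $key  = 'HKLM:\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
    $name = 'ProtectionPolicy'

    # Read the current state without failing when the key or value is absent.
    $before = $null
    if (Test-Path -Path $key) {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $before = $prop.$name }
    }

    switch ($Mode) {
        'Apply' {
            # Only write when the value is missing or different from 1.
            if ($before -ne 1 -and $PSCmdlet.ShouldProcess("$key\$name", 'Set DWORD to 1')) {
                if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
            }
        }
        'Revert' {
            # Remove the value so the client returns to its default behaviour.
            if ($null -ne $before -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove value')) {
                Remove-ItemProperty -Path $key -Name $name
            }
        }
    }

    # Re-read so the report reflects what is actually in the registry now.
    $after = $null
    if (Test-Path -Path $key) {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $after = $prop.$name }
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Mode = $Mode; Before = $before; After = $after }
}

# Default call only reports; use -Mode Apply (optionally with -WhatIf) to change anything.
Set-ProtectionPolicyWorkaround -Mode Audit
```

Keeping the Audit output from each client gives a list of machines to revert after the Samba upgrade.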
