Creating Home Directories and other shares for AD users in samba

Tim Holmes tholmes at
Wed Jul 20 18:12:06 UTC 2005

Thanks to the great help here and on the SAMBA List, I have gotten samba
to work correctly to do what I need it to, allowing my windows AD users
to access shares on the samba box without having to either create a
local (samba / linux) user or manually authenticate on the share.


I have hit what I am sure is a linux permissions problem:

When my user (timholmes) clicks on the samba server in the My Network
Places window, I see the shares; in this case webroot, homes and

If I enter the timholmes share, it routes me to the directory where the
home folders are supposed to be located, and shows me the one that is
there (in this case it is a local linux user), but I cannot create a new
folder for myself or anything -- is that a process that must be done
manually, and if so, to what values do I set the owner, group and

If it is supposed to be automatic, how do I make it happen?

Here is my smb.conf file


# Section headers [global], [webroot] and [homes] are the share names given
# in the message; the brackets were lost when the file was pasted.
[global]
         workgroup = MCASCHOOL
         realm = MCASCHOOL.NET
         security = ADS
         password server =
         log file = /usr/local/samba/var/%m.log
         preferred master = No
         local master = No
         domain master = No
         wins server =
         idmap uid = 10000-40000
         idmap gid = 10000-40000
         # winbind use default domain = Yes
         winbind enum users = yes
         winbind enum groups = yes
         winbind nested groups = Yes
         # a second "socket options" line silently replaces the first,
         # so both values belong on one line
         socket options = TCP_NODELAY SO_RCVBUF=8192
         # the parameter is "use spnego"; "spengo" is not a recognised option
         use spnego = yes

[webroot]
         path = /var/www/html/
         read only = No

[homes]
         browseable = no
         writeable = yes
         path = /home


Also, there are some shares --- like the webroot one --- that multiple users
should have rights to do anything in (for example, in the webroot, all of
the teachers in the school should have read, write and execute rights,
but none of the students should; as well, apache should have read,
write and execute rights so that it can serve it, etc.)

My gut instinct is that it should be owned by apache, and that the group
should be the active directory group teachers (which contains all the
right people) and I am guessing the permissions would look like 775
giving the owner, apache, read, write and execute permissions, the
group, the active directory teachers group, read write and execute -- so
they can edit web pages, and the rest of the world read and execute
permissions so that they can see the pages and execute any scripts etc
in them.  Is this right or am I totally confused?

Thanks a bunch

Timothy A. Holmes
IT Manager / Webmaster / Science Teacher
Medina Christian Academy
A Higher Standard...
Jeremiah 33:3
Jeremiah 29:11
Esther 4:14
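The two questions above (a home folder that does not exist yet, and a group-writable webroot) handled by a small helper script, added here as an example; it is not from the original message or from the Samba project. It assumes "winbind use default domain = yes" is enabled (the posted smb.conf has it commented out) so that %U is the bare user name, and that Samba runs it from the [homes] share as "root preexec = /usr/local/sbin/mkhome.sh "%U" "%G"". The name mkhome.sh and the HOME_BASE variable are this example's own.

```shell
#!/bin/sh
# mkhome.sh: create a winbind-mapped AD user's home directory on first
# access, and set up a group-shared tree such as the webroot.
# Assumed: user and group names resolve through winbind (idmap ranges from
# the message), and HOME_BASE matches the [homes] share "path = /home".

HOME_BASE="${HOME_BASE:-/home}"   # base directory; override for testing

# %U is client-influenced input: refuse anything that is not a plain
# user name (no path separators, no "." or "..", no odd characters).
valid_name() {
    case "$1" in
        ''|*/*|.|..|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# ensure_home USER GROUP: create $HOME_BASE/USER as USER:GROUP, mode 0700,
# so only the owner can read the files behind the timholmes share.
ensure_home() {
    user="$1"; group="$2"
    valid_name "$user" || { echo "mkhome: bad user name '$user'" >&2; return 1; }
    dir="$HOME_BASE/$user"
    if [ ! -d "$dir" ]; then
        mkdir -m 0700 "$dir" || return 1       # -m ignores the umask
        chown "$user:$group" "$dir" || return 1
    fi
    return 0
}

# ensure_group_dir DIR OWNER GROUP: shared tree like the webroot, mode 2775:
# owner and group (the AD "teachers" group) read/write/execute, others
# read/execute, and the setgid bit makes new files inherit the group so
# every teacher's uploads stay editable by the whole group.
ensure_group_dir() {
    dir="$1"; owner="$2"; group="$3"
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chown "$owner:$group" "$dir" || return 1
    chmod 2775 "$dir"
}

# called by Samba as: mkhome.sh "%U" "%G"
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    ensure_home "$1" "$2"
fi
```

Running it once by hand as root with the apache user and the teachers group, e.g. ensure_group_dir /var/www/html apache teachers, sets up the webroot the way the message describes.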
