[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership
Giuseppe Ravasio
giuseppe_ravasio at ch.modiano.com
Fri Oct 20 13:02:45 UTC 2017
Hi,
we are testing a new AD domain that will replace our old NT4 one, and we
are setting up a new cifs vserver of our Netapp filer (running Clustered
Dataontap 9.2).
The new AD domain was a clean deployment created using "samba-tool
domain provision --server-role=dc --use-rfc2307 ...".
All seems to work well and the Netapp filer joins the domain without
errors and seems to run fine.
The only issue is that from the Netapp point of view every user is a member of
various groups but not of the "Domain Users" one (the same for "Backup
Operators"). This prevents us from using the Domain Users group to set
permissions on share access.
We already fixed the xidNumber:100 issue in idmap.ldb and in fact from
the PDC perspective the user is a "Domain Users" member:
_________________________________________________________________________
root@:# id testuser
uid=3000021(COMPANYAD\testuser) gid=513(COMPANYAD\domain users) groups=513(COMPANYAD\domain users),3000021(COMPANYAD\testuser),3000034(COMPANYAD\test_share),3000023(COMPANYAD\noc),3000035(BUILTIN\backup operators),3000009(BUILTIN\users)
_________________________________________________________________________
but from the Netapp one the user has fewer groups:
_________________________________________________________________________
filer::*> diag secd authentication show-creds -node filer-node2 -vserver cifs-node1-sata -win-name testuser
UNIX UID: pcuser <> Windows User: COMPANYAD\testuser (Windows Domain User)
GID: pcuser
Supplementary GIDs:
pcuser
Windows Membership:
COMPANYAD\test_share (Windows Domain group)
COMPANYAD\noc (Windows Domain group)
User is also a member of Everyone, Authenticated Users, and Network Users
Privileges (0x2000):
SeChangeNotifyPrivilege
_________________________________________________________________________
We tried to execute the last command with Samba set to debug, and it
seems that it's effectively not reporting the group membership:
_________________________________________________________________________
[2017/10/20 12:54:15.922510, 6, pid=21463, effective(0, 0), real(0, 0)]
../lib/util/util_ldb.c:60(gendb_search_v)
gendb_search_v: DC=modianoad,DC=testdomainDC=com NULL -> 1
[2017/10/20 12:54:15.922873, 10, pid=21463, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
ldb: ldb_trace_response: ENTRY
dn:
<GUID=56d24437-bb0b-40fa-bf73-1ebad28071cd>;<SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1105>;CN=testuser,OU=Test,DC=modianoad,DC=testdomainDC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
badPwdCount: 0
badPasswordTime: 0
lastLogoff: 0
objectSid: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1105
accountExpires: 9223372036854775807
sAMAccountName: testuser
userPrincipalName: testuser at modianoad.modiano.com
displayName: testuserd
userAccountControl: 512
# unicodePwd::: REDACTED SECRET ATTRIBUTE
# supplementalCredentials::: REDACTED SECRET ATTRIBUTE
pwdLastSet: 131498665610000000
memberOf:
<GUID=bcd82010-5add-47ab-95b7-59684911358a>;<SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1121>;CN=test_share,OU=Test,DC=modianoad,DC=testdomainDC=com
memberOf:
<GUID=1a3277cf-62cd-4b0f-bd2a-e898a2b3fff2>;<SID=S-1-5-32-551>;CN=Backup
Operators,CN=Builtin,DC=modianoad,DC=testdomainDC=com
memberOf:
<GUID=50cae1b4-168a-43e6-9fc7-43fa7cd7e8a3>;<SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1111>;CN=noc,CN=Users,DC=modianoad,DC=testdomainDC=com
lastLogonTimestamp: 131528901605870470
primaryGroupID: 513
lastLogon: 131529690266506010
logonCount: 389
msDS-KeyVersionNumber: 95
msDS-User-Account-Control-Computed: 0
msDS-UserPasswordExpiryTimeComputed: 131654185610000000
_________________________________________________________________________
Every hint is welcome! ;-)
Giuseppe
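Added example, not part of Giuseppe's post or of Samba or NetApp code: a small Python script that derives the full set of group SIDs a user should be granted from an AD entry like the one in the debug log above. The point it illustrates is a property of Active Directory itself, not a diagnosis of the NetApp behaviour: the primary group is never listed in member/memberOf, it exists only as primaryGroupID (a RID that is appended to the domain SID), so any consumer that builds membership from memberOf alone will never see "Domain Users" (RID 513). The entry below is a constructed copy of the logged object, with the XXXX domain SID placeholders kept exactly as in the post; the `memberof_only` client set is likewise constructed for the demonstration.

```python
"""
Added example (not from the original post): compute a user's expected group
SIDs from an AD entry of the kind Samba logged above, including the primary
group that memberOf does not carry.
"""
import re

# Constructed sample, modelled on the entry in the debug log. The domain SID
# sub-authorities are the XXXX placeholders used in the post, kept verbatim.
SAMPLE_ENTRY = """\
dn: <GUID=56d24437-bb0b-40fa-bf73-1ebad28071cd>;<SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1105>;CN=testuser,OU=Test,DC=modianoad,DC=testdomainDC=com
objectClass: user
objectSid: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1105
sAMAccountName: testuser
memberOf: <GUID=bcd82010-5add-47ab-95b7-59684911358a>;<SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1121>;CN=test_share,OU=Test,DC=modianoad,DC=testdomainDC=com
memberOf: <GUID=1a3277cf-62cd-4b0f-bd2a-e898a2b3fff2>;<SID=S-1-5-32-551>;CN=Backup Operators,CN=Builtin,DC=modianoad,DC=testdomainDC=com
memberOf: <GUID=50cae1b4-168a-43e6-9fc7-43fa7cd7e8a3>;<SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1111>;CN=noc,CN=Users,DC=modianoad,DC=testdomainDC=com
primaryGroupID: 513
"""

# Samba's extended DN form carries the SID inline as <SID=...>.
SID_RE = re.compile(r"<SID=([^>]+)>")


def parse_entry(text):
    """Parse a simple LDIF-style block into {attribute: [values]}.

    Multi-valued attributes such as memberOf keep every value, in order.
    Comment lines (the redacted secret attributes in the log) are skipped.
    """
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def sid_from_memberof(value):
    """Pull the SID out of an extended DN like <GUID=...>;<SID=...>;CN=..."""
    m = SID_RE.search(value)
    return m.group(1) if m else None


def primary_group_sid(object_sid, primary_group_id):
    """Build the primary group SID: the user's domain SID plus primaryGroupID.

    The user's own RID is the last sub-authority of objectSid; the primary
    group lives in the same domain, so only that last component changes.
    """
    domain_sid, _, _user_rid = object_sid.rpartition("-")
    return "%s-%s" % (domain_sid, primary_group_id)


def expected_group_sids(entry_text):
    """Return every group SID the directory grants this user.

    That is memberOf (explicit memberships) plus the primary group, which
    AD represents only through primaryGroupID and never lists in memberOf.
    """
    attrs = parse_entry(entry_text)
    sids = {sid_from_memberof(v) for v in attrs.get("memberOf", [])}
    sids.discard(None)
    sids.add(primary_group_sid(attrs["objectSid"][0],
                               attrs["primaryGroupID"][0]))
    return sids


def missing_from_client(entry_text, client_sids):
    """SIDs the directory says the user has but a client did not report."""
    return expected_group_sids(entry_text) - set(client_sids)


if __name__ == "__main__":
    # Constructed: what a consumer that only reads memberOf would report.
    memberof_only = {sid_from_memberof(v)
                     for v in parse_entry(SAMPLE_ENTRY)["memberOf"]}
    for sid in sorted(missing_from_client(SAMPLE_ENTRY, memberof_only)):
        print("not visible via memberOf:", sid)
```

Run against the sample, the only SID reported as missing is the domain SID with RID 513, i.e. Domain Users, because it is derived from primaryGroupID rather than from any memberOf value. Whether the NetApp side is actually building its token this way is not established by the post; comparing the output of `expected_group_sids` with what `show-creds` lists is one way to narrow that down.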