[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership

Giuseppe Ravasio giuseppe_ravasio at ch.modiano.com
Fri Oct 20 13:02:45 UTC 2017


Hi,
we are testing a new AD domain that will replace our old NT4 one, and we
are setting up a new cifs vserver of our Netapp filer (running Clustered
Dataontap 9.2).

The new AD domain was a clean deployment created using "samba-tool
domain provision --server-role=dc --use-rfc2307 ...".
All seems to work well and the Netapp filer joins the domain without
errors and seems to run fine.

The only issue is that, from the Netapp point of view, every user is a member of
various groups but not of the "Domain Users" one (the same for "Backup
operators"). This prevents us from using the Domain Users group to set permissions
on share access.

We already fixed the xidNumber:100 issue in idmap.ldb and in fact from
the PDC's perspective the user is a "Domain Users" member:


_________________________________________________________________________
root@:# id testuser
uid=3000021(COMPANYAD\testuser) gid=513(COMPANYAD\domain users)
groups=513(COMPANYAD\domain
users),3000021(COMPANYAD\testuser),3000034(COMPANYAD\test_share),3000023(COMPANYAD\noc),3000035(BUILTIN\backup
operators),3000009(BUILTIN\users)
_________________________________________________________________________

but from the netapp one the user has fewer groups:

_________________________________________________________________________
filer::*> diag secd authentication show-creds -node filer-node2 -vserver
cifs-node1-sata -win-name testuser

 UNIX UID: pcuser <> Windows User: COMPANYAD\testuser (Windows Domain User)

 GID: pcuser
 Supplementary GIDs:
  pcuser

 Windows Membership:
  COMPANYAD\test_share (Windows Domain group)
  COMPANYAD\noc (Windows Domain group)
 User is also a member of Everyone, Authenticated Users, and Network Users

 Privileges (0x2000):
  SeChangeNotifyPrivilege
_________________________________________________________________________

We tried to execute the last command with samba set to debug and it
seems that it's effectively not reporting the group membership:

_________________________________________________________________________
[2017/10/20 12:54:15.922510,  6, pid=21463, effective(0, 0), real(0, 0)]
../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=modianoad,DC=testdomainDC=com NULL -> 1
[2017/10/20 12:54:15.922873, 10, pid=21463, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
  dn:
<GUID=56d24437-bb0b-40fa-bf73-1ebad28071cd>;<SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1105>;CN=testuser,OU=Test,DC=modianoad,DC=testdomainDC=com
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: user
  badPwdCount: 0
  badPasswordTime: 0
  lastLogoff: 0
  objectSid: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1105
  accountExpires: 9223372036854775807
  sAMAccountName: testuser
  userPrincipalName: testuser at modianoad.modiano.com
  displayName: testuserd
  userAccountControl: 512
  # unicodePwd::: REDACTED SECRET ATTRIBUTE
  # supplementalCredentials::: REDACTED SECRET ATTRIBUTE
  pwdLastSet: 131498665610000000
  memberOf:
<GUID=bcd82010-5add-47ab-95b7-59684911358a>;<SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1121>;CN=test_share,OU=Test,DC=modianoad,DC=testdomainDC=com
  memberOf:
<GUID=1a3277cf-62cd-4b0f-bd2a-e898a2b3fff2>;<SID=S-1-5-32-551>;CN=Backup
Operators,CN=Builtin,DC=modianoad,DC=testdomainDC=com
  memberOf:
<GUID=50cae1b4-168a-43e6-9fc7-43fa7cd7e8a3>;<SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1111>;CN=noc,CN=Users,DC=modianoad,DC=testdomainDC=com
  lastLogonTimestamp: 131528901605870470
  primaryGroupID: 513
  lastLogon: 131529690266506010
  logonCount: 389
  msDS-KeyVersionNumber: 95
  msDS-User-Account-Control-Computed: 0
  msDS-UserPasswordExpiryTimeComputed: 131654185610000000
_________________________________________________________________________

Every hint is welcome! ;-)

Giuseppe
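As an added illustration (not part of Giuseppe's message, nor Samba or NetApp code): in the ldb trace above, "Domain Users" appears only as primaryGroupID: 513 and never in memberOf, which is how Active Directory always stores the primary group. The script below, using a constructed entry modelled on that trace with a made-up domain SID, computes the full group set from both attributes and reports which groups a memberOf-only consumer would never see.

```python
import re

# Constructed sample modelled on the ldb trace in the post. The domain SID is a
# made-up placeholder (the post redacts the real one); RIDs and GUIDs are taken
# from the trace, the DC= suffix is a placeholder.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ENTRY = {
    "sAMAccountName": ["testuser"],
    "objectSid": [f"{DOMAIN_SID}-1105"],
    "primaryGroupID": ["513"],
    "memberOf": [
        f"<GUID=bcd82010-5add-47ab-95b7-59684911358a>;<SID={DOMAIN_SID}-1121>;CN=test_share,OU=Test,DC=example,DC=com",
        "<GUID=1a3277cf-62cd-4b0f-bd2a-e898a2b3fff2>;<SID=S-1-5-32-551>;CN=Backup Operators,CN=Builtin,DC=example,DC=com",
        f"<GUID=50cae1b4-168a-43e6-9fc7-43fa7cd7e8a3>;<SID={DOMAIN_SID}-1111>;CN=noc,CN=Users,DC=example,DC=com",
    ],
}

SID_IN_DN = re.compile(r"<SID=(S-1-5-[0-9-]+)>")   # extended-DN form used by ldb
CN_IN_DN = re.compile(r"CN=([^,]+)")
BUILTIN_PREFIX = "S-1-5-32-"                        # BUILTIN (domain-local) groups


def domain_sid_of(object_sid):
    """Strip the trailing RID: S-1-5-21-a-b-c-1105 -> S-1-5-21-a-b-c."""
    return object_sid.rsplit("-", 1)[0]


def effective_groups(entry):
    """Return {group_sid: (name, source)} for every group the user belongs to.

    memberOf carries the explicit memberships; the primary group is stored
    only as a RID in primaryGroupID and must be joined to the user's own
    domain SID to obtain its group SID.
    """
    groups = {}
    for dn in entry.get("memberOf", []):
        sid_match = SID_IN_DN.search(dn)
        if not sid_match:          # plain DN without <SID=...>; nothing to resolve
            continue
        sid = sid_match.group(1)
        name = CN_IN_DN.search(dn).group(1)
        source = "memberOf (BUILTIN)" if sid.startswith(BUILTIN_PREFIX) else "memberOf"
        groups[sid] = (name, source)
    rid = entry["primaryGroupID"][0]
    primary_sid = f"{domain_sid_of(entry['objectSid'][0])}-{rid}"
    name = "Domain Users" if rid == "513" else f"RID {rid}"   # 513 is the well-known RID
    groups.setdefault(primary_sid, (name, "primaryGroupID"))
    return groups


def missing_from_memberof(entry):
    """Group SIDs that are reachable only through primaryGroupID."""
    return sorted(sid for sid, (_, src) in effective_groups(entry).items() if src == "primaryGroupID")
```

Run against a real entry (e.g. the attributes from `samba-tool user show`) the same check tells you whether a group you expect on the client side is an explicit membership or the primary group.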
