[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership

Rowland Penny rpenny at samba.org
Fri Oct 20 13:41:26 UTC 2017

On Fri, 20 Oct 2017 15:02:45 +0200
Giuseppe Ravasio via samba <samba at lists.samba.org> wrote:

> Hi,
> we are testing a new AD domain that will replace our old NT4 one, and
> we are setting up a new cifs vserver of our Netapp filer (running
> Clustered Dataontap 9.2).
> The new AD domain was a clean deployment created using "samba-tool
> domain provision --server-role=dc --use-rfc2307 ...".
> All seems to work well and the Netapp filer joins the domain without
> errors and seems to run fine.
> The only issue is that from Netapp point of view every user is member
> of various groups but not of the "Domain Users" one (the same for
> "Backup operators"). This prevents us from using the Domain Users group to
> set permissions on share access.
> We already fixed the xidNumber:100 issue in idmap.ldb and in fact from
> the PDC perspective the user is a "Domain Users" member:
> _________________________________________________________________________
> root@:# id testuser
> uid=3000021(COMPANYAD\testuser) gid=513(COMPANYAD\domain users)
> groups=513(COMPANYAD\domain
> users),3000021(COMPANYAD\testuser),3000034(COMPANYAD\test_share),3000023(COMPANYAD\noc),3000035(BUILTIN\backup
> operators),3000009(BUILTIN\users)
> _________________________________________________________________________

You haven't fixed the 'xidNumber:100 issue', giving 'Domain Users' the
ID of '513' is not a good idea and I think you may have just changed
'100' in idmap.ldb to '513'

You also do NOT have a PDC, this was what you had before, you now have
an AD DC, if you add another DC, that will be another AD DC. 

I think your problems are being caused by misconfiguration and the lack
of libnss_winbind being set up.

Can you post the following files:

From the AD DC and the netapp
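As an added illustration of the xidNumber problem discussed above (this is example code, not from Samba, Rowland or the original poster), the script below parses idmap.ldb records in the LDIF shape that ldbsearch prints and flags mappings whose xidNumber collides with a local group in /etc/group on the DC or sits below the usual system-ID boundary. The LDIF, the /etc/group excerpt, the domain SID and the 1000 boundary are all constructed or assumed here; in practice you would feed in the real `ldbsearch` output from your DC.

```python
"""
Spot risky xidNumber values in a Samba AD DC's idmap.ldb.

Added example, not code from Samba or the thread above. The sample data is
constructed; the system-ID ceiling of 1000 is an assumption (check your
distribution's login.defs for the real boundary).
"""
import re

# Constructed sample of two idmap.ldb records, in the layout ldbsearch prints.
# RID 513 is Domain Users; xidNumber 100 is the well-known default that
# collides with the local 'users' group (GID 100) on many distributions.
SAMPLE_IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-513
cn: S-1-5-21-1111111111-2222222222-3333333333-513
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-1111111111-2222222222-3333333333-513

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1106
cn: S-1-5-21-1111111111-2222222222-3333333333-1106
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1106
type: ID_TYPE_GID
xidNumber: 3000034
distinguishedName: CN=S-1-5-21-1111111111-2222222222-3333333333-1106
"""

# Constructed /etc/group excerpt as it might look on the DC itself.
SAMPLE_ETC_GROUP = """\
root:x:0:
users:x:100:
testuser:x:1001:
"""

SYSTEM_ID_CEILING = 1000  # assumption: IDs below this belong to the OS


def parse_idmap_ldif(text):
    """Return one dict (sid, type, xid) per LDIF record that carries a mapping."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip()] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            records.append({
                "sid": attrs["objectSid"],
                "type": attrs.get("type", ""),
                "xid": int(attrs["xidNumber"]),
            })
    return records


def parse_etc_group(text):
    """Map GID -> group name from /etc/group-formatted text."""
    gids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            gids[int(fields[2])] = fields[0]
    return gids


def find_problem_mappings(ldif_text, etc_group_text, ceiling=SYSTEM_ID_CEILING):
    """Return (sid, xid, reason) for every mapping an admin should revisit."""
    local = parse_etc_group(etc_group_text)
    problems = []
    for rec in parse_idmap_ldif(ldif_text):
        if rec["xid"] in local:
            # The AD group would share a Unix GID with a local OS group.
            problems.append((rec["sid"], rec["xid"],
                             "collides with local group '%s'" % local[rec["xid"]]))
        elif rec["xid"] < ceiling:
            # Simply renumbering to a small value (e.g. the RID 513) keeps the
            # mapping inside the range the OS reserves for its own accounts.
            problems.append((rec["sid"], rec["xid"], "inside the system ID range"))
    return problems


if __name__ == "__main__":
    for sid, xid, reason in find_problem_mappings(SAMPLE_IDMAP_LDIF, SAMPLE_ETC_GROUP):
        print("%s -> xidNumber %d: %s" % (sid, xid, reason))
```

Running it against real output (`ldbsearch -H /path/to/private/idmap.ldb` on the DC, path per your install) lists the entries to correct; the second branch is what catches the "just change 100 to 513" shortcut, since 513 is still a low, OS-reserved number rather than an ID from the RFC2307 range used for the rest of the domain.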

