[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership
Giuseppe Ravasio
giuseppe_ravasio at ch.modiano.com
Fri Oct 20 14:47:43 UTC 2017
Sorry for eventually wrong AD terminology!
> You haven't fixed the 'xidNumber:100 issue', giving 'Domain Users' the
> ID of '513' is not a good idea and I think you may have just changed
> '100' in idmap.ldb to '513'
From the AD DC (;-)) shell the user was missing the "Domain Users" group
and we thought that could be a xidNumber mapping even on the Netapp Filer.
So I tried what is suggested in this thread:
https://lists.samba.org/archive/samba/2016-April/thread.html#199609
Maybe I misunderstood the solution and I changed only the mapping in
winbind. Is that so?
From the AD DC:
> smb.conf
# Global parameters
[global]
bind interfaces only = Yes
interfaces = lo ens32:SMB
netbios name = MODIANODC
realm = MODIANOAD.MODIANO.COM
workgroup = MODIANOAD
dns forwarder = 192.168.100.5
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
comment = "TEST AD"
log level = 4
log file = /var/log/samba/log.samba
password hash gpg key ids = XXXXXXXXX
# Needed to join Netapp
ldap server require strong auth = no
allow dns updates = nonsecure
#Disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[netlogon]
path = /usr/local/samba/var/locks/sysvol/modianoad.modiano.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
> /etc/resolv.conf
domain modianoad.modiano.com
nameserver 192.168.100.51
search modianoad.modiano.com
> /etc/hostname
sambatest1
> /etc/hosts
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.100.50 sambatest1.modiano.com sambatest1
192.168.100.51 MODIANODC.modianoad.modiano.com MODIANODC
> /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
> From the AD DC and the netapp
Clustered DataONTAP seems to be missing those files, or they are not
accessible via the regular system CLI.
There are a lot of CIFS related commands and if you can tell me what
you're looking for I could try searching the docs.
Anyway, from Netapp everything is working well (Authentication, groups,
permissions, sharing etc etc) except when we try to use "Domain Users"
(and we think also Backup Operators) in ACLs.
In that case we can set the ACL with a Domain Admins user but the other
user that has only "Domain Users" permissions cannot access the file
because the system does not see him as a member of the group.
Thanks
Giuseppe
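The "xidNumber:100" remark above is about what the DC's own idmap.ldb says for the "Domain Users" SID (RID 513), and how that number interacts with /etc/group when nsswitch lists `compat` before `winbind` (as in the nsswitch.conf shown): a GID lookup for 100 is answered by the local `users` group first, so the domain group never appears in `id` or `getent` output. The script below is an added diagnostic, not part of Samba or of this thread. It reads a text dump of idmap.ldb (the format approximates `ldbsearch -H /usr/local/samba/private/idmap.ldb` output; that path and the domain SID in the sample are assumptions, only the RID suffixes 512/513 are real) together with /etc/group, and reports every GID-capable mapping that coincides with a local GID or falls outside the `lowerBound`/`upperBound` range recorded in the CN=CONFIG entry. The embedded samples are constructed.

```python
# Added diagnostic (not Samba code): cross-check an idmap.ldb dump against
# /etc/group to explain a "missing" Domain Users membership on an AD DC.
import re
from typing import Dict, List, Tuple

# Well-known RIDs for the built-in groups mentioned in the thread.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users"}

# Constructed sample approximating `ldbsearch -H <private>/idmap.ldb` output.
# The domain SID S-1-5-21-1111111111-2222222222-3333333333 is made up.
SAMPLE_IDMAP_LDIF = """\
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000000

# record 2
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-513
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
type: ID_TYPE_BOTH
xidNumber: 100

# record 3
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000000
"""

# Constructed /etc/group excerpt; 'users' with GID 100 is a common default.
SAMPLE_ETC_GROUP = """\
root:x:0:
users:x:100:
sudo:x:27:giuseppe
"""


def parse_ldif_records(text: str) -> List[Dict[str, str]]:
    """Split an LDIF-style dump into records (attribute -> value).

    Blank lines separate records; lines starting with '#' are ldbsearch
    comments. A repeated attribute keeps its last value (enough for idmap.ldb).
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def parse_etc_group(text: str) -> Dict[int, str]:
    """Map numeric GID -> group name from /etc/group content."""
    gids: Dict[int, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, _members = line.split(":", 3)
        gids[int(gid)] = name
    return gids


def rid(sid: str) -> int:
    """Relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def describe(sid: str) -> str:
    """Human-readable name for well-known RIDs, else the raw SID."""
    return WELL_KNOWN_RIDS.get(rid(sid), sid)


def audit_idmap(idmap_ldif: str, etc_group: str) -> Dict[str, list]:
    """Flag sidMap entries whose xidNumber is shadowed by a local GID or lies
    outside the allocation range declared in the CN=CONFIG record."""
    records = parse_ldif_records(idmap_ldif)
    local = parse_etc_group(etc_group)
    config = next((r for r in records if r.get("dn", "").upper() == "CN=CONFIG"), {})
    low = int(config.get("lowerBound", 0))
    high = int(config.get("upperBound", 2**32 - 1))

    collisions: List[Tuple[str, int, str]] = []
    out_of_range: List[Tuple[str, int]] = []
    for r in records:
        if r.get("objectClass") != "sidMap":
            continue
        sid, xid = r["objectSid"], int(r["xidNumber"])
        # With 'group: compat winbind', a GID that exists locally resolves to
        # the local group, so the domain group is invisible to the shell.
        if r.get("type") in ("ID_TYPE_GID", "ID_TYPE_BOTH") and xid in local:
            collisions.append((sid, xid, local[xid]))
        if not low <= xid <= high:
            out_of_range.append((sid, xid))
    return {"collisions": collisions, "out_of_range": out_of_range}


if __name__ == "__main__":
    result = audit_idmap(SAMPLE_IDMAP_LDIF, SAMPLE_ETC_GROUP)
    for sid, xid, name in result["collisions"]:
        print(f"{describe(sid)} -> xidNumber {xid} collides with local group '{name}'")
    for sid, xid in result["out_of_range"]:
        print(f"{describe(sid)} -> xidNumber {xid} is outside the idmap.ldb range")
```

Run it against a real dump by replacing the two sample strings with the file contents. The sample reproduces the symptom from the thread: Domain Users carries xidNumber 100, which both collides with the local `users` group and sits below the 3000000 lower bound, which is what a hand-edited mapping looks like.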