[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership
giuseppe_ravasio at ch.modiano.com
Fri Oct 20 14:47:43 UTC 2017
Sorry for possibly wrong AD terminology!
> You haven't fixed the 'xidNumber:100 issue', giving 'Domain Users' the
> ID of '513' is not a good idea and I think you may have just changed
> '100' in idmap.ldb to '513'
From the AD DC (;-)) shell the user was missing the "Domain Users" group,
and we thought that could be an xidNumber mapping issue even on the Netapp Filer.
So I tried what is suggested in this thread:
Maybe I misunderstood the solution and I changed only the mapping in
winbind. Is that so?
From the AD DC:
smb.conf:

# Global parameters
[global]
	bind interfaces only = Yes
	interfaces = lo ens32:SMB
	netbios name = MODIANODC
	realm = MODIANOAD.MODIANO.COM
	workgroup = MODIANOAD
	dns forwarder = 192.168.100.5
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes
	comment = "TEST AD"
	log level = 4
	log file = /var/log/samba/log.samba
	password hash gpg key ids = XXXXXXXXX
	# Needed to join Netapp
	ldap server require strong auth = no
	allow dns updates = nonsecure
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/modianoad.modiano.com/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

/etc/hosts:

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
192.168.100.50 sambatest1.modiano.com sambatest1
192.168.100.51 MODIANODC.modianoad.modiano.com MODIANODC

/etc/nsswitch.conf:

passwd: compat winbind
group: compat winbind
hosts: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files
> From the AD DC and the netapp
Clustered DataONTAP seems to be missing those files, or they are not
accessible via the regular system CLI.
There are a lot of CIFS-related commands, and if you can tell me what
you're looking for I could try searching the docs.
Anyway, from the Netapp everything is working well (authentication, groups,
permissions, sharing, etc.) except when we try to use "Domain Users"
(and we think also Backup Operators) in ACLs.
In that case we can set the ACL with a Domain Admins user, but the other
user that has only "Domain Users" permissions cannot access the file,
because the system does not see him as a member of the group.
More information about the samba
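One check a practitioner would run at this point, added here as an example and not code from the original post or from Samba itself: the script below reads the LDIF that `ldbsearch -H /usr/local/samba/private/idmap.ldb` prints on the DC (the `/usr/local/samba` prefix is assumed from the sysvol path in the posted smb.conf) together with the DC's /etc/group, and reports sidMap entries for well-known groups whose xidNumber sits below the allocator's lowerBound (i.e. was hand-assigned, or is the old default) or coincides with a local group's gid. That is the situation the quoted reply warns about (Domain Users moved from 100 to 513 in idmap.ldb). The domain SID, the LDIF records and the /etc/group lines are constructed sample data; the well-known RIDs and BUILTIN SIDs are the documented MS-DTYP values.

```python
"""Check the Unix ID mapping of well-known AD groups from a Samba DC's idmap.ldb.

Added example, not code from the original post or from Samba. Inputs are the
LDIF that `ldbsearch -H <private dir>/idmap.ldb` prints on the DC and the DC's
/etc/group; the SID, LDIF and /etc/group below are constructed sample data.
"""
import re

# Well-known identifiers from MS-DTYP. Domain Users etc. are domain RIDs
# (S-1-5-21-<domain>-RID); Backup Operators is a BUILTIN group with a fixed SID.
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers"}
BUILTIN_SIDS = {"S-1-5-32-544": "Administrators", "S-1-5-32-551": "Backup Operators"}
DOMAIN_SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-(\d+)")


def parse_ldif(text):
    """Split ldbsearch output into records, each a dict of attr -> [values]."""
    records, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends a record
            if current:
                records.append(current)
            current, last_attr = {}, None
        elif line.startswith("#"):                # "# record N" and other comments
            continue
        elif line.startswith(" ") and last_attr:  # LDIF continuation line
            current[last_attr][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last_attr = attr.strip()
            current.setdefault(last_attr, []).append(value.strip())
    if current:
        records.append(current)
    return records


def parse_etc_group(text):
    """Map gid -> group name from /etc/group lines (name:x:gid:members)."""
    gids = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and not line.startswith("#") and parts[2].isdigit():
            gids[int(parts[2])] = parts[0]
    return gids


def well_known_name(sid):
    """Return the well-known group name for a SID, or None."""
    if sid in BUILTIN_SIDS:
        return BUILTIN_SIDS[sid]
    m = DOMAIN_SID_RE.fullmatch(sid)
    if m:
        return DOMAIN_RIDS.get(int(m.group(1)))
    return None


def check_idmap(ldif_text, etc_group_text):
    """Return (group name or SID, xidNumber, problem) for suspicious sidMap entries.

    Heuristics: an xidNumber below the allocator's lowerBound (recorded in the
    CN=CONFIG entry) was hand-assigned or is the old default, and an xidNumber
    equal to a gid in /etc/group makes the AD group and a local group share one ID.
    """
    records = parse_ldif(ldif_text)
    lower_bound = None
    for rec in records:
        if rec.get("dn", [""])[0].upper() == "CN=CONFIG" and "lowerBound" in rec:
            lower_bound = int(rec["lowerBound"][0])
    local_gids = parse_etc_group(etc_group_text)
    findings = []
    for rec in records:
        if "sidMap" not in rec.get("objectClass", []):
            continue
        sid = rec["objectSid"][0]
        xid = int(rec["xidNumber"][0])
        name = well_known_name(sid) or sid
        if lower_bound is not None and xid < lower_bound:
            findings.append((name, xid, f"below idmap.ldb lowerBound {lower_bound}"))
        if xid in local_gids:
            findings.append((name, xid, f"collides with local group '{local_gids[xid]}'"))
    return findings


# Constructed sample: a Domain Users mapping hand-edited to 513, as in the thread.
SAMPLE_IDMAP_LDIF = """\
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000000
distinguishedName: CN=CONFIG

# record 2
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-513
cn: S-1-5-21-1111111111-2222222222-3333333333-513
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
type: ID_TYPE_GID
xidNumber: 513
distinguishedName: CN=S-1-5-21-1111111111-2222222222-3333333333-513

# record 3
dn: CN=S-1-5-32-551
cn: S-1-5-32-551
objectClass: sidMap
objectSid: S-1-5-32-551
type: ID_TYPE_BOTH
xidNumber: 3000012
distinguishedName: CN=S-1-5-32-551
"""

# Constructed /etc/group; the local group at gid 513 exercises the collision check.
SAMPLE_ETC_GROUP = """\
root:x:0:
users:x:100:
netdev:x:513:
"""

if __name__ == "__main__":
    for name, xid, problem in check_idmap(SAMPLE_IDMAP_LDIF, SAMPLE_ETC_GROUP):
        print(f"{name}: xidNumber {xid} {problem}")
```

On a real DC, feed it the saved output of `ldbsearch -H /usr/local/samba/private/idmap.ldb` and the DC's /etc/group; the parser skips `# record N` comment lines and handles LDIF continuation lines but does not decode base64 (`::`) values, which the attributes shown here do not need. A separate point worth noting while the posted smb.conf is under review: `ldap server require strong auth = no` permits simple LDAP binds without TLS or signing, and `allow dns updates = nonsecure` accepts unauthenticated dynamic DNS updates; both widen the DC's attack surface and deserve a second look once the filer join is done.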