[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership

Rowland Penny rpenny at samba.org
Fri Oct 20 15:48:13 UTC 2017

On Fri, 20 Oct 2017 16:47:43 +0200
Giuseppe Ravasio <giuseppe_ravasio at ch.modiano.com> wrote:

> Sorry for eventually wrong AD terminology!

Don't worry about it, it is just confusing when you call a DC a PDC.
Call it your first DC or anything, just don't call it a PDC ;-)

> > You haven't fixed the 'xidNumber:100 issue', giving 'Domain Users'
> > the ID of '513' is not a good idea and I think you may have just
> > changed '100' in idmap.ldb to '513'
> From the AD DC (;-)) shell the user was missing the "Domain Users"
> group and we thought that could be an xidNumber mapping even on the
> Netapp Filer.
> So I tried what is suggested in this thread:
> https://lists.samba.org/archive/samba/2016-April/thread.html#199609

I really should have said there that using '513' wasn't a good idea ;-)

OK, here is why: On Unix the system users are given an ID from 0 to 999,
the standard users start at 1000. If you give a user or group an ID
like 513, you then need to start the low range for the DOMAIN 'idmap
config' below this. If you don't, then your user or group will be
unknown to Unix. It gets worse if you give Domain Users an ID of
513: unless the low range starts below 513, ALL your users will be
unknown to Unix.

On a DC, Domain Users is mapped to the ID '100' in idmap.ldb, '100'
is the Unix group 'users', so this means that all Unix users will be
members of the Unix group 'users', just as all windows users are
members of Domain Users.

Finally, the IDs you will find on a DC are only used on that DC,
except for the 'mapped' users and groups e.g. '100' for users.
You will only see IDs in the '3000000' range on a DC (unless you
misconfigure 'idmap config' on a Unix domain member).

If you use the winbind 'rid' backend on Unix domain members, you can
get the same IDs on them, but they will still be different IDs to the

The only way to get the same IDs everywhere is to use the winbind
'ad' backend, you will need to give your users and groups RFC2307
attributes though. Windows (when using RSAT) starts the IDs at
'10000' and it is suggested to use that start number.

> > /etc/resolv.conf
> domain modianoad.modiano.com
> nameserver
> search modianoad.modiano.com
> > /etc/hostname
> sambatest1
> > /etc/hosts
>	localhost
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>	sambatest1.modiano.com sambatest1
>	MODIANODC.modianoad.modiano.com MODIANODC

Bit confused here (not hard) ;-)
I take it the above three files are from the DC and the netbios name is
'MODIANODC', yet /etc/hostname contains 'sambatest1'.

If this is the DC, you don't need 'sambatest1.modiano.com sambatest1'
in /etc/hosts. If it isn't the DC, you don't need the other line.

> Clustered DataONTAP seems to be missing those files, or they are not
> accessible via the regular system CLI.
> There are a lot of CIFS related commands and if you can tell me what
> you're looking for I could try searching the docs.
> Anyway, from Netapp all is working well (authentication, groups,
> permissions, sharing etc etc) except when we try to use "Domain Users"
> (and we think also Backup Operators) in ACLs.
> In that case we can set the ACL with a Domain Admins user but the
> other user that has only "Domain Users" permissions cannot access the
> file because the system does not see him as a member of the group.

Is this 'Netapp' thing running some form of Samba?
If so, it must have a smb.conf somewhere.
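A small check, added here and not part of Rowland's or Giuseppe's mail, that walks through the ID argument above: it reads the 'idmap config' ranges from a constructed smb.conf for a Unix domain member and reports whether an ID such as 513 or 100 would be known to Unix, and what the 'rid' backend would hand out instead. The domain name MODIANOAD and both range sets are constructed; the rid arithmetic assumed is low range plus RID, which is idmap_rid's behaviour with its default BASE_RID.

```python
import re

# Constructed smb.conf fragments for a Unix domain member (not from the thread).
# The first keeps the DOMAIN low range at 10000; the second lowers it to 500 so
# that an ID of 513 falls inside the range, which the thread warns against.
SMB_CONF_10000 = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MODIANOAD : backend = rid
   idmap config MODIANOAD : range = 10000-999999
"""
SMB_CONF_500 = SMB_CONF_10000.replace("10000-999999", "500-999999")

SYSTEM_ID_MAX = 999  # Unix system accounts use 0-999; regular users start at 1000

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    pat = re.compile(r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in pat.finditer(conf)}

def rid_to_id(rid, ranges, domain):
    """ID the 'rid' backend hands out: low end of the domain range plus the RID (default BASE_RID)."""
    return ranges[domain][0] + rid

def check_id(xid, ranges):
    """Say whether winbind on the member can resolve this ID, and whether it clashes with system IDs."""
    hits = [d for d, (lo, hi) in ranges.items() if lo <= xid <= hi]
    if not hits:
        return "unknown to Unix: outside every idmap range"
    if xid <= SYSTEM_ID_MAX:
        return "collides with Unix system IDs 0-%d" % SYSTEM_ID_MAX
    return "ok (range %s)" % hits[0]

def audit(conf):
    """Check the thread's cases against one smb.conf: 513 copied from the RID,
    100 copied from the DC's idmap.ldb, and what the rid backend itself gives Domain Users."""
    ranges = parse_idmap_ranges(conf)
    return {
        "Domain Users xid 513": check_id(513, ranges),
        "users xid 100 (DC-only mapping)": check_id(100, ranges),
        "Domain Users via rid": check_id(rid_to_id(513, ranges, "MODIANOAD"), ranges),
    }

if __name__ == "__main__":
    for label, conf in (("low range 10000", SMB_CONF_10000), ("low range 500", SMB_CONF_500)):
        print(label, audit(conf))
```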
