[Samba] domain users issue

Trenta sis trenta.sis at gmail.com
Mon Feb 12 20:21:27 UTC 2018

Not possible, I do not have a Windows AD DC, but I don't doubt it
works, probably because Windows has a similar workaround to
'samba-tool group listmembers Domain\ Users'  --> Correct, this command
returns the users correctly

Can you create a file on the netapp that ends up belonging to
'username:Domain Users' ?  --> Correct, file created without issues

Does 'getent group Domain\ Users' produce output ? --> output:
# getent group Domain\ Users
DOMAIN\domain users:x:513:

What version of Samba is running on the netapp and what is its
smb.conf ? --> Not sure how to check samba versions used by netapp,
how to check on cdot version of samba used? smb.conf is:

Samba PDC used is 4.4.5 and also tried with 4.4.16, but it seems that
with 4.7 I also reproduced it


        bind interfaces only = Yes
        interfaces = lo eth0 eth0:0
        netbios name = SERVER
        realm = DOMAIN.COM
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = DOMAIN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        comment =

        winbind enum users = yes
        winbind enum groups = yes

        tls enabled = yes
        tls keyfile = tls/server.pem.nopass.key
        tls certfile = tls/server.pem.crt
        tls cafile = tls/server_ca.pem.crt

        tls verify peer = ca_and_name
        ldap server require strong auth = no

        path = /usr/local/samba/var/locks/sysvol/domain.es/scripts
        read only = No

        path = /usr/local/samba/var/locks/sysvol
        read only = No


2018-02-12 20:56 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
> It is not a permission issue, because if you replace the primary group then
> it works. It seems a bug related to primary group and domain users,
> then not listed and permission not applied because it is not working,
> tried with native AD Windows 2008 and then the error is not reproduced, net
> group /domain "Domain users" lists users correctly also if they have
> domain users as primary group
> Thanks
> 2018-02-12 20:52 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>> Hi,
>> If you try net group /domain "Domain Users" in a Samba domain with
>> domain users as primary group any user is shown, but if you try the
>> same in a native AD then users are listed, try this to reproduce the
>> error
>> Thanks
>> 2018-02-12 20:24 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>>> Hi Rowland,
>>> Not really sure if that is correct, tried with native AD and domain
>>> users are shown also if they have domain users as primary group. It
>>> seems a Samba bug like it was described here
>>> https://lists.samba.org/archive/samba/2017-October/211699.html
>>> Any suggestion about how to solve, other groups are working OK, but
>>> it seems that with netapp cdot domain users are not usable, and this is a
>>> problem...
>>> Thanks
>>> 2018-02-12 17:28 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>>>> Hi,
>>>> Using Samba 4, and having users configured with primary group domain
>>>> users (513), we detected that if you execute net group /domain
>>>> "Domain Users" then the user is not shown as a member of domain users,
>>>> if you remove it from the primary group and assign another group then with
>>>> net group /domain "Domain Users" you can list this user as a member.
>>>> This means that, for example, permissions to shares assigned to
>>>> domain users are not working
>>>> Can anybody give some information on where the issue is, reproduced with
>>>> Samba 4.4.5 and 4.4.16
>>>> thanks
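
Added example, not part of the original thread: in the AD schema a user's primary group is recorded as a RID in the user's `primaryGroupID` attribute and not in the group's LDAP `member` attribute, so an access review of "Domain Users" has to combine both sources. The entries, SIDs and the `Staff` group below are constructed for illustration.

```python
# Constructed sample entries; SIDs, DNs and the "Staff" group are illustrative only.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
BASE = "CN=Users,DC=domain,DC=com"
ENTRIES = [
    {"dn": f"CN=Domain Users,{BASE}", "objectSid": f"{DOM}-513",
     "member": [f"CN=bob,{BASE}"]},
    {"dn": f"CN=Staff,{BASE}", "objectSid": f"{DOM}-1105",
     "member": [f"CN=alice,{BASE}"]},
    # alice: Domain Users is her primary group, so she is absent from its member list
    {"dn": f"CN=alice,{BASE}", "objectSid": f"{DOM}-1103", "primaryGroupID": 513},
    # bob: primary group changed to Staff, so he appears in Domain Users' member list
    {"dn": f"CN=bob,{BASE}", "objectSid": f"{DOM}-1104", "primaryGroupID": 1105},
]

def split_sid(sid):
    """Return (domain SID, RID) for a string SID such as S-1-5-21-...-513."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def group_members(entries, group_dn):
    """Return (explicit, primary): DNs from 'member' and DNs whose
    primaryGroupID equals the group's RID."""
    group = next(e for e in entries if e["dn"] == group_dn)
    g_domain, g_rid = split_sid(group["objectSid"])
    explicit = set(group.get("member", []))
    primary = set()
    for e in entries:
        if "primaryGroupID" not in e:
            continue  # groups and other objects carry no primary group
        e_domain, _ = split_sid(e["objectSid"])
        # RIDs are only unique inside one domain, so compare the domain part too
        if e_domain == g_domain and int(e["primaryGroupID"]) == g_rid:
            primary.add(e["dn"])
    return explicit, primary

def missing_from_member_list(entries, group_dn):
    """DNs that belong to the group only through primaryGroupID."""
    explicit, primary = group_members(entries, group_dn)
    return sorted(primary - explicit)

if __name__ == "__main__":
    dn = f"CN=Domain Users,{BASE}"
    explicit, primary = group_members(ENTRIES, dn)
    print("member attribute :", sorted(explicit))
    print("primaryGroupID   :", sorted(primary))
    print("effective members:", sorted(explicit | primary))
```
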
