[Samba] domain users issue

Trenta sis trenta.sis at gmail.com
Mon Feb 12 20:25:47 UTC 2018


Hi,
Additional information: creating a new file or folder with full
permission to domain user, both are not usable (permission denied);
then if you add permission at user level, it works. It seems that
the issue is only with domain users as primary group.
Thanks

2018-02-12 21:21 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
> Not possible, I do not have a Windows AD DC, but I don't doubt it
> works, probably because windows has a similar work around to
> 'samba-tool group listmembers Domain\ Users'  --> Correct this command
> returns correctly the users
>
> Can you create a file on the netapp that ends up belonging to
> 'username:Domain Users' ?  --> Correct, file created without issues
>
> Does 'getent group Domain\ Users' produce output ? --> output:
> # getent group Domain\ Users
> DOMAIN\domain users:x:513:
>
> What version of Samba is running on the netapp and what is its
> smb.conf ? --> Not sure how to check samba versions used by netapp,
> how to check on cdot version of samba used? smb.conf is:
>
> samba pdc used is 4.4.5 and also tried with 4.4.16, but seems that
> with 4.7 i also reproduced
>
> [global]
>
>         bind interfaces only = Yes
>         interfaces = lo eth0 eth0:0
>         netbios name = SERVER
>         realm = DOMAIN.COM
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = DOMAIN
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         comment =
>
>         winbind enum users = yes
>         winbind enum groups = yes
>
>         tls enabled = yes
>         tls keyfile = tls/server.pem.nopass.key
>         tls certfile = tls/server.pem.crt
>         tls cafile = tls/server_ca.pem.crt
>
>         tls verify peer = ca_and_name
>         ldap server require strong auth = no
>
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/domain.es/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
>
> Rowland
>
> 2018-02-12 20:56 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>> Is not a permission issue, because if you replace primary group then
>> works, it seems a bug related with primary group and domain users,
>> then not listed and permission not applied because is not working,
>> tried with native AD windows 2008 and then error not reproduced net
>> group /domain "Domain users" lists correctly users also if they have
>> domain users as primary groups
>> Thanks
>>
>>
>> 2018-02-12 20:52 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>>> Hi,
>>>
>>> If you try net group /domain "Domain Users" in samba domain with
>>> domain users as primary group any user is showed, but If you try the
>>> same in a native AD then users are listed, try this to reproduce the
>>> error
>>> Thanks
>>>
>>>
>>> 2018-02-12 20:24 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>>>> Hi Rowland,
>>>>
>>>> Not really sure if that is correct, tried with native AD and domain
>>>> users are shown also if they have domain users as primary group, it
>>>> seems a samba bug like it was described here
>>>> https://lists.samba.org/archive/samba/2017-October/211699.html
>>>>
>>>> Any suggestion about how to solve, other groups are working OK, but
>>>> seems that with netapp cdot domain users are not usable, and this is a
>>>> problem...
>>>>
>>>>
>>>> Thanks
>>>>
>>>> 2018-02-12 17:28 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>>>>> Hi,
>>>>>
>>>>> Using a samba 4, and having users configured as primary group domain
>>>>> users (513) we detected that then if you execute net group /domain
>>>>> "Domain Users" then user is not showed in as member of domain users,
>>>>> if you remove from primary group and assign another group then with
>>>>> net group /domain "Domain Users" you can list this user as member.
>>>>>
>>>>> This generates that for example permissions to shares assigned to
>>>>> domain users are not working
>>>>>
>>>>> Anybody can give some information where is the issue, reproduced with
>>>>> samba 4.4.5 and 4.4.16
>>>>>
>>>>> thanks


