Giuseppe Ravasio
2017-Oct-23 07:11 UTC
[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership
On 10/20/2017 05:48 PM, Rowland Penny via samba wrote:
>> So I tried what is suggested in this thread:
>> https://lists.samba.org/archive/samba/2016-April/thread.html#199609
>
> I really should have said there that using '513' wasn't a good idea ;-)

ok I'll revert to 100 ;-)

> The only way to get the same IDs everywhere is to use the winbind
> 'ad' backend, you will need to give your users and groups RFC2307
> attributes though. Windows (when using RSAT) starts the IDs at
> '10000' and it is suggested to use that start number.

This means that even if I deployed the Domain with "--use-rfc2307" the
RFC2307 attributes are not already populated?

> If this is the DC, you don't need '192.168.100.50
> sambatest1.modiano.com sambatest1' in /etc/hosts

Yep, sorry for not trashing the line...
We are using an IP alias for ssh access and another one for samba,
so the sambatest1 is just the entry for the other IP alias.

>> Clustered DataONTAP seems to be missing those files, or they are not
>> accessible via regular system CLI.
>> There are a lot of CIFS related commands and if you can tell me what
>> you're looking for I could try searching the docs.
>>
>> Anyway from Netapp is all working well (Authentication, groups,
>> permissions, sharing etc etc) except when we try to use "Domain Users"
>> (and we think also Backup Operators) in ACLs.
>> In that case we can set the ACL with a Domain Admins user but the
>> other user that has only "Domain Users" permissions cannot access the
>> file because the system does not see him as member of the group
>>
>
> Is this 'Netapp' thing running some form of Samba ?
> If so it must have a smb.conf somewhere.

As far as I know Netapp OS is not running some form of Samba.
And as usual they do not officially support Samba as DC :-(

Thanks
Giuseppe
Rowland Penny
2017-Oct-23 07:29 UTC
[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership
On Mon, 23 Oct 2017 09:11:23 +0200
Giuseppe Ravasio <giuseppe_ravasio at ch.modiano.com> wrote:

> On 10/20/2017 05:48 PM, Rowland Penny via samba wrote:
> >> So I tried what is suggested in this thread:
> >> https://lists.samba.org/archive/samba/2016-April/thread.html#199609
> >
> > I really should have said there that using '513' wasn't a good
> > idea ;-)
>
> ok I'll revert to 100 ;-)
>
> > The only way to get the same IDs everywhere is to use the winbind
> > 'ad' backend, you will need to give your users and groups RFC2307
> > attributes though. Windows (when using RSAT) starts the IDs at
> > '10000' and it is suggested to use that start number.
>
> This means that even if I deployed the Domain with "--use-rfc2307" the
> RFC2307 attributes are not already populated?
>

All that using '--use-rfc2307' does is allow the use of rfc2307
attributes such as 'uidNumber' and 'gidNumber', it does not populate
any of the rfc2307 attributes.

DCs work slightly differently from Unix domain members, they use
'xidNumber' attributes in idmap.ldb, these attributes are only used on
the DC and nowhere else. These 'xidNumber' attributes can be overridden
by using rfc2307 attributes.

Rowland
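An added example, not part of the original messages: a Python check over LDIF-style search output that lists users without 'uidNumber' and groups without 'gidNumber', or with an ID under the 10000 start mentioned in the thread. The sample records, the example.com domain and the choice of which attribute to check per object class are assumptions.

```python
import base64

ID_START = 10000  # start number suggested in the thread

# Constructed sample records (hypothetical domain, not from the thread).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName:: RG9tYWluIFVzZXJz
gidNumber: 500
"""

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per LDIF record."""
    # Unfold continuation lines: a leading space continues the previous line.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: value" is base64-encoded
                raw = base64.b64decode(value[1:].strip())
                value = raw.decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def audit(text, start=ID_START):
    """Return (account, problem) pairs for users and groups."""
    findings = []
    for e in parse_ldif(text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        # Assumption: groups are checked for gidNumber, users for uidNumber.
        attr = "gidNumber" if "group" in classes else "uidNumber"
        name = e.get("samaccountname", e["dn"])[0]
        ids = e.get(attr.lower())
        if not ids:
            findings.append((name, attr + " missing"))
        elif int(ids[0]) < start:
            findings.append((name, f"{attr} {ids[0]} below {start}"))
    return findings
```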
Giuseppe Ravasio
2017-Oct-23 08:04 UTC
[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership
On 10/23/2017 09:29 AM, Rowland Penny via samba wrote:
> All that using '--use-rfc2307' does is allow the use of rfc2307
> attributes such as 'uidNumber' and 'gidNumber', it does not
> populate any of the rfc2307 attributes.
>
> DCs work slightly differently from Unix domain members, they use
> 'xidNumber' attributes in idmap.ldb, these attributes are only used on
> the DC and nowhere else. These 'xidNumber' attributes can be
> overridden by using rfc2307 attributes

Thanks.
Even if it is now clear that RFC2307 is not related to my problem, this is
a very useful clarification!

Giuseppe