samba - Feb 2018 - domain users issue

Hi,

Using a samba 4, and having users configured as primary group domain
users (513) we detected that then if you execute net group /domain
"Domain Users" then user is not showed in as member of domain users,
if you remove from primary group and assign another group then with
net group /domain "Domain Users" you can list this user as member.

This generates that for example permissions to ahres assigned to
doamin users are not working

Anybody can give some information where is the issue, reproduced with
samba 4.4.5 and 4.4.16

thanks

On Mon, 12 Feb 2018 17:28:23 +0100
Trenta sis via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> Using a samba 4, and having users configured as primary group domain
> users (513) we detected that then if you execute net group /domain
> "Domain Users" then user is not showed in as member of domain
users,
> if you remove from primary group and assign another group then with
> net group /domain "Domain Users" you can list this user as
member.
> 
> This generates that for example permissions to ahres assigned to
> doamin users are not working
> 
> Anybody can give some information where is the issue, reproduced with
> samba 4.4.5 and 4.4.16
> 
> thanks
> 
To be honest, I have never tried to run this command on windows, but
your problem is probably because membership of Domain Users is a bit
special. All users are, by default, members of Domain Users, but the
groups object does not show any members and the users do not have a
'memberOf' attribute pointing to Domain Users.

Or another way of saying the above, you have nothing to worry about,
unless you have done something silly like changing the users
'primaryGroupID' attribute.

Rowland

Hi Rowland,

Not really sure if that is correct, tried with native AD and domain
users are showed also if they have domain users as primary group, IT
seems a samba bug liek It was described here
https://lists.samba.org/archive/samba/2017-October/211699.html

Any suggestion about how to solve, other groups are working OK, but
seems that with netapp cdot domain users are not usable, and this is a
problem...


Thanks<div id="DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2"><br
/> <table
style="border-top: 1px solid #D3D4DE;">
	<tr>
      <td style="width: 55px; padding-top: 18px;"><a
href="http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail"
target="_blank"><img
src="https://ipmcdn.avast.com/images/icons/icon-envelope-tick-green-avg-v1.png"
alt="" width="46" height="29" style="width:
46px; height: 29px;"
/></a></td>
		<td style="width: 470px; padding-top: 17px; color: #41424e;
font-size: 13px; font-family: Arial, Helvetica, sans-serif;
line-height: 18px;">Libre de virus. <a
href="http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail"
target="_blank" style="color:
#4453ea;">www.avg.com</a> 		</td>
	</tr>
</table>
<a href="#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2" width="1"
height="1"></a></div>

2018-02-12 17:28 GMT+01:00 Trenta sis <trenta.sis at
gmail.com>:
> Hi,
>
> Using a samba 4, and having users configured as primary group domain
> users (513) we detected that then if you execute net group /domain
> "Domain Users" then user is not showed in as member of domain
users,
> if you remove from primary group and assign another group then with
> net group /domain "Domain Users" you can list this user as
member.
>
> This generates that for example permissions to ahres assigned to
> doamin users are not working
>
> Anybody can give some information where is the issue, reproduced with
> samba 4.4.5 and 4.4.16
>
> thanks

On Mon, 12 Feb 2018 20:24:01 +0100
Trenta sis via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
> 
> Not really sure if that is correct, tried with native AD and domain
> users are showed also if they have domain users as primary group, IT
> seems a samba bug liek It was described here
> https://lists.samba.org/archive/samba/2017-October/211699.html
> 
> Any suggestion about how to solve, other groups are working OK, but
> seems that with netapp cdot domain users are not usable, and this is a
> problem...
> 
I ran the command on a win7 machine and it didn't show ANY users as
members of Domain Users, yet every user is definitely a member of Domain
Users.

If I run (on a DC): samba-tool group listmembers Domain\ Users

I get a list of all members, but 'listmembers' uses this filter:

(|(primaryGroupID=%s)(memberOf=%s))

Which means use either the contents of the 'primaryGroupID' attribute
OR any 'memberOf' attributes.

If a member of Domain Users (i.e. Every AD user) cannot read a file in
a share that has the group permissions for Domain Users, then the
problem is more than likely to be on the netapp.

Rowland

Hi,

If you try net group /domain "Domain Users" in samba domain with
domain users as primary group any user is showed, but If you try the
same in a native AD then users are listed, try this to reproduce the
error
Thanks


2018-02-12 20:24 GMT+01:00 Trenta sis <trenta.sis at
gmail.com>:
> Hi Rowland,
>
> Not really sure if that is correct, tried with native AD and domain
> users are showed also if they have domain users as primary group, IT
> seems a samba bug liek It was described here
> https://lists.samba.org/archive/samba/2017-October/211699.html
>
> Any suggestion about how to solve, other groups are working OK, but
> seems that with netapp cdot domain users are not usable, and this is a
> problem...
>
>
> Thanks<div id="DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2"><br
/> <table
> style="border-top: 1px solid #D3D4DE;">
>         <tr>
>       <td style="width: 55px; padding-top: 18px;"><a
>
href="http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail"
> target="_blank"><img
>
src="https://ipmcdn.avast.com/images/icons/icon-envelope-tick-green-avg-v1.png"
> alt="" width="46" height="29"
style="width: 46px; height: 29px;"
> /></a></td>
>                 <td style="width: 470px; padding-top: 17px; color:
#41424e;
> font-size: 13px; font-family: Arial, Helvetica, sans-serif;
> line-height: 18px;">Libre de virus. <a
>
href="http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail"
> target="_blank" style="color:
#4453ea;">www.avg.com</a>                 </td>
>         </tr>
> </table>
> <a href="#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2"
width="1" height="1"></a></div>
>
> 2018-02-12 17:28 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>> Hi,
>>
>> Using a samba 4, and having users configured as primary group domain
>> users (513) we detected that then if you execute net group /domain
>> "Domain Users" then user is not showed in as member of domain
users,
>> if you remove from primary group and assign another group then with
>> net group /domain "Domain Users" you can list this user as
member.
>>
>> This generates that for example permissions to ahres assigned to
>> doamin users are not working
>>
>> Anybody can give some information where is the issue, reproduced with
>> samba 4.4.5 and 4.4.16
>>
>> thanks