Giuseppe Ravasio
2017-Oct-20 13:02 UTC
[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership
Hi,
we are testing a new AD domain that will replace our old NT4 one, and we are setting up a new cifs vserver of our Netapp filer (running Clustered Dataontap 9.2).

The new AD domain was a clean deployment created using "samba-tool domain provision --server-role=dc --use-rfc2307 ...".
All seems to work well and the Netapp filer joins the domain without errors and seems to run fine.

The only issue is that from the Netapp point of view every user is a member of various groups but not of the "Domain Users" one (the same for "Backup operators"). This prevents us from using the Domain Users group to set permissions on share access.

We already fixed the xidNumber:100 issue in idmap.ldb and in fact from the PDC perspective the user is a "Domain Users" member:

_________________________________________________________________________
root@:# id testuser
uid=3000021(COMPANYAD\testuser) gid=513(COMPANYAD\domain users) groups=513(COMPANYAD\domain users),3000021(COMPANYAD\testuser),3000034(COMPANYAD\test_share),3000023(COMPANYAD\noc),3000035(BUILTIN\backup operators),3000009(BUILTIN\users)
_________________________________________________________________________

but from the Netapp one the user has fewer groups:

_________________________________________________________________________
filer::*> diag secd authentication show-creds -node filer-node2 -vserver cifs-node1-sata -win-name testuser

UNIX UID: pcuser <> Windows User: COMPANYAD\testuser (Windows Domain User)

GID: pcuser
Supplementary GIDs: pcuser

Windows Membership:
    COMPANYAD\test_share (Windows Domain group)
    COMPANYAD\noc (Windows Domain group)
    User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x2000):
    SeChangeNotifyPrivilege
_________________________________________________________________________

We tried to execute the last command with samba set to debug and it seems that it's effectively not reporting the group membership:

_________________________________________________________________________
[2017/10/20 12:54:15.922510, 6, pid=21463, effective(0, 0), real(0, 0)] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=modianoad,DC=testdomainDC=com NULL -> 1
[2017/10/20 12:54:15.922873, 10, pid=21463, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
  ldb: ldb_trace_response: ENTRY
dn: <GUID=56d24437-bb0b-40fa-bf73-1ebad28071cd>;<SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1105>;CN=testuser,OU=Test,DC=modianoad,DC=testdomainDC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
badPwdCount: 0
badPasswordTime: 0
lastLogoff: 0
objectSid: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1105
accountExpires: 9223372036854775807
sAMAccountName: testuser
userPrincipalName: testuser at modianoad.modiano.com
displayName: testuserd
userAccountControl: 512
# unicodePwd::: REDACTED SECRET ATTRIBUTE
# supplementalCredentials::: REDACTED SECRET ATTRIBUTE
pwdLastSet: 131498665610000000
memberOf: <GUID=bcd82010-5add-47ab-95b7-59684911358a>;<SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1121>;CN=test_share,OU=Test,DC=modianoad,DC=testdomainDC=com
memberOf: <GUID=1a3277cf-62cd-4b0f-bd2a-e898a2b3fff2>;<SID=S-1-5-32-551>;CN=Backup Operators,CN=Builtin,DC=modianoad,DC=testdomainDC=com
memberOf: <GUID=50cae1b4-168a-43e6-9fc7-43fa7cd7e8a3>;<SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1111>;CN=noc,CN=Users,DC=modianoad,DC=testdomainDC=com
lastLogonTimestamp: 131528901605870470
primaryGroupID: 513
lastLogon: 131529690266506010
logonCount: 389
msDS-KeyVersionNumber: 95
msDS-User-Account-Control-Computed: 0
msDS-UserPasswordExpiryTimeComputed: 131654185610000000
_________________________________________________________________________

Every hint is welcome! ;-)

Giuseppe
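As an added check (not part of the thread), a small Python script that compares the groups the DC attributes to testuser with what the filer's credential shows, using the two outputs above as constructed sample input. It also makes explicit a detail the trace shows: AD never lists the primary group in memberOf, it is carried only by primaryGroupID (513 = Domain Users), so any consumer reading memberOf alone misses it; the well-known RID table is the standard AD one.

```python
import re

# Constructed sample input: the memberOf/primaryGroupID lines from the DC trace
# above (SIDs redacted as in the post) and the filer's "Windows Membership" lines.
DC_LDIF = r"""
objectSid: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1105
memberOf: <GUID=bcd82010-5add-47ab-95b7-59684911358a>;<SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1121>;CN=test_share,OU=Test,DC=modianoad,DC=testdomainDC=com
memberOf: <GUID=1a3277cf-62cd-4b0f-bd2a-e898a2b3fff2>;<SID=S-1-5-32-551>;CN=Backup Operators,CN=Builtin,DC=modianoad,DC=testdomainDC=com
memberOf: <GUID=50cae1b4-168a-43e6-9fc7-43fa7cd7e8a3>;<SID=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-3271483883-1111>;CN=noc,CN=Users,DC=modianoad,DC=testdomainDC=com
primaryGroupID: 513
"""

FILER_CREDS = r"""
Windows User: COMPANYAD\testuser (Windows Domain User)
Windows Membership:
    COMPANYAD\test_share (Windows Domain group)
    COMPANYAD\noc (Windows Domain group)
"""

# Well-known domain RIDs (standard AD values); primaryGroupID stores only the RID.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   515: "Domain Computers", 516: "Domain Controllers"}

def dc_groups(ldif):
    """Return (set of group names, primary group name) the DC attributes to the user.
    The primary group is not in memberOf; it is derived from primaryGroupID."""
    groups, primary = set(), None
    for line in ldif.splitlines():
        attr, _, value = line.partition(": ")
        if attr == "memberOf":
            cn = re.search(r"CN=([^,]+)", value)   # first RDN of the group DN
            if cn:
                groups.add(cn.group(1).lower())
        elif attr == "primaryGroupID":
            rid = int(value)
            primary = WELL_KNOWN_RIDS.get(rid, f"rid-{rid}").lower()
    if primary:
        groups.add(primary)
    return groups, primary

def filer_groups(creds):
    """Return the group names from the filer's 'DOMAIN\\name (... group)' lines."""
    return {m.group(1).lower()
            for m in re.finditer(r"[\w.-]+\\([^(\n]+?) \([^)]*group\)", creds)}

def missing_groups(ldif, creds):
    """Groups the DC grants the user that the filer's credential did not receive."""
    dc, _ = dc_groups(ldif)
    return sorted(dc - filer_groups(creds))

if __name__ == "__main__":
    print("missing on filer:", missing_groups(DC_LDIF, FILER_CREDS))
```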
Rowland Penny
2017-Oct-20 13:41 UTC
[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership
On Fri, 20 Oct 2017 15:02:45 +0200
Giuseppe Ravasio via samba <samba at lists.samba.org> wrote:

> Hi,
> we are testing a new AD domain that will replace our old NT4 one, and
> we are setting up a new cifs vserver of our Netapp filer (running
> Clustered Dataontap 9.2).
>
> The new AD domain was a clean deployment created using "samba-tool
> domain provision --server-role=dc --use-rfc2307 ...".
> All seems to work well and the Netapp filer joins the domain without
> errors and seems to run fine.
>
> The only issue is that from the Netapp point of view every user is a
> member of various groups but not of the "Domain Users" one (the same
> for "Backup operators"). This prevents us from using the Domain Users
> group to set permissions on share access.
>
> We already fixed the xidNumber:100 issue in idmap.ldb and in fact from
> the PDC perspective the user is a "Domain Users" member:
>
>
> _________________________________________________________________________
> root@:# id testuser
> uid=3000021(COMPANYAD\testuser) gid=513(COMPANYAD\domain users)
> groups=513(COMPANYAD\domain
> users),3000021(COMPANYAD\testuser),3000034(COMPANYAD\test_share),3000023(COMPANYAD\noc),3000035(BUILTIN\backup
> operators),3000009(BUILTIN\users)
> _________________________________________________________________________

You haven't fixed the 'xidNumber:100 issue', giving 'Domain Users' the ID of '513' is not a good idea and I think you may have just changed '100' in idmap.ldb to '513'

You also do NOT have a PDC, this was what you had before, you now have an AD DC, if you add another DC, that will be another AD DC.

I think your problems are being caused by misconfiguration and the lack of libnss_winbind being set up.

Can you post the following files:

smb.conf
/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/nsswitch.conf

From the AD DC and the netapp

Rowland
Giuseppe Ravasio
2017-Oct-20 14:47 UTC
[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership
Sorry for eventually wrong AD terminology!

> You haven't fixed the 'xidNumber:100 issue', giving 'Domain Users' the
> ID of '513' is not a good idea and I think you may have just changed
> '100' in idmap.ldb to '513'

From the AD DC (;-)) shell the user was missing the "Domain Users" group and we thought that could be a xidNumber mapping even on the Netapp Filer.
So I tried what is suggested in this thread:
https://lists.samba.org/archive/samba/2016-April/thread.html#199609

Maybe I misunderstood the solution and I changed only the mapping in winbind. Is that so?

From the AD DC:

> smb.conf
# Global parameters
[global]
        bind interfaces only = Yes
        interfaces = lo ens32:SMB
        netbios name = MODIANODC
        realm = MODIANOAD.MODIANO.COM
        workgroup = MODIANOAD
        dns forwarder = 192.168.100.5
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        comment = "TEST AD"
        log level = 4
        log file = /var/log/samba/log.samba
        password hash gpg key ids = XXXXXXXXX
        # Needed to join Netapp
        ldap server require strong auth = no
        allow dns updates = nonsecure
        #Disable printing
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/modianoad.modiano.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

> /etc/resolv.conf
domain modianoad.modiano.com
nameserver 192.168.100.51
search modianoad.modiano.com

> /etc/hostname
sambatest1

> /etc/hosts
127.0.0.1       localhost
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.100.50 sambatest1.modiano.com sambatest1
192.168.100.51 MODIANODC.modianoad.modiano.com MODIANODC

> /etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

> From the AD DC and the netapp
Clustered DataONTAP seems to be missing those files, or they are not accessible via the regular system CLI. There are a lot of CIFS related commands and if you can tell me what you're looking for I could try searching the docs.

Anyway from Netapp all is working well (Authentication, groups, permissions, sharing etc etc) except when we try to use "Domain Users" (and we think also Backup Operators) in ACLs. In that case we can set the ACL with a Domain Admins user but the other user that has only "Domain Users" permissions cannot access the file because the system does not see him as a member of the group.

Thanks
Giuseppe