Giuseppe Ravasio
2017-Oct-20 14:47 UTC
[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership
Sorry for eventually wrong AD terminology!

> You haven't fixed the 'xidNumber:100 issue', giving 'Domain Users' the
> ID of '513' is not a good idea and I think you may have just changed
> '100' in idmap.ldb to '513'

From the AD DC (;-)) shell the user was missing the "Domain Users" group
and we thought that could be a xidNumber mapping even on the Netapp Filer.

So I tried what is suggested in this thread:
https://lists.samba.org/archive/samba/2016-April/thread.html#199609

Maybe I misunderstood the solution and I changed only the mapping in
winbind. Is that so?

From the AD DC:

> smb.conf

# Global parameters
[global]
    bind interfaces only = Yes
    interfaces = lo ens32:SMB
    netbios name = MODIANODC
    realm = MODIANOAD.MODIANO.COM
    workgroup = MODIANOAD
    dns forwarder = 192.168.100.5
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    comment = "TEST AD"
    log level = 4
    log file = /var/log/samba/log.samba
    password hash gpg key ids = XXXXXXXXX
    # Needed to join Netapp
    ldap server require strong auth = no
    allow dns updates = nonsecure
    #Disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/modianoad.modiano.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

> /etc/resolv.conf

domain modianoad.modiano.com
nameserver 192.168.100.51
search modianoad.modiano.com

> /etc/hostname

sambatest1

> /etc/hosts

127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.100.50 sambatest1.modiano.com sambatest1
192.168.100.51 MODIANODC.modianoad.modiano.com MODIANODC

> /etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

> From the AD DC and the netapp

Clustered DataONTAP seems to be missing those files, or they are not
accessible via regular system CLI.
There are a lot of CIFS related commands and if you can tell me what
you're looking for I could try searching the docs.

Anyway from Netapp all is working well (Authentication, groups,
permissions, sharing etc etc) except when we try to use "Domain Users"
(and we think also Backup Operators) in ACLs.
In that case we can set the ACL with a Domain Admins user but the
other user that has only "Domain Users" permissions cannot access the
file because the system does not see him as a member of the group.

Thanks
Giuseppe
Rowland Penny
2017-Oct-20 15:48 UTC
[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership
On Fri, 20 Oct 2017 16:47:43 +0200
Giuseppe Ravasio <giuseppe_ravasio at ch.modiano.com> wrote:

> Sorry for eventually wrong AD terminology!

Don't worry about it, it is just confusing when you call a DC a PDC,
call it your first DC or anything, just don't call it a PDC ;-)

>
> > You haven't fixed the 'xidNumber:100 issue', giving 'Domain Users'
> > the ID of '513' is not a good idea and I think you may have just
> > changed '100' in idmap.ldb to '513'
>
> From the AD DC (;-)) shell the user was missing the "Domain Users"
> group and we thought that could be a xidNumber mapping even on the
> Netapp Filer.
>
> So I tried what is suggested in this thread:
> https://lists.samba.org/archive/samba/2016-April/thread.html#199609

I really should have said there that using '513' wasn't a good idea ;-)

OK, here is why:

On Unix the system users are given an ID from 0 to 999, the standard
users start at 1000. If you give a user or group an ID like 513, you
then need to start the low range for the DOMAIN 'idmap config' below
this. If you don't, then your user or group will be unknown to Unix. It
gets worse if you give Domain Users an ID of 513: unless the low range
starts below 513, ALL your users will be unknown to Unix.

On a DC, Domain Users is mapped to the ID '100' in idmap.ldb. '100' is
the Unix group 'users', so this means that all Unix users will be
members of the Unix group 'users', just as all Windows users are members
of Domain Users.

Finally, the IDs you will find on a DC are only used on that DC, except
for the 'mapped' users and groups, e.g. '100' for users. You will only
see IDs in the '3000000' range on a DC (unless you misconfigure 'idmap
config' on a Unix domain member). If you use the winbind 'rid' backend
on Unix domain members, you can get the same IDs on them, but they will
still be different IDs to the DCs. The only way to get the same IDs
everywhere is to use the winbind 'ad' backend; you will need to give
your users and groups RFC2307 attributes though.
Windows (when using RSAT) starts the IDs at '10000' and it is suggested
to use that start number.

> > /etc/resolv.conf
> domain modianoad.modiano.com
> nameserver 192.168.100.51
> search modianoad.modiano.com
>
> > /etc/hostname
> sambatest1
>
> > /etc/hosts
> 127.0.0.1 localhost
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 192.168.100.50 sambatest1.modiano.com sambatest1
> 192.168.100.51 MODIANODC.modianoad.modiano.com MODIANODC
>

Bit confused here (not hard) ;-)
I take it the above three files are from the DC and the netbios name is
'MODIANODC', yet /etc/hostname contains 'sambatest1'.
If this is the DC, you don't need '192.168.100.50 sambatest1.modiano.com
sambatest1' in /etc/hosts. If it isn't the DC, you don't need the other
line.

> Clustered DataONTAP seems to be missing those files, or they are not
> accessible via regular system CLI.
> There are a lot of CIFS related commands and if you can tell me what
> you're looking for I could try searching the docs.
>
> Anyway from Netapp all is working well (Authentication, groups,
> permissions, sharing etc etc) except when we try to use "Domain Users"
> (and we think also Backup Operators) in ACLs.
> In that case we can set the ACL with a Domain Admins user but the
> other user that has only "Domain Users" permissions cannot access the
> file because the system does not see him as a member of the group.
>

Is this 'Netapp' thing running some form of Samba?
If so it must have a smb.conf somewhere.

Rowland
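Added example (not code from the thread or from the Samba project) that turns the ID-range rules explained above into a check: it parses the 'idmap config ... : range' lines of a constructed domain-member smb.conf, flags overlapping ranges, and reports why a hand-picked xidNumber such as 513 for Domain Users would be unknown to Unix on that member, while the ID the 'rid' backend derives (range low + RID) falls inside the range. The workgroup and ranges are assumed sample values.

```python
"""Sanity-check winbind idmap ranges against an explicit xidNumber choice."""
import re

SYSTEM_ID_MAX = 999  # Unix system users/groups use 0-999; normal users start at 1000


def parse_idmap_ranges(smb_conf):
    """Return {DOMAIN: (low, high)} from 'idmap config DOM : range = low - high' lines."""
    pattern = re.compile(r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3)))
            for m in pattern.finditer(smb_conf)}


def overlapping_ranges(ranges):
    """Pairs of domains whose ranges overlap; winbind refuses such a config."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def rid_to_xid(rid, range_low):
    """ID the idmap_rid backend allocates: the domain's low range plus the RID."""
    return range_low + rid


def check_xid(xid, domain, ranges):
    """Explain why a hand-picked xidNumber would be unusable on a domain member."""
    low, high = ranges[domain]
    problems = []
    if xid <= SYSTEM_ID_MAX:
        problems.append("inside Unix system ID space 0-%d" % SYSTEM_ID_MAX)
    if not low <= xid <= high:
        problems.append("outside %s range %d-%d" % (domain, low, high))
    return problems


# Constructed domain-member smb.conf fragment (assumed values, not the poster's DC config).
MEMBER_SMB_CONF = """
[global]
    security = ADS
    workgroup = MODIANOAD
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MODIANOAD : backend = rid
    idmap config MODIANOAD : range = 10000-999999
"""

if __name__ == "__main__":
    ranges = parse_idmap_ranges(MEMBER_SMB_CONF)
    print("overlapping ranges:", overlapping_ranges(ranges))
    domain_users_rid = 513  # well-known RID of Domain Users
    for gid in (domain_users_rid, rid_to_xid(domain_users_rid, ranges["MODIANOAD"][0])):
        print("Domain Users as GID %d:" % gid, check_xid(gid, "MODIANOAD", ranges) or ["ok"])
```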
Giuseppe Ravasio
2017-Oct-23 07:11 UTC
[Samba] Samba 4.6.7 AD, Netapp CDOT 9.2 and missing "Domain Users" membership
On 10/20/2017 05:48 PM, Rowland Penny via samba wrote:
>> So I tried what is suggested in this thread:
>> https://lists.samba.org/archive/samba/2016-April/thread.html#199609
>
> I really should have said there that using '513' wasn't a good idea ;-)

ok I'll revert to 100 ;-)

> The only way to get the same IDs everywhere is to use the winbind
> 'ad' backend, you will need to give your users and groups RFC2307
> attributes though. Windows (when using RSAT) starts the IDs at
> '10000' and it is suggested to use that start number.

This means that even if I deployed the Domain with "--use-rfc2307" the
RFC2307 attributes are not already populated?

> If this is the DC, you don't need '192.168.100.50
> sambatest1.modiano.com sambatest1' in /etc/hosts

Yep, sorry for not trashing the line... We are using an IP alias for ssh
access and another one for samba, so sambatest1 is just the entry for
the other ip alias.

>> Clustered DataONTAP seems to be missing those files, or they are not
>> accessible via regular system CLI.
>> There are a lot of CIFS related commands and if you can tell me what
>> you're looking for I could try searching the docs.
>>
>> Anyway from Netapp all is working well (Authentication, groups,
>> permissions, sharing etc etc) except when we try to use "Domain Users"
>> (and we think also Backup Operators) in ACLs.
>> In that case we can set the ACL with a Domain Admins user but the
>> other user that has only "Domain Users" permissions cannot access the
>> file because the system does not see him as a member of the group.
>>
>
> Is this 'Netapp' thing running some form of Samba?
> If so it must have a smb.conf somewhere.

As far as I know Netapp OS is not running some form of Samba.
And as usual they do not officially support Samba as DC :-(

Thanks
Giuseppe