Hi,

If you try net group /domain "Domain Users" in samba domain with
domain users as primary group any user is shown, but if you try the
same in a native AD then users are listed, try this to reproduce the
error

Thanks

2018-02-12 20:24 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
> Hi Rowland,
>
> Not really sure if that is correct, tried with native AD and domain
> users are shown also if they have domain users as primary group, it
> seems a samba bug like it was described here
> https://lists.samba.org/archive/samba/2017-October/211699.html
>
> Any suggestion about how to solve, other groups are working OK, but
> seems that with netapp cdot domain users are not usable, and this is a
> problem...
>
> Thanks
>
> 2018-02-12 17:28 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>> Hi,
>>
>> Using a samba 4, and having users configured as primary group domain
>> users (513) we detected that then if you execute net group /domain
>> "Domain Users" then user is not shown as member of domain users,
>> if you remove from primary group and assign another group then with
>> net group /domain "Domain Users" you can list this user as member.
>>
>> This generates that for example permissions to shares assigned to
>> domain users are not working
>>
>> Anybody can give some information where is the issue, reproduced with
>> samba 4.4.5 and 4.4.16
>>
>> thanks

Is not a permission issue, because if you replace primary group then
it works. It seems a bug related with primary group and domain users,
then not listed and permission not applied because is not working,
tried with native AD windows 2008 and then error not reproduced,
net group /domain "Domain users" lists correctly users also if they
have domain users as primary groups

Thanks

2018-02-12 20:52 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
> Hi,
>
> If you try net group /domain "Domain Users" in samba domain with
> domain users as primary group any user is shown, but if you try the
> same in a native AD then users are listed, try this to reproduce the
> error
> Thanks
>
> 2018-02-12 20:24 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>> Hi Rowland,
>>
>> Not really sure if that is correct, tried with native AD and domain
>> users are shown also if they have domain users as primary group, it
>> seems a samba bug like it was described here
>> https://lists.samba.org/archive/samba/2017-October/211699.html
>>
>> Any suggestion about how to solve, other groups are working OK, but
>> seems that with netapp cdot domain users are not usable, and this is a
>> problem...
>>
>> Thanks
>>
>> 2018-02-12 17:28 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>>> Hi,
>>>
>>> Using a samba 4, and having users configured as primary group domain
>>> users (513) we detected that then if you execute net group /domain
>>> "Domain Users" then user is not shown as member of domain users,
>>> if you remove from primary group and assign another group then with
>>> net group /domain "Domain Users" you can list this user as member.
>>>
>>> This generates that for example permissions to shares assigned to
>>> domain users are not working
>>>
>>> Anybody can give some information where is the issue, reproduced with
>>> samba 4.4.5 and 4.4.16
>>>
>>> thanks

On Mon, 12 Feb 2018 20:52:54 +0100
Trenta sis via samba <samba at lists.samba.org> wrote:
> Hi,
>
> If you try net group /domain "Domain Users" in samba domain with
> domain users as primary group any user is showed, but If you try the
> same in a native AD then users are listed, try this to reproduce the
> error
> Thanks
>

Not possible, I do not have a Windows AD DC, but I don't doubt it
works, probably because windows has a similar work around to
'samba-tool group listmembers Domain\ Users'

Can you create a file on the netapp that ends up belonging to
'username:Domain Users' ?

Does 'getent group Domain\ Users' produce output ?

What version of Samba is running on the netapp and what is its
smb.conf ?

Rowland

> Not possible, I do not have a Windows AD DC, but I don't doubt it
> works, probably because windows has a similar work around to
> 'samba-tool group listmembers Domain\ Users'

--> Correct, this command returns correctly the users

> Can you create a file on the netapp that ends up belonging to
> 'username:Domain Users' ?

--> Correct, file created without issues

> Does 'getent group Domain\ Users' produce output ?

--> output:

# getent group Domain\ Users
DOMAIN\domain users:x:513:

> What version of Samba is running on the netapp and what is its
> smb.conf ?

--> Not sure how to check samba versions used by netapp, how to check
on cdot version of samba used? smb.conf is:
samba pdc used is 4.4.5 and also tried with 4.4.16, but seems that
with 4.7 I also reproduced

[global]
        bind interfaces only = Yes
        interfaces = lo eth0 eth0:0
        netbios name = SERVER
        realm = DOMAIN.COM
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = DOMAIN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        comment
        winbind enum users = yes
        winbind enum groups = yes
        tls enabled = yes
        tls keyfile = tls/server.pem.nopass.key
        tls certfile = tls/server.pem.crt
        tls cafile = tls/server_ca.pem.crt
        tls verify peer = ca_and_name
        ldap server require strong auth = no

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.es/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

> Rowland

2018-02-12 20:56 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
> Is not a permission issue, because if you replace primary group then
> it works. It seems a bug related with primary group and domain users,
> then not listed and permission not applied because is not working,
> tried with native AD windows 2008 and then error not reproduced,
> net group /domain "Domain users" lists correctly users also if they
> have domain users as primary groups
> Thanks
>
> 2018-02-12 20:52 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>> Hi,
>>
>> If you try net group /domain "Domain Users" in samba domain with
>> domain users as primary group any user is shown, but if you try the
>> same in a native AD then users are listed, try this to reproduce the
>> error
>> Thanks
>>
>> 2018-02-12 20:24 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>>> Hi Rowland,
>>>
>>> Not really sure if that is correct, tried with native AD and domain
>>> users are shown also if they have domain users as primary group, it
>>> seems a samba bug like it was described here
>>> https://lists.samba.org/archive/samba/2017-October/211699.html
>>>
>>> Any suggestion about how to solve, other groups are working OK, but
>>> seems that with netapp cdot domain users are not usable, and this
>>> is a problem...
>>>
>>> Thanks
>>>
>>> 2018-02-12 17:28 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>>>> Hi,
>>>>
>>>> Using a samba 4, and having users configured as primary group
>>>> domain users (513) we detected that then if you execute net group
>>>> /domain "Domain Users" then user is not shown as member of domain
>>>> users, if you remove from primary group and assign another group
>>>> then with net group /domain "Domain Users" you can list this user
>>>> as member.
>>>>
>>>> This generates that for example permissions to shares assigned to
>>>> domain users are not working
>>>>
>>>> Anybody can give some information where is the issue, reproduced
>>>> with samba 4.4.5 and 4.4.16
>>>>
>>>> thanks
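
The membership question in this thread, as an added example that is not part of the original messages: in Active Directory a user's primary group is recorded as a RID in the user's primaryGroupID attribute, not in the group's member attribute, so a listing built from member alone leaves those users out. The directory entries, account names and domain SID below are constructed sample data, and the function names are hypothetical.

```python
# Added illustration: why an audit of "Domain Users" must also match primaryGroupID.
# All entries, names and the domain SID are constructed sample data.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BASE = "CN=Users,DC=domain,DC=com"

GROUPS = {
    # carol was moved to another primary group, so she is an explicit member here
    "Domain Users": {"objectSid": DOMAIN_SID + "-513", "member": ["CN=carol," + BASE]},
    "Staff": {"objectSid": DOMAIN_SID + "-1105",
              "member": ["CN=alice," + BASE, "CN=bob," + BASE]},
}
USERS = [
    {"dn": "CN=alice," + BASE, "sAMAccountName": "alice", "primaryGroupID": 513},
    {"dn": "CN=bob," + BASE, "sAMAccountName": "bob", "primaryGroupID": 513},
    {"dn": "CN=carol," + BASE, "sAMAccountName": "carol", "primaryGroupID": 1105},
]

def rid_of(sid):
    """The RID is the last sub-authority of the SID (513 for Domain Users)."""
    return int(sid.rsplit("-", 1)[1])

def members_by_attribute(group):
    """What a listing sees if it reads only the group's 'member' attribute."""
    dns = set(GROUPS[group]["member"])
    return sorted(u["sAMAccountName"] for u in USERS if u["dn"] in dns)

def members_by_primary_group(group):
    """Users whose primaryGroupID equals the group's RID."""
    rid = rid_of(GROUPS[group]["objectSid"])
    return sorted(u["sAMAccountName"] for u in USERS if u["primaryGroupID"] == rid)

def primary_group_filter(group):
    """LDAP filter that finds the same users in a real directory."""
    return "(&(objectClass=user)(primaryGroupID=%d))" % rid_of(GROUPS[group]["objectSid"])

def effective_members(group):
    """Union of both sources: the set an ACL on the group really covers."""
    return sorted(set(members_by_attribute(group)) | set(members_by_primary_group(group)))

def missed_by_attribute_listing(group):
    """Accounts an attribute-only audit would silently omit."""
    return sorted(set(effective_members(group)) - set(members_by_attribute(group)))

if __name__ == "__main__":
    for name in GROUPS:
        print(name, "member-only:", members_by_attribute(name),
              "effective:", effective_members(name),
              "missed:", missed_by_attribute_listing(name))
        print("  filter:", primary_group_filter(name))
```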