Not possible, I do not have a Windows AD DC, but I don't doubt it
works, probably because windows has a similar work around to
'samba-tool group listmembers Domain\ Users' --> Correct this command
returns correctly the users

Can you create a file on the netapp that ends up belonging to
'username:Domain Users' ? --> Correct file created without issues

Does 'getent group Domain\ Users' produce output ? --> output:
# getent group Domain\ Users
DOMAIN\domain users:x:513:

What version of Samba is running on the netapp and what is its
smb.conf ? --> Not sure how to check samba versions used by netapp,
how to check on cdot version of samba used? smb.conf is:

samba pdc used is 4.4.5 and also tried with 4.4.16, but seems that
with 4.7 i also reproduced

[global]

        bind interfaces only = Yes
        interfaces = lo eth0 eth0:0
        netbios name = SERVER
        realm = DOMAIN.COM
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = DOMAIN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        comment

        winbind enum users = yes
        winbind enum groups = yes

        tls enabled  = yes
        tls keyfile  = tls/server.pem.nopass.key
        tls certfile = tls/server.pem.crt
        tls cafile   = tls/server_ca.pem.crt

        tls verify peer = ca_and_name
        ldap server require strong auth = no


[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.es/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No


Rowland

2018-02-12 20:56 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
> Is not a permission issue, because if you replace primary group then
> works, It seems a bug related with primary group and domain users,
> then not listed and permission not applied because is not working,
> tried with native AD windows 2008 and then error not reproduced net
> group /domain "Domain users" lists correctly users also if they have
> domain users as primary groups
> Thanks
>
>
> 2018-02-12 20:52 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>> Hi,
>>
>> If you try net group /domain "Domain Users" in samba domain with
>> domain users as primary group any user is shown, but If you try the
>> same in a native AD then users are listed, try this to reproduce the
>> error
>> Thanks
>>
>>
>> 2018-02-12 20:24 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>>> Hi Rowland,
>>>
>>> Not really sure if that is correct, tried with native AD and domain
>>> users are shown also if they have domain users as primary group, It
>>> seems a samba bug like It was described here
>>> https://lists.samba.org/archive/samba/2017-October/211699.html
>>>
>>> Any suggestion about how to solve, other groups are working OK, but
>>> seems that with netapp cdot domain users are not usable, and this is a
>>> problem...
>>>
>>>
>>> Thanks
>>>
>>> 2018-02-12 17:28 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
>>>> Hi,
>>>>
>>>> Using a samba 4, and having users configured as primary group domain
>>>> users (513) we detected that then if you execute net group /domain
>>>> "Domain Users" then user is not shown in as member of domain users,
>>>> if you remove from primary group and assign another group then with
>>>> net group /domain "Domain Users" you can list this user as member.
>>>>
>>>> This generates that for example permissions to shares assigned to
>>>> domain users are not working
>>>>
>>>> Anybody can give some information where is the issue, reproduced with
>>>> samba 4.4.5 and 4.4.16
>>>>
>>>> thanks
Hi,
additional information, creating a new file or folder with full
permission to domain user both are not usable (permission denied),
then if you add permission at level user then works, It seems that
issue is only with domain users as primary group
Thanks
On Mon, 12 Feb 2018 21:25:47 +0100
Trenta sis via samba <samba at lists.samba.org> wrote:

> Hi,
> additional information, creating a new file or folder with full
> permission to domain user both are not usable (permission denied),
> then if you add permission at level user then works, It seems that
> issue is only with domain users as primary group
> Thanks
>
> 2018-02-12 21:21 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
> > Not possible, I do not have a Windows AD DC, but I don't doubt it
> > works, probably because windows has a similar work around to
> > 'samba-tool group listmembers Domain\ Users' --> Correct this
> > command returns correctly the users
> >
> > Can you create a file on the netapp that ends up belonging to
> > 'username:Domain Users' ? --> Correct file created without issues
> >
> > Does 'getent group Domain\ Users' produce output ? --> output:
> > # getent group Domain\ Users
> > DOMAIN\domain users:x:513:

Then your netapp knows about Domain Users and its members

> >
> > What version of Samba is running on the netapp and what is its
> > smb.conf ? --> Not sure how to check samba versions used by netapp,
> > how to check on cdot version of samba used? smb.conf is:

The more I hear about this problem, the more I think it is a problem
with the netapp, have you tried asking whoever makes it ?

Rowland
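
Added example, not part of the thread or of Samba: Active Directory records a user's primary group in the user's primaryGroupID attribute (the RID, 513 for Domain Users) rather than in the group's member attribute, so a listing built from member alone omits those users. The sketch below compares both views over constructed entries; the SID, names, helper functions and the "kind" field (standing in for objectClass) are all hypothetical.

```python
# Constructed directory entries (not from the thread); SID and names are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

def dn(cn):
    return f"CN={cn},CN=Users,DC=domain,DC=com"

def group(cn, rid, members):
    return {"dn": dn(cn), "kind": "group", "objectSid": f"{DOMAIN_SID}-{rid}",
            "member": [dn(m) for m in members]}

def user(cn, rid, primary_rid):
    return {"dn": dn(cn), "kind": "user", "objectSid": f"{DOMAIN_SID}-{rid}",
            "primaryGroupID": primary_rid}

ENTRIES = [
    group("Domain Users", 513, ["carol"]),  # carol's primary group is Staff
    group("Staff", 1105, ["alice"]),
    user("alice", 1201, 513),
    user("bob", 1202, 513),
    user("carol", 1203, 1105),
]

def split_sid(sid):
    """Return (domain SID, RID) for an account SID."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def member_attr_only(entries, group_dn):
    """Members as seen by a reader that looks only at the group's member attribute."""
    grp = next(e for e in entries if e["dn"] == group_dn and e["kind"] == "group")
    return set(grp["member"])

def effective_members(entries, group_dn):
    """member attribute plus users whose primaryGroupID is this group's RID."""
    grp = next(e for e in entries if e["dn"] == group_dn and e["kind"] == "group")
    domain, rid = split_sid(grp["objectSid"])
    primary = {e["dn"] for e in entries
               if e["kind"] == "user" and e["primaryGroupID"] == rid
               and split_sid(e["objectSid"])[0] == domain}
    return set(grp["member"]) | primary

def missed_by_member_only(entries, group_dn):
    """Users a group-based ACL check would exclude if it trusted member alone."""
    return effective_members(entries, group_dn) - member_attr_only(entries, group_dn)

if __name__ == "__main__":
    for name in sorted(missed_by_member_only(ENTRIES, dn("Domain Users"))):
        print("primary-group-only member:", name)
```
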