Bug 13274 - Netapp CDOT 9.1/9.2 cifs missing Domain Users
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.7.5
Hardware: All Linux
Importance: P5 major
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact

Reported: 2018-02-14 19:10 UTC by trenta
Modified: 2018-02-23 22:05 UTC

Description trenta 2018-02-14 19:10:54 UTC
Hi, 

We are going to migrate our old 7 mode to a new CDOT 9.2 and for the cifs service we are setting up a new AD domain with Samba (4.6.7).

The cifs svm joins the domain and can see users and groups.

But when I create a share with "Domain Users" full control, no one is able to access it.

If I create another domain group and give this group full control, the users are able to use the share.

It seems that the cifs svm ignores the fact that the user is a member of the "Domain Users" group.

In fact:

  

c21-filer::*> diag secd authentication show-creds -node c21-filer-node2 -vserver cifs-node1-sata -win-name testuser

 UNIX UID: pcuser <> Windows User: MODIANOAD\testuser (Windows Domain User)

 GID: pcuser
 Supplementary GIDs: 
 pcuser

 Windows Membership:
 MODIANOAD\test_share (Windows Domain group)
 MODIANOAD\noc (Windows Domain group)
 User is also a member of Everyone, Authenticated Users, and Network Users

 Privileges (0x2000):
 SeChangeNotifyPrivilege

If I remove the user from "Domain Users" and assign him another primary group, this group disappears from the "Windows Membership" section.

net group /domain "Domain Users" doesn't list users if it is defined as the primary group. I tried with native AD, and users are reported correctly.

Could this be the issue?
Comment 1 Giuseppe Ravasio 2018-02-15 08:17:18 UTC
Same problem here!
Obviously with Windows 2016 DC it works as expected.
Comment 2 Volker Lendecke 2018-02-15 09:34:26 UTC
I think someone needs to let a Samba-Developer access those boxes to be able to poke around a bit. No Samba Developer I know has direct access to a NetApp box, so there's no way we can diagnose this properly given that all relevant communication is encrypted.
Comment 3 trenta 2018-02-16 07:50:40 UTC
Exactly what do you need? If you want, I can collect information or try to help debug.

Thanks
Comment 4 Giuseppe Ravasio 2018-02-16 08:54:59 UTC
Hi, 
If you would like to play with Netapp ONTAP there is also a simulator available:
https://mysupport.netapp.com/tools/info/ECMLP2538456I.html?productID=61970

Actually I'm a little busy and I do not have the time nor the hardware to set you up a testing environment, but if you do not want/have the time to test the simulator yourself, in April I think I could set you up a full testing environment.

Giuseppe
Comment 5 Volker Lendecke 2018-02-16 09:31:34 UTC
(In reply to Giuseppe Ravasio from comment #4)
> If you would like to play with Netapp ONTAP there is also a simulator
> available:
> https://mysupport.netapp.com/tools/info/ECMLP2538456I.html?productID=61970

The simulator is only available to existing customers, not to the world. At least that was the case when I last looked.
Comment 6 Volker Lendecke 2018-02-16 09:32:01 UTC
(In reply to trenta from comment #3)
> Exactly what do you need? If you want, I can collect information or try to
> help debug.

root access to the DC.
Comment 7 trenta 2018-02-23 22:05:14 UTC
Hi,
Sorry but now I'm a little busy and my production environment is
4.4.5, I'll try to prepare, but now I don't have availability... Ontap
simulator could be a solution for testing...
Thanks
