Josh Kelley
2014-Jul-28 13:29 UTC
[Samba] Winbind rid + SID History creating duplicate per-user groups
Since upgrading from Ubuntu 12.04 (Samba 3.6.3) to Ubuntu 14.04 (Samba 4.1.6), I've noticed some strange problems with our group mappings:

First, each of our Active Directory users now has a corresponding group in Linux. I don't remember ever noticing this in Ubuntu 12.04 / Samba 3.6.3. Is this feature new? Is it documented anywhere? (I tried searching online and couldn't find anything relevant.)

Second, duplicate per-user groups are being created, and this is causing us lots of problems. For example, my username jkelley is assigned a uid of 14504 (based on its RID in AD), and so a jkelley group with gid 14504 is also created, but the jkelley user is actually a member of a second jkelley group with a different gid.

By poking around with wbinfo, I determined that the duplicate groups are being created by SID history; one gid corresponds to the SID in the sIDHistory attribute, while the other corresponds to the current SID in the Active Directory domain. Is there a way to fix this without simply deleting the sIDHistory attributes from Active Directory?

Winbind config from smb.conf:

idmap backend = rid
idmap uid = 10000-30000
idmap gid = 10000-30000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
winbind:ignore domains = OLDDOMAIN EXTERNALDOMAIN

--
Josh Kelley
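The rid backend's arithmetic behind the two gids described above, as an added example that is not code from the post or from Samba: it parses SIDs, applies the idmap_rid formula (id = RID - base_rid + range_low, rejected above range_high) with the range from the post, and flags group names that resolve to more than one gid. The domain SIDs, the RIDs other than 4504, and the group names other than jkelley are constructed.

```python
import re
from collections import defaultdict

# Assumed idmap_rid arithmetic, with the single 10000-30000 range from the
# post and the default base_rid of 0.
RANGE_LOW, RANGE_HIGH, BASE_RID = 10000, 30000, 0

# Constructed domain SIDs standing in for the current AD domain and for
# OLDDOMAIN, the source of the sIDHistory entries.
CURRENT_DOM = "S-1-5-21-1111111111-2222222222-3333333333"
OLD_DOM = "S-1-5-21-4444444444-5555555555-6666666666"

SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")


def split_sid(sid):
    """Return (domain SID, RID) for a domain SID such as S-1-5-21-...-4504."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %s" % sid)
    return m.group(1), int(m.group(2))


def rid_to_id(sid, low=RANGE_LOW, high=RANGE_HIGH, base_rid=BASE_RID):
    """Map a SID to a Unix id the way the rid backend does; None if out of range."""
    _, rid = split_sid(sid)
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def audit_group_mappings(groups):
    """groups: (group name, SID) pairs as winbind would expose them.
    Returns (names with more than one gid, gids claimed by more than one SID).
    The second case is possible because only the RID feeds the id, so one
    range shared by several domains cannot keep their RIDs apart."""
    gids_by_name, sids_by_gid = defaultdict(set), defaultdict(set)
    for name, sid in groups:
        gid = rid_to_id(sid)
        if gid is None:
            continue  # outside the configured range: the mapping simply fails
        gids_by_name[name].add(gid)
        sids_by_gid[gid].add(sid)
    duplicates = {n: sorted(g) for n, g in gids_by_name.items() if len(g) > 1}
    collisions = {g: sorted(s) for g, s in sids_by_gid.items() if len(s) > 1}
    return duplicates, collisions


# Constructed sample: jkelley's current SID (RID 4504, gid 14504 as in the post),
# its sIDHistory SID from OLDDOMAIN, and two groups whose RIDs happen to match.
SAMPLE_GROUPS = [("jkelley", CURRENT_DOM + "-4504"), ("jkelley", OLD_DOM + "-1207"),
                 ("staff", CURRENT_DOM + "-1105"), ("oldstaff", OLD_DOM + "-1105")]
```

Running audit_group_mappings(SAMPLE_GROUPS) reports jkelley with gids 11207 and 14504, which is the duplicate-group symptom from the post, plus a collision on gid 11105 between the two domains.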
Rowland Penny
2014-Jul-28 14:00 UTC
[Samba] Winbind rid + SID History creating duplicate per-user groups
On 28/07/14 14:29, Josh Kelley wrote:
> Since upgrading from Ubuntu 12.04 (Samba 3.6.3) to Ubuntu 14.04 (Samba
> 4.1.6), I've noticed some strange problems with our group mappings:
>
> First, each of our Active Directory users now has a corresponding
> group in Linux. I don't remember ever noticing this in Ubuntu 12.04 /
> Samba 3.6.3. Is this feature new? Is it documented anywhere? (I
> tried searching online and couldn't find anything relevant.)
>
> Second, duplicate per-user groups are being created, and this is
> causing us lots of problems. For example, my username jkelley is
> assigned a uid of 14504 (based on its RID in AD), and so a jkelley
> group with gid 14504 is also created, but the jkelley user is actually
> a member of a second jkelley group with a different gid.
>
> By poking around with wbinfo, I determined that the duplicate groups
> are being created by SID history; one gid corresponds to the SID in
> the sIDHistory attribute, while the other corresponds to the current
> SID in the Active Directory domain. Is there a way to fix this
> without simply deleting the sIDHistory attributes from Active
> Directory?
>
> Winbind config from smb.conf:
>
> idmap backend = rid
> idmap uid = 10000-30000
> idmap gid = 10000-30000
> winbind enum groups = yes
> winbind enum users = yes
> winbind use default domain = yes
> winbind:ignore domains = OLDDOMAIN EXTERNALDOMAIN
>

Hi, the type of winbind that you posted was deprecated before Samba 3.6.3, and even if it wasn't, there aren't enough lines there; any chance you could post your entire (sanitized) smb.conf?

Could you also tell us how you are creating users? Something you are doing (and probably shouldn't be) is creating user groups; these are usually not used with AD.

Rowland