samba - Jul 2014 - Winbind rid + SID History creating duplicate per-user groups

Since upgrading from Ubuntu 12.04 (Samba 3.6.3) to Ubuntu 14.04 (Samba
4.1.6), I've noticed some strange problems with our group mappings:

First, each of our Active Directory users now has a corresponding
group in Linux. I don't remember ever noticing this in Ubuntu 12.04 /
Samba 3.6.3.  Is this feature new?  Is it documented anywhere?  (I
tried searching online and couldn't find anything relevant.)

Second, duplicate per-user groups are being created, and this is
causing us lots of problems.  For example, my username jkelley is
assigned a uid of 14504 (based on its RID in AD), and so a jkelley
group with gid 14504 is also created, but the jkelley user is actually
a member of a second jkelley group with a different gid.

By poking around with wbinfo, I determined that the duplicate groups
are being created by SID history; one gid corresponds to the SID in
the sIDHistory attribute, while the other corresponds to the current
SID in the Active Directory domain.  Is there a way to fix this
without simply deleting the sIDHistory attributes from Active
Directory?

Winbind config from smb.conf:

idmap backend = rid
idmap uid = 10000-30000
idmap gid = 10000-30000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
winbind:ignore domains = OLDDOMAIN EXTERNALDOMAIN

-- 
Josh Kelley

On 28/07/14 14:29, Josh Kelley wrote:
> Since upgrading from Ubuntu 12.04 (Samba 3.6.3) to Ubuntu 14.04 (Samba
> 4.1.6), I've noticed some strange problems with our group mappings:
>
> First, each of our Active Directory users now has a corresponding
> group in Linux. I don't remember ever noticing this in Ubuntu 12.04 /
> Samba 3.6.3.  Is this feature new?  Is it documented anywhere?  (I
> tried searching online and couldn't find anything relevant.)
>
> Second, duplicate per-user groups are being created, and this is
> causing us lots of problems.  For example, my username jkelley is
> assigned a uid of 14504 (based on its RID in AD), and so a jkelley
> group with gid 14504 is also created, but the jkelley user is actually
> a member of a second jkelley group with a different gid.
>
> By poking around with wbinfo, I determined that the duplicate groups
> are being created by SID history; one gid corresponds to the SID in
> the sIDHistory attribute, while the other corresponds to the current
> SID in the Active Directory domain.  Is there a way to fix this
> without simply deleting the sIDHistory attributes from Active
> Directory?
>
> Winbind config from smb.conf:
>
> idmap backend = rid
> idmap uid = 10000-30000
> idmap gid = 10000-30000
> winbind enum groups = yes
> winbind enum users = yes
> winbind use default domain = yes
> winbind:ignore domains = OLDDOMAIN EXTERNALDOMAIN
>
Hi, the type of winbind that you posted was depreciated before samba 
3.6.3 and even if it wasn't, there isn't enough lines there, any chance 
you could post your entire (sanitized) smb.conf

Could you also tell us how you are creating users, something you are 
doing (and probably shouldn't be) is creating user groups, these are 
usually not used with AD.

Rowland