David Maltz
2014-Sep-11 18:48 UTC
[Samba] Conflicts between RIDs from historical domain SIDs
Samba version: 4.1.9
Using the idmap_rid backend

Case:
A Windows AD security group has a historical SID (sidHistory) whose RID matches the RID of a user in the "current domain"

For example: (Note the different domain portions of the SID)
Current SID of group G: S-1-5-21-1405700021-3363460546-1698178416-30661
Historical SID of group G: S-1-5-21-2389300033-4596500334-3403203421-43872

Current SID of user U: S-1-5-21-1405700021-3363460546-1698178416-43872

Since the RID portion of the historical group SID (43872) matches the RID portion of the current user SID, there are multiple mappings for the resultant unix ID (e.g. 543872) in the winbindd cache.

This seems to cause the user not to have access to folders to which they should have access.

Running a "net cache flush" cleans out the winbindd cache and temporarily resolves the issue.

Any ideas on what might be happening here?

Thanks
Rowland Penny
2014-Sep-11 19:04 UTC
[Samba] Conflicts between RIDs from historical domain SIDs
On 11/09/14 19:48, David Maltz wrote:
> Samba version: 4.1.9
> Using the idmap_rid backend
>
> Case:
> A Windows AD security group has a historical SID (sidHistory) whose RID matches the RID of a user in the "current domain"
>
> For example: (Note the different domain portions of the SID)
> Current SID of group G: S-1-5-21-1405700021-3363460546-1698178416-30661
> Historical SID of group G: S-1-5-21-2389300033-4596500334-3403203421-43872
>
> Current SID of user U: S-1-5-21-1405700021-3363460546-1698178416-43872
>
> Since the RID portion of the historical group SID (43872) matches the RID portion of the current user SID,
> there are multiple mappings for the resultant unix ID (e.g. 543872) in the winbindd cache.
>
> This seems to cause the user not to have access to folders to which they should have access.
>
> Running a "net cache flush" cleans out the winbindd cache and temporarily resolves the issue.
>
> Any ideas on what might be happening here?
>
> Thanks

Not a clue, though providing a bit more info like how did you upgrade, how are you running samba, showing us your smb.conf etc ;-)

Rowland
Christof Schmitt
2014-Sep-15 23:06 UTC
[Samba] Conflicts between RIDs from historical domain SIDs
On Thu, Sep 11, 2014 at 02:48:27PM -0400, David Maltz wrote:
> Samba version: 4.1.9
> Using the idmap_rid backend
>
> Case:
> A Windows AD security group has a historical SID (sidHistory) whose RID matches the RID of a user in the "current domain"
>
> For example: (Note the different domain portions of the SID)
> Current SID of group G: S-1-5-21-1405700021-3363460546-1698178416-30661
> Historical SID of group G: S-1-5-21-2389300033-4596500334-3403203421-43872
>
> Current SID of user U: S-1-5-21-1405700021-3363460546-1698178416-43872
>
> Since the RID portion of the historical group SID (43872) matches the RID portion of the current user SID,
> there are multiple mappings for the resultant unix ID (e.g. 543872) in the winbindd cache.
>
> This seems to cause the user not to have access to folders to which they should have access.
>
> Running a "net cache flush" cleans out the winbindd cache and temporarily resolves the issue.
>
> Any ideas on what might be happening here?

There is a codepath that combines the domain sid from a current domain with the rid of a previous domain. I posted a patch to avoid at least this particular case:
https://lists.samba.org/archive/samba-technical/2014-September/102456.html

Christof
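The following is an added illustration, not code from the thread or from Samba. It models the collision David describes and the cause Christof names: a mapping that keys the unix ID on the RID alone (unix id = range base + RID, as idmap_rid computes it) gives the historical SID of group G and the current SID of user U the same unix ID, while a mapping that keys on the full domain SID keeps them apart. The three SIDs are the ones from the original post; the range base of 500000 (which reproduces the 543872 in the post) and the second per-domain base of 1000000 are assumptions, and the `find_collisions` audit is a hypothetical helper for checking an inventory of SIDs, not a winbindd facility.

```python
# Added example (not from the thread or from Samba): model of RID-only versus
# domain-aware SID-to-unix-ID mapping, using the SIDs from the original post.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Sid:
    domain: str  # e.g. "S-1-5-21-1405700021-3363460546-1698178416"
    rid: int     # trailing relative identifier


def parse_sid(text: str) -> Sid:
    """Split a textual domain SID into its domain part and trailing RID."""
    if not text.startswith("S-1-5-21-"):
        raise ValueError(f"not a domain SID: {text}")
    domain, _, rid = text.rpartition("-")
    return Sid(domain, int(rid))


# SIDs quoted in the original post.
GROUP_G_CURRENT = "S-1-5-21-1405700021-3363460546-1698178416-30661"
GROUP_G_HISTORIC = "S-1-5-21-2389300033-4596500334-3403203421-43872"
USER_U_CURRENT = "S-1-5-21-1405700021-3363460546-1698178416-43872"

# Assumed: a single range with base 500000, which yields the post's 543872.
RID_BASE = 500000

# Assumed: one non-overlapping base per domain SID (the current domain and the
# old domain that the sidHistory entry came from).
DOMAIN_BASES: Dict[str, int] = {
    "S-1-5-21-1405700021-3363460546-1698178416": 500000,
    "S-1-5-21-2389300033-4596500334-3403203421": 1000000,
}


def map_rid_only(sid: Sid, base: int = RID_BASE) -> int:
    """RID-only mapping: unix id = base + rid; the domain part is ignored."""
    return base + sid.rid


def map_per_domain(sid: Sid, bases: Dict[str, int] = DOMAIN_BASES) -> int:
    """Domain-aware mapping: each domain SID owns its own base, so equal RIDs
    from different domains land in different ranges."""
    base = bases.get(sid.domain)
    if base is None:
        raise KeyError(f"no idmap range configured for domain {sid.domain}")
    return base + sid.rid


def find_collisions(sids: Iterable[str],
                    mapper: Callable[[Sid], int]) -> Dict[int, List[str]]:
    """Hypothetical audit helper: return {unix_id: [sids]} for every unix ID
    that more than one SID maps to under the given mapper."""
    claimed: Dict[int, List[str]] = {}
    for text in sids:
        uid = mapper(parse_sid(text))
        claimed.setdefault(uid, []).append(text)
    return {uid: owners for uid, owners in claimed.items() if len(owners) > 1}


if __name__ == "__main__":
    inventory = [GROUP_G_CURRENT, GROUP_G_HISTORIC, USER_U_CURRENT]
    print("RID-only collisions:", find_collisions(inventory, map_rid_only))
    print("Per-domain collisions:", find_collisions(inventory, map_per_domain))
```

Run as a script, the RID-only mapper reports unix ID 543872 claimed by both the historical group SID and the user SID, which is exactly the duplicate cache mapping the post observes; the per-domain mapper reports no collisions. The model only shows why keying on the RID alone is unsafe once sidHistory brings a second domain's RIDs into play; it does not reproduce the specific winbindd codepath Christof refers to, and "net cache flush" remains a workaround rather than a fix.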